Attackers can bypass WAF interception by using HTTP parameters.

Translation: pnig0s _ Small P

Last week, I was invited to team up for a CTF flag race organized by CSAW. because of my wife and children, I can only pick one question related to Web vulnerability exploitation, called "HorceForce ". this question is worth 300 points. The general background of this question is that you have a low-privilege account and need to find a way to obtain administrator permissions.

Of course, there are many ways to introduce how to pass the customs clearance, but I want to share my customs clearance experience.
After sending some single quotes as parameter values, the typical MySQL Error Message "MySQL SQL Error Message" is returned. Therefore, you can easily find an SQL injection vulnerability.

Then, as you know, we usually try the following:
Http: // 128.238.66.217/horse. php? Id = 7 or 1 IN (select current_user)
Then I got an error message like "please stop attacking this Website.

After I tried a lot of methods to bypass SQLi filter, I realized that I had configured a WAF behind the website to block arbitrary packets.
SQL query keywords that are commonly used in SQL injection, such as select or union. Through such a black box test, we can guess that WAF uses a regular expression similar to the following:

Www.2cto.com/^. * select. * $/or/^. * union. * $/
This means that any string with an SQL injection attempt is submitted, such as blablaSELECTblabla or image /*! Union */will trigger WAF interception errors.

After some research, I found that through HTTP parameter contamination, attackers can bypass WAF interception.
So how can we implement it?

Let's assume there is a parameter "id" submitted in GET mode. You can repeat this parameter and send it in the following form:
? Id = value1 & id = value2

Then, depending on the framework you use (PHP, Java, ASP. NET, etc), the parameter string will be parsed in different ways, in our experiment scenario Apache/PHP, if you can inject the same parameter value multiple times, only the last parameter value will be parsed by the framework, but guess what? Only the first parameter is analyzed and filtered by WAF!

This means that through injection: id = 7 & id = [SQLi]
The WAF network layer parses id = 7 <-valid

The PHP application layer parses id = [SQLi] <-the injection statement is successfully executed.
Therefore, this is a typical example. What you inject is treated differently at the network layer and the application layer.
The following table lists the differences between different frameworks when the same parameter is accepted multiple times. Like ASP. NET. if it receives two parameter values, it concatenates two values with the same parameter. Therefore, you can split the filtered keywords into two parameters for attack to bypass WAF, of course, this topic is beyond the scope of this article.
 
Next, we try to inject some SQL statements:
128.238.66.217/horse. php? Id = 0 & id = 7% 20 union % 20 select %, 3, current_user
You can notice that all injection and usage statements are written to the second parameter value, which will not be parsed by WAF.

I got the first correct response:

Csaw_chal1 @ localhost
The next step is the conventional MySQL injection process. I will not repeat it here. This article mainly describes a new way to bypass WAF, Thx
For reading!