Bypass NGX_LUA_WAF SQL Injection Defense (multi-pose)

0x00 Preface

Ngx_lua_waf is a Ngx_lua-based Web application firewall that is easy to use, high performance, and lightweight. The default defense rule is in the wafconf directory, which extracts several core SQL injection defense rules:

select.+ (From|limit) (?:( Union (. *?) Select)) (?: from\w+information_schema\w)

This side mainly shares three kinds of alternative ideas, Bypass NGX_LUA_WAF SQL injection defense.

0x01 Environment Construction

GitHub Source:https://github.com/loveshell/ngx_lua_waf/

NGX_LUA_WAF installation deployment, setting the SQL injection point for reverse proxy access constructs

0x02 WAF Test

NGX_LUA_WAF is based on Ngx_lua, let's start with a test case to see how it gets the parameters.

First look at the official API documentation, get a URI there are two methods: Ngx.req.get_uri_args, Ngx.req.get_post_args, the main difference is that the parameter source is different, Ngx.req.get_uri_args get the URI Request parameters, Ngx.req.get_post_args gets the content from the POST request.

Test Case:

Output test:

Through this test, we can find:

1. When submitting the same parameter ID, sort according to the order of the received parameters

2, when the parameter ID, the case transformation, such as the transformation of ID, ID, ID, will be treated as a different parameter, case sensitive.

We know that the Iis+asp/aspx case under window is insensitive,

The submission parameters are:? id=1&id=2&id=3&id=4,

Output results: 1, 2, 3, 4

Then, when the Nginx reverse proxy to the IIS server, there is a parameter to obtain the difference, in conjunction with HPP, can be used to bypass Ngx_lua built SQL injection defense.

Bypass Posture One: parameter casing +hpp

Http://192.168.8.147/test/sql.aspx?id=1 Union/&id=/select Null,name,null/&id=/from Master.dbo.sysdatabases

Bypass Posture II: GPC

In aspx, there is a special HPP feature that, when get/post/cookie the parameter ID that is submitted at the same time, the server receives the order of the parameter ID Get,post,cookie, the middle by a comma link, so there is this idea.

The UNION, SELECT, from three keywords are placed in the Get/post/cookie position, which is a perfect posture to be connected by the ASPX feature, which is not a good defense.

But posture utilization is too limited: using request.params["id" to get parameters, GPC gets to the parameters of stitching up, just as bypass share a way of thinking.

Bypass Posture Three: URI parameter overflow

The first two kinds are MSSQL bypass, and the use of posture there is a certain limit, there is no such a can bypass Mysql, and can bypass MSSQL, completely disregard SQL injection defense, do whatever posture? This is the ultimate big move of the next.

By default, the URI parameter is obtained by Ngx.req.get_uri_args, Ngx.req.get_post_args, only the first 100 parameters can be obtained, when the 101th argument is submitted, the URI parameter overflows, and the 100th parameter value cannot be obtained correctly. Security protection, based on Ngx_lua development, does not allow for effective security detection of the 100th subsequent parameter submitted by an attacker, bypassing security defenses. Detailed analysis I wrote another article: "Break the Web security protection based on Openresty (cve-2018-9230)"

Mysql Bypass instance:

Mssql Bypass Example:

0x03 END

These three postures mainly utilize HPP, which combines the characteristics and differences obtained by the parameters to circumvent NGX_LUA_WAF's SQL injection defenses.

Different languages, middleware, database, the corresponding characteristics of the difference, and these differences in some specific scenarios, is available.

Bypass NGX_LUA_WAF SQL Injection Defense (multi-pose)