SQL injection bypass and defense techniques for WAF

I. About SQL injection

SQL injection is a common technique for invading Web applications. SQL injection is a result of changing the original SQL statement execution logic using the application system's programming vulnerability and the syntax characteristics of the SQL language.

An attacker sends carefully constructed input data to a Web application that is interpreted as a SQL instruction, alters the original normal SQL execution logic, executes an attacker-issued SQL command, This ultimately allows the attacker to obtain administrator privileges for the Web app or to download sensitive information that the Web app is stored in the database.

Two. How SQL injection is implemented

For a better explanation of this article, the following is a simple example of how SQL injection works.

As a login interface for a website.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/73/0A/wKiom1XygXviNJVrAAAy7R9laHU732.jpg "title=" Waf-rg-fh-1.jpg "alt=" Wkiom1xygxvinjvraaay7r9lahu732.jpg "/>

Login interface to enter the user name: admin password admin1234. In the background of the Web application, the input and program are mixed into SQL commands to access the database. The SQL commands that the final web app sends to the background data are:

Select * from users where username = ' admin ' and Password = ' admin1234 ' (this form)

This SQL query requires the database to check each row in the user table to extract records for each username column that has the admin and password columns values of admin1234. If the condition after where in the database is satisfied. The application will establish a authenticated session for the user. (Web App login successful)

The above is the normal landing Web application process. If the SQL injection point exists at the user name or password input due to a lack of programming rigor, an attacker could take advantage of SQL injection to bypass the login access control of the Web App. For example, the attacker enters admin ' at the user's name--the password can be entered at any value.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/73/07/wKioL1Xyg7Xj2jdkAAA9aZ0g_Qw325.jpg "title=" Waf-rg-fh-2.jpg "alt=" Wkiol1xyg7xj2jdkaaa9az0g_qw325.jpg "/>

Because the actual SQL statements in the background will evolve into:

SELECT * from users where username = ' admin '--' and password = ' 123DQ

In SQL Server "-" equals the comment, because the statement above is added to the "-" is equivalent to

SELECT * from users where username= ' admin '

This means that as long as there is a user named admin. An attacker could log in to the application directly with admin.

Of course, the use of SQL injection is far more than this one, this article does not elaborate.

Three. How WAF defends SQL injection

The WAF simply means parsing an HTTP request, verifying that there is an attack on the HTTP parameter, and triggering the attack if it exists.

There are two main ways to get around the WAF, one is to use the HTTP protocol that the WAF may exist to parse the flaw, and the other is to use the wrapped SQL command to make the WAF unrecognized for SQL injection.

In general, there are four ways to bypass WAF intrusion by HTTP protocol attacks:

(1) Fault packet bypass

Some earlier versions of WAF did not have the ability to combine TCP packets into a full TCP packet. Once an attacker sends an HTTP request packet that is a broken packet, the WAF will not handle the incomplete HTTP request package properly. If these request packages contain SQL injection statements, you can bypass the WAF directly and enter the Web application to compose the SQL injection statement.

(2) Buffer overflow

Today's WAF products basically have the ability to parse the parameters in the HTTP protocol. However, if an attacker intentionally writes an excessive amount of placeholder content to a parameter, then if the WAF product itself is not +shellcode to the parameter, it may cause a buffer overflow to occur. For example, change the input of id=1 to id=1 and select 0xAAAAAAAAAAA ... (more than 1000) +shellcode mode. An attacker could use this intrusion method to bypass the WAF and then invade the application's internal system.

(3) Incompatible protocol

Another way is to send malformed, rather than RFC2616, HTTP requests to the Web server, where the Web server may resolve malformed HTTP requests for compatibility purposes, in which case a bypass may occur if the WAF and Web compatibility are inconsistent. For example, if a request has no protocol field and no host field, Apache will default to the HTTP protocol as version 0.9, and host defaults to Apache's own servername. For compatibility purposes, WAF may not be able to take the same policy as the server on the Web server. Since different versions of HTTP have syntax differences, this situation may be possible to bypass the WAF and get inside the system.

(4) Parameter pollution

Parameter pollution simply said that the same name parameter write multiple, WAF often only check the first parameter. However, the specific parameters used by the server, the policy is not the same

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/73/0A/wKiom1XygZGRJ4N8AAEEv92uK1k787.jpg "title=" Waf-rg-fh-3.jpg "alt=" Wkiom1xygzgrj4n8aaeev92uk1k787.jpg "/>

For example: XXX. Php?id=0&id=7%20union%20select%201,2,3,current_user is an obvious SQL injection. WAF parsing id=0 This is legal, but PHP parsing is really id=7 union select ..... is an injected statement. Different servers have different parsing methods, and the WAF is likely to be bypassed at this time.

Bypassing WAF in the form of a SQL command wrapper is a flaw that leverages WAF to match the core technology of the defense of SQL commands. This technique is typically done in 4 ways that match the job:

1. Identify key reserved words for SQL statements, such as select From,union Select,drop table,into outfile.

2. Identify the built-in functions of the DBMS, such as version (), Load_file (), sleep (), benchmark (), etc.

3, identify the DBMS built-in variables, such as @ @version.

4. Identify the inline annotations identified by the database, such as/*!union*//*!select*/or/*!50000union*/, etc.

In response to the above defenses, hackers have summed up some of the attacks that bypass WAF, such as:

(1) Case-insensitive bypass

A way to bypass the simplest basis such as the keyword select early due to regular match rule not sound Select is unable to distinguish between a select that leads to a WAF bypass, and the subsequent database is parsed correctly into select.

(2) Encoding bypass

The encoding bypass begins on the basis of the case bypass. There are three main types: URL encoding, hex encoding, Unicode encoding. Entering a URL in a browser will encode the URL once and the hacker will bypass the WAF with multiple encodings. For example: Id.php?id=1%2520union/**/select, the database gets the id.php?id=1 union/**/select. If Id.php?id=1%20union/**/select is only decoded once, it is possible to bypass the WAF to invade the database. This problem can be handled using multiple loops of decoding. There are many kinds of Unicode encoding, if it is only based on the blacklist filter, unable to handle the whole situation, so that the WAF can also be bypassed. Where the UTF-32 code once implemented a bypass for Google.

(3) Comment bypass

Not only can the code rewrite the keyword, but also can use comments to rewrite the keyword, to avoid regular matching. For example
z.com/index.php?page_id=-15%55nion/**/%53elect 1,2,3,4 ' Union%a0select pass from users#. is to use symbolic coding instead of a subset of letters and spaces to avoid regular matches. (Selectxxx will not be intercepted because it may be a function name, etc.) Select Space xxx is bound to be intercepted, remove the space to become the key to bypass). There is also the/*!5000union*/series for the MySQL version.

(4) equivalent substitution

Equivalent substitution is a relatively large classification, which can be divided into 4 categories, such as equivalence function, equivalence symbol, special number symbol and comparison symbol.
Equivalence function is the substitution of the same function function. The WAF prohibits some functions, but there are no prohibitions on other functions, such as substring () can be replaced with mid (), substr () functions, and can be used to bypass the function of the original function, which may successfully implement the WAF keyword bypasses. And or this keyword can be used in PHP | | And && instead, the statement id=1 or 1=1 can be written id=1 | | 1= to be bypassed. Similarly, =, >, <, etc. can be bypassed instead of equals sign.
In addition to bypassing keywords and key symbols, the key is to bypass the spaces. Think of ways to avoid the appearance of spaces.

For example, the original sentence id=1 or 1=1

Can be written as:

Id=1+or+1=1

Id=1%0bor%0b1=1

Id=1--s%0aor--s%0a1=1

Id=1/*!or*/1=1

Id=1 () or (1=1) and many other forms to try to bypass

Quad Database firewall assists WAF in addressing SQL injection

In fact, WAF does not have the means to circumvent various SQL injections, so WAF offers various extensions to help users rule out the rules to cope with new attacks, rather than blacklist policies, but a large number of rules will degrade the performance of the WAF, which in turn affects the performance of the entire system. , and may also cause some manslaughter.

Therefore, it is more effective to add a database firewall between the Web application and the database. The database firewall parses the SQL statements from the Web application to the database, alerting and blocking the attack behavior that conforms to the SQL injection characteristics.

Here is the topology after the firewall is joined:

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/73/07/wKioL1Xyg8uhp2opAACHvOhTe6g420.jpg "title=" Waf-rg-fh-4.jpg "alt=" Wkiol1xyg8uhp2opaachvohte6g420.jpg "/>

The protection strategy and means of database firewall are based on SQL protocol parsing, and the database firewall solves the problem that the WAF is at the expense of performance in preventing SQL injection. The way that database firewalls and WAF are deployed together will make your core data more secure.

One of the core strengths of the database firewall's prevention of SQL injection is where it is deployed, and where it is deployed after the application server. Regardless of how the attacker used the wrapper for the SQL injection attack, the final send to the database side is pure SQL statements.

The core advantage of database firewall is the SQL injection defense through SQL parsing technique instead of regular matching technique. SQL syntax parsing technology has higher performance and higher accuracy.

The core advantage of the database firewall is that it has a comprehensive defense approach to help minimize the loss of security even after being injected.

The database firewall can achieve overall security protection with four points:

1, whether the statement contains obvious SQL injection characteristics, there is a block

2, the statement of high-risk command was found, to alarm or block

3. Whether the object accessed by the statement is part of the user's access rights, and if none is blocked

4, limit the number of return rows of the statement, and then block the return row

After joining the database firewall, the database firewall gets the SQL statements that the Web app sends to the database between the databases. SQL protocol is parsed according to different database by the SQL statement obtained.

By using protocol resolution, the SQL statements sent by the application are restored to the standard mode (with the addition of various symbols, translation codes, etc.), the way the attacker used to wrap around the WAF, where it will be killed, will become a more pure SQL statement.

Based on these pure SQL statements, match the predefined SQL injection features, such as:

A combination of constant expressions and annotations

A combination of constant expressions and Union

Calls to out-of-band functions

A combination of stitching characters and OR

Commonly injected SQL functions, etc.

In addition to the characteristics of SQL injection matching, some high-risk commands will be accused or blocked, such as truncate, drop, delete nowhere, insert nowhere and other high-risk operations to block, to prevent attacks caused by large disaster accidents.

At the same time, the application of SQL statements, operations and fine-grained permission control of the object, you can prevent the application to access some sensitive tables, such as to prevent SQL Injection reconnaissance phase common system table access.

Even if a SQL injection is sent to the database side, the database firewall will further limit the number of rows returned by the database through the row count control, which will block the return of a large number of data, such as the number of rows returned for some sensitive tables to not allow more than 100, thus minimizing the loss.

The database firewall is no doubt more thorough than the WAF's prevention of SQL injection.

This article is from the Database security blog, so be sure to keep this source http://schina.blog.51cto.com/9734953/1693830

SQL injection bypass and defense techniques for WAF