Using MySQL implicit type conversion in SQL injection to bypass WAF detection (freebuf)

Source: Internet
Author: User
Tags: modsecurity

Web applications generally use form-based authentication (as shown in the figure). The processing logic passes the user name and password submitted in the form to the back-end database for a query and decides whether authentication succeeded based on the query result. In a LAMP architecture, PHP implements the processing logic and MySQL is the back-end database. Careless handling in this step leads to many serious vulnerabilities; apart from weak passwords and brute-force attacks, the most common one is SQL injection. SQL injection can be exploited in many ways (SQLNuke, for example, is a MySQL load_file fuzz tool built on it). The focus of this post is bypassing WAF detection by using MySQL implicit type conversion.


The following example shows the process. It consists of two files, login.html and login.php, and one table, member.user, which stores user names and passwords.


(1) Login form: login.html


(2) Authentication: login.php


<?php
if (isset($_POST["login"])) {
    $link = mysql_connect("localhost", "root", "toor") or die("cannot connect database" . mysql_error());
    mysql_select_db("member") or die("cannot select the db");
    // Injection point: both form fields are concatenated straight into the SQL text.
    $query = "select * from user where user='" . $_POST["user"] . "' and password='" . md5($_POST["password"]) . "'";
    echo $query . "<br/>";
    $result = mysql_query($query) or die("the query failed:" . mysql_error());
    echo "<br/>";
    $match_count = mysql_num_rows($result);
    if ($match_count) {
        // Every matching row is printed, so the page reveals which rows the query hit.
        while ($row = mysql_fetch_assoc($result)) {
            echo "<strong>User: </strong>" . $row["user"] . "<br/>";
            echo "<strong>Password: </strong>" . $row["password"] . "<br/>";
            echo "<br/>";
        }
    } else {
        echo "Wrong User or password <br/>";
        echo '<a href="http://10.1.36.34/login.html">Back</a><br/>';
    }
    mysql_free_result($result);
    mysql_close($link);
}


Pay attention to how the query string is built (highlighted in red in the original). The user name and password entered by the user are passed into the database query without any filtering. The script also prints the query string and the query result on the page, so the effect of each SQL query can be seen directly.
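For contrast, here is the same login written with a prepared statement. This is an added example, not the original script: it keeps the page's connection details and member.user table, and assumes (unlike the md5 column above) that the password column holds password_hash() output.

```php
<?php
// Added example, not the page's own code. Connection details and the user
// table come from the page; password_hash() storage is an assumption.
if (isset($_POST["login"])) {
    $link = mysqli_connect("localhost", "root", "toor", "member");
    if ($link === false) {
        die("cannot connect database");
    }

    // The user name is bound as a parameter and never spliced into the SQL text.
    // MySQL receives it as a string value, so input such as  A' + 'B #  is
    // compared literally with the user column: no arithmetic, no implicit
    // numeric conversion and no comment marker are ever parsed.
    $stmt = mysqli_prepare($link, "SELECT user, password FROM user WHERE user = ?");
    mysqli_stmt_bind_param($stmt, "s", $_POST["user"]);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    $row = mysqli_fetch_assoc($result);

    // Require exactly one matching row and a verified password hash.
    // The stored hash is never echoed back to the page.
    if ($row !== null && mysqli_num_rows($result) === 1
        && password_verify($_POST["password"], $row["password"])) {
        echo "<strong>User: </strong>" . htmlspecialchars($row["user"]) . "<br/>";
    } else {
        echo "Wrong User or password <br/>";
    }

    mysqli_stmt_close($stmt);
    mysqli_close($link);
}
```

With the value bound server-side, the WAF is no longer the only control: whether or not a signature recognises the arithmetic-operator variants shown below, the query cannot change shape.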

(3) Table: member.user


A common user table consists of two fields: user name and password.

The table contains 8 rows of data.


Obviously, this program is vulnerable to SQL injection. Now let's look at some interesting query results.

(1) Enter the user name A' + 'B #


The figure shows the query result.

(2) Enter the user name 45a' + 'B' #


The reason for the above results is that the arithmetic operator + converts its string operands, and the string column user, to numbers. MySQL takes the leading numeric part of a string and treats the rest as 0: dani, tanjiti, dani123 and 0dani convert to 0; 123dani and 123tanjiti convert to 123; 45dani and 045tanjiti convert to 45. 'A' + 'B' evaluates to 0 + 0 = 0, so the rows whose user name converts to 0 are returned; '45a' + 'B' evaluates to 45 + 0 = 45, so the rows whose user name converts to 45 are returned.

Besides the plus sign, the other arithmetic operators also trigger this type conversion: MOD, DIV, *, /, %, -.

(3) Enter the user name A' MOD '1' #

'A' MOD '1' evaluates to 0 MOD 1 = 0, so the rows whose user name converts to 0 are returned.


(4) Enter the user name '-'' #


'' - '' evaluates to 0 - 0 = 0, so the rows whose user name converts to 0 are returned.


(5) Enter the user name '/'1' #


'' / '1' evaluates to 0 / 1 = 0, so the rows whose user name converts to 0 are returned.

The bit operators &, |, ^, << and >> have the same effect.

(6) Enter the user name A' & 'B' #

'A' & 'B' evaluates to 0 & 0 = 0, so the rows whose user name converts to 0 are returned.

As for the WAF: when ' or 1='1 is entered, the ModSecurity firewall reports an error (I have not tried ModSecurity myself; see the description in my blog).

The inputs above bypass that detection. In general, using MySQL implicit type conversion to evade a WAF's SQL injection detection is a rather good idea.