How i was able to bypass Cloudflare WAF for SQLi payload
2021-12-11 17:24:10 Author: infosecwriteups.com(查看原文) 阅读量:1897 收藏

Momen Ali (Cyber Guy)

Hi hackers and hunters!

Cloudflare was a mistake for a lot of people they want to achieve critical vulnerabilities like: SQL injection but unfortunately, It blocks most / all the payloads. So I was hunting on a target and I used my mindset in order to bypass and break the beast!

First, I wanted to inject a boolean-based SQL Injection Payload, In bypassing you should know that the most important stage is the stage when you gonna detect the bad characters that the WAF (Web Application Firewall) blocks.

So in my case after trying a lot I find that the firewall blocks the following:

  • spaces
  • OR / AND in all cases
  • -- comment
  • # comment
  • ;
  • =

So let’s think about how can we bypass them by separating this write-up into sections:

Bypassing the — Space —

In order to bypass the space I thought of bypassing using URL Encoding like using the: %20 but it doesn’t work, also I tried to put: + instead of space but it didn’t work also, so I tried to think creatively by adding multi-line comments instead of spaces like this: /**/ so now when the WAF will pass it as a normal string, but when it goes to the Back-End DBMS it will be parsed as a comment, it will be like that:

So this is an ordinary SELECT statement in a query with the multi-line comment, this is a live example also:

Bypassing the boolean restrictions

Now the WAF blocks all the boolean operators even it was in a capital case or small case, so on of my techniques to bypass this I used to perform multi-case operators like: oR / aNd ..etc. but unfortunately in my case the WAF blocks all of those also, so I thought of the Standard URL Encoding, so the blocked operators will be like:

oR -> %6fR

But unfortunately, the firewall blocked it, so think of the non-standard encoding, which in most cases doesn’t get caught by the WAF’s, and finally, the result was:

oR -> %256fR

Now I face a new challenge the = character is blocked, so now I knew the weak point of this WAF, which is the non-standard encoding, so I did a non-standard encoding, so the payload was like:

= -> %253d

But unfortunately, if you put any value after it, simply you will be blocked, so I thought:

  • Now we wanna achieve the True datatype using the boolean based SQL Injection, and the firewall blocks anything after the non-standard encoded =
  • But I thought for a while, why I didn’t achieve the True datatype through another method, for example, if i said: 50!=22 so surely here will return a True value because 50 doesn’t equal 22

So i did a non-standard encoding for the != to be like:

!= -> %2521%253D

Bypassing the end-of-the-payload

Finally i wanna bypass the end-of-the-payload characters, for example the # or -- which refers to the comment, also the ; which ends to the query, and because i knew the weakness point in my case, so i did the same encoding type of the previous payloads, and it will be:

;# -> %253B%2523

Final result of the payload:


文章来源: https://infosecwriteups.com/how-i-was-able-to-bypass-cloudflare-waf-for-sqli-payload-b9e7a4260026?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh