A web application firewall (WAF) is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection.
A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.
A WAF that operates based on a blacklist (negative security model) protects against known attacks. Think of a blacklist WAF as a club bouncer instructed to deny admittance to guests who don’t meet the dress code. Conversely, a WAF based on a whitelist (positive security model) only admits traffic that has been pre-approved. This is like the bouncer at an exclusive party, he or she only admits people who are on the list. Both blacklists and whitelists have their advantages and drawbacks, which is why many WAFs offer a hybrid security model, which implements both.
The WAF rules were created against known attacks, and there are hundreds of WAF bypass technics to evade WAF to attack the vulnerable web applications.
Today, we are going to review how WAF can be evaded, and how one most recent WordPress SQL Injection vulnerability can be leveraged. And finally, we will go through one new novel technology to mitigate the risk.
Photo Gallery is one WordPress plugin, more than 300K websites installed the plugin. Before 1.5.36, it contained one SQL injection vulnerability. We will demo how a small vulnerability can be used to make the website run out of service.
Here are more details on the vulnerability(CVE: 2019-16119, Date: 09-10-2019): https://www.exploitalert.com/view-details.html?id=34051
# Exploit Title: WordPress Plugin Photo Gallery by 10Web <= 1.5.34 - Blind SQL injection # inurl:"\wp-content\plugins\photo-gallery" # Date: 09-10-2019 # Exploit Author: MTK (http://mtk911.cf/) # Vendor Homepage: https://10web.io/ # Software Link: https://downloads.wordpress.org/plugin/photo-gallery.1.5.34.zip # Version: Up to v1.5.34 # Tested on: Apache2/WordPress 5.2.2 - Firefox/Windows - SQLMap # CVE : 2019-16119 # Software description: Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes. # Technical Details & Impact: Through the SQL injection vulnerability, a malicious user could inject SQL code in order to steal information from the database, modify data from the database, even delete database or data from them. # POC In Gallery Group tab > Add new and in add galleries / Gallery groups. GET request going with parameter album_id is vulnerable to Time Based Blind SQL injection. Following is the POC, 1. http://127.0.0.1/wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=<SQLi+HERE>&width=785&height=550&bwg_nonce=9e367490cc& 2. http://127.0.0.1/wp-admin/admin-ajax.php?action=albumsgalleries_bwg&album_id=0 AND (SELECT 1 FROM (SELECT(SLEEP(10)))BLAH)&width=785&height=550&bwg_nonce=9e367490cc&
Follow the PoC, add new Gallery Groups.
And then click the button below which will trigger the vulnerability link.
The below image is the data we captured with Burp Suite.
We can use Burp Suite repeater to replay the request, everything works normally
Let’s try simple SQL injection like: or select(1), or sleep(10), etc.
We can see that for simple SQL injection attacks, WAF can identify and block as expected.
Let’s combine more WAF bypass ticks, still ok, but mainly because of sleep(10) pattern, easy to detect.
Let’s keep on tweaking the injection a little bit by adding /**/ into the sleep function. Now we can see that the WAF has been bypassed, and it took more than 10 seconds for the server to return the result due to the sleep(10). If we write one simple attack script to launch hundreds of instances in this pattern, all server processes will be in asleep, and the website will not be able to respond to other user’s normal request.
For the tricks being used in this article, one effort was made one year ago: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1181
But we can see how many combinations it can be (as this article did, just in 10 mins), and it is impossible to write complicate enough WAF rules to block all kinds of bypass completely.
- Please do not use the skills discussed in this article to attack websites, it is for technical discussion only
AppCalcium is one innovative solution to work inside the application, understand business logic, only allow the application to behave as designed.
For the same attack above, we can see AppCalcium successfully identify and blocked the behaviour anomaly and provided all the attack details about when/what/how/where/who/etc.
AppCalcium portal (https://app.oaxon.com) provided detail information about the attack
AppCalcium also provided detailed information about all kinds of events, attacks.
Are you using WordPress? Why not give it a try for the best protection?
The WordPress enhanced by AppCalcium can be launched in AWS easily.
See a quick video on how to launch the AWS EC2 instance.