websecurity@lists.webappsec.org

The Web Security Mailing List

Re: [WEB SECURITY] SQL Smuggling: New methods of SQL Smuggling

MustLive
Mon, Jan 31, 2011 4:45 PM

Robert!

I hope everything is good with the list after the move to new hosting ;-).

> You can test your payloads against the ModSecurity Core Rule Set here:

Josh!

Thanks for the link. But I will never check my bypass techniques on the
WAF developers' own server :-) (as must be clear from my previous
letter).

> You don't need the backend server to be vulnerable to SQLi

I always prefer to check bypass techniques in a real environment, so
vulnerable web apps are required for that. And in some cases, especially
when the attack payload is complex enough (like in the cases which I
mentioned in my article about Advanced methods of SQL Smuggling), it's very
important to have a vulnerable web app at the site with the WAF. So in case
the WAF is blocking some attack and I'm modifying the request "on the fly"
to bypass it, to see both responses of the site and the WAF, i.e. not only
to bypass the WAF, but to do it with valid SQL code which makes a valid
SQLi attack.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "Josh Amishav-Zlatin" <josh@ramat.cc>
To: "MustLive" <mustlive@websecurity.com.ua>
Cc: "Michele Orru" <antisnatchor@gmail.com>; <websecurity@webappsec.org>
Sent: Wednesday, January 19, 2011 1:06 PM
Subject: Re: [WEB SECURITY] SQL Smuggling: New methods of SQL Smuggling

> On Tue, Jan 18, 2011 at 11:34:45PM +0200, MustLive wrote:
>>
>> Regarding SQL Injection, then I've bypassed some time ModSecurity for
>> SQLi attacks (as with using methods mentioned in my series of articles
>> about SQL Smuggling, as with using other methods which will not be made
>> public). Sometimes for full scale SQLi, sometimes for limited SQLi, but
>> still useful for attacking purposes. I don't know about latest
>> ModSecurity default rules, but you can give me a link to a site with
>> such configuration and with SQL Injection holes :-), and I'll check it
>> and will tell if any of my
>
> Hi,
>
> You can test your payloads against the ModSecurity Core Rule Set here:
> http://www.modsecurity.org/demo/crs-demo.html
>
> You don't need the backend server to be vulnerable to SQLi, you only
> want to check if the CRS identifies your payloads as malicious or not.
>
> --
> - Josh