SQL Injection and WAFs

Had a friend today test a site with multiple SQL injection points across the application. It was blind injection - no errors were being returned to the browser, but on a valid (true) statement you'd get content back, and on a false statement or an error you'd get nothing. One particular vulnerable page was quite basic (only one parameter, the result of which would display just one small text article), so we had a go at guessing the number and type of columns for a 'union select' injection.
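To make the "true gives content, false gives a blank page" behaviour concrete, here is an added example (not code from the original post or from the site being tested) that reproduces that oracle against a constructed in-memory SQLite table, side by side with the parameterised query that closes the hole. The table name, column names and article text are assumptions; the injected strings mirror the quoted payloads the post describes.

```python
import sqlite3

ARTICLE = "A small text article."  # constructed sample content


def make_db():
    """Constructed stand-in for the site's article table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id TEXT PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO articles VALUES ('sometext', ?)", (ARTICLE,))
    conn.commit()
    return conn


def fetch_article_vulnerable(conn, article_id):
    """Assumed shape of the vulnerable page: the parameter is concatenated
    straight into the SQL. Errors are swallowed, so a broken query and a
    false condition both come back as 'nothing' - exactly the blind oracle."""
    sql = "SELECT body FROM articles WHERE id = '" + article_id + "'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None  # blank page: the browser sees no error text
    return row[0] if row else None


def fetch_article_safe(conn, article_id):
    """Hardened version: the value is bound as a parameter, so quotes and
    keywords inside it are data, never SQL. No keyword filter is needed."""
    sql = "SELECT body FROM articles WHERE id = ?"
    row = conn.execute(sql, (article_id,)).fetchone()
    return row[0] if row else None


def oracle_demo():
    """Return (vulnerable_results, safe_results) for the same inputs so the
    difference between the two query styles is visible in one place."""
    conn = make_db()
    inputs = [
        "sometext",                           # legitimate request
        "sometext' and 'anion'='anion'--",    # true condition: content returned
        "sometext' and 'anion'='onion'--",    # false condition: blank page
        "sometext' and 'union'='union'--",    # the DB itself does not care about the keyword
    ]
    vulnerable = [fetch_article_vulnerable(conn, i) for i in inputs]
    safe = [fetch_article_safe(conn, i) for i in inputs]
    return vulnerable, safe


if __name__ == "__main__":
    v, s = oracle_demo()
    for label, res in (("concatenated", v), ("parameterised", s)):
        print(label, res)
```

The last input shows why a WAF that blanks pages on `union` is a patch over the symptom: the database evaluates `'union'='union'` exactly like `'anion'='anion'`, and only the parameterised query makes both harmless.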

No luck after a few minutes of guessing, but it could take a while to guess without errors, so we thought we'd go down the blind route (substring, waitfor, etc.). Before writing a custom script we fired some common tools at it - SQLMap being one. It detected the quoted injection point (' and '1'='1), but failed to enumerate the backend DBMS. Even with the correct DBMS selected on the command line, exploitation failed. No meaningful errors.

It was at this point we started digging. We didn't know whether a web application firewall (WAF) was in front of the application, but we found a neat but very basic way of checking...

http://somerandomsite.local/id=sometext'+and+'anion'='anion'-- worked fine
http://somerandomsite.local/id=sometext'+and+'union'='union'-- failed with a blank page.

At this stage you can obviously work out which keywords are filtered and think about how to bypass them...
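From the defending side, the `anion`/`union` pair is the tell: a keyword blacklist only sees the second request, while the structure of both requests is identical. Below is an added example (not from the original post) that scans a few constructed access-log lines and compares a naive `union` keyword match with a check for the quoted `' and 'x'='y` probe shape itself, regardless of which word sits inside the quotes. The log format, IPs, timestamps and status codes are all constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache/nginx-style access log lines. The 403 with 0 bytes is
# what a blocking WAF would leave behind for the 'union' variant.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?id=sometext HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?id=sometext%27+and+%27anion%27%3D%27anion%27-- HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?id=sometext%27+and+%27union%27%3D%27union%27-- HTTP/1.1" 403 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?id=sometext%27+and+%271%27%3D%272 HTTP/1.1" 200 0',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Naive blacklist: the kind of rule that blanks the page on 'union'.
KEYWORD_RE = re.compile(r"\bunion\b", re.IGNORECASE)

# Structural check: a closing quote, a boolean operator, then a quoted
# comparison. Matches whether the word inside is 'union', 'anion' or '1',
# and whether or not the trailing quote/comment is present.
PROBE_RE = re.compile(r"'\s*(?:and|or)\s*'[^']*'\s*=\s*'", re.IGNORECASE)


def decoded_param_values(target):
    """Return every decoded query-string value in the request target."""
    query = urlsplit(target).query
    params = parse_qs(query, keep_blank_values=True)
    return [v for values in params.values() for v in values]


def classify_line(line):
    """Parse one log line and report both detection outcomes for it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    values = decoded_param_values(m.group("target"))
    return {
        "ip": m.group("ip"),
        "status": int(m.group("status")),
        "bytes": int(m.group("bytes")),
        "keyword_hit": any(KEYWORD_RE.search(v) for v in values),
        "probe_hit": any(PROBE_RE.search(v) for v in values),
    }


def scan(lines):
    """Classify all lines, dropping any that do not parse."""
    results = [classify_line(l) for l in lines]
    return [r for r in results if r is not None]


def summary(lines):
    """Counts of what each approach would have flagged."""
    rows = scan(lines)
    return {
        "total": len(rows),
        "keyword_flagged": sum(r["keyword_hit"] for r in rows),
        "probe_flagged": sum(r["probe_hit"] for r in rows),
    }


if __name__ == "__main__":
    for r in scan(LOG_LINES):
        print(r)
    print(summary(LOG_LINES))
```

Run over the sample, the keyword rule flags one request and the structural rule flags three; the one request the blacklist catches is also the one the WAF already blocked, so the alerting value of the keyword match is close to zero, while the probe pattern surfaces the reconnaissance that returned 200.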

Nothing groundbreaking, but a technique I hadn't used before. Have fun :)