Conditional Comments

Context

This article focuses on using conditional comments within SQL queries to bypass Web Application Firewalls (WAFs) during SQL injection attacks on MariaDB databases. It assumes the reader is familiar with SQL comments, conditional logic, and general MariaDB WAF bypass techniques.

Theory

Conditional Comments in SQL

Conditional comments are a special type of SQL comment whose contents the server executes only when its version meets a threshold given in the comment. They exist for compatibility between different versions of SQL servers, but they can be leveraged to bypass web application firewalls: executable code is embedded inside what looks like a comment, which makes it harder for a WAF to recognise.

MariaDB Version Control with Comments

MariaDB interprets these comments according to the server version, so certain SQL code can be executed conditionally. This makes it possible to build SQL injections that are both stealthy and precisely targeted. By embedding SQL logic within comments, one can ensure that the logic only executes on particular versions of MariaDB, improving the effectiveness of the injection while avoiding detection by security mechanisms.

Execution Comments

Execution comments are a form of conditional comment in which the embedded SQL code is executed depending on the server version. For instance, the comment /*!50000 SELECT * FROM users */ would only be executed if the MariaDB version is 5.0.0 or higher. This technique allows attackers to embed seemingly innocuous comments that, under specific conditions, execute potentially malicious SQL code.

Practice

Using Conditional Comments for WAF Bypass

To effectively use conditional comments for bypassing WAFs, follow these steps:

  • Execute Query for MariaDB Version 5.0.0 or Higher

    SELECT /*!50000 1,2,3*/ FROM dual;

    This query executes the select list only if the MariaDB version is 5.0.0 or higher, allowing version-specific logic to be embedded within SQL queries.

  • Execute Query for MariaDB Version 4.0.0 or Higher

    SELECT /*!40000 1,2,3*/ FROM dual;

    Similar to the previous step, but with a lower version threshold; this provides backward compatibility and lets the payload target older systems.

  • Embed UNION SELECT in a Conditional Comment

    /*!50000 UNION SELECT username, password FROM users */

    By embedding the UNION SELECT statement in a comment, this payload can bypass WAF input validation, because many rules treat anything between /* and */ as an ordinary comment and do not inspect or block it.

When these payloads reach the database, they are expected to bypass the WAF rules and retrieve data without triggering security defenses.
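To see the detection gap from the defender's side, here is a small normaliser written for this page (example code, not from any tool or project named here). It contrasts what a comment-stripping WAF rule sees with what the server actually executes once version-aware executable comments are unwrapped, and reports the keywords hidden in between. The signature list, the version-encoding assumption (MMmmrr, as in MySQL) and the sample inputs are constructed for the example.

```python
import re

# MySQL/MariaDB executable ("conditional") comments: /*!NNNNN body */ runs
# `body` when the server version is at least NNNNN (MMmmrr, e.g. 50000 for
# 5.0.0); MariaDB additionally accepts the /*M! ... */ form. Without digits,
# `body` is executed unconditionally. String literals are not tokenised here,
# so a production normaliser should lex the statement first (assumption).
COND_COMMENT = re.compile(r"/\*M?!(\d{5,6})?\s*(.*?)\*/", re.DOTALL)
ANY_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

# Tokens a signature rule would look for; constructed for this example.
SIGNATURES = ("UNION SELECT", "SELECT", "FROM")

def squash(sql: str) -> str:
    """Collapse whitespace so keyword matching is insensitive to padding."""
    return " ".join(sql.split())

def naive_normalize(sql: str) -> str:
    """What a comment-stripping WAF rule sees: every /* ... */ becomes a space."""
    return squash(ANY_COMMENT.sub(" ", sql))

def unwrap_conditional(sql: str, server_version: int) -> str:
    """What the database executes: keep the body of every executable comment
    whose threshold the server meets, drop the rest like ordinary comments.
    Note that an unmet threshold leaves e.g. 'SELECT FROM dual;', a syntax error."""
    def keep_or_drop(m: re.Match) -> str:
        threshold, body = m.group(1), m.group(2)
        if threshold is None or int(threshold) <= server_version:
            return f" {body} "
        return " "
    return squash(ANY_COMMENT.sub(" ", COND_COMMENT.sub(keep_or_drop, sql)))

def hidden_keywords(sql: str, server_version: int = 100600) -> list[str]:
    """Signatures present in the executed form but absent from the naive view:
    exactly what the conditional comment hides from the firewall."""
    naive = naive_normalize(sql).upper()
    executed = unwrap_conditional(sql, server_version).upper()
    return [kw for kw in SIGNATURES
            if re.search(rf"\b{kw}\b", executed) and not re.search(rf"\b{kw}\b", naive)]

if __name__ == "__main__":
    # Constructed sample inputs echoing the payload shapes shown above.
    for sample in ("SELECT /*!50000 1,2,3*/ FROM dual;",
                   "1 /*!50000 UNION SELECT username, password FROM users */"):
        print(f"{sample!r}\n  WAF sees: {naive_normalize(sample)}\n  DB runs : "
              f"{unwrap_conditional(sample, 100600)}\n  hidden  : {hidden_keywords(sample)}")
```

The practical lesson for rule authors is to normalise executable comments the way the target server does before matching signatures, rather than treating every comment as whitespace.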

Tools

  • sqlmap
  • Burp Suite

These are the standard tools for testing SQL injection, and both are useful when experimenting with conditional comments to bypass WAFs.
