Schema Enumeration Bypass

Context

In this guide, we will explore techniques to bypass Web Application Firewall (WAF) protections for enumerating database schemas in MariaDB through advanced SQL injection methods. This guide assumes that you have an intermediate understanding of SQL databases, web application architecture, and MariaDB WAF bypass techniques.

Theory

Understanding Information Schema

The information schema is a crucial component of SQL databases, acting as a repository for metadata about the existing databases on a server. It contains a variety of tables like TABLES, COLUMNS, and SCHEMATA that provide descriptive data about the structure and organization of the databases. Accessing this information is vital for executing effective enumeration attacks.

WAF Detection Mechanisms

Web Application Firewalls (WAFs) serve as a line of defense, detecting and blocking attempts to execute unauthorized SQL commands, such as SQL injection attacks. These systems analyze incoming and outgoing traffic for known patterns indicative of malicious activity. Attackers, therefore, must craft their queries carefully to avoid detection while still achieving their objectives.

Bypassing Security Controls

Circumventing WAF security often involves leveraging inconspicuous methods to access the information schema without triggering detection mechanisms. Techniques such as utilizing alternative queries or SQL functions, or exploiting parsing inconsistencies, can succeed where direct attacks fail. Understanding the limitations and flaws of WAF implementations is key to executing successful bypasses.

Advanced SQL Injection Techniques

Exploiting vulnerabilities through SQL injection requires a deep understanding of the database engine's behavior. Advanced tactics include using unconventional queries and system tables, like mysql.innodb_table_stats and mysql.innodb_index_stats, which can provide indirect access to sensitive information while evading WAF rules. By understanding these weaknesses in WAF rule coverage, attackers can effectively bypass security measures.

Practice

Schema Enumeration Bypass via mysql.innodb_table_stats

This technique involves using non-standard tables within the MariaDB system to achieve schema enumeration without triggering WAF protections. The table mysql.innodb_table_stats is particularly useful for this purpose.

  • Extracting Table Statistics
    You can extract table statistics by querying the mysql.innodb_table_stats table for a specific database.

    SELECT * FROM mysql.innodb_table_stats WHERE database_name='target_db';
    

    This command retrieves statistics from tables within the specified database.

  • Retrieving Table Names
    To directly enumerate the names of tables, execute:

    SELECT table_name FROM mysql.innodb_table_stats WHERE database_name='target_db';
    

    This query lists all the tables available in the target database, providing a map of the database's structure.

Information Schema Bypass using InnoDB Index Scan

Another method involves the use of InnoDB index statistics, offering an alternative path to bypass WAF controls.

  • Standard Table Listing
    At its most basic, listing tables in a database looks like this:

    SELECT table_name FROM information_schema.tables WHERE table_schema='target_db' AND table_type='BASE TABLE';
    

    However, this standard query might be blocked by a WAF.

  • Index Stats Approach
    By querying the mysql.innodb_index_stats table, one can bypass standard detection:

    SELECT table_name FROM mysql.innodb_index_stats WHERE database_name='target_db';
    

    This command enables the listing of table names via their index statistics, a covert approach that often escapes WAF scrutiny.

Both techniques allow the extraction of table metadata from databases, aiding in subsequent phases of an attack by outlining the database architecture.
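
From the defender's side, the same three metadata sources can be watched in the database's own query or audit log, where a statement appears as the server received it regardless of what the WAF matched. The following is an added example, not part of the original guide; the log-entry shape, the account names and the allow list are assumptions, and the sample entries are constructed.

```python
import re

# Metadata sources named in this guide. The two mysql.* statistics tables
# expose table names just as information_schema does.
METADATA_SOURCES = {
    "information_schema": re.compile(r"\binformation_schema\s*\.\s*\w+"),
    "innodb_table_stats": re.compile(r"\bmysql\s*\.\s*innodb_table_stats\b"),
    "innodb_index_stats": re.compile(r"\bmysql\s*\.\s*innodb_index_stats\b"),
}

# Assumption: accounts that legitimately read metadata (DBA, backup jobs).
ALLOWED_USERS = {"dba_admin", "backup_svc"}


def normalize(statement):
    """Lowercase, drop identifier backticks and collapse whitespace so the
    match does not depend on how the client formatted the statement."""
    return re.sub(r"\s+", " ", statement.replace("`", "").lower()).strip()


def metadata_hits(statement):
    """Return the sorted names of metadata sources a statement reads."""
    text = normalize(statement)
    return sorted(n for n, rx in METADATA_SOURCES.items() if rx.search(text))


def audit(entries):
    """Yield (user, sources, statement) for metadata reads by accounts
    that are not on the allow list."""
    for user, statement in entries:
        hits = metadata_hits(statement)
        if hits and user not in ALLOWED_USERS:
            yield user, hits, statement


# Constructed sample log entries: (database user, statement as logged).
SAMPLE_LOG = [
    ("webapp", "SELECT id, name FROM products WHERE id = 7"),
    ("webapp", "SELECT table_name FROM information_schema.tables WHERE table_schema='target_db'"),
    ("webapp", "SELECT table_name FROM mysql.innodb_table_stats WHERE database_name='target_db'"),
    ("webapp", "select TABLE_NAME from `mysql`.`innodb_index_stats` where database_name='target_db'"),
    ("backup_svc", "SELECT * FROM mysql.innodb_table_stats"),
]

if __name__ == "__main__":
    for user, hits, statement in audit(SAMPLE_LOG):
        print(f"ALERT user={user} sources={','.join(hits)} :: {statement}")
```

An application account with no SELECT privilege on the mysql schema cannot run either statistics-table query, so this alert is a backstop to least privilege rather than a replacement for it.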

Tools

  • sqlmap
  • Burp Suite

These tools can facilitate the exploitation of vulnerabilities identified through the enumerations achieved by the outlined techniques.
