
SQL Injection Due to Unorthodox MSSQL Design Choice

Keywords: SQL, AWS

Description:

On June 21st, 2023, GoSecure published an article [1] showing how the lenient way MSSQL parses queries can be exploited to bypass the AWS web application firewall.

Airlock Gateway and Microgateway are not affected.

Details:

The filter bypass technique concerns SQL injection. The attack packs a query without any whitespace or semicolons between its tokens. A web application firewall may not block such a payload because it does not recognise it as valid SQL; MSSQL, however, parses queries leniently, so it accepts and executes the payload and the injection succeeds.

The following list shows the attack payloads from the article together with Airlock's block information for each of them (Deny Rule short name and security level). As can be seen, Airlock Gateway and Airlock Microgateway block these evasion techniques.

  • <standard (SQL_025A), strict (SQL_025A)> payload=use[tempdb]create/**/table[test]([id]int)insert[test]values(1)select[id]from[test]drop/**/table[test]
  • <basic (SQL_060A), standard (SQL_060A), strict (SQL_060A)> payload=admina'union select 1,'admin','testtest123'exec('select 1')--
  • <basic (SQL_030A), standard (SQL_005A,SQL_025A,SQL_030A), strict (SQL_005A,SQL_025A,SQL_030A)> payload=admin'exec('update[users]set[password]=''a''')--
  • <standard (SQL_005A,SQL_065A), strict (SQL_005A,SQL_065A)> payload=admin'exec('sp_configure''show advanced option'',''1''reconfigure')exec('sp_configure''xp_cmdshell'',''1''reconfigure')--
  • <standard (SQL_005A,SQL_065A), strict (SQL_005A,SQL_065A)> payload=admin'exec('xp_cmdshell''echo "This is a test!" > C:\Temp\test.txt''')--
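As an added example (not code from this page, from Airlock or from GoSecure), the following Python lexer tokenises a request parameter the way MSSQL does, so that keyword sequences can be recognised even when the payload contains no whitespace. It shows that a whitespace-based keyword pattern never fires on the first payload above (because `/**/` is not whitespace), while a rule applied to the token stream catches all five. The rule names, rule patterns and benign sample values are assumptions made for the illustration and are not Airlock's Deny Rules.

```python
"""
Added example (not code from Airlock or from the GoSecure article): a small
T-SQL lexer showing why whitespace-free payloads evade a keyword pattern that
expects spaces, and how tokenising a parameter the way MSSQL does closes the
gap. Rule names and patterns are illustrative and are not Airlock's Deny Rules.
"""
from __future__ import annotations
import re

# MSSQL lexemes in priority order. Comments, bracketed identifiers, string
# literals and punctuation end the previous token by themselves, which is
# why MSSQL needs no whitespace between them.
_TOKEN_RE = re.compile(
    r"/\*.*?\*/"                     # /* block comment */
    r"|--[^\r\n]*"                   # -- line comment
    r"|\[[^\]]*\]"                   # [bracketed identifier]
    r"|'(?:[^']|'')*'"               # 'string literal' with '' escapes
    r"|\d+"                          # number
    r"|[A-Za-z_@#][A-Za-z0-9_@#$]*"  # keyword, identifier or variable
    r"|\S",                          # any other single character
    re.DOTALL,
)

def tokenize(sql: str, depth: int = 0) -> list[str]:
    """Lex sql into lowercase tokens: comments dropped, brackets stripped,
    and a string literal that is the argument of EXEC(...) lexed recursively
    because MSSQL executes that string as SQL."""
    out: list[str] = []
    for m in _TOKEN_RE.finditer(sql):
        tok = m.group(0)
        if tok.startswith(("/*", "--")):
            continue
        if tok.startswith("["):
            out.append(tok[1:-1].lower())
        elif tok.startswith("'") and len(tok) >= 2:
            inner = tok[1:-1].replace("''", "'")
            if depth < 3 and out[-2:] in (["exec", "("], ["execute", "("]):
                out.extend(tokenize(inner, depth + 1))
            else:
                out.append("'" + inner.lower() + "'")
        else:
            out.append(tok.lower())
    return out

# A WAF cannot know whether the application splices the parameter into an
# open string literal, so it is lexed both as bare SQL and as text that
# closes a single quote (the quote-context approach also used by libinjection).
CONTEXTS = ("", "'")

# Illustrative rules applied to the space-joined token stream, so the
# presence or absence of whitespace in the request no longer matters.
RULES = {
    "union_select":   re.compile(r"\bunion select\b"),
    "dynamic_sql":    re.compile(r"\bexec(?:ute)? \("),
    "ddl":            re.compile(r"\b(?:create|drop) table\b"),
    "update_set":     re.compile(r"\bupdate \S+ set\b"),
    "dangerous_proc": re.compile(r"\b(?:xp_cmdshell|sp_configure)\b"),
}

# A whitespace-based pattern of the kind the article bypasses: "/**/" is
# not whitespace, so it never fires on the first payload listed above.
NAIVE_DDL = re.compile(r"\b(?:create|drop)\s+table\b", re.I)

def naive_ddl_hit(param: str) -> bool:
    return NAIVE_DDL.search(param) is not None

def normalize(param: str, context: str = "") -> str:
    """Space-joined token stream of the parameter in the given quote context."""
    return " ".join(tokenize(context + param))

def matched_rules(param: str) -> list[str]:
    """Names of the rules that fire in any quote context, in RULES order."""
    hits: set[str] = set()
    for ctx in CONTEXTS:
        norm = normalize(param, ctx)
        hits.update(name for name, rx in RULES.items() if rx.search(norm))
    return [name for name in RULES if name in hits]

# The five payloads listed on this page (from the GoSecure write-up).
PAYLOADS = [
    "use[tempdb]create/**/table[test]([id]int)insert[test]values(1)select[id]from[test]drop/**/table[test]",
    "admina'union select 1,'admin','testtest123'exec('select 1')--",
    "admin'exec('update[users]set[password]=''a''')--",
    "admin'exec('sp_configure''show advanced option'',''1''reconfigure')"
    "exec('sp_configure''xp_cmdshell'',''1''reconfigure')--",
    "admin'exec('xp_cmdshell''echo \"This is a test!\" > C:\\Temp\\test.txt''')--",
]

# Constructed benign values a login or search form might legitimately carry.
BENIGN = ["alice", "O'Brien", "select a good option", "I'll drop by the table at 5"]

if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"naive={naive_ddl_hit(p)!s:5} rules={matched_rules(p)}  {p[:48]}")
    for b in BENIGN:
        print(f"naive={naive_ddl_hit(b)!s:5} rules={matched_rules(b)}  {b}")
```

Two design points are worth noting. First, the lexer recurses only into string literals passed to `EXEC(...)`, because that is the one place where a literal's content is executed as SQL; the contents of other literals are kept as a single quoted token, which is a deliberate trade-off between catching procedure names hidden in strings and false positives on free-text fields. Second, the rules are matched against the normalised token stream rather than the raw request, so a payload that replaces whitespace with comments, brackets or quote boundaries produces the same token sequence as its spaced-out equivalent.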

Airlock's Deny Rule filters provide an extremely high level of security, as they are constantly being improved and are tested 24x7 in a CTF-like bug bounty program. We are happy to accept any interested hacker into the program and reward any new bypass technique with money. Links to sign up: https://hackerone.com/airlock or https://www.bugbounty.ch/programs

Resolution: 

No action required.

General advice: Make sure that Airlock's Deny Rules are properly configured, i.e.:

  • Use the latest Airlock Gateway/Microgateway version to benefit from the latest Deny Rules.
  • Configure the rules in Strict mode to cover most vulnerabilities (recommended if the integration effort is reasonable) or in Standard mode. Basic mode should be used only in special cases.
  • Consider creating additional Custom Deny Rules to validate parameters that should adhere to a well-defined format.

Additionally, as always, follow security and SQL best practices. For instance:

  • Practice a layered security approach.
  • Follow the principle of least privilege.
  • Use prepared SQL statements and validate the input.
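The prepared-statement and input-validation advice above, as an added example that is not part of the original page or Airlock's code. It uses Python's sqlite3 module as a stand-in for MSSQL so that it runs offline; the users table, its rows and the username format are constructed assumptions, and the vulnerable query is only built as text, never executed, because the page's payloads are MSSQL-specific.

```python
"""
Added example, not Airlock's code: the application-side controls the advice
above refers to, with sqlite3 standing in for MSSQL so it runs offline. The
users table, its rows and the username format are constructed for the
example; the vulnerable query is only built, never executed, because the
payloads are MSSQL-specific.
"""
import re
import sqlite3

# Two payloads from the list on this page.
PAYLOAD_UNION = "admina'union select 1,'admin','testtest123'exec('select 1')--"
PAYLOAD_UPDATE = "admin'exec('update[users]set[password]=''a''')--"

# Whitelist format for a login name (constructed): a "well-defined format"
# of the kind a Custom Deny Rule or the application itself can enforce
# before any SQL runs.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def valid_username(name: str) -> bool:
    return USERNAME_RE.fullmatch(name) is not None

def build_query_unsafe(username: str) -> str:
    """The vulnerable pattern: the value becomes part of the SQL text, so a
    quote in it ends the literal and everything after it is parsed as SQL."""
    return f"SELECT id FROM users WHERE username = '{username}'"

def setup_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's user table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "hash-of-admin"), ("alice", "hash-of-alice")])
    conn.commit()
    return conn

def lookup_bound(conn: sqlite3.Connection, username: str):
    """Parameter binding alone: the value travels separately from the query
    text, so the database compares it as a string and never parses it."""
    row = conn.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None

def find_user_id(conn: sqlite3.Connection, username: str):
    """Layered version: format check first, bound parameter second."""
    if not valid_username(username):
        return None
    return lookup_bound(conn, username)

def password_of(conn: sqlite3.Connection, username: str) -> str:
    """Used to confirm that a lookup with a payload changed nothing."""
    return conn.execute("SELECT password FROM users WHERE username = ?",
                        (username,)).fetchone()[0]

if __name__ == "__main__":
    db = setup_db()
    print("unsafe query text:", build_query_unsafe(PAYLOAD_UPDATE))
    print("bound lookup with payload ->", lookup_bound(db, PAYLOAD_UNION))
    print("validated lookups ->", find_user_id(db, "admin"), find_user_id(db, PAYLOAD_UNION))
    print("admin password unchanged:", password_of(db, "admin"))
```

The two controls are complementary: the format check rejects every payload on this page outright (each contains a quote, a bracket or a parenthesis), and the bound parameter guarantees that even a value which passes validation is never interpreted as SQL. Neither replaces a WAF or least-privilege database accounts; they are the application's own layer.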

Airlock Vulnerability Status: Does not affect Airlock

Back-end Vulnerability Status: No action required