Introduction

In May 2020, I discovered a CSRF vulnerability affecting the web administration panel of my home router. The router was provided to me by Fastweb, an Italian ISP company with which I have an active Internet subscription. The vulnerable router model is listed below, in the “System Affected” section.

The vulnerability

The administration web panel of the router is vulnerable to Cross Site Request Forgery (CVE 2020-13620).

As stated by the OWASP:

“Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. …


Introduction

In this article I will show you a simple technique I learned following this talk about SQL injection obfuscation and optimization: https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf

The talk is very interesting and I suggest you to give a look at the slides linked above.

During the talk, among other things, it’s explained how in some situations it can be very useful to write a little fuzzer for a DBMS (I will use MySQL in this exercise) in order to find some weird characters that may help you to bypass weak security filters or WAFs during a web security assessment.

Let’s simulate a situation where we have found an UNION based SQL injection vulnerability in a web site we are auditing but we noticed that some characters in our SQL payloads are blocked by the WAF. For example, let’s assume that the web application’s WAF implements the following security…


Introduction

SQLmap is a very useful tool when you want to automatize the exploitation of a SQL Injection vulnerability and extract protected data from a web site. Often, in order to defend against this type of attacks, developers introduce some keyword filters and/or use a WAF (Web Application Firewall) that blocks common SQL Injections payloads.

Most of the time, this type of filters are regex-based. Let’s see an example:

/AND|OR/i

This simple filter blocks the keywords OR and AND and is case insensitive (note the i at the end of the regex). So, classic payloads like:

' or 1=1#
' and 1=2#
' Or 5=5#
' AnD…

About

Luca Di Domenico

Penetration Tester. Interested in web security and privacy. He/him.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store