This document dives into advanced techniques for bypassing Web Application Firewalls (WAF) using SQLMap. As WAFs evolve, so too must the strategies to bypass them. These advanced methods cover payload manipulation, tamper script customization, and leveraging proxy techniques.
- 1. Combining Multiple Tamper Scripts
- SQLMap allows combining tamper scripts to better obfuscate the payloads.
- Example command: `sqlmap -u <target-url> --tamper=space2comment.py,randomcase.py`. Bypassing can be enhanced by chaining several scripts that each manipulate spaces, case, or comments.
- 2. Writing Custom Tamper Scripts
- In cases where predefined tamper scripts are insufficient, custom scripts can be written. A tamper script in SQLMap is a Python file that modifies the SQL payloads before they are sent to the target, for example replacing every equal sign with `LIKE` or introducing noise characters.
- 3. Advanced Encoding Techniques
- WAFs sometimes fail to decode payloads properly when advanced encoding techniques are used.
- For example, double URL encoding or encoding payload strings with functions such as `char()`: `sqlmap -u <target-url> --tamper=charencode.py`
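The obfuscations in sections 1 and 3 work only when the WAF matches on the raw request value while the backend sees the decoded one. The defensive counterpart is to canonicalize every value before matching. The following example is added here and is not code from the original page or from SQLMap; the sample values and the two signatures are constructed for illustration, and the `CHAR()` folding assumes the MySQL-style `CHAR(n, n, ...)` form.

```python
import re
from urllib.parse import unquote

# Constructed sample parameter values (not captured from any real system).
# Each is a textbook payload hidden by one of the obfuscations named in the
# sections above: inline comments (space2comment), random case (randomcase),
# double URL encoding, and a MySQL-style CHAR() encoded string literal.
SAMPLES = {
    "space2comment": "1/**/UNION/**/SELECT/**/1,2,3",
    "randomcase": "1 uNiOn SeLeCt 1,2,3",
    "double_urlencode": "1%2520UNION%2520SELECT%25201%252C2%252C3",
    "char_function": "1 AND name=CHAR(97,100,109,105,110)",
    "benign": "summer sale 2024",
}

# Deliberately small signature set; the point is the normalization step,
# not the rule set. Patterns are written for lower-cased, decoded text.
SIGNATURES = [
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("boolean_condition", re.compile(r"\b(?:and|or)\b\s+[\w']+\s*=\s*[\w']+")),
]

_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_CHAR_CALL = re.compile(r"\bchar\s*\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.IGNORECASE)
_WHITESPACE = re.compile(r"\s+")


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Reduce a request value to the form the backend will actually see.

    1. URL-decode until a fixed point (defeats double/triple encoding).
    2. Replace inline comments with a space (defeats space2comment).
    3. Fold CHAR(n, n, ...) calls back into the literal they build.
    4. Collapse runs of whitespace and lower-case (defeats randomcase).
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = _COMMENT.sub(" ", value)
    value = _CHAR_CALL.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",")), value
    )
    return _WHITESPACE.sub(" ", value).strip().lower()


def matches_raw(value: str) -> list[str]:
    """Naive matching on the value exactly as received."""
    return [name for name, pattern in SIGNATURES if pattern.search(value)]


def matches_canonical(value: str) -> list[str]:
    """The same rules applied after canonicalization."""
    return matches_raw(canonicalize(value))


def classify(samples: dict[str, str] = SAMPLES) -> dict[str, tuple[bool, bool]]:
    """For each sample: (flagged without normalization, flagged with it)."""
    return {
        name: (bool(matches_raw(v)), bool(matches_canonical(v)))
        for name, v in samples.items()
    }


if __name__ == "__main__":
    for name, (raw_hit, canon_hit) in classify().items():
        print(f"{name:18} raw={raw_hit!s:5} canonical={canon_hit}")
```

Running it shows every obfuscated sample slipping past the raw matcher and being caught after canonicalization, while the benign value is untouched by both. The decode loop is bounded so that a value cannot be made to loop forever, and the same canonical form is what should be logged, so that analysts see the payload the database saw rather than the encoded wrapper.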
- 4. Bypassing Cloud-Based WAFs
- Cloud-based WAFs like Cloudflare and Akamai can present unique challenges. Techniques such as out-of-band (OOB) SQL injections and the use of stacked queries (`;`) are helpful in bypassing these filters.
- 5. HTTP Parameter Pollution (HPP)
- HTTP Parameter Pollution involves injecting payloads across multiple parameters in the same request. This technique can sometimes trick WAFs by confusing their parameter handling logic.
- 6. Advanced Header Spoofing
- Some WAFs heavily analyze HTTP headers. By leveraging SQLMap’s advanced header manipulation capabilities, payloads can be injected via uncommon headers like `X-Forwarded-For`, `Referer`, or `User-Agent`. Example: `sqlmap -u <target-url> --headers='X-Forwarded-For: 127.0.0.1'`
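Sections 5 and 6 both exploit the same blind spot: an inspection layer that looks at one occurrence of a parameter, or at the "usual" parameters only, while the backend reads a different occurrence or a header. The example below is added here and is not code from the original page or from SQLMap; the request, the indicator pattern and the header values are constructed, and the parsing assumes a plain query string (form bodies would be handled the same way).

```python
import ipaddress
import re
from urllib.parse import parse_qsl

# Constructed sample request (not from any real capture): the "id" parameter
# appears twice, and one of the "uncommon" headers named above carries the
# kind of value a backend should never trust as an IP address.
SAMPLE_REQUEST = {
    "query": "id=1&sort=name&id=1%27%20OR%20%271%27%3D%271",
    "headers": {
        "Host": "shop.example",
        "User-Agent": "Mozilla/5.0",
        "Referer": "https://shop.example/list",
        "X-Forwarded-For": "127.0.0.1' UNION SELECT 1,2--",
    },
}

# Minimal indicator set; the point is coverage of every input location.
INDICATOR = re.compile(
    r"'\s*(?:or|and)\s*'|\bunion\s+(?:all\s+)?select\b", re.IGNORECASE
)


def all_parameter_values(query: str) -> dict[str, list[str]]:
    """Every occurrence of every parameter, in request order.

    A framework's get-parameter call typically returns only the first or
    only the last occurrence; inspection has to see all of them.
    """
    values: dict[str, list[str]] = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        values.setdefault(name, []).append(value)
    return values


def duplicated_parameters(query: str) -> dict[str, list[str]]:
    """Parameters supplied more than once: the HPP signal itself."""
    return {n: v for n, v in all_parameter_values(query).items() if len(v) > 1}


def inspect_request(request: dict) -> list[tuple[str, str, str]]:
    """Run the indicator over every parameter occurrence and every header."""
    findings = []
    for name, values in all_parameter_values(request["query"]).items():
        for position, value in enumerate(values):
            if INDICATOR.search(value):
                findings.append(("query", f"{name}[{position}]", value))
    for header, value in request["headers"].items():
        if INDICATOR.search(value):
            findings.append(("header", header, value))
    return findings


def valid_forwarded_for(value: str) -> bool:
    """X-Forwarded-For is a comma-separated list of IP addresses and nothing
    else; a value that does not parse as one should be rejected rather than
    logged or stored raw."""
    try:
        for part in value.split(","):
            ipaddress.ip_address(part.strip())
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("duplicated:", duplicated_parameters(SAMPLE_REQUEST["query"]))
    for location, name, value in inspect_request(SAMPLE_REQUEST):
        print(f"{location:7} {name:18} {value!r}")
    xff = SAMPLE_REQUEST["headers"]["X-Forwarded-For"]
    print("X-Forwarded-For well-formed:", valid_forwarded_for(xff))
```

The report lists the second `id` occurrence and the `X-Forwarded-For` header as findings, and the header fails the type check independently of any signature. Two design points carry over to production rules: log the duplicate-parameter condition on its own, since a repeated key is unusual for most applications regardless of content, and validate headers that have a fixed grammar (IP lists, URLs) by parsing them rather than by pattern-matching for attack strings.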
- 7. Using SQLMap with Burp Suite
- SQLMap can be chained with Burp Suite for testing complex web applications behind WAFs. Burp Suite’s proxy functionality allows capturing and modifying traffic, while SQLMap can replay this traffic to detect vulnerabilities beyond standard filters.
Best Practices and Resources
When dealing with advanced WAF bypass techniques, always ensure that testing is performed ethically and within legal boundaries. Keep the following in mind:
- Always experiment with different tamper script combinations.
- Test payloads with various encoding techniques.
- Use a proxy like Burp Suite to analyze and manipulate HTTP traffic.
Resources:
- SQLMap official documentation: https://sqlmap.org
- Burp Suite: https://portswigger.net/burp
- OWASP WAF Bypass Techniques: https://owasp.org