During a recent pentest, I encountered a WAF (CloudFlare in this case). I learned some interesting things about how to go about bypassing various filters.
Identifying What is Blocked
- Find an SQL injection.
- Use as simple of a test case as you can such that the WAF does not block your request.
- Use that as a base request for sqlmap (see documentation here).
- Proxy all sqlmap traffic through your proxy of choice (I like Burp).
- Start sqlmap and look at Burp to identify which requests are getting blocked.
- For each blocked request, compare them to the successful requests to find out what was different. Very likely, there is a slight change that the WAF is picking up. Simplify the request to identify what strings/patterns are blocked by the WAF. I use Burp Repeater for this.
Bypassing the WAF
- There are lots of good examples of how to bypass various WAF protections in the sqlmap tamper directory. Read through the code there to get some ideas.
- Other techniques include replacing single occurrences of spaces or plus signs with two of them (eg:
++). This makes it so things like
union+allstatements (blocked by some WAFs) can get through the WAF by using