Bypassing Web Application Firewalls with SQLMap Tamper Scripts

Bypassing Web Application Firewalls with SQLMap Tamper Scripts

Posted on August 26, 2011 by Roberto Salgado

Web Application Firewalls have become the new security solution for several businesses. Many companies often ignore the actual vulnerabilities and merely rely on the firewall for protection. Regrettably, most, if not all firewalls can be bypassed. In saying this, my post will demonstrate how to use some of SQLMap's new features to bypass WAFs/IDSs.

I have recently had the pleasure of working on a few tamper scripts for SQLMap, which can be found in the latest development version from the subversion repository.

svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

The focus of the tamper scripts is to modify the request in a way that will evade the detection of the WAF (Web Application Firewall) rules. In some cases, you might need to combine a few tamper scripts together in order to fool the WAF. For a complete list of the tamper scripts, you can refer to https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/

The first scripts I’ll demonstrate are space2hash.py and space2morehash.py which work with MySQL (still haven't gotten around to the MSSQL one). These scripts will convert all spaces to block comments with random text. The extended version of the script (space2morehash.py) will also add the comments in between certain function names and the parenthesis.

To get started using the tamper scripts, you use the --tamper switch followed by the script name. In my example I'm using the following command:

./sqlmap.py -u http://192.168.0.107/test.php?id=1 -v 3 --dbms "MySQL" --technique U -p id --batch --tamper "space2morehash.py"

Figure 1: space2morehash.py tamper script in action



As shown in figure 1, the tamper script replaces the spaces in the injection with %23randomText%0A, which is of course URL encoded. The function's CHAR(), USER(), CONCAT() get changed to FUNCTION%23randomText%0A() since they aren't blacklisted in IGNORE_SPACE_AFFECTED_KEYWORDS. This is because of MySQL's Function Name Parsing and Resolution and how it treats function calls and identifiers.

Another two scripts that transform spaces are space2mssqlblank.py and space2mysqlblank.py. MySQL allows characters 09, 0A-0D, A0 to be used as whitespaces while MSSQL allows a much wider range, from 01-1F.

Figure 2: space2mssqlblank.py using different characters as whitespaces



Next up we have a few scripts that mess around with the encoding: charencode.py and chardoubleencode.py. These are useful to bypass different keyword filters, for example when table_name is being detected and there is no way around it.

Figure 3: charencode.py can be used to evade keyword detection



If the application URL decodes the request for some reason (some do), the chardoubleencode.py script can come in handy.

Figure 4: chardoubleencode.py can be used when the application decodes the request



Additionally, if the application is programmed in ASP/ASP.NET, the charunicodeencode.py and percentage.py scripts can be used to hide the true payload.

Figure 5: charunicodeencode.py obfuscating the injection with Unicode encoding



An interesting characteristic of ASP is the ability to add as many percentage signs as you want in between characters. For example, AND 1=%%%%%%%%1 is completely valid!

Figure 6: Percent signs in between each character is valid in ASP



In conclusion, I've shown just a few of many tamper scripts. I highly recommend testing them out as each one can be used in different situations. I will be working on a few more this month, so be sure to stay tuned.

References:
SQLMap
SQL Injection Pocket Reference


Latest Blog Entries

Panoptic
An overview of Panoptic, an open source penetration testing tool that automates the process of search and retrieval of common log and config files through LFI vulnerabilities.

Special discount code for "Nmap 6: Network Exploration and Security Auditing Cookbook"
PacktPub created a special discount code for our friends from HackerHalted

Mac2WepKey HHG5xx for iPhone
The famous app to obtain the default WiFi passwords for Huawei routers is now available for the iPhone iOS 5.

Latest News

Oct 01, 2013
Websec at DerbyCon 2013
A summary of Websec's participation at DerbyCon 2013 in Louisville, Kentucky.

Sep 16, 2013
Websec's participation at Black Hat, CSI and XCon
Websec is grateful to have been able to participate in the month of August at great conferences such as Black Hat, CSI and XCon.