Web Application Firewalls have become the new security solution for several businesses. Many companies often ignore the actual vulnerabilities and merely rely on the firewall for protection. Regrettably, most, if not all firewalls can be bypassed. In saying this, my post will demonstrate how to use some of SQLMap’s new features to bypass WAFs/IDSs.
I have recently had the pleasure of working on a few tamper scripts for SQLMap, which can be found in the latest development version from the subversion repository.
svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev
The focus of the tamper scripts is to modify the request in a way that will evade the detection of the WAF (Web Application Firewall) rules. In some cases, you might need to combine a few tamper scripts together in order to fool the WAF. For a complete list of the tamper scripts, you can refer to https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/
The first scripts I’ll demonstrate are space2hash.py and space2morehash.py which work with MySQL (still haven’t gotten around to the MSSQL one). These scripts will convert all spaces to block comments with random text. The extended version of the script (space2morehash.py) will also add the comments in between certain function names and the parenthesis.
To get started using the tamper scripts, you use the –tamper switch followed by the script name. In my example I’m using the following command:
./sqlmap.py -u http://192.168.0.107/test.php?id=1 -v 3 –dbms “MySQL” –technique U -p id –batch –tamper “space2morehash.py”
Figure 1: space2morehash.py tamper script in action
Read this whole blog, tamper scripts win.