SQL Injection: Filter Evasion with Sqlmap

Author: HollyGraceful    Published: 07 June 2021

We've previously written about many different techniques for Finding and Exploiting SQL Injection vulnerabilities. However, there are often restrictions and interim technologies such as Web Application Firewalls that can prevent certain payloads from being used. In some instances filters can be bypassed through common encoding mechanisms, however often these will be ineffective and other methods much be used.

SQL is a flexible language that allows for many alternative forms of payload to be crafted to bypass specific restrictions. For example in our posts about Blind SQL Injection, we discussed payloads such as ` AND 1=1 -- ` for determining if an input can be exploited using Boolean inference. However consider if parts of this payload were blocked and how we could create an alternative payload; for example if `AND` is filtered or blocked we could try changing the case, such as `aNd`. Of course this would only bypass a very naïve filter but it is just a simple initial example.

Where characters such as the equals sign are blocked we could use alternative such as LIKE syntax, or simply create an alternative Boolean true statement, such as::

' AND 3 > 2 --
' AND 2 < 3 --
' AND 2 <> 3 --
' AND 2 != 3 --

Where functions such as SUBSTRING() are filtered then alternative functions such as MID() could be used. Where characters are restricted alternatives could be used, for example if whitespace is restricted then it's often possible to use C-style comments, e.g. `/**/` as whitespace, such as:

'/**/AND/**/1=1/**/--/**/ 

When attempting to exploit these issues it's a good idea to practice restructuring queries to avoid common filters. However, these simple transforms can be also performed in an automated way with the common exploitation tool sqlmap. This tool has “tamper scripts” which alter the payloads sent to the server automatically and can achieve this type of evasion. A quick way to see what type of evasion options are available is to take a look at the current list of tamper scripts. Each script includes a brief description and example. Evasion using URI encoding could be achieved with the following sqlmap command:

python sqlmap.py --tamper=charencode

You can also enter more than one filter script on the same line, like this:

python sqlmap.py --tamper=charencode,appendnullbyte,escapequotes

That's it!