
Heya - HollyGraceful here, I make all of this content in my spare time, like it? Please support me :)

SQL Injection Filter Evasion with sqlmap

Whenever I find a SQL injection vulnerability I always throw sqlmap at the injection point. It’s a simple, easy-to-use tool that will not only prove the vulnerability but also allow you to extract data, gain command execution, and generally push further on with your penetration test. If I come across a filter or a web application firewall then I’ll habitually break out Burp Suite and start working on filter evasion manually; however, there’s often a simpler way.

Evading user input filters whilst trying to exploit SQL injection is often a case of trying to format the same payloads but with different characters. Take the following payload for example:

' AND 3>2 --

I could rewrite this payload in a number of ways depending on which part of the payload was being filtered. For example, if the greater-than sign were filtered, I could replace it with an encoded character:

' AND 3%3E2 --
' AND 3%253E2 --
' AND 3%u003e2 --

Alternatively I could simply reformat the payload to achieve the same result, such as:

' AND 2<3 --
' AND 2<>3 --
' AND 2!=3 --
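
The defender's view of these rewrites, as an added example that is not part of the original post. It assumes a hypothetical blocklist that rejects a literal `>`, a downstream layer that decodes `%XX` and `%uXXXX`, and a constructed one-row SQLite table; all function names are illustrative.

```python
import re
import sqlite3
from urllib.parse import unquote

# The payload variants quoted in the article above.
VARIANTS = [
    "' AND 3>2 --", "' AND 3%3E2 --", "' AND 3%253E2 --", "' AND 3%u003e2 --",
    "' AND 2<3 --", "' AND 2<>3 --", "' AND 2!=3 --",
]

def naive_filter(value):
    """Hypothetical blocklist filter: accept input only if it has no literal '>'."""
    return ">" not in value

def canonicalize(value, max_rounds=5):
    """Decode %XX and %uXXXX layers repeatedly until the value stops changing."""
    for _ in range(max_rounds):
        decoded = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)
        decoded = unquote(decoded)
        if decoded == value:
            break
        value = decoded
    return value

def make_db():
    """Constructed sample data: one table holding one user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    db.execute("INSERT INTO users VALUES ('alice')")
    return db

def concat_lookup(db, value):
    """'Before' form: decoded input is concatenated into the SQL text."""
    sql = "SELECT name FROM users WHERE name = '" + canonicalize(value) + "'"
    return db.execute(sql).fetchall()

def param_lookup(db, value):
    """'After' form: the value is bound as data and never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return db.execute(sql, (canonicalize(value),)).fetchall()

def summarize():
    """Count how many variants get past each control."""
    db = make_db()
    return {
        "pass_raw_filter": sum(naive_filter(v) for v in VARIANTS),
        "pass_decoded_filter": sum(naive_filter(canonicalize(v)) for v in VARIANTS),
        "concat_hits": sum(bool(concat_lookup(db, "alice" + v)) for v in VARIANTS),
        "param_hits": sum(bool(param_lookup(db, "alice" + v)) for v in VARIANTS),
    }
```

`summarize()` shows five of the seven variants passing the raw filter, two still passing after full decoding, all seven being parsed as SQL by the concatenated query, and none affecting the parameterized one.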

These simple transforms can be achieved in an automated way with the tool that we know and love, sqlmap. If you’re unfamiliar with this tool, then check out the Introduction to sqlmap post first. If you’re comfortable with the interface though, you’ll be glad to know this tool has “tamper scripts” which alter the payloads sent to the server automatically and can achieve this type of evasion. A quick way to see what type of evasion options are available is to take a look at the current list of tamper scripts. Each script includes a brief description and example. Evasion using URI encoding could be achieved with the following sqlmap command:

python sqlmap.py --tamper=charencode

You can also enter more than one tamper script on the same line, like this:

python sqlmap.py --tamper=charencode,appendnullbyte,escapequotes

Want to try this kind of evasion on a working application? Check out GracefulSecurity’s VulnVM. You’ll find two SQL injection vulnerabilities hidden in that application which, on level 2, can be exploited using the right tamper script!
