Use SQLMAP To Bypass Cloudflare WAF And Hack Website With SQL Injection

by Sunny Hoi


When SQLMAP alerts you that a target’s website is being shielded by a Web Application Firewall (WAF) such as Cloudflare, Intrusion Prevention System (IPS), Intrusion Detection System (IDS), SQL injections (SQLi) may become increasingly difficult to penetrate successfully through the adversary’s front-facing site.

When enterprises have implemented a WAF, the typical SQL injections and ordinary scripts will be rendered ineffective for web application security exploitation attempts.

Luckily, SQLMAP has a feature labelled “tamper script” which enables you to check whether the site is vulnerable to SQLi and potentially bypass the WAF’s signatures.

These methods are below.

NOTE 1: SQLMAP is an extremely effective tool that should be used only for penetration testing purposes. Even a beginner that uses SQLMAP can achieve a calamitous impact on the adversary’s enterprise system. The tool produces numerous queries which may significantly impact the adversary’s database when used improperly. For maximum effectiveness of this tool, it’s recommended to possess comprehensive knowledge of SQLi prior to usage. Therefore, it is a good idea to deploy SQLMap on non-production systems that are used for testing purposes only.

1. Check (Identify) The Website’s WAF That Is Protecting The Front-Facing Web Application

To check whether a target’s site is using Cloudflare’s WAF, ModSecurity, or some other well-known WAF like Sucuri/Incapsula/F5, use the following option along SQLMAP:

  • –identity-waf


  • –check-waf

Do not use “-=thread=” that is bigger than 1 since it could result in a 403 Forbidden Error which would indicate that your IP address has been banned.

Hence, it would be a necessity to deploy proxies to successfully reach the target and penetrate the site.

NOTE 2: If you haven’t downloaded SQLMAP already, you can do so from the official site.

NOTE 3: Too many 4xx/5xx HTTP error codes may indicate a WAF is in place in the target’s web application environment. Remember if all fails, retry again.

2. Using Tor Proxies For Anonymity

Tor proxies should be enabled to prevent attacker’s IP address from being banned and triggering a 403 Forbidden Error. Tor will provide a layer of anonymity and permit you to conceal your identity from the adversary, hiding the source where the traffic is originating from.

Use the following options along SQLMAP to assist with anonymity:

  • –tor          (Tor will be enabled as SQLMAP will attempt to apply the Tor proxy settings automatically.)
  • –tor-port           (Apply Tor proxy manually)
  • –tor-type           (Apply Tor proxy manually)

3. Enable Random Agent

Use the following option for random agent:

  • –random-agent

To check if Tor is working properly with SQLMAP, use the following option:

  • –check-tor

4. Finding The Python Scripts In SQLMAP Directory:

1. Go to the directory of SQLMAP.

2. Locate a directory labelled “tamper” which has the python scripts that you can use.

3. It’s important to keep track of the names of those files.

4. ADDITIONAL PYTHON SCRIPTS: Grab more python scripts for usage with the SQLMAP tamper option from here.

5. How To Easily Use SQLMAP Python Script

Deploying the tamper script is easy:

SQLMAP Tamper Script Examples:

For instance, in terms of MSSQLMySQL, and typical penetration testing – you can utilize the following tamper scripts:

  • between
  • randomcase
  • space2comment
  • charunicodeencode     (Discussed further in NOTE 4)
  • percentage         (Discussed further in NOTE 4)

For MySQL, you can deploy the following tamper scripts:

  • space2hash
  • space2mysqlblank
  • charunicodeencode         (Discussed further in NOTE 4)
  • percentage           (Discussed further in NOTE 4)

NOTE 4: To conceal payloads opposite to ASP & ASP.NET applications, use the following tamper scripts:

  • charunicodeencode
  • percentage

SQLMAP Tamper Script Option Command Examples:

Once you have verified that the target’s site is protected by a WAF like Cloudflare, you could choose to utilize one of the two following commands:



Of course, this SQLMAP tutorial is not merely limited to bypassing Cloudflare WAF protection, but also applies to other security solutions as well. The tool can reach its maximum potential under the hands of a professional penetration tester with extensive knowledge of SQLi and application security. Even a beginner can use the tool to create substantial effects.

Perhaps the most significant thing to keep in mind is the mindset of the penetration tester. If the pen testing appears to be failing whether, in some or every aspect, it’s imperative to retry and not give up. Is a particular Tor connection too slow? Is a WAF giving you a difficult time? Does this option work with the other? Fortunately, these problems have solutions. It’s all about consistency and patience.

If you are mentally ready, you are ready.

Related Posts