How I Bypassed a WAF with SQL Injection: A Step‑by‑Step Walkthrough

The article details a hands‑on investigation of a web application firewall that strips SQL keywords, shows how order‑by and CASE‑WHEN payloads can be used to probe column limits, construct blind injection strings, and ultimately achieve data extraction despite multiple filtering layers.

Black & White Path

0x01 Basic Observation

We first identified that the target applies a generic filter and a WAF. Sending a simple payload revealed that the keywords select, from, and where are stripped from the request, as shown in the response screenshot.

0x02 Injection Detection

Using a detection plugin we sent crafted requests. The response differed between order by 1 and order by 300, indicating that the order by clause is processed server-side. Manual requests confirmed that only a single column is allowed; exceeding the column count triggers a “column not found” error.

The parameter model is concatenated to a default table‑name prefix, so any value that does not correspond to an existing table causes a “table not found” error, which blocks injection through that parameter. The only value for model that returns without error is the default news table.

0x03 Starting the Injection

Having confirmed keyword filtering, we tested whether the sleep function could be used. Most functions were blocked either by code‑level filters or the WAF.

Inline comments were also blocked outright.

0x04 Crafting the Payload

Detection showed that CASE WHEN expressions are allowed. We built a payload using ORDER BY CASE WHEN to trigger an error when the condition is true.

'+ORDER+BY+CASE+WHEN+(1=2)+THEN+exp(710)+ELSE+hits+END--+'

The initial test returned the same result for 1=1 and 1=2, indicating that the CASE expression was only changing the sort order rather than producing a visible true/false difference.

We replaced the numeric constant with a string and forced the ELSE branch to return a legitimate column (hits). The THEN branch used exp(710), which overflows a double-precision value, to provoke an error, confirming that the injection point works.

We then took a real column name from the error message (the column shown in the response). Using that column name in the payload produced the expected error when the condition was true.

Final payload:

'+ORDER+BY+CASE+WHEN+(1=2)+THEN+exp(710)+ELSE+hits+END--+'

Changing the condition to 1=1 caused the exp(710) branch to execute, resulting in the expected error.
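The injection point described in 0x02 and 0x04 comes down to two pieces of user input landing in SQL by concatenation: the model value glued to a table-name prefix and a quoted value that the payload closes before appending ORDER BY CASE WHEN (none of the stripped keywords select/from/where appear in it, so keyword stripping does not help). The following is an added example, not code from the post or its target, showing that vulnerable query builder beside a hardened one; the tbl_ prefix, the category parameter, the allowlists and the fixture rows are assumptions, and the payload string is the one from the walkthrough, URL-decoded.

```python
import sqlite3

# Constructed fixture mirroring the walkthrough: a news table reached through
# a table-name prefix plus the "model" parameter, filtered by a quoted value.
TABLE_PREFIX = "tbl_"                 # assumption: the app's default prefix
ALLOWED_MODELS = {"news"}             # assumption: only news should be reachable
ALLOWED_SORT_COLUMNS = {"id", "title", "hits"}

# The walkthrough's payload, URL-decoded, used here only as test input.
ATTACK_VALUE = "' ORDER BY CASE WHEN (1=2) THEN exp(710) ELSE hits END-- '"


def build_query_vulnerable(model: str, category: str) -> str:
    """Concatenation as the page describes: the input's quote closes the literal,
    ORDER BY CASE WHEN runs, and '--' comments out the trailing quote."""
    return (f"SELECT id, title, hits FROM {TABLE_PREFIX}{model} "
            f"WHERE category = '{category}'")


def build_query_safe(model: str, category: str, sort: str):
    """Hardened form: table name and sort column come from allowlists (they
    cannot be bound parameters); the user-controlled value is bound with '?'."""
    if model not in ALLOWED_MODELS:
        raise ValueError(f"unknown model: {model!r}")
    if sort not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unknown sort column: {sort!r}")
    sql = (f"SELECT id, title, hits FROM {TABLE_PREFIX}{model} "
           f"WHERE category = ? ORDER BY {sort}")
    return sql, (category,)


def is_rejected(model: str, category: str, sort: str) -> bool:
    """True when the hardened builder refuses the request outright."""
    try:
        build_query_safe(model, category, sort)
    except ValueError:
        return True
    return False


def fetch_safe(model: str, category: str, sort: str) -> list:
    """Runs the hardened query on an in-memory fixture; injected text in the
    category value is just a string that matches no row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE tbl_news(id INTEGER, title TEXT, category TEXT, hits INTEGER);"
        "INSERT INTO tbl_news VALUES (1,'a','tech',5),(2,'b','tech',9),(3,'c','life',1);"
    )
    sql, params = build_query_safe(model, category, sort)
    return conn.execute(sql, params).fetchall()
```

Because ORDER BY cannot take a bound parameter, an allowlist of column names is the only reliable control there; the WHERE value, by contrast, should always be a bound parameter.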

0x05 Final Sprint

We tested the length function, which was not blocked by the WAF. The function returned the length of the database name (8), but a rapid request rate triggered a 302 redirect, indicating rate‑limiting on the WAF or application layer.

Adjusting the request speed avoided the 302 redirects, allowing us to retrieve the desired data.

With the injection chain working, we successfully extracted the target information.

All steps were performed for educational purposes only; the techniques should be used responsibly.
