Advanced SQL injection payload obfuscation tool to bypass WAF and security filters.
| Technique | Description | Example |
|---|---|---|
| Char Encoding | URL encoding, Hex, Base64 | ' → %27 |
| Case Variation | Random case mixing | UNION → uNiOn |
| Comment Injection | Inline comments | UN/**/ION |
| Whitespace | Tabs, newlines, comments | UNION SELECT |
| Encoding Chars | HTML entities, Unicode | < → `&lt;` |
| Double Encoding | Multiple URL encoding | %2527 |
| Type Casting | Implicit type changes | '=' → ''='' |
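
Seen from the defending side, most rows in this table are undone by canonicalizing input before any signature is matched. The sketch below is an added example, not code from this project: the function names, the two signatures and the decode-round cap are assumptions chosen for illustration, and the samples are constructed from the table's own examples.

```python
import html
import re
from urllib.parse import unquote

MAX_ROUNDS = 5  # assumption: cap on nested encoding layers to unwrap
COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
SIGNATURES = {  # illustrative rules, not a complete rule set
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "quoted-tautology": re.compile(r"'\s*or\s*'[^']*'\s*=\s*'"),
}

def decode_layers(value: str) -> tuple[str, int]:
    """Undo URL and HTML-entity encoding until the value stops changing."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def canonical_forms(value: str) -> tuple[set[str], int]:
    """Return lower-cased, whitespace-collapsed views of the input."""
    decoded, rounds = decode_layers(value)
    forms = set()
    # Inline comments are viewed two ways: deleted (rejoins UN/**/ION)
    # and replaced by a space (separates UNION/**/SELECT).
    for replacement in ("", " "):
        text = COMMENT.sub(replacement, decoded)
        forms.add(" ".join(text.split()).lower())
    return forms, rounds

def inspect_value(value: str) -> dict:
    """Match signatures on every canonical form; flag multi-layer encoding."""
    forms, rounds = canonical_forms(value)
    hits = sorted(name for name, rx in SIGNATURES.items()
                  if any(rx.search(form) for form in forms))
    return {"hits": hits, "decode_rounds": rounds, "multi_encoded": rounds > 1}

# Constructed samples built from the table's own examples.
SAMPLES = ["uNiOn SeLeCt 1,2,3--", "UN/**/ION%09SELECT 1", "UNION/**/SELECT 1",
           "admin%2527 OR %25271%2527=%25271", "plain search text"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:40} -> {inspect_value(sample)}")
```
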
- Detect common WAFs (Cloudflare, Akamai, etc.)
- Test fingerprinting
- Bypass suggestions
- Custom payload builder
- Pre-defined payloads for each DB type
- Random mutation
- UNION-based
- Boolean-based blind
- Time-based blind
- Error-based

```
sqlbypass/
├── main.py                 # Entry point
├── core/
│   ├── obfuscator.py       # Core obfuscation engine
│   ├── detector.py         # WAF detection
│   └── payloads.py         # Payload database
├── utils/
│   ├── encoder.py          # Encoding utilities
│   └── fuzz.py             # Fuzzing engine
└── tests/
    └── test_obfuscation.py
```

```bash
# Basic obfuscation
python sqlbypass.py -p "UNION SELECT 1,2,3--"

# With WAF bypass
python sqlbypass.py -p "admin' OR '1'='1" --bypass-level=high

# Detect WAF first
python sqlbypass.py -u "http://target.com" --detect-waf
```

- Console output
- Export to text/JSON
- Save to file

Created: 2026-04-08

For Educational Purposes Only!