Yeah exactly, in complex tasks you really notice the quality drop with quantized models. It’s slower in BF16 but accuracy matters more here :D
Have you tried Gemma 31B? After testing both on multiple prompts, I found Gemma slightly better than Qwen 27B overall, and it follows instructions more reliably
For my use case (a bot that answers questions by querying a huge MySQL database through tool calls), Qwen 3.6 27B (BF16) is clearly better than Mistral Medium 3.5 128B-NVFP4 . It generates more accurate and reliable SQL. After testing several models, Gemma 4 31B IT (BF16) has been the best performer for me so far
@Yassineaboukir Literally came back to bug bounty yesterday after 1+ year, found an SQLi last night, gave myself today to escalate impact and report it tonight. got fixed before I could submit 😀
Great job. I’ve faced similar challenges where SQLmap/Ghauri didn’t work, so I used to write my own Python scripts to exploit them. But since discovering the --eval option in SQLmap, things have become much easier, It lets me tweak payloads for specific situations, like bypassing WAF or handling unusual characters. For example, I’ve used it to replace spaces with #%0A (a super simple case 😄) when it helps bypass a WAF.
I’d recommend giving it a try
You can btw generate an animation from this sprite sheet using only HTML/CSS. The idea is to create a <div> with dimensions matching a single keyframe, set this image as the background, and then shift the background position in both X and Y directions at the right keyframes to cycle through the frames. Here's a quick demo I put together: https://t.co/Qs7kerI1oP
It needs some adjustments in positions and margins between keyframes, but this demonstrates the concept
First check if the id parameter is actually used in the query. If not, look for hidden params (cookies, headers, POST data) that might be part of it. If no user input affects the query, it's likely a static SQL error and not exploitable
@h4x0r_dz I regularly test various LLMs and compare their performance across tasks especially for a project focused on image processing (OCR, handwriting recognition), I found DeepSeek surprisingly poor in this area. Even local 1B models far outperform it in these tasks
The --eval option lets you dynamically modify any part of the HTTP request before it’s sent, including parameters, headers, and more. So yes, it allows you to edit or transform payloads on the fly, like adding prefixes, suffixes, or even converting them into formats that can bypass the WAF
Found and bypassed 2 SQLi in a target behind a WAF.
Even after they fixed it with additional WAF rules, I managed to bypass them. Feels like I’ve unlocked a new level of understanding for finding tricks to bypass WAF protections 😀
#bugbounty#bugbountytips
@mosab_4_u Thanks. I’m not sure yet, but I’ll try. I’m not the best at writing, and I tend to get a headache when I sit down to do it 😀. But I’ll give it a shot
I’ve only started using the --eval option recently, and it’s been a game changer for me. Before, when I found SQLi (boolean or time-based) that required complex WAF bypass payloads, I had to write custom Python scripts to retrieve the database name since sqlmap/ghauri couldn’t handle it. On top of that, I had the extra challenge with some triagers who rely only on sqlmap/ghauri for confirmation. But now with --eval, life’s so much easier. I don’t need to create scripts anymore, and I can work much more smoothly with triagers :D
1- In my experience, including the sqlmap command in my reports helps streamline the verification process. Often, triagers will ask for the specific command used to confirm the issue, and rather than spend unnecessary time in back and forth, I find it more efficient to include the command upfront
2- These SQLi were manually discovered and confirmed, and I used my own techniques for bypassing the WAF, which aren’t part of the default payloads in sqlmap. So I used the --eval option in sqlmap to inject custom, modified payloads that are tailored to bypass the WAF’s filtering mechanisms. This allows me to send payloads that I know will get past the rule