Jump to content
Nytro

SQLMap Tamper Scripts

By Nytro, in Securitate web

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

SQLMap Tamper Scripts

By Dana TaylorSeptember 24, 2014Pentestsqlmap, tamper scripts

When using SQLMap Tamper scripts while doing a pentest can be a bit confusing and a lot of work to figure out which scripts you need to use and when to use them. I have an upcoming pentest I need to perform and figured this is the perfect time to organize all of this.

First of all, not all scripts are created equal. Some work for general run-of-the mill sql injection attacks and others are for specific databases. Some are not actually sure if it works on all databases and some have only been officially tested against older versions of database applications. This is the very definition of hit and miss.

I reviewed each tamper script and tried to place them in boxes. If you have feedback on any of these boxes PLEASE don’t be shy! Let me know in the comment section. I want this to be a good resource and your help would be greatly appreciated.

The General Scripts section contains both non-specific database exploits as well as those that cover a wide range of databases. In my thoughts, this would be a good start script box to use as an initial hit on an application. Again, feedback appreciated.

I am going to include the syntax to run each section as well as one to run every script. SQLMap will organize them automatically. However, I captured traffic from running all scripts and it didn’t look familiar at all. not sure if it is a good idea to do this or not. Feedback welcome!

Jump to

general

Microsoft-Access

mssql

mysql

oracle

postresql

sap

sqlite

--tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords

General Scripts

--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

apostrophemask

Replaces apostrophe character with its UTF-8 full width counterpart

apostrophenullencode

Replaces apostrophe character with its illegal double unicode counterpart

base64encode

Base64 all characters in a given payload

between

Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’

Replaces equals operator (‘=’) with ‘BETWEEN # AND #’

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls that

filter the greater than character

* The BETWEEN clause is SQL standard. Hence, this tamper script

should work against all (?) databases

chardoubleencode

Double url-encodes all characters in a given payload (not processing

already encoded)

Notes:

* Useful to bypass some weak web application firewalls that do not

double url-decode the request before processing it through their

ruleset

charencode

Url-encodes all characters in a given payload (not processing already

encoded)

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass very weak web application firewalls that do not

url-decode the request before processing it through their ruleset

* The web server will anyway pass the url-decoded version behind,

hence it should work against any DBMS

charunicodeencode

Unicode-url-encodes non-encoded characters in a given payload (not

processing already encoded)

Requirement:

* ASP

* ASP.NET

Tested against:

* Microsoft SQL Server 2000

* Microsoft SQL Server 2005

* MySQL 5.1.56

* PostgreSQL 9.0.3

Notes:

* Useful to bypass weak web application firewalls that do not

unicode url-decode the request before processing it through their

ruleset

equaltolike

Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

Notes:

* Useful to bypass weak and bespoke web application firewalls that

filter the equal character (‘=’)

* The LIKE operator is SQL standard. Hence, this tamper script

should work against all (?) databases

greatest

Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart

Tested against:

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls that

filter the greater than character

* The GREATEST clause is a widespread SQL command. Hence, this

tamper script should work against majority of databases

ifnull2ifisnull

Replaces instances like ‘IFNULL(A,
B)
’ with ‘IF(ISNULL(A), B, A)’

Requirement:

* MySQL

* SQLite (possibly)

* SAP MaxDB (possibly)

Tested against:

* MySQL 5.0 and 5.5

Notes:

* Useful to bypass very weak and bespoke web application firewalls

that filter the IFNULL() function

multiplespaces

Adds multiple spaces around SQL keywords

Notes:

* Useful to bypass very weak and bespoke web application firewalls

that has poorly written permissive regular expressions

Reference:

nonrecursivereplacement

Replaces predefined SQL keywords with representations

suitable for replacement (e.g. .replace(“SELECT”, “”)) filters

Notes:

* Useful to bypass very weak custom filters

randomcase

Replaces each keyword character with random case value

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass very weak and bespoke web application firewalls

that has poorly written permissive regular expressions

* This tamper script should work against all (?) databases

securesphere

Appends special crafted string

Notes:

* Useful for bypassing Imperva SecureSphere WAF

* Reference:

space2comment

Replaces space character (‘ ‘) with comments ‘/**/’

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls

space2plus

Replaces space character (‘ ‘) with plus (‘+’)

Notes:

* Is this any useful? The plus get’s url-encoded by sqlmap engine

invalidating the query afterwards

* This tamper script works against all databases

space2randomblank

Replaces space character (‘ ‘) with a random blank character from a

valid set of alternate characters

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass several web application firewalls

unionalltounion

Replaces UNION ALL SELECT with UNION SELECT

unmagicquotes

Replaces quote character (‘) with a multi-byte combo %bf%27 together with

generic comment at the end (to make it work)

Notes:

* Useful for bypassing magic_quotes/addslashes feature

Reference:

*

xforwardedfor

Append a fake HTTP header ‘X-Forwarded-For’ to bypass

WAF (usually application based) protection

Microsoft Access

--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords

appendnullbyte

Appends encoded NULL byte character at the end of payload

Requirement:

* Microsoft Access

Notes:

* Useful to bypass weak web application firewalls when the back-end

database management system is Microsoft Access – further uses are

also possible

equaltolike

Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

Notes:

* Useful to bypass weak and bespoke web application firewalls that

filter the equal character (‘=’)

* The LIKE operator is SQL standard. Hence, this tamper script

should work against all (?) databases

greatest

Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart

Tested against:

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls that

filter the greater than character

* The GREATEST clause is a widespread SQL command. Hence, this

tamper script should work against majority of databases

multiplespaces

Adds multiple spaces around SQL keywords

Notes:

* Useful to bypass very weak and bespoke web application firewalls

that has poorly written permissive regular expressions

Reference:

nonrecursivereplacement

Replaces predefined SQL keywords with representations

suitable for replacement (e.g. .replace(“SELECT”, “”)) filters

Notes:

* Useful to bypass very weak custom filters

randomcase

Replaces each keyword character with random case value

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass very weak and bespoke web application firewalls

that has poorly written permissive regular expressions

* This tamper script should work against all (?) databases

securesphere

Appends special crafted string

Notes:

* Useful for bypassing Imperva SecureSphere WAF

* Reference:

space2comment

Replaces space character (‘ ‘) with comments ‘/**/’

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls

space2plus

Replaces space character (‘ ‘) with plus (‘+’)

Notes:

* Is this any useful? The plus get’s url-encoded by sqlmap engine

invalidating the query afterwards

* This tamper script works against all databases

unionalltounion

Replaces UNION ALL SELECT with UNION SELECT

unmagicquotes

Replaces quote character (‘) with a multi-byte combo %bf%27 together with

generic comment at the end (to make it work)

Notes:

* Useful for bypassing magic_quotes/addslashes feature

Reference:

*

xforwardedfor

Append a fake HTTP header ‘X-Forwarded-For’ to bypass

WAF (usually application based) protection

Microsoft SQL Server

--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

between

Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’

Replaces equals operator (‘=’) with ‘BETWEEN # AND #’

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls that

filter the greater than character

* The BETWEEN clause is SQL standard. Hence, this tamper script

should work against all (?) databases

charencode

Url-encodes all characters in a given payload (not processing already

encoded)

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass very weak web application firewalls that do not

url-decode the request before processing it through their ruleset

* The web server will anyway pass the url-decoded version behind,

hence it should work against any DBMS

charunicodeencode

Unicode-url-encodes non-encoded characters in a given payload (not

processing already encoded)

Requirement:

* ASP

* ASP.NET

Tested against:

* Microsoft SQL Server 2000

* Microsoft SQL Server 2005

* MySQL 5.1.56

* PostgreSQL 9.0.3

Notes:

* Useful to bypass weak web application firewalls that do not

unicode url-decode the request before processing it through their

ruleset

equaltolike

Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

Notes:

* Useful to bypass weak and bespoke web application firewalls that

filter the equal character (‘=’)

* The LIKE operator is SQL standard. Hence, this tamper script

should work against all (?) databases

greatest

Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart

Tested against:

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls that

filter the greater than character

* The GREATEST clause is a widespread SQL command. Hence, this

tamper script should work against majority of databases

multiplespaces

Adds multiple spaces around SQL keywords

Notes:

* Useful to bypass very weak and bespoke web application firewalls

that has poorly written permissive regular expressions

Reference:

nonrecursivereplacement

Replaces predefined SQL keywords with representations

suitable for replacement (e.g. .replace(“SELECT”, “”)) filters

Notes:

* Useful to bypass very weak custom filters

percentage

Adds a percentage sign (‘%’) infront of each character

Requirement:

* ASP

Tested against:

* Microsoft SQL Server 2000, 2005

* MySQL 5.1.56, 5.5.11

* PostgreSQL 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls

randomcase

Replaces each keyword character with random case value

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass very weak and bespoke web application firewalls

that has poorly written permissive regular expressions

* This tamper script should work against all (?) databases

securesphere

Appends special crafted string

Notes:

* Useful for bypassing Imperva SecureSphere WAF

* Reference:

sp_password

Appends ‘sp_password’ to the end of the payload for automatic obfuscation from DBMS logs

Requirement:

* MSSQL

Notes:

* Appending sp_password to the end of the query will hide it from T-SQL logs as a security measure

* Reference:

space2comment

Replaces space character (‘ ‘) with comments ‘/**/’

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls

space2dash

Replaces space character (‘ ‘) with a dash comment (‘–‘) followed by

a random string and a new line (‘\n’)

Requirement:

* MSSQL

* SQLite

Notes:

* Useful to bypass several web application firewalls

* Used during the ZeroNights SQL injection challenge,

space2mssqlblank

Replaces space character (‘ ‘) with a random blank character from a

valid set of alternate characters

Requirement:

* Microsoft SQL Server

Tested against:

* Microsoft SQL Server 2000

* Microsoft SQL Server 2005

Notes:

* Useful to bypass several web application firewalls

space2mysqldash

Replaces space character (‘ ‘) with a dash comment (‘–‘) followed by

a new line (‘\n’)

Requirement:

* MySQL

* MSSQL

Tested against:

Notes:

* Useful to bypass several web application firewalls.

space2plus

Replaces space character (‘ ‘) with plus (‘+’)

Notes:

* Is this any useful? The plus get’s url-encoded by sqlmap engine

invalidating the query afterwards

* This tamper script works against all databases

space2randomblank

Replaces space character (‘ ‘) with a random blank character from a

valid set of alternate characters

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass several web application firewalls

unionalltounion

Replaces UNION ALL SELECT with UNION SELECT

unmagicquotes

Replaces quote character (‘) with a multi-byte combo %bf%27 together with

generic comment at the end (to make it work)

Notes:

* Useful for bypassing magic_quotes/addslashes feature

Reference:

*

xforwardedfor

Append a fake HTTP header ‘X-Forwarded-For’ to bypass

WAF (usually application based) protection

MySQL

--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor

between

Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’

Replaces equals operator (‘=’) with ‘BETWEEN # AND #’

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls that

filter the greater than character

* The BETWEEN clause is SQL standard. Hence, this tamper script

should work against all (?) databases

bluecoat

Replaces space character after SQL statement with a valid random blank character.

Afterwards replace character = with LIKE operator

Requirement:

* Blue Coat SGOS with WAF activated as documented in

Tested against:

* MySQL 5.1, SGOS

Notes:

* Useful to bypass Blue Coat’s recommended WAF rule configuration

charencode

Url-encodes all characters in a given payload (not processing already

encoded)

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass very weak web application firewalls that do not

url-decode the request before processing it through their ruleset

* The web server will anyway pass the url-decoded version behind,

hence it should work against any DBMS

charunicodeencode

Unicode-url-encodes non-encoded characters in a given payload (not

processing already encoded)

Requirement:

* ASP

* ASP.NET

Tested against:

* Microsoft SQL Server 2000

* Microsoft SQL Server 2005

* MySQL 5.1.56

* PostgreSQL 9.0.3

Notes:

* Useful to bypass weak web application firewalls that do not

unicode url-decode the request before processing it through their

ruleset

concat2concatws

Replaces instances like ‘CONCAT(A,
B)
’ with ‘CONCAT_WS(MID(CHAR(0), 0, 0), A,
B)

Requirement:

* MySQL

Tested against:

* MySQL 5.0

Notes:

* Useful to bypass very weak and bespoke web application firewalls

that filter the CONCAT() function

equaltolike

Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

Notes:

* Useful to bypass weak and bespoke web application firewalls that

filter the equal character (‘=’)

* The LIKE operator is SQL standard. Hence, this tamper script

should work against all (?) databases

greatest

Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart

Tested against:

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls that

filter the greater than character

* The GREATEST clause is a widespread SQL command. Hence, this

tamper script should work against majority of databases

halfversionedmorekeywords

Adds versioned MySQL comment before each keyword

Requirement:

* MySQL < 5.1

Tested against:

* MySQL 4.0.18, 5.0.22

Notes:

* Useful to bypass several web application firewalls when the

back-end database management system is MySQL

* Used during the ModSecurity SQL injection challenge,

ifnull2ifisnull

Replaces instances like ‘IFNULL(A,
B)
’ with ‘IF(ISNULL(A), B, A)’

Requirement:

* MySQL

* SQLite (possibly)

* SAP MaxDB (possibly)

Tested against:

* MySQL 5.0 and 5.5

Notes:

* Useful to bypass very weak and bespoke web application firewalls

that filter the IFNULL() function

modsecurityversioned

Embraces complete query with versioned comment

Requirement:

* MySQL

Tested against:

* MySQL 5.0

Notes:

* Useful to bypass ModSecurity WAF/IDS

modsecurityzeroversioned

Embraces complete query with zero-versioned comment

Requirement:

* MySQL

Tested against:

* MySQL 5.0

Notes:

* Useful to bypass ModSecurity WAF/IDS

multiplespaces

Adds multiple spaces around SQL keywords

Notes:

* Useful to bypass very weak and bespoke web application firewalls

that has poorly written permissive regular expressions

Reference:

nonrecursivereplacement

Replaces predefined SQL keywords with representations

suitable for replacement (e.g. .replace(“SELECT”, “”)) filters

Notes:

* Useful to bypass very weak custom filters

percentage

Adds a percentage sign (‘%’) infront of each character

Requirement:

* ASP

Tested against:

* Microsoft SQL Server 2000, 2005

* MySQL 5.1.56, 5.5.11

* PostgreSQL 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls

randomcase

Replaces each keyword character with random case value

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass very weak and bespoke web application firewalls

that has poorly written permissive regular expressions

* This tamper script should work against all (?) databases

securesphere

Appends special crafted string

Notes:

* Useful for bypassing Imperva SecureSphere WAF

* Reference:

space2comment

Replaces space character (‘ ‘) with comments ‘/**/’

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls

space2hash

Replaces space character (‘ ‘) with a pound character (‘#’) followed by

a random string and a new line (‘\n’)

Requirement:

* MySQL

Tested against:

* MySQL 4.0, 5.0

Notes:

* Useful to bypass several web application firewalls

* Used during the ModSecurity SQL injection challenge,

space2morehash

Replaces space character (‘ ‘) with a pound character (‘#’) followed by

a random string and a new line (‘\n’)

Requirement:

* MySQL >= 5.1.13

Tested against:

* MySQL 5.1.41

Notes:

* Useful to bypass several web application firewalls

* Used during the ModSecurity SQL injection challenge,

space2mysqldash

Replaces space character (‘ ‘) with a dash comment (‘–‘) followed by

a new line (‘\n’)

Requirement:

* MySQL

* MSSQL

Tested against:

Notes:

* Useful to bypass several web application firewalls.

space2plus

Replaces space character (‘ ‘) with plus (‘+’)

Notes:

* Is this any useful? The plus get’s url-encoded by sqlmap engine

invalidating the query afterwards

* This tamper script works against all databases

space2randomblank

Replaces space character (‘ ‘) with a random blank character from a

valid set of alternate characters

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass several web application firewalls

unionalltounion

Replaces UNION ALL SELECT with UNION SELECT

unmagicquotes

Replaces quote character (‘) with a multi-byte combo %bf%27 together with

generic comment at the end (to make it work)

Notes:

* Useful for bypassing magic_quotes/addslashes feature

Reference:

*

versionedkeywords

Encloses each non-function keyword with versioned MySQL comment

Requirement:

* MySQL

Tested against:

* MySQL 4.0.18, 5.1.56, 5.5.11

Notes:

* Useful to bypass several web application firewalls when the

back-end database management system is MySQL

versionedmorekeywords

Encloses each keyword with versioned MySQL comment

Requirement:

* MySQL >= 5.1.13

Tested against:

* MySQL 5.1.56, 5.5.11

Notes:

* Useful to bypass several web application firewalls when the

back-end database management system is MySQL

xforwardedfor

Append a fake HTTP header ‘X-Forwarded-For’ to bypass

WAF (usually application based) protection

Oracle

--tamper=between,charencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes,xforwardedfor

between

Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’

Replaces equals operator (‘=’) with ‘BETWEEN # AND #’

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls that

filter the greater than character

* The BETWEEN clause is SQL standard. Hence, this tamper script

should work against all (?) databases

charencode

Url-encodes all characters in a given payload (not processing already

encoded)

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass very weak web application firewalls that do not

url-decode the request before processing it through their ruleset

* The web server will anyway pass the url-decoded version behind,

hence it should work against any DBMS

equaltolike

Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

Notes:

* Useful to bypass weak and bespoke web application firewalls that

filter the equal character (‘=’)

* The LIKE operator is SQL standard. Hence, this tamper script

should work against all (?) databases

greatest

Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart

Tested against:

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls that

filter the greater than character

* The GREATEST clause is a widespread SQL command. Hence, this

tamper script should work against majority of databases

multiplespaces

Adds multiple spaces around SQL keywords

Notes:

* Useful to bypass very weak and bespoke web application firewalls

that has poorly written permissive regular expressions

Reference:

nonrecursivereplacement

Replaces predefined SQL keywords with representations

suitable for replacement (e.g. .replace(“SELECT”, “”)) filters

Notes:

* Useful to bypass very weak custom filters

randomcase

Replaces each keyword character with random case value

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass very weak and bespoke web application firewalls

that has poorly written permissive regular expressions

* This tamper script should work against all (?) databases

securesphere

Appends special crafted string

Notes:

* Useful for bypassing Imperva SecureSphere WAF

* Reference:

space2comment

Replaces space character (‘ ‘) with comments ‘/**/’

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls

space2plus

Replaces space character (‘ ‘) with plus (‘+’)

Notes:

* Is this any useful? The plus get’s url-encoded by sqlmap engine

invalidating the query afterwards

* This tamper script works against all databases

space2randomblank

Replaces space character (‘ ‘) with a random blank character from a

valid set of alternate characters

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass several web application firewalls

unionalltounion

Replaces UNION ALL SELECT with UNION SELECT

unmagicquotes

Replaces quote character (‘) with a multi-byte combo %bf%27 together with

generic comment at the end (to make it work)

Notes:

* Useful for bypassing magic_quotes/addslashes feature

Reference:

*

xforwardedfor

Append a fake HTTP header ‘X-Forwarded-For’ to bypass

WAF (usually application based) protection

PostgreSQL

--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,xforwardedfor

between

Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’

Replaces equals operator (‘=’) with ‘BETWEEN # AND #’

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls that

filter the greater than character

* The BETWEEN clause is SQL standard. Hence, this tamper script

should work against all (?) databases

charencode

Url-encodes all characters in a given payload (not processing already

encoded)

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass very weak web application firewalls that do not

url-decode the request before processing it through their ruleset

* The web server will anyway pass the url-decoded version behind,

hence it should work against any DBMS

charunicodeencode

Unicode-url-encodes non-encoded characters in a given payload (not

processing already encoded)

Requirement:

* ASP

* ASP.NET

Tested against:

* Microsoft SQL Server 2000

* Microsoft SQL Server 2005

* MySQL 5.1.56

* PostgreSQL 9.0.3

Notes:

* Useful to bypass weak web application firewalls that do not

unicode url-decode the request before processing it through their

ruleset

equaltolike

Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

Notes:

* Useful to bypass weak and bespoke web application firewalls that

filter the equal character (‘=’)

* The LIKE operator is SQL standard. Hence, this tamper script

should work against all (?) databases

greatest

Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart

Tested against:

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls that

filter the greater than character

* The GREATEST clause is a widespread SQL command. Hence, this

tamper script should work against majority of databases

multiplespaces

Adds multiple spaces around SQL keywords

Notes:

* Useful to bypass very weak and bespoke web application firewalls

that has poorly written permissive regular expressions

Reference:

nonrecursivereplacement

Replaces predefined SQL keywords with representations

suitable for replacement (e.g. .replace(“SELECT”, “”)) filters

Notes:

* Useful to bypass very weak custom filters

percentage

Adds a percentage sign (‘%’) infront of each character

Requirement:

* ASP

Tested against:

* Microsoft SQL Server 2000, 2005

* MySQL 5.1.56, 5.5.11

* PostgreSQL 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls

randomcase

Replaces each keyword character with random case value

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass very weak and bespoke web application firewalls

that has poorly written permissive regular expressions

* This tamper script should work against all (?) databases

securesphere

Appends special crafted string

Notes:

* Useful for bypassing Imperva SecureSphere WAF

* Reference:

space2comment

Replaces space character (‘ ‘) with comments ‘/**/’

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls

space2plus

Replaces space character (‘ ‘) with plus (‘+’)

Notes:

* Is this any useful? The plus get’s url-encoded by sqlmap engine

invalidating the query afterwards

* This tamper script works against all databases

space2randomblank

Replaces space character (‘ ‘) with a random blank character from a

valid set of alternate characters

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass several web application firewalls

xforwardedfor

Append a fake HTTP header ‘X-Forwarded-For’ to bypass

WAF (usually application based) protection

SAP MaxDB

ifnull2ifisnull,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,unionalltounion,unmagicquotes,xforwardedfor

ifnull2ifisnull

Replaces instances like ‘IFNULL(A,
B)
’ with ‘IF(ISNULL(A), B, A)’

Requirement:

* MySQL

* SQLite (possibly)

* SAP MaxDB (possibly)

Tested against:

* MySQL 5.0 and 5.5

Notes:

* Useful to bypass very weak and bespoke web application firewalls

that filter the IFNULL() function

nonrecursivereplacement

Replaces predefined SQL keywords with representations

suitable for replacement (e.g. .replace(“SELECT”, “”)) filters

Notes:

* Useful to bypass very weak custom filters

randomcase

Replaces each keyword character with random case value

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass very weak and bespoke web application firewalls

that has poorly written permissive regular expressions

* This tamper script should work against all (?) databases

securesphere

Appends special crafted string

Notes:

* Useful for bypassing Imperva SecureSphere WAF

* Reference:

space2comment

Replaces space character (‘ ‘) with comments ‘/**/’

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls

space2plus

Replaces space character (‘ ‘) with plus (‘+’)

Notes:

* Is this any useful? The plus get’s url-encoded by sqlmap engine

invalidating the query afterwards

* This tamper script works against all databases

unionalltounion

Replaces UNION ALL SELECT with UNION SELECT

unmagicquotes

Replaces quote character (‘) with a multi-byte combo %bf%27 together with

generic comment at the end (to make it work)

Notes:

* Useful for bypassing magic_quotes/addslashes feature

Reference:

*

xforwardedfor

Append a fake HTTP header ‘X-Forwarded-For’ to bypass

WAF (usually application based) protection

SQLite

ifnull2ifisnull,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2dash,space2plus,unionalltounion,unmagicquotes,xforwardedfor

ifnull2ifisnull

Replaces instances like ‘IFNULL(A,
B)
’ with ‘IF(ISNULL(A), B, A)’

Requirement:

* MySQL

* SQLite (possibly)

* SAP MaxDB (possibly)

Tested against:

* MySQL 5.0 and 5.5

Notes:

* Useful to bypass very weak and bespoke web application firewalls

that filter the IFNULL() function

multiplespaces

Adds multiple spaces around SQL keywords

Notes:

* Useful to bypass very weak and bespoke web application firewalls

that has poorly written permissive regular expressions

Reference:

nonrecursivereplacement

Replaces predefined SQL keywords with representations

suitable for replacement (e.g. .replace(“SELECT”, “”)) filters

Notes:

* Useful to bypass very weak custom filters

randomcase

Replaces each keyword character with random case value

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass very weak and bespoke web application firewalls

that has poorly written permissive regular expressions

* This tamper script should work against all (?) databases

securesphere

Appends special crafted string

Notes:

* Useful for bypassing Imperva SecureSphere WAF

* Reference:

space2comment

Replaces space character (‘ ‘) with comments ‘/**/’

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

* Useful to bypass weak and bespoke web application firewalls

space2dash

Replaces space character (‘ ‘) with a dash comment (‘–‘) followed by

a random string and a new line (‘\n’)

Requirement:

* MSSQL

* SQLite

Notes:

* Useful to bypass several web application firewalls

* Used during the ZeroNights SQL injection challenge,

space2plus

Replaces space character (‘ ‘) with plus (‘+’)

Notes:

* Is this any useful? The plus get’s url-encoded by sqlmap engine

invalidating the query afterwards

* This tamper script works against all databases

unionalltounion

Replaces UNION ALL SELECT with UNION SELECT

unmagicquotes

Replaces quote character (‘) with a multi-byte combo %bf%27 together with

generic comment at the end (to make it work)

Notes:

* Useful for bypassing magic_quotes/addslashes feature

Reference:

*

xforwardedfor

Append a fake HTTP header ‘X-Forwarded-For’ to bypass

WAF (usually application based) protection

Sursa: SQLMap Tamper Scripts | NI @RooT

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...