Nytro Posted December 3, 2014 Report Share Posted December 3, 2014 SQLMap Tamper ScriptsBy Dana TaylorSeptember 24, 2014Pentestsqlmap, tamper scripts When using SQLMap Tamper scripts while doing a pentest can be a bit confusing and a lot of work to figure out which scripts you need to use and when to use them. I have an upcoming pentest I need to perform and figured this is the perfect time to organize all of this. First of all, not all scripts are created equal. Some work for general run-of-the mill sql injection attacks and others are for specific databases. Some are not actually sure if it works on all databases and some have only been officially tested against older versions of database applications. This is the very definition of hit and miss. I reviewed each tamper script and tried to place them in boxes. If you have feedback on any of these boxes PLEASE don’t be shy! Let me know in the comment section. I want this to be a good resource and your help would be greatly appreciated. The General Scripts section contains both non-specific database exploits as well as those that cover a wide range of databases. In my thoughts, this would be a good start script box to use as an initial hit on an application. Again, feedback appreciated. I am going to include the syntax to run each section as well as one to run every script. SQLMap will organize them automatically. However, I captured traffic from running all scripts and it didn’t look familiar at all. not sure if it is a good idea to do this or not. Feedback welcome! Jump to generalMicrosoft-Accessmssqlmysqloraclepostresqlsapsqlite --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords General Scripts --tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes apostrophemask Replaces apostrophe character with its UTF-8 full width counterpartapostrophenullencodeReplaces apostrophe character with its illegal double unicode counterpartbase64encodeBase64 all characters in a given payloadbetweenReplaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’Replaces equals operator (‘=’) with ‘BETWEEN # AND #’ Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass weak and bespoke web application firewalls thatfilter the greater than character* The BETWEEN clause is SQL standard. Hence, this tamper scriptshould work against all (?) databaseschardoubleencodeDouble url-encodes all characters in a given payload (not processingalready encoded) Notes:* Useful to bypass some weak web application firewalls that do notdouble url-decode the request before processing it through theirrulesetcharencodeUrl-encodes all characters in a given payload (not processing alreadyencoded) Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0Notes:* Useful to bypass very weak web application firewalls that do noturl-decode the request before processing it through their ruleset* The web server will anyway pass the url-decoded version behind,hence it should work against any DBMScharunicodeencodeUnicode-url-encodes non-encoded characters in a given payload (notprocessing already encoded) Requirement:* ASP* ASP.NET Tested against:* Microsoft SQL Server 2000* Microsoft SQL Server 2005* MySQL 5.1.56* PostgreSQL 9.0.3 Notes:* Useful to bypass weak web application firewalls that do notunicode url-decode the request before processing it through theirrulesetequaltolikeReplaces all occurances of operator equal (‘=’) with operator ‘LIKE’ Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5 Notes:* Useful to bypass weak and bespoke web application firewalls thatfilter the equal character (‘=’)* The LIKE operator is SQL standard. Hence, this tamper scriptshould work against all (?) databases greatestReplaces greater than operator (‘>’) with ‘GREATEST’ counterpart Tested against:* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass weak and bespoke web application firewalls thatfilter the greater than character* The GREATEST clause is a widespread SQL command. Hence, thistamper script should work against majority of databasesifnull2ifisnullReplaces instances like ‘IFNULL(A, ’ with ‘IF(ISNULL(A), B, A)’ Requirement:* MySQL* SQLite (possibly)* SAP MaxDB (possibly) Tested against:* MySQL 5.0 and 5.5 Notes:* Useful to bypass very weak and bespoke web application firewallsthat filter the IFNULL() functionmultiplespacesAdds multiple spaces around SQL keywords Notes: * Useful to bypass very weak and bespoke web application firewallsthat has poorly written permissive regular expressions Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.pptnonrecursivereplacementReplaces predefined SQL keywords with representationssuitable for replacement (e.g. .replace(“SELECT”, “”)) filters Notes:* Useful to bypass very weak custom filtersrandomcaseReplaces each keyword character with random case value Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass very weak and bespoke web application firewallsthat has poorly written permissive regular expressions* This tamper script should work against all (?) databasessecuresphereAppends special crafted stringNotes:* Useful for bypassing Imperva SecureSphere WAF* Reference: Full Disclosure: Imperva SecureSphere - SQL injection filter bypassspace2commentReplaces space character (‘ ‘) with comments ‘/**/’ Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass weak and bespoke web application firewallsspace2plusReplaces space character (‘ ‘) with plus (‘+’) Notes:* Is this any useful? The plus get’s url-encoded by sqlmap engineinvalidating the query afterwards* This tamper script works against all databasesspace2randomblankReplaces space character (‘ ‘) with a random blank character from avalid set of alternate characters Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass several web application firewallsunionalltounionReplaces UNION ALL SELECT with UNION SELECTunmagicquotesReplaces quote character (‘) with a multi-byte combo %bf%27 together withgeneric comment at the end (to make it work) Notes:* Useful for bypassing magic_quotes/addslashes feature Reference:* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-stringxforwardedforAppend a fake HTTP header ‘X-Forwarded-For’ to bypassWAF (usually application based) protectionMicrosoft Access --tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords appendnullbyteAppends encoded NULL byte character at the end of payload Requirement:* Microsoft Access Notes:* Useful to bypass weak web application firewalls when the back-enddatabase management system is Microsoft Access – further uses arealso possibleequaltolikeReplaces all occurances of operator equal (‘=’) with operator ‘LIKE’ Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5 Notes:* Useful to bypass weak and bespoke web application firewalls thatfilter the equal character (‘=’)* The LIKE operator is SQL standard. Hence, this tamper scriptshould work against all (?) databasesgreatestReplaces greater than operator (‘>’) with ‘GREATEST’ counterpart Tested against:* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass weak and bespoke web application firewalls thatfilter the greater than character* The GREATEST clause is a widespread SQL command. Hence, thistamper script should work against majority of databasesmultiplespacesAdds multiple spaces around SQL keywords Notes: * Useful to bypass very weak and bespoke web application firewallsthat has poorly written permissive regular expressions Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt nonrecursivereplacementReplaces predefined SQL keywords with representationssuitable for replacement (e.g. .replace(“SELECT”, “”)) filters Notes:* Useful to bypass very weak custom filters randomcaseReplaces each keyword character with random case value Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass very weak and bespoke web application firewallsthat has poorly written permissive regular expressions* This tamper script should work against all (?) databases securesphereAppends special crafted stringNotes:* Useful for bypassing Imperva SecureSphere WAF* Reference: Full Disclosure: Imperva SecureSphere - SQL injection filter bypassspace2commentReplaces space character (‘ ‘) with comments ‘/**/’ Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass weak and bespoke web application firewalls space2plusReplaces space character (‘ ‘) with plus (‘+’) Notes:* Is this any useful? The plus get’s url-encoded by sqlmap engineinvalidating the query afterwards* This tamper script works against all databasesunionalltounionReplaces UNION ALL SELECT with UNION SELECT unmagicquotesReplaces quote character (‘) with a multi-byte combo %bf%27 together withgeneric comment at the end (to make it work) Notes:* Useful for bypassing magic_quotes/addslashes feature Reference:* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-stringxforwardedforAppend a fake HTTP header ‘X-Forwarded-For’ to bypassWAF (usually application based) protection Microsoft SQL Server --tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes betweenReplaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’Replaces equals operator (‘=’) with ‘BETWEEN # AND #’ Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass weak and bespoke web application firewalls thatfilter the greater than character* The BETWEEN clause is SQL standard. Hence, this tamper scriptshould work against all (?) databasescharencodeUrl-encodes all characters in a given payload (not processing alreadyencoded) Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0Notes:* Useful to bypass very weak web application firewalls that do noturl-decode the request before processing it through their ruleset* The web server will anyway pass the url-decoded version behind,hence it should work against any DBMScharunicodeencodeUnicode-url-encodes non-encoded characters in a given payload (notprocessing already encoded) Requirement:* ASP* ASP.NET Tested against:* Microsoft SQL Server 2000* Microsoft SQL Server 2005* MySQL 5.1.56* PostgreSQL 9.0.3 Notes:* Useful to bypass weak web application firewalls that do notunicode url-decode the request before processing it through theirrulesetequaltolikeReplaces all occurances of operator equal (‘=’) with operator ‘LIKE’ Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5 Notes:* Useful to bypass weak and bespoke web application firewalls thatfilter the equal character (‘=’)* The LIKE operator is SQL standard. Hence, this tamper scriptshould work against all (?) databasesgreatestReplaces greater than operator (‘>’) with ‘GREATEST’ counterpart Tested against:* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass weak and bespoke web application firewalls thatfilter the greater than character* The GREATEST clause is a widespread SQL command. Hence, thistamper script should work against majority of databasesmultiplespacesAdds multiple spaces around SQL keywords Notes: * Useful to bypass very weak and bespoke web application firewallsthat has poorly written permissive regular expressions Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt nonrecursivereplacementReplaces predefined SQL keywords with representationssuitable for replacement (e.g. .replace(“SELECT”, “”)) filters Notes:* Useful to bypass very weak custom filterspercentageAdds a percentage sign (‘%’) infront of each character Requirement:* ASP Tested against:* Microsoft SQL Server 2000, 2005* MySQL 5.1.56, 5.5.11* PostgreSQL 9.0 Notes:* Useful to bypass weak and bespoke web application firewalls randomcaseReplaces each keyword character with random case value Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass very weak and bespoke web application firewallsthat has poorly written permissive regular expressions* This tamper script should work against all (?) databases securesphereAppends special crafted stringNotes:* Useful for bypassing Imperva SecureSphere WAF* Reference: Full Disclosure: Imperva SecureSphere - SQL injection filter bypasssp_passwordAppends ‘sp_password’ to the end of the payload for automatic obfuscation from DBMS logsRequirement:* MSSQLNotes:* Appending sp_password to the end of the query will hide it from T-SQL logs as a security measure* Reference: The SQL Injection Knowledge Base space2commentReplaces space character (‘ ‘) with comments ‘/**/’ Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass weak and bespoke web application firewallsspace2dashReplaces space character (‘ ‘) with a dash comment (‘–‘) followed bya random string and a new line (‘\n’) Requirement:* MSSQL* SQLite Notes:* Useful to bypass several web application firewalls* Used during the ZeroNights SQL injection challenge,https://proton.onsec.ru/contest/space2mssqlblankReplaces space character (‘ ‘) with a random blank character from avalid set of alternate characters Requirement:* Microsoft SQL Server Tested against:* Microsoft SQL Server 2000* Microsoft SQL Server 2005 Notes:* Useful to bypass several web application firewallsspace2mysqldashReplaces space character (‘ ‘) with a dash comment (‘–‘) followed bya new line (‘\n’) Requirement:* MySQL* MSSQL Tested against: Notes:* Useful to bypass several web application firewalls. space2plusReplaces space character (‘ ‘) with plus (‘+’) Notes:* Is this any useful? The plus get’s url-encoded by sqlmap engineinvalidating the query afterwards* This tamper script works against all databasesspace2randomblankReplaces space character (‘ ‘) with a random blank character from avalid set of alternate characters Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass several web application firewallsunionalltounionReplaces UNION ALL SELECT with UNION SELECTunmagicquotesReplaces quote character (‘) with a multi-byte combo %bf%27 together withgeneric comment at the end (to make it work) Notes:* Useful for bypassing magic_quotes/addslashes feature Reference:* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-stringxforwardedforAppend a fake HTTP header ‘X-Forwarded-For’ to bypassWAF (usually application based) protection MySQL --tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor betweenReplaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’Replaces equals operator (‘=’) with ‘BETWEEN # AND #’ Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass weak and bespoke web application firewalls thatfilter the greater than character* The BETWEEN clause is SQL standard. Hence, this tamper scriptshould work against all (?) databasesbluecoatReplaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator Requirement:* Blue Coat SGOS with WAF activated as documented in https://kb.bluecoat.com/index?page=content&id=FAQ2147 Tested against:* MySQL 5.1, SGOS Notes:* Useful to bypass Blue Coat’s recommended WAF rule configurationcharencodeUrl-encodes all characters in a given payload (not processing alreadyencoded) Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0Notes:* Useful to bypass very weak web application firewalls that do noturl-decode the request before processing it through their ruleset* The web server will anyway pass the url-decoded version behind,hence it should work against any DBMScharunicodeencodeUnicode-url-encodes non-encoded characters in a given payload (notprocessing already encoded) Requirement:* ASP* ASP.NET Tested against:* Microsoft SQL Server 2000* Microsoft SQL Server 2005* MySQL 5.1.56* PostgreSQL 9.0.3 Notes:* Useful to bypass weak web application firewalls that do notunicode url-decode the request before processing it through theirrulesetconcat2concatwsReplaces instances like ‘CONCAT(A, ’ with ‘CONCAT_WS(MID(CHAR(0), 0, 0), A, ’ Requirement:* MySQL Tested against:* MySQL 5.0 Notes:* Useful to bypass very weak and bespoke web application firewallsthat filter the CONCAT() functionequaltolikeReplaces all occurances of operator equal (‘=’) with operator ‘LIKE’ Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5 Notes:* Useful to bypass weak and bespoke web application firewalls thatfilter the equal character (‘=’)* The LIKE operator is SQL standard. Hence, this tamper scriptshould work against all (?) databasesgreatestReplaces greater than operator (‘>’) with ‘GREATEST’ counterpart Tested against:* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass weak and bespoke web application firewalls thatfilter the greater than character* The GREATEST clause is a widespread SQL command. Hence, thistamper script should work against majority of databaseshalfversionedmorekeywordsAdds versioned MySQL comment before each keyword Requirement:* MySQL < 5.1 Tested against:* MySQL 4.0.18, 5.0.22 Notes:* Useful to bypass several web application firewalls when theback-end database management system is MySQL* Used during the ModSecurity SQL injection challenge, ModSecurity: Open Source Web Application Firewallifnull2ifisnullReplaces instances like ‘IFNULL(A, ’ with ‘IF(ISNULL(A), B, A)’ Requirement:* MySQL* SQLite (possibly)* SAP MaxDB (possibly) Tested against:* MySQL 5.0 and 5.5 Notes:* Useful to bypass very weak and bespoke web application firewallsthat filter the IFNULL() functionmodsecurityversionedEmbraces complete query with versioned comment Requirement:* MySQLTested against:* MySQL 5.0 Notes:* Useful to bypass ModSecurity WAF/IDSmodsecurityzeroversionedEmbraces complete query with zero-versioned comment Requirement:* MySQL Tested against:* MySQL 5.0 Notes:* Useful to bypass ModSecurity WAF/IDSmultiplespacesAdds multiple spaces around SQL keywords Notes: * Useful to bypass very weak and bespoke web application firewallsthat has poorly written permissive regular expressions Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.pptnonrecursivereplacementReplaces predefined SQL keywords with representationssuitable for replacement (e.g. .replace(“SELECT”, “”)) filters Notes:* Useful to bypass very weak custom filterspercentageAdds a percentage sign (‘%’) infront of each character Requirement:* ASP Tested against:* Microsoft SQL Server 2000, 2005* MySQL 5.1.56, 5.5.11* PostgreSQL 9.0 Notes:* Useful to bypass weak and bespoke web application firewalls randomcaseReplaces each keyword character with random case value Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass very weak and bespoke web application firewallsthat has poorly written permissive regular expressions* This tamper script should work against all (?) databases securesphereAppends special crafted stringNotes:* Useful for bypassing Imperva SecureSphere WAF* Reference: Full Disclosure: Imperva SecureSphere - SQL injection filter bypassspace2commentReplaces space character (‘ ‘) with comments ‘/**/’ Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass weak and bespoke web application firewallsspace2hashReplaces space character (‘ ‘) with a pound character (‘#’) followed bya random string and a new line (‘\n’) Requirement:* MySQL Tested against:* MySQL 4.0, 5.0 Notes:* Useful to bypass several web application firewalls* Used during the ModSecurity SQL injection challenge,ModSecurity: Open Source Web Application Firewallspace2morehashReplaces space character (‘ ‘) with a pound character (‘#’) followed bya random string and a new line (‘\n’) Requirement:* MySQL >= 5.1.13 Tested against:* MySQL 5.1.41 Notes:* Useful to bypass several web application firewalls* Used during the ModSecurity SQL injection challenge,ModSecurity: Open Source Web Application Firewall space2mysqldashReplaces space character (‘ ‘) with a dash comment (‘–‘) followed bya new line (‘\n’) Requirement:* MySQL* MSSQL Tested against: Notes:* Useful to bypass several web application firewalls.space2plusReplaces space character (‘ ‘) with plus (‘+’) Notes:* Is this any useful? The plus get’s url-encoded by sqlmap engineinvalidating the query afterwards* This tamper script works against all databases space2randomblankReplaces space character (‘ ‘) with a random blank character from avalid set of alternate characters Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass several web application firewallsunionalltounionReplaces UNION ALL SELECT with UNION SELECT unmagicquotesReplaces quote character (‘) with a multi-byte combo %bf%27 together withgeneric comment at the end (to make it work) Notes:* Useful for bypassing magic_quotes/addslashes feature Reference:* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-stringversionedkeywordsEncloses each non-function keyword with versioned MySQL comment Requirement:* MySQL Tested against:* MySQL 4.0.18, 5.1.56, 5.5.11 Notes:* Useful to bypass several web application firewalls when theback-end database management system is MySQLversionedmorekeywordsEncloses each keyword with versioned MySQL comment Requirement:* MySQL >= 5.1.13 Tested against:* MySQL 5.1.56, 5.5.11 Notes:* Useful to bypass several web application firewalls when theback-end database management system is MySQLxforwardedforAppend a fake HTTP header ‘X-Forwarded-For’ to bypassWAF (usually application based) protection Oracle --tamper=between,charencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes,xforwardedfor betweenReplaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’Replaces equals operator (‘=’) with ‘BETWEEN # AND #’ Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass weak and bespoke web application firewalls thatfilter the greater than character* The BETWEEN clause is SQL standard. Hence, this tamper scriptshould work against all (?) databasescharencodeUrl-encodes all characters in a given payload (not processing alreadyencoded) Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0Notes:* Useful to bypass very weak web application firewalls that do noturl-decode the request before processing it through their ruleset* The web server will anyway pass the url-decoded version behind,hence it should work against any DBMSequaltolikeReplaces all occurances of operator equal (‘=’) with operator ‘LIKE’ Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5 Notes:* Useful to bypass weak and bespoke web application firewalls thatfilter the equal character (‘=’)* The LIKE operator is SQL standard. Hence, this tamper scriptshould work against all (?) databases greatestReplaces greater than operator (‘>’) with ‘GREATEST’ counterpart Tested against:* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass weak and bespoke web application firewalls thatfilter the greater than character* The GREATEST clause is a widespread SQL command. Hence, thistamper script should work against majority of databasesmultiplespacesAdds multiple spaces around SQL keywords Notes: * Useful to bypass very weak and bespoke web application firewallsthat has poorly written permissive regular expressions Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt nonrecursivereplacementReplaces predefined SQL keywords with representationssuitable for replacement (e.g. .replace(“SELECT”, “”)) filters Notes:* Useful to bypass very weak custom filtersrandomcaseReplaces each keyword character with random case value Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass very weak and bespoke web application firewallsthat has poorly written permissive regular expressions* This tamper script should work against all (?) databases securesphereAppends special crafted stringNotes:* Useful for bypassing Imperva SecureSphere WAF* Reference: Full Disclosure: Imperva SecureSphere - SQL injection filter bypass space2commentReplaces space character (‘ ‘) with comments ‘/**/’ Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass weak and bespoke web application firewalls space2plusReplaces space character (‘ ‘) with plus (‘+’) Notes:* Is this any useful? The plus get’s url-encoded by sqlmap engineinvalidating the query afterwards* This tamper script works against all databasesspace2randomblankReplaces space character (‘ ‘) with a random blank character from avalid set of alternate characters Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass several web application firewalls unionalltounionReplaces UNION ALL SELECT with UNION SELECT unmagicquotesReplaces quote character (‘) with a multi-byte combo %bf%27 together withgeneric comment at the end (to make it work) Notes:* Useful for bypassing magic_quotes/addslashes feature Reference:* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string xforwardedforAppend a fake HTTP header ‘X-Forwarded-For’ to bypassWAF (usually application based) protection PostgreSQL --tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,xforwardedfor betweenReplaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’Replaces equals operator (‘=’) with ‘BETWEEN # AND #’ Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass weak and bespoke web application firewalls thatfilter the greater than character* The BETWEEN clause is SQL standard. Hence, this tamper scriptshould work against all (?) databasescharencodeUrl-encodes all characters in a given payload (not processing alreadyencoded) Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0Notes:* Useful to bypass very weak web application firewalls that do noturl-decode the request before processing it through their ruleset* The web server will anyway pass the url-decoded version behind,hence it should work against any DBMScharunicodeencodeUnicode-url-encodes non-encoded characters in a given payload (notprocessing already encoded) Requirement:* ASP* ASP.NET Tested against:* Microsoft SQL Server 2000* Microsoft SQL Server 2005* MySQL 5.1.56* PostgreSQL 9.0.3 Notes:* Useful to bypass weak web application firewalls that do notunicode url-decode the request before processing it through theirrulesetequaltolikeReplaces all occurances of operator equal (‘=’) with operator ‘LIKE’ Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5 Notes:* Useful to bypass weak and bespoke web application firewalls thatfilter the equal character (‘=’)* The LIKE operator is SQL standard. Hence, this tamper scriptshould work against all (?) databases greatestReplaces greater than operator (‘>’) with ‘GREATEST’ counterpart Tested against:* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass weak and bespoke web application firewalls thatfilter the greater than character* The GREATEST clause is a widespread SQL command. Hence, thistamper script should work against majority of databasesmultiplespacesAdds multiple spaces around SQL keywords Notes: * Useful to bypass very weak and bespoke web application firewallsthat has poorly written permissive regular expressions Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.pptnonrecursivereplacementReplaces predefined SQL keywords with representationssuitable for replacement (e.g. .replace(“SELECT”, “”)) filters Notes:* Useful to bypass very weak custom filterspercentageAdds a percentage sign (‘%’) infront of each character Requirement:* ASP Tested against:* Microsoft SQL Server 2000, 2005* MySQL 5.1.56, 5.5.11* PostgreSQL 9.0 Notes:* Useful to bypass weak and bespoke web application firewalls randomcaseReplaces each keyword character with random case value Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass very weak and bespoke web application firewallsthat has poorly written permissive regular expressions* This tamper script should work against all (?) databases securesphereAppends special crafted stringNotes:* Useful for bypassing Imperva SecureSphere WAF* Reference: Full Disclosure: Imperva SecureSphere - SQL injection filter bypassspace2commentReplaces space character (‘ ‘) with comments ‘/**/’ Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass weak and bespoke web application firewalls space2plusReplaces space character (‘ ‘) with plus (‘+’) Notes:* Is this any useful? The plus get’s url-encoded by sqlmap engineinvalidating the query afterwards* This tamper script works against all databasesspace2randomblankReplaces space character (‘ ‘) with a random blank character from avalid set of alternate characters Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass several web application firewalls xforwardedforAppend a fake HTTP header ‘X-Forwarded-For’ to bypassWAF (usually application based) protection SAP MaxDB ifnull2ifisnull,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,unionalltounion,unmagicquotes,xforwardedfor ifnull2ifisnullReplaces instances like ‘IFNULL(A, ’ with ‘IF(ISNULL(A), B, A)’ Requirement:* MySQL* SQLite (possibly)* SAP MaxDB (possibly) Tested against:* MySQL 5.0 and 5.5 Notes:* Useful to bypass very weak and bespoke web application firewallsthat filter the IFNULL() functionnonrecursivereplacementReplaces predefined SQL keywords with representationssuitable for replacement (e.g. .replace(“SELECT”, “”)) filters Notes:* Useful to bypass very weak custom filtersrandomcaseReplaces each keyword character with random case value Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass very weak and bespoke web application firewallsthat has poorly written permissive regular expressions* This tamper script should work against all (?) databases securesphereAppends special crafted stringNotes:* Useful for bypassing Imperva SecureSphere WAF* Reference: Full Disclosure: Imperva SecureSphere - SQL injection filter bypassspace2commentReplaces space character (‘ ‘) with comments ‘/**/’ Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass weak and bespoke web application firewalls space2plusReplaces space character (‘ ‘) with plus (‘+’) Notes:* Is this any useful? The plus get’s url-encoded by sqlmap engineinvalidating the query afterwards* This tamper script works against all databases unionalltounionReplaces UNION ALL SELECT with UNION SELECT unmagicquotesReplaces quote character (‘) with a multi-byte combo %bf%27 together withgeneric comment at the end (to make it work) Notes:* Useful for bypassing magic_quotes/addslashes feature Reference:* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-stringxforwardedforAppend a fake HTTP header ‘X-Forwarded-For’ to bypassWAF (usually application based) protection SQLite ifnull2ifisnull,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2dash,space2plus,unionalltounion,unmagicquotes,xforwardedfor ifnull2ifisnullReplaces instances like ‘IFNULL(A, ’ with ‘IF(ISNULL(A), B, A)’ Requirement:* MySQL* SQLite (possibly)* SAP MaxDB (possibly) Tested against:* MySQL 5.0 and 5.5 Notes:* Useful to bypass very weak and bespoke web application firewallsthat filter the IFNULL() functionmultiplespacesAdds multiple spaces around SQL keywords Notes: * Useful to bypass very weak and bespoke web application firewallsthat has poorly written permissive regular expressions Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt nonrecursivereplacementReplaces predefined SQL keywords with representationssuitable for replacement (e.g. .replace(“SELECT”, “”)) filters Notes:* Useful to bypass very weak custom filtersrandomcaseReplaces each keyword character with random case value Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass very weak and bespoke web application firewallsthat has poorly written permissive regular expressions* This tamper script should work against all (?) databases securesphereAppends special crafted stringNotes:* Useful for bypassing Imperva SecureSphere WAF* Reference: Full Disclosure: Imperva SecureSphere - SQL injection filter bypassspace2commentReplaces space character (‘ ‘) with comments ‘/**/’ Tested against:* Microsoft SQL Server 2005* MySQL 4, 5.0 and 5.5* Oracle 10g* PostgreSQL 8.3, 8.4, 9.0 Notes:* Useful to bypass weak and bespoke web application firewallsspace2dashReplaces space character (‘ ‘) with a dash comment (‘–‘) followed bya random string and a new line (‘\n’) Requirement:* MSSQL* SQLite Notes:* Useful to bypass several web application firewalls* Used during the ZeroNights SQL injection challenge,https://proton.onsec.ru/contest/ space2plusReplaces space character (‘ ‘) with plus (‘+’) Notes:* Is this any useful? The plus get’s url-encoded by sqlmap engineinvalidating the query afterwards* This tamper script works against all databases unionalltounionReplaces UNION ALL SELECT with UNION SELECTunmagicquotesReplaces quote character (‘) with a multi-byte combo %bf%27 together withgeneric comment at the end (to make it work) Notes:* Useful for bypassing magic_quotes/addslashes feature Reference:* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-stringxforwardedforAppend a fake HTTP header ‘X-Forwarded-For’ to bypassWAF (usually application based) protectionSursa: SQLMap Tamper Scripts | NI @RooT Quote Link to comment Share on other sites More sharing options...
