SQLmap tamper script for bypassing WAF

Tamper injection data

Option: –tamper

sqlmap itself does no obfuscation of the payload sent, except for strings between single quotes replaced by their CHAR()-alike representation. More information about programming you can find on Thoughtsoncloud.

This option can be very useful and powerful in situations where there is a weak input validation mechanism between you and the back-end database management system. This mechanism usually is a self-developed input validation routine called by the application source code, an expensive enterprise-grade IPS appliance or a web application firewall (WAF). All buzzwords to define the same concept, implemented in a different way and costing lots of money, usually.

To take advantage of this option, provide sqlmap with a comma-separated list of tamper scripts and this will process the payload and return it transformed. You can define your own tamper scripts, use sqlmap ones from the tamper/ folder or edit them as long as you concatenate them comma-separated as a value of the option --tamper (e.g. --tamper="between,randomcase").

Here are the list tamper injection data

1. apostrophemask.py replace single quote character in UTF-8-byte characters
2. apostrophenullencode.py replace single-quote character with an illegal double-byte Unicode characters
3. appendnullbyte.py, add a null character at the end of payload encoding
4. base64encode.py use Base64 encoding for a given payload all characters
5. between.py, “the BETWEEN the AND # #” is replaced with “NOT BETWEEN 0 AND #” replace greater-than sign “>” equal sign “=”
6. bluecoat.py After the SQL statements replace spaces with valid random whitespace, followed by “the LIKE” Alternatively equal sign “=”
7. chardoubleencode.py use double URL encoding for a given payload all characters (not handle characters already encoded)
8. charencode.py use URL encoding for a given payload all characters (not handle characters already encoded)
9. charunicodeencode.py use Unicode URL encoding for a given payload of non-coded character (the character does not handle already encoded)
10. concat2concatws.py with Examples “CONCAT_WS (MID (CHAR (0 ), 0, 0), A, B)” replacement image “CONCAT (A, B)” is
11. equaltolike.py with “the LIKE” operator replace all equal sign “=”
12. greatest.py Alternatively greater than “>” use “GREATEST” function
13. halfversionedmorekeywords.py add MySQL comments before each keyword
14. ifnull2ifisnull.py with “IF (ISNULL (A), B, A)” replacement image “IFNULL (A, B)” Examples
15. lowercase.py replace the value of each keyword character lowercase
16. modsecurityversioned.py surrounded by complete query with a comment
17. modsecurityzeroversioned.py comments with zero digits of which is surrounded by a full inquiry
18. multiplespaces.py add more spaces around SQL keywords
19. nonrecursivereplacement.py replace the predefined keywords using SQL representations, a filter suitable for
20. overlongutf8.py conversion to all characters in a given payload among
21. percentage.py add a percent sign before each character
22. randomcase.py random character case conversion for each keyword
23. randomcomments.py insert random comments to SQL keywords
24. securesphere.py add the string through a special configuration
25. sp_password.py Appends ‘sp_password’ to the end of the payload for automatic obfuscation from DBMS logs
26. space2comment.py replace spaces with “/ ** /”
27. space2dash.py dash comment character “-” followed by a linefeed a random string of characters and replace the space character
28. space2hash.py pounds comment character “#” followed by a linefeed a random string of characters and replace the space character
29. space2morehash.py pounds comment character “#” followed by a linefeed a random string of characters and replace the space character
30. space2mssqlblank.py replace spaces with a set of valid candidate among the set of random character whitespace
31. space2mssqlhash.py pounds comment symbol “#” followed by a space character to replace newline
32. space2mysqlblank.py replace spaces with a set of valid candidate among the set of random character whitespace
33. space2mysqldash.py dash comment character “-” followed by a linefeed character replace spaces
34. space2plus.py a plus “+” with spaces
35. space2randomblank.py replace spaces with a set of valid candidate among the set of random character whitespace
36. unionalltounion.py Replaces UNION ALL SELECT with UNION SELECT
37. unmagicquotes.py use a combination of multi-byte% bf% 27 and the end of general note replaced with spaces
38. varnish.py add an HTTP header “X-originating-IP” to bypass WAF
39. versionedkeywords.py surrounding each non-comment function key with MySQL
40. versionedmorekeywords.py surrounded by each keyword with a MySQL Notes

Usage

MSSQL:

tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

 

MySQL:

 tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor

 

General Tamper testing:

tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

 

Example:

sqlmap -u 'http://www.site.com:80/search.cmd?form_state=1’ --level=5 --risk=3 -p 'item1' --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords

 

Reference:

• https://github.com/sqlmapproject/sqlmap/tree/master/tamper
• https://forum.bugcrowd.com/t/sqlmap-tamper-scripts-sql-injection-and-waf-bypass/423