Skip to content

Instantly share code, notes, and snippets.

@v3rlly
Forked from castexyz/sqlmapTamperScripts.md
Created May 14, 2018 08:44
Show Gist options
  • Save v3rlly/6a81e4cb1de1ce00dc30890adf5db0cd to your computer and use it in GitHub Desktop.
Save v3rlly/6a81e4cb1de1ce00dc30890adf5db0cd to your computer and use it in GitHub Desktop.
Sqlmap TamperScripts
************General Scripts
--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
apostrophemask
Replaces apostrophe character with its UTF-8 full width counterpart
apostrophenullencode
Replaces apostrophe character with its illegal double unicode counterpart
base64encode
Base64 all characters in a given payload
between
Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’
Replaces equals operator (‘=’) with ‘BETWEEN # AND #’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The BETWEEN clause is SQL standard. Hence, this tamper script
should work against all (?) databases
chardoubleencode
Double url-encodes all characters in a given payload (not processing
already encoded)
Notes:
* Useful to bypass some weak web application firewalls that do not
double url-decode the request before processing it through their
ruleset
charencode
Url-encodes all characters in a given payload (not processing already
encoded)
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak web application firewalls that do not
url-decode the request before processing it through their ruleset
* The web server will anyway pass the url-decoded version behind,
hence it should work against any DBMS
charunicodeencode
Unicode-url-encodes non-encoded characters in a given payload (not
processing already encoded)
Requirement:
* ASP
* ASP.NET
Tested against:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
* MySQL 5.1.56
* PostgreSQL 9.0.3
Notes:
* Useful to bypass weak web application firewalls that do not
unicode url-decode the request before processing it through their
ruleset
equaltolike
Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the equal character (‘=’)
* The LIKE operator is SQL standard. Hence, this tamper script
should work against all (?) databases
greatest
Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart
Tested against:
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The GREATEST clause is a widespread SQL command. Hence, this
tamper script should work against majority of databases
ifnull2ifisnull
Replaces instances like ‘IFNULL(A, B)’ with ‘IF(ISNULL(A), B, A)’
Requirement:
* MySQL
* SQLite (possibly)
* SAP MaxDB (possibly)
Tested against:
* MySQL 5.0 and 5.5
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that filter the IFNULL() function
multiplespaces
Adds multiple spaces around SQL keywords
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that has poorly written permissive regular expressions
Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
nonrecursivereplacement
Replaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace(“SELECT”, “”)) filters
Notes:
* Useful to bypass very weak custom filters
randomcase
Replaces each keyword character with random case value
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that has poorly written permissive regular expressions
* This tamper script should work against all (?) databases
securesphere
Appends special crafted string
Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163
space2comment
Replaces space character (‘ ‘) with comments ‘/**/’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls
space2plus
Replaces space character (‘ ‘) with plus (‘+’)
Notes:
* Is this any useful? The plus get’s url-encoded by sqlmap engine
invalidating the query afterwards
* This tamper script works against all databases
space2randomblank
Replaces space character (‘ ‘) with a random blank character from a
valid set of alternate characters
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass several web application firewalls
unionalltounion
Replaces UNION ALL SELECT with UNION SELECT
unmagicquotes
Replaces quote character (‘) with a multi-byte combo %bf%27 together with
generic comment at the end (to make it work)
Notes:
* Useful for bypassing magic_quotes/addslashes feature
Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
xforwardedfor
Append a fake HTTP header ‘X-Forwarded-For’ to bypass
WAF (usually application based) protection
Microsoft Access
--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
appendnullbyte
Appends encoded NULL byte character at the end of payload
Requirement:
* Microsoft Access
Notes:
* Useful to bypass weak web application firewalls when the back-end
database management system is Microsoft Access – further uses are
also possible
equaltolike
Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the equal character (‘=’)
* The LIKE operator is SQL standard. Hence, this tamper script
should work against all (?) databases
greatest
Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart
Tested against:
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The GREATEST clause is a widespread SQL command. Hence, this
tamper script should work against majority of databases
multiplespaces
Adds multiple spaces around SQL keywords
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that has poorly written permissive regular expressions
Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
nonrecursivereplacement
Replaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace(“SELECT”, “”)) filters
Notes:
* Useful to bypass very weak custom filters
randomcase
Replaces each keyword character with random case value
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that has poorly written permissive regular expressions
* This tamper script should work against all (?) databases
securesphere
Appends special crafted string
Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163
space2comment
Replaces space character (‘ ‘) with comments ‘/**/’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls
space2plus
Replaces space character (‘ ‘) with plus (‘+’)
Notes:
* Is this any useful? The plus get’s url-encoded by sqlmap engine
invalidating the query afterwards
* This tamper script works against all databases
unionalltounion
Replaces UNION ALL SELECT with UNION SELECT
unmagicquotes
Replaces quote character (‘) with a multi-byte combo %bf%27 together with
generic comment at the end (to make it work)
Notes:
* Useful for bypassing magic_quotes/addslashes feature
Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
xforwardedfor
Append a fake HTTP header ‘X-Forwarded-For’ to bypass
WAF (usually application based) protection
Microsoft SQL Server
--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes
between
Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’
Replaces equals operator (‘=’) with ‘BETWEEN # AND #’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The BETWEEN clause is SQL standard. Hence, this tamper script
should work against all (?) databases
charencode
Url-encodes all characters in a given payload (not processing already
encoded)
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak web application firewalls that do not
url-decode the request before processing it through their ruleset
* The web server will anyway pass the url-decoded version behind,
hence it should work against any DBMS
charunicodeencode
Unicode-url-encodes non-encoded characters in a given payload (not
processing already encoded)
Requirement:
* ASP
* ASP.NET
Tested against:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
* MySQL 5.1.56
* PostgreSQL 9.0.3
Notes:
* Useful to bypass weak web application firewalls that do not
unicode url-decode the request before processing it through their
ruleset
equaltolike
Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the equal character (‘=’)
* The LIKE operator is SQL standard. Hence, this tamper script
should work against all (?) databases
greatest
Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart
Tested against:
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The GREATEST clause is a widespread SQL command. Hence, this
tamper script should work against majority of databases
multiplespaces
Adds multiple spaces around SQL keywords
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that has poorly written permissive regular expressions
Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
nonrecursivereplacement
Replaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace(“SELECT”, “”)) filters
Notes:
* Useful to bypass very weak custom filters
percentage
Adds a percentage sign (‘%’) infront of each character
Requirement:
* ASP
Tested against:
* Microsoft SQL Server 2000, 2005
* MySQL 5.1.56, 5.5.11
* PostgreSQL 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls
randomcase
Replaces each keyword character with random case value
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that has poorly written permissive regular expressions
* This tamper script should work against all (?) databases
securesphere
Appends special crafted string
Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163
sp_password
Appends ‘sp_password’ to the end of the payload for automatic obfuscation from DBMS logs
Requirement:
* MSSQL
Notes:
* Appending sp_password to the end of the query will hide it from T-SQL logs as a security measure
* Reference: http://websec.ca/kb/sql_injection
space2comment
Replaces space character (‘ ‘) with comments ‘/**/’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls
space2dash
Replaces space character (‘ ‘) with a dash comment (‘–’) followed by
a random string and a new line (‘\n’)
Requirement:
* MSSQL
* SQLite
Notes:
* Useful to bypass several web application firewalls
* Used during the ZeroNights SQL injection challenge,
https://proton.onsec.ru/contest/
space2mssqlblank
Replaces space character (‘ ‘) with a random blank character from a
valid set of alternate characters
Requirement:
* Microsoft SQL Server
Tested against:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
Notes:
* Useful to bypass several web application firewalls
space2mysqldash
Replaces space character (‘ ‘) with a dash comment (‘–’) followed by
a new line (‘\n’)
Requirement:
* MySQL
* MSSQL
Tested against:
Notes:
* Useful to bypass several web application firewalls.
space2plus
Replaces space character (‘ ‘) with plus (‘+’)
Notes:
* Is this any useful? The plus get’s url-encoded by sqlmap engine
invalidating the query afterwards
* This tamper script works against all databases
space2randomblank
Replaces space character (‘ ‘) with a random blank character from a
valid set of alternate characters
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass several web application firewalls
unionalltounion
Replaces UNION ALL SELECT with UNION SELECT
unmagicquotes
Replaces quote character (‘) with a multi-byte combo %bf%27 together with
generic comment at the end (to make it work)
Notes:
* Useful for bypassing magic_quotes/addslashes feature
Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
xforwardedfor
Append a fake HTTP header ‘X-Forwarded-For’ to bypass
WAF (usually application based) protection
MySQL
--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
between
Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’
Replaces equals operator (‘=’) with ‘BETWEEN # AND #’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The BETWEEN clause is SQL standard. Hence, this tamper script
should work against all (?) databases
bluecoat
Replaces space character after SQL statement with a valid random blank character.
Afterwards replace character = with LIKE operator
Requirement:
* Blue Coat SGOS with WAF activated as documented in
https://kb.bluecoat.com/index?page=content&id=FAQ2147
Tested against:
* MySQL 5.1, SGOS
Notes:
* Useful to bypass Blue Coat’s recommended WAF rule configuration
charencode
Url-encodes all characters in a given payload (not processing already
encoded)
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak web application firewalls that do not
url-decode the request before processing it through their ruleset
* The web server will anyway pass the url-decoded version behind,
hence it should work against any DBMS
charunicodeencode
Unicode-url-encodes non-encoded characters in a given payload (not
processing already encoded)
Requirement:
* ASP
* ASP.NET
Tested against:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
* MySQL 5.1.56
* PostgreSQL 9.0.3
Notes:
* Useful to bypass weak web application firewalls that do not
unicode url-decode the request before processing it through their
ruleset
concat2concatws
Replaces instances like ‘CONCAT(A, B)’ with ‘CONCAT_WS(MID(CHAR(0), 0, 0), A, B)’
Requirement:
* MySQL
Tested against:
* MySQL 5.0
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that filter the CONCAT() function
equaltolike
Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the equal character (‘=’)
* The LIKE operator is SQL standard. Hence, this tamper script
should work against all (?) databases
greatest
Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart
Tested against:
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The GREATEST clause is a widespread SQL command. Hence, this
tamper script should work against majority of databases
halfversionedmorekeywords
Adds versioned MySQL comment before each keyword
Requirement:
* MySQL < 5.1
Tested against:
* MySQL 4.0.18, 5.0.22
Notes:
* Useful to bypass several web application firewalls when the
back-end database management system is MySQL
* Used during the ModSecurity SQL injection challenge,
http://modsecurity.org/demo/challenge.html
ifnull2ifisnull
Replaces instances like ‘IFNULL(A, B)’ with ‘IF(ISNULL(A), B, A)’
Requirement:
* MySQL
* SQLite (possibly)
* SAP MaxDB (possibly)
Tested against:
* MySQL 5.0 and 5.5
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that filter the IFNULL() function
modsecurityversioned
Embraces complete query with versioned comment
Requirement:
* MySQL
Tested against:
* MySQL 5.0
Notes:
* Useful to bypass ModSecurity WAF/IDS
modsecurityzeroversioned
Embraces complete query with zero-versioned comment
Requirement:
* MySQL
Tested against:
* MySQL 5.0
Notes:
* Useful to bypass ModSecurity WAF/IDS
multiplespaces
Adds multiple spaces around SQL keywords
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that has poorly written permissive regular expressions
Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
nonrecursivereplacement
Replaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace(“SELECT”, “”)) filters
Notes:
* Useful to bypass very weak custom filters
percentage
Adds a percentage sign (‘%’) infront of each character
Requirement:
* ASP
Tested against:
* Microsoft SQL Server 2000, 2005
* MySQL 5.1.56, 5.5.11
* PostgreSQL 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls
randomcase
Replaces each keyword character with random case value
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that has poorly written permissive regular expressions
* This tamper script should work against all (?) databases
securesphere
Appends special crafted string
Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163
space2comment
Replaces space character (‘ ‘) with comments ‘/**/’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls
space2hash
Replaces space character (‘ ‘) with a pound character (‘#’) followed by
a random string and a new line (‘\n’)
Requirement:
* MySQL
Tested against:
* MySQL 4.0, 5.0
Notes:
* Useful to bypass several web application firewalls
* Used during the ModSecurity SQL injection challenge,
http://modsecurity.org/demo/challenge.html
space2morehash
Replaces space character (‘ ‘) with a pound character (‘#’) followed by
a random string and a new line (‘\n’)
Requirement:
* MySQL >= 5.1.13
Tested against:
* MySQL 5.1.41
Notes:
* Useful to bypass several web application firewalls
* Used during the ModSecurity SQL injection challenge,
http://modsecurity.org/demo/challenge.html
space2mysqldash
Replaces space character (‘ ‘) with a dash comment (‘–’) followed by
a new line (‘\n’)
Requirement:
* MySQL
* MSSQL
Tested against:
Notes:
* Useful to bypass several web application firewalls.
space2plus
Replaces space character (‘ ‘) with plus (‘+’)
Notes:
* Is this any useful? The plus get’s url-encoded by sqlmap engine
invalidating the query afterwards
* This tamper script works against all databases
space2randomblank
Replaces space character (‘ ‘) with a random blank character from a
valid set of alternate characters
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass several web application firewalls
unionalltounion
Replaces UNION ALL SELECT with UNION SELECT
unmagicquotes
Replaces quote character (‘) with a multi-byte combo %bf%27 together with
generic comment at the end (to make it work)
Notes:
* Useful for bypassing magic_quotes/addslashes feature
Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
versionedkeywords
Encloses each non-function keyword with versioned MySQL comment
Requirement:
* MySQL
Tested against:
* MySQL 4.0.18, 5.1.56, 5.5.11
Notes:
* Useful to bypass several web application firewalls when the
back-end database management system is MySQL
versionedmorekeywords
Encloses each keyword with versioned MySQL comment
Requirement:
* MySQL >= 5.1.13
Tested against:
* MySQL 5.1.56, 5.5.11
Notes:
* Useful to bypass several web application firewalls when the
back-end database management system is MySQL
xforwardedfor
Append a fake HTTP header ‘X-Forwarded-For’ to bypass
WAF (usually application based) protection
Oracle
--tamper=between,charencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes,xforwardedfor
between
Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’
Replaces equals operator (‘=’) with ‘BETWEEN # AND #’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The BETWEEN clause is SQL standard. Hence, this tamper script
should work against all (?) databases
charencode
Url-encodes all characters in a given payload (not processing already
encoded)
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak web application firewalls that do not
url-decode the request before processing it through their ruleset
* The web server will anyway pass the url-decoded version behind,
hence it should work against any DBMS
equaltolike
Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the equal character (‘=’)
* The LIKE operator is SQL standard. Hence, this tamper script
should work against all (?) databases
greatest
Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart
Tested against:
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The GREATEST clause is a widespread SQL command. Hence, this
tamper script should work against majority of databases
multiplespaces
Adds multiple spaces around SQL keywords
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that has poorly written permissive regular expressions
Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
nonrecursivereplacement
Replaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace(“SELECT”, “”)) filters
Notes:
* Useful to bypass very weak custom filters
randomcase
Replaces each keyword character with random case value
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that has poorly written permissive regular expressions
* This tamper script should work against all (?) databases
securesphere
Appends special crafted string
Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163
space2comment
Replaces space character (‘ ‘) with comments ‘/**/’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls
space2plus
Replaces space character (‘ ‘) with plus (‘+’)
Notes:
* Is this any useful? The plus get’s url-encoded by sqlmap engine
invalidating the query afterwards
* This tamper script works against all databases
space2randomblank
Replaces space character (‘ ‘) with a random blank character from a
valid set of alternate characters
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass several web application firewalls
unionalltounion
Replaces UNION ALL SELECT with UNION SELECT
unmagicquotes
Replaces quote character (‘) with a multi-byte combo %bf%27 together with
generic comment at the end (to make it work)
Notes:
* Useful for bypassing magic_quotes/addslashes feature
Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
xforwardedfor
Append a fake HTTP header ‘X-Forwarded-For’ to bypass
WAF (usually application based) protection
PostgreSQL
--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,xforwardedfor
between
Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’
Replaces equals operator (‘=’) with ‘BETWEEN # AND #’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The BETWEEN clause is SQL standard. Hence, this tamper script
should work against all (?) databases
charencode
Url-encodes all characters in a given payload (not processing already
encoded)
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak web application firewalls that do not
url-decode the request before processing it through their ruleset
* The web server will anyway pass the url-decoded version behind,
hence it should work against any DBMS
charunicodeencode
Unicode-url-encodes non-encoded characters in a given payload (not
processing already encoded)
Requirement:
* ASP
* ASP.NET
Tested against:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
* MySQL 5.1.56
* PostgreSQL 9.0.3
Notes:
* Useful to bypass weak web application firewalls that do not
unicode url-decode the request before processing it through their
ruleset
equaltolike
Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the equal character (‘=’)
* The LIKE operator is SQL standard. Hence, this tamper script
should work against all (?) databases
greatest
Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart
Tested against:
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The GREATEST clause is a widespread SQL command. Hence, this
tamper script should work against majority of databases
multiplespaces
Adds multiple spaces around SQL keywords
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that has poorly written permissive regular expressions
Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
nonrecursivereplacement
Replaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace(“SELECT”, “”)) filters
Notes:
* Useful to bypass very weak custom filters
percentage
Adds a percentage sign (‘%’) infront of each character
Requirement:
* ASP
Tested against:
* Microsoft SQL Server 2000, 2005
* MySQL 5.1.56, 5.5.11
* PostgreSQL 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls
randomcase
Replaces each keyword character with random case value
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that has poorly written permissive regular expressions
* This tamper script should work against all (?) databases
securesphere
Appends special crafted string
Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163
space2comment
Replaces space character (‘ ‘) with comments ‘/**/’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls
space2plus
Replaces space character (‘ ‘) with plus (‘+’)
Notes:
* Is this any useful? The plus get’s url-encoded by sqlmap engine
invalidating the query afterwards
* This tamper script works against all databases
space2randomblank
Replaces space character (‘ ‘) with a random blank character from a
valid set of alternate characters
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass several web application firewalls
xforwardedfor
Append a fake HTTP header ‘X-Forwarded-For’ to bypass
WAF (usually application based) protection
SAP MaxDB
ifnull2ifisnull,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,unionalltounion,unmagicquotes,xforwardedfor
ifnull2ifisnull
Replaces instances like ‘IFNULL(A, B)’ with ‘IF(ISNULL(A), B, A)’
Requirement:
* MySQL
* SQLite (possibly)
* SAP MaxDB (possibly)
Tested against:
* MySQL 5.0 and 5.5
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that filter the IFNULL() function
nonrecursivereplacement
Replaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace(“SELECT”, “”)) filters
Notes:
* Useful to bypass very weak custom filters
randomcase
Replaces each keyword character with random case value
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that has poorly written permissive regular expressions
* This tamper script should work against all (?) databases
securesphere
Appends special crafted string
Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163
space2comment
Replaces space character (‘ ‘) with comments ‘/**/’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls
space2plus
Replaces space character (‘ ‘) with plus (‘+’)
Notes:
* Is this any useful? The plus get’s url-encoded by sqlmap engine
invalidating the query afterwards
* This tamper script works against all databases
unionalltounion
Replaces UNION ALL SELECT with UNION SELECT
unmagicquotes
Replaces quote character (‘) with a multi-byte combo %bf%27 together with
generic comment at the end (to make it work)
Notes:
* Useful for bypassing magic_quotes/addslashes feature
Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
xforwardedfor
Append a fake HTTP header ‘X-Forwarded-For’ to bypass
WAF (usually application based) protection
SQLite
ifnull2ifisnull,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2dash,space2plus,unionalltounion,unmagicquotes,xforwardedfor
ifnull2ifisnull
Replaces instances like ‘IFNULL(A, B)’ with ‘IF(ISNULL(A), B, A)’
Requirement:
* MySQL
* SQLite (possibly)
* SAP MaxDB (possibly)
Tested against:
* MySQL 5.0 and 5.5
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that filter the IFNULL() function
multiplespaces
Adds multiple spaces around SQL keywords
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that has poorly written permissive regular expressions
Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
nonrecursivereplacement
Replaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace(“SELECT”, “”)) filters
Notes:
* Useful to bypass very weak custom filters
randomcase
Replaces each keyword character with random case value
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that has poorly written permissive regular expressions
* This tamper script should work against all (?) databases
securesphere
Appends special crafted string
Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163
space2comment
Replaces space character (‘ ‘) with comments ‘/**/’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls
space2dash
Replaces space character (‘ ‘) with a dash comment (‘–’) followed by
a random string and a new line (‘\n’)
Requirement:
* MSSQL
* SQLite
Notes:
* Useful to bypass several web application firewalls
* Used during the ZeroNights SQL injection challenge,
https://proton.onsec.ru/contest/
space2plus
Replaces space character (‘ ‘) with plus (‘+’)
Notes:
* Is this any useful? The plus get’s url-encoded by sqlmap engine
invalidating the query afterwards
* This tamper script works against all databases
unionalltounion
Replaces UNION ALL SELECT with UNION SELECT
unmagicquotes
Replaces quote character (‘) with a multi-byte combo %bf%27 together with
generic comment at the end (to make it work)
Notes:
* Useful for bypassing magic_quotes/addslashes feature
Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
xforwardedfor
Append a fake HTTP header ‘X-Forwarded-For’ to bypass
WAF (usually application based) protection
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment