-
-
Save 1337in/e0c802cb24d688966ec0c73acfab64c2 to your computer and use it in GitHub Desktop.
Sqlmap TamperScripts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
************General Scripts | |
--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes | |
apostrophemask | |
Replaces apostrophe character with its UTF-8 full width counterpart | |
apostrophenullencode | |
Replaces apostrophe character with its illegal double unicode counterpart | |
base64encode | |
Base64 all characters in a given payload | |
between | |
Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’ | |
Replaces equals operator (‘=’) with ‘BETWEEN # AND #’ | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls that | |
filter the greater than character | |
* The BETWEEN clause is SQL standard. Hence, this tamper script | |
should work against all (?) databases | |
chardoubleencode | |
Double url-encodes all characters in a given payload (not processing | |
already encoded) | |
Notes: | |
* Useful to bypass some weak web application firewalls that do not | |
double url-decode the request before processing it through their | |
ruleset | |
charencode | |
Url-encodes all characters in a given payload (not processing already | |
encoded) | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass very weak web application firewalls that do not | |
url-decode the request before processing it through their ruleset | |
* The web server will anyway pass the url-decoded version behind, | |
hence it should work against any DBMS | |
charunicodeencode | |
Unicode-url-encodes non-encoded characters in a given payload (not | |
processing already encoded) | |
Requirement: | |
* ASP | |
* ASP.NET | |
Tested against: | |
* Microsoft SQL Server 2000 | |
* Microsoft SQL Server 2005 | |
* MySQL 5.1.56 | |
* PostgreSQL 9.0.3 | |
Notes: | |
* Useful to bypass weak web application firewalls that do not | |
unicode url-decode the request before processing it through their | |
ruleset | |
equaltolike | |
Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’ | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls that | |
filter the equal character (‘=’) | |
* The LIKE operator is SQL standard. Hence, this tamper script | |
should work against all (?) databases | |
greatest | |
Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart | |
Tested against: | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls that | |
filter the greater than character | |
* The GREATEST clause is a widespread SQL command. Hence, this | |
tamper script should work against majority of databases | |
ifnull2ifisnull | |
Replaces instances like ‘IFNULL(A, B)’ with ‘IF(ISNULL(A), B, A)’ | |
Requirement: | |
* MySQL | |
* SQLite (possibly) | |
* SAP MaxDB (possibly) | |
Tested against: | |
* MySQL 5.0 and 5.5 | |
Notes: | |
* Useful to bypass very weak and bespoke web application firewalls | |
that filter the IFNULL() function | |
multiplespaces | |
Adds multiple spaces around SQL keywords | |
Notes: | |
* Useful to bypass very weak and bespoke web application firewalls | |
that has poorly written permissive regular expressions | |
Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt | |
nonrecursivereplacement | |
Replaces predefined SQL keywords with representations | |
suitable for replacement (e.g. .replace(“SELECT”, “”)) filters | |
Notes: | |
* Useful to bypass very weak custom filters | |
randomcase | |
Replaces each keyword character with random case value | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass very weak and bespoke web application firewalls | |
that has poorly written permissive regular expressions | |
* This tamper script should work against all (?) databases | |
securesphere | |
Appends special crafted string | |
Notes: | |
* Useful for bypassing Imperva SecureSphere WAF | |
* Reference: http://seclists.org/fulldisclosure/2011/May/163 | |
space2comment | |
Replaces space character (‘ ‘) with comments ‘/**/’ | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls | |
space2plus | |
Replaces space character (‘ ‘) with plus (‘+’) | |
Notes: | |
* Is this any useful? The plus get’s url-encoded by sqlmap engine | |
invalidating the query afterwards | |
* This tamper script works against all databases | |
space2randomblank | |
Replaces space character (‘ ‘) with a random blank character from a | |
valid set of alternate characters | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass several web application firewalls | |
unionalltounion | |
Replaces UNION ALL SELECT with UNION SELECT | |
unmagicquotes | |
Replaces quote character (‘) with a multi-byte combo %bf%27 together with | |
generic comment at the end (to make it work) | |
Notes: | |
* Useful for bypassing magic_quotes/addslashes feature | |
Reference: | |
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string | |
xforwardedfor | |
Append a fake HTTP header ‘X-Forwarded-For’ to bypass | |
WAF (usually application based) protection | |
Microsoft Access | |
--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords | |
appendnullbyte | |
Appends encoded NULL byte character at the end of payload | |
Requirement: | |
* Microsoft Access | |
Notes: | |
* Useful to bypass weak web application firewalls when the back-end | |
database management system is Microsoft Access – further uses are | |
also possible | |
equaltolike | |
Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’ | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls that | |
filter the equal character (‘=’) | |
* The LIKE operator is SQL standard. Hence, this tamper script | |
should work against all (?) databases | |
greatest | |
Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart | |
Tested against: | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls that | |
filter the greater than character | |
* The GREATEST clause is a widespread SQL command. Hence, this | |
tamper script should work against majority of databases | |
multiplespaces | |
Adds multiple spaces around SQL keywords | |
Notes: | |
* Useful to bypass very weak and bespoke web application firewalls | |
that has poorly written permissive regular expressions | |
Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt | |
nonrecursivereplacement | |
Replaces predefined SQL keywords with representations | |
suitable for replacement (e.g. .replace(“SELECT”, “”)) filters | |
Notes: | |
* Useful to bypass very weak custom filters | |
randomcase | |
Replaces each keyword character with random case value | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass very weak and bespoke web application firewalls | |
that has poorly written permissive regular expressions | |
* This tamper script should work against all (?) databases | |
securesphere | |
Appends special crafted string | |
Notes: | |
* Useful for bypassing Imperva SecureSphere WAF | |
* Reference: http://seclists.org/fulldisclosure/2011/May/163 | |
space2comment | |
Replaces space character (‘ ‘) with comments ‘/**/’ | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls | |
space2plus | |
Replaces space character (‘ ‘) with plus (‘+’) | |
Notes: | |
* Is this any useful? The plus get’s url-encoded by sqlmap engine | |
invalidating the query afterwards | |
* This tamper script works against all databases | |
unionalltounion | |
Replaces UNION ALL SELECT with UNION SELECT | |
unmagicquotes | |
Replaces quote character (‘) with a multi-byte combo %bf%27 together with | |
generic comment at the end (to make it work) | |
Notes: | |
* Useful for bypassing magic_quotes/addslashes feature | |
Reference: | |
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string | |
xforwardedfor | |
Append a fake HTTP header ‘X-Forwarded-For’ to bypass | |
WAF (usually application based) protection | |
Microsoft SQL Server | |
--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes | |
between | |
Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’ | |
Replaces equals operator (‘=’) with ‘BETWEEN # AND #’ | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls that | |
filter the greater than character | |
* The BETWEEN clause is SQL standard. Hence, this tamper script | |
should work against all (?) databases | |
charencode | |
Url-encodes all characters in a given payload (not processing already | |
encoded) | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass very weak web application firewalls that do not | |
url-decode the request before processing it through their ruleset | |
* The web server will anyway pass the url-decoded version behind, | |
hence it should work against any DBMS | |
charunicodeencode | |
Unicode-url-encodes non-encoded characters in a given payload (not | |
processing already encoded) | |
Requirement: | |
* ASP | |
* ASP.NET | |
Tested against: | |
* Microsoft SQL Server 2000 | |
* Microsoft SQL Server 2005 | |
* MySQL 5.1.56 | |
* PostgreSQL 9.0.3 | |
Notes: | |
* Useful to bypass weak web application firewalls that do not | |
unicode url-decode the request before processing it through their | |
ruleset | |
equaltolike | |
Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’ | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls that | |
filter the equal character (‘=’) | |
* The LIKE operator is SQL standard. Hence, this tamper script | |
should work against all (?) databases | |
greatest | |
Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart | |
Tested against: | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls that | |
filter the greater than character | |
* The GREATEST clause is a widespread SQL command. Hence, this | |
tamper script should work against majority of databases | |
multiplespaces | |
Adds multiple spaces around SQL keywords | |
Notes: | |
* Useful to bypass very weak and bespoke web application firewalls | |
that has poorly written permissive regular expressions | |
Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt | |
nonrecursivereplacement | |
Replaces predefined SQL keywords with representations | |
suitable for replacement (e.g. .replace(“SELECT”, “”)) filters | |
Notes: | |
* Useful to bypass very weak custom filters | |
percentage | |
Adds a percentage sign (‘%’) infront of each character | |
Requirement: | |
* ASP | |
Tested against: | |
* Microsoft SQL Server 2000, 2005 | |
* MySQL 5.1.56, 5.5.11 | |
* PostgreSQL 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls | |
randomcase | |
Replaces each keyword character with random case value | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass very weak and bespoke web application firewalls | |
that has poorly written permissive regular expressions | |
* This tamper script should work against all (?) databases | |
securesphere | |
Appends special crafted string | |
Notes: | |
* Useful for bypassing Imperva SecureSphere WAF | |
* Reference: http://seclists.org/fulldisclosure/2011/May/163 | |
sp_password | |
Appends ‘sp_password’ to the end of the payload for automatic obfuscation from DBMS logs | |
Requirement: | |
* MSSQL | |
Notes: | |
* Appending sp_password to the end of the query will hide it from T-SQL logs as a security measure | |
* Reference: http://websec.ca/kb/sql_injection | |
space2comment | |
Replaces space character (‘ ‘) with comments ‘/**/’ | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls | |
space2dash | |
Replaces space character (‘ ‘) with a dash comment (‘–’) followed by | |
a random string and a new line (‘\n’) | |
Requirement: | |
* MSSQL | |
* SQLite | |
Notes: | |
* Useful to bypass several web application firewalls | |
* Used during the ZeroNights SQL injection challenge, | |
https://proton.onsec.ru/contest/ | |
space2mssqlblank | |
Replaces space character (‘ ‘) with a random blank character from a | |
valid set of alternate characters | |
Requirement: | |
* Microsoft SQL Server | |
Tested against: | |
* Microsoft SQL Server 2000 | |
* Microsoft SQL Server 2005 | |
Notes: | |
* Useful to bypass several web application firewalls | |
space2mysqldash | |
Replaces space character (‘ ‘) with a dash comment (‘–’) followed by | |
a new line (‘\n’) | |
Requirement: | |
* MySQL | |
* MSSQL | |
Tested against: | |
Notes: | |
* Useful to bypass several web application firewalls. | |
space2plus | |
Replaces space character (‘ ‘) with plus (‘+’) | |
Notes: | |
* Is this any useful? The plus get’s url-encoded by sqlmap engine | |
invalidating the query afterwards | |
* This tamper script works against all databases | |
space2randomblank | |
Replaces space character (‘ ‘) with a random blank character from a | |
valid set of alternate characters | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass several web application firewalls | |
unionalltounion | |
Replaces UNION ALL SELECT with UNION SELECT | |
unmagicquotes | |
Replaces quote character (‘) with a multi-byte combo %bf%27 together with | |
generic comment at the end (to make it work) | |
Notes: | |
* Useful for bypassing magic_quotes/addslashes feature | |
Reference: | |
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string | |
xforwardedfor | |
Append a fake HTTP header ‘X-Forwarded-For’ to bypass | |
WAF (usually application based) protection | |
MySQL | |
--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor | |
between | |
Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’ | |
Replaces equals operator (‘=’) with ‘BETWEEN # AND #’ | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls that | |
filter the greater than character | |
* The BETWEEN clause is SQL standard. Hence, this tamper script | |
should work against all (?) databases | |
bluecoat | |
Replaces space character after SQL statement with a valid random blank character. | |
Afterwards replace character = with LIKE operator | |
Requirement: | |
* Blue Coat SGOS with WAF activated as documented in | |
https://kb.bluecoat.com/index?page=content&id=FAQ2147 | |
Tested against: | |
* MySQL 5.1, SGOS | |
Notes: | |
* Useful to bypass Blue Coat’s recommended WAF rule configuration | |
charencode | |
Url-encodes all characters in a given payload (not processing already | |
encoded) | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass very weak web application firewalls that do not | |
url-decode the request before processing it through their ruleset | |
* The web server will anyway pass the url-decoded version behind, | |
hence it should work against any DBMS | |
charunicodeencode | |
Unicode-url-encodes non-encoded characters in a given payload (not | |
processing already encoded) | |
Requirement: | |
* ASP | |
* ASP.NET | |
Tested against: | |
* Microsoft SQL Server 2000 | |
* Microsoft SQL Server 2005 | |
* MySQL 5.1.56 | |
* PostgreSQL 9.0.3 | |
Notes: | |
* Useful to bypass weak web application firewalls that do not | |
unicode url-decode the request before processing it through their | |
ruleset | |
concat2concatws | |
Replaces instances like ‘CONCAT(A, B)’ with ‘CONCAT_WS(MID(CHAR(0), 0, 0), A, B)’ | |
Requirement: | |
* MySQL | |
Tested against: | |
* MySQL 5.0 | |
Notes: | |
* Useful to bypass very weak and bespoke web application firewalls | |
that filter the CONCAT() function | |
equaltolike | |
Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’ | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls that | |
filter the equal character (‘=’) | |
* The LIKE operator is SQL standard. Hence, this tamper script | |
should work against all (?) databases | |
greatest | |
Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart | |
Tested against: | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls that | |
filter the greater than character | |
* The GREATEST clause is a widespread SQL command. Hence, this | |
tamper script should work against majority of databases | |
halfversionedmorekeywords | |
Adds versioned MySQL comment before each keyword | |
Requirement: | |
* MySQL < 5.1 | |
Tested against: | |
* MySQL 4.0.18, 5.0.22 | |
Notes: | |
* Useful to bypass several web application firewalls when the | |
back-end database management system is MySQL | |
* Used during the ModSecurity SQL injection challenge, | |
http://modsecurity.org/demo/challenge.html | |
ifnull2ifisnull | |
Replaces instances like ‘IFNULL(A, B)’ with ‘IF(ISNULL(A), B, A)’ | |
Requirement: | |
* MySQL | |
* SQLite (possibly) | |
* SAP MaxDB (possibly) | |
Tested against: | |
* MySQL 5.0 and 5.5 | |
Notes: | |
* Useful to bypass very weak and bespoke web application firewalls | |
that filter the IFNULL() function | |
modsecurityversioned | |
Embraces complete query with versioned comment | |
Requirement: | |
* MySQL | |
Tested against: | |
* MySQL 5.0 | |
Notes: | |
* Useful to bypass ModSecurity WAF/IDS | |
modsecurityzeroversioned | |
Embraces complete query with zero-versioned comment | |
Requirement: | |
* MySQL | |
Tested against: | |
* MySQL 5.0 | |
Notes: | |
* Useful to bypass ModSecurity WAF/IDS | |
multiplespaces | |
Adds multiple spaces around SQL keywords | |
Notes: | |
* Useful to bypass very weak and bespoke web application firewalls | |
that has poorly written permissive regular expressions | |
Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt | |
nonrecursivereplacement | |
Replaces predefined SQL keywords with representations | |
suitable for replacement (e.g. .replace(“SELECT”, “”)) filters | |
Notes: | |
* Useful to bypass very weak custom filters | |
percentage | |
Adds a percentage sign (‘%’) infront of each character | |
Requirement: | |
* ASP | |
Tested against: | |
* Microsoft SQL Server 2000, 2005 | |
* MySQL 5.1.56, 5.5.11 | |
* PostgreSQL 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls | |
randomcase | |
Replaces each keyword character with random case value | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass very weak and bespoke web application firewalls | |
that has poorly written permissive regular expressions | |
* This tamper script should work against all (?) databases | |
securesphere | |
Appends special crafted string | |
Notes: | |
* Useful for bypassing Imperva SecureSphere WAF | |
* Reference: http://seclists.org/fulldisclosure/2011/May/163 | |
space2comment | |
Replaces space character (‘ ‘) with comments ‘/**/’ | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls | |
space2hash | |
Replaces space character (‘ ‘) with a pound character (‘#’) followed by | |
a random string and a new line (‘\n’) | |
Requirement: | |
* MySQL | |
Tested against: | |
* MySQL 4.0, 5.0 | |
Notes: | |
* Useful to bypass several web application firewalls | |
* Used during the ModSecurity SQL injection challenge, | |
http://modsecurity.org/demo/challenge.html | |
space2morehash | |
Replaces space character (‘ ‘) with a pound character (‘#’) followed by | |
a random string and a new line (‘\n’) | |
Requirement: | |
* MySQL >= 5.1.13 | |
Tested against: | |
* MySQL 5.1.41 | |
Notes: | |
* Useful to bypass several web application firewalls | |
* Used during the ModSecurity SQL injection challenge, | |
http://modsecurity.org/demo/challenge.html | |
space2mysqldash | |
Replaces space character (‘ ‘) with a dash comment (‘–’) followed by | |
a new line (‘\n’) | |
Requirement: | |
* MySQL | |
* MSSQL | |
Tested against: | |
Notes: | |
* Useful to bypass several web application firewalls. | |
space2plus | |
Replaces space character (‘ ‘) with plus (‘+’) | |
Notes: | |
* Is this any useful? The plus get’s url-encoded by sqlmap engine | |
invalidating the query afterwards | |
* This tamper script works against all databases | |
space2randomblank | |
Replaces space character (‘ ‘) with a random blank character from a | |
valid set of alternate characters | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass several web application firewalls | |
unionalltounion | |
Replaces UNION ALL SELECT with UNION SELECT | |
unmagicquotes | |
Replaces quote character (‘) with a multi-byte combo %bf%27 together with | |
generic comment at the end (to make it work) | |
Notes: | |
* Useful for bypassing magic_quotes/addslashes feature | |
Reference: | |
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string | |
versionedkeywords | |
Encloses each non-function keyword with versioned MySQL comment | |
Requirement: | |
* MySQL | |
Tested against: | |
* MySQL 4.0.18, 5.1.56, 5.5.11 | |
Notes: | |
* Useful to bypass several web application firewalls when the | |
back-end database management system is MySQL | |
versionedmorekeywords | |
Encloses each keyword with versioned MySQL comment | |
Requirement: | |
* MySQL >= 5.1.13 | |
Tested against: | |
* MySQL 5.1.56, 5.5.11 | |
Notes: | |
* Useful to bypass several web application firewalls when the | |
back-end database management system is MySQL | |
xforwardedfor | |
Append a fake HTTP header ‘X-Forwarded-For’ to bypass | |
WAF (usually application based) protection | |
Oracle | |
--tamper=between,charencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes,xforwardedfor | |
between | |
Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’ | |
Replaces equals operator (‘=’) with ‘BETWEEN # AND #’ | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls that | |
filter the greater than character | |
* The BETWEEN clause is SQL standard. Hence, this tamper script | |
should work against all (?) databases | |
charencode | |
Url-encodes all characters in a given payload (not processing already | |
encoded) | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass very weak web application firewalls that do not | |
url-decode the request before processing it through their ruleset | |
* The web server will anyway pass the url-decoded version behind, | |
hence it should work against any DBMS | |
equaltolike | |
Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’ | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls that | |
filter the equal character (‘=’) | |
* The LIKE operator is SQL standard. Hence, this tamper script | |
should work against all (?) databases | |
greatest | |
Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart | |
Tested against: | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls that | |
filter the greater than character | |
* The GREATEST clause is a widespread SQL command. Hence, this | |
tamper script should work against majority of databases | |
multiplespaces | |
Adds multiple spaces around SQL keywords | |
Notes: | |
* Useful to bypass very weak and bespoke web application firewalls | |
that has poorly written permissive regular expressions | |
Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt | |
nonrecursivereplacement | |
Replaces predefined SQL keywords with representations | |
suitable for replacement (e.g. .replace(“SELECT”, “”)) filters | |
Notes: | |
* Useful to bypass very weak custom filters | |
randomcase | |
Replaces each keyword character with random case value | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass very weak and bespoke web application firewalls | |
that has poorly written permissive regular expressions | |
* This tamper script should work against all (?) databases | |
securesphere | |
Appends special crafted string | |
Notes: | |
* Useful for bypassing Imperva SecureSphere WAF | |
* Reference: http://seclists.org/fulldisclosure/2011/May/163 | |
space2comment | |
Replaces space character (‘ ‘) with comments ‘/**/’ | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls | |
space2plus | |
Replaces space character (‘ ‘) with plus (‘+’) | |
Notes: | |
* Is this any useful? The plus get’s url-encoded by sqlmap engine | |
invalidating the query afterwards | |
* This tamper script works against all databases | |
space2randomblank | |
Replaces space character (‘ ‘) with a random blank character from a | |
valid set of alternate characters | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass several web application firewalls | |
unionalltounion | |
Replaces UNION ALL SELECT with UNION SELECT | |
unmagicquotes | |
Replaces quote character (‘) with a multi-byte combo %bf%27 together with | |
generic comment at the end (to make it work) | |
Notes: | |
* Useful for bypassing magic_quotes/addslashes feature | |
Reference: | |
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string | |
xforwardedfor | |
Append a fake HTTP header ‘X-Forwarded-For’ to bypass | |
WAF (usually application based) protection | |
PostgreSQL | |
--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,xforwardedfor | |
between | |
Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’ | |
Replaces equals operator (‘=’) with ‘BETWEEN # AND #’ | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls that | |
filter the greater than character | |
* The BETWEEN clause is SQL standard. Hence, this tamper script | |
should work against all (?) databases | |
charencode | |
Url-encodes all characters in a given payload (not processing already | |
encoded) | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass very weak web application firewalls that do not | |
url-decode the request before processing it through their ruleset | |
* The web server will anyway pass the url-decoded version behind, | |
hence it should work against any DBMS | |
charunicodeencode | |
Unicode-url-encodes non-encoded characters in a given payload (not | |
processing already encoded) | |
Requirement: | |
* ASP | |
* ASP.NET | |
Tested against: | |
* Microsoft SQL Server 2000 | |
* Microsoft SQL Server 2005 | |
* MySQL 5.1.56 | |
* PostgreSQL 9.0.3 | |
Notes: | |
* Useful to bypass weak web application firewalls that do not | |
unicode url-decode the request before processing it through their | |
ruleset | |
equaltolike | |
Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’ | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls that | |
filter the equal character (‘=’) | |
* The LIKE operator is SQL standard. Hence, this tamper script | |
should work against all (?) databases | |
greatest | |
Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart | |
Tested against: | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls that | |
filter the greater than character | |
* The GREATEST clause is a widespread SQL command. Hence, this | |
tamper script should work against majority of databases | |
multiplespaces | |
Adds multiple spaces around SQL keywords | |
Notes: | |
* Useful to bypass very weak and bespoke web application firewalls | |
that has poorly written permissive regular expressions | |
Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt | |
nonrecursivereplacement | |
Replaces predefined SQL keywords with representations | |
suitable for replacement (e.g. .replace(“SELECT”, “”)) filters | |
Notes: | |
* Useful to bypass very weak custom filters | |
percentage | |
Adds a percentage sign (‘%’) infront of each character | |
Requirement: | |
* ASP | |
Tested against: | |
* Microsoft SQL Server 2000, 2005 | |
* MySQL 5.1.56, 5.5.11 | |
* PostgreSQL 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls | |
randomcase | |
Replaces each keyword character with random case value | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass very weak and bespoke web application firewalls | |
that has poorly written permissive regular expressions | |
* This tamper script should work against all (?) databases | |
securesphere | |
Appends special crafted string | |
Notes: | |
* Useful for bypassing Imperva SecureSphere WAF | |
* Reference: http://seclists.org/fulldisclosure/2011/May/163 | |
space2comment | |
Replaces space character (‘ ‘) with comments ‘/**/’ | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls | |
space2plus | |
Replaces space character (‘ ‘) with plus (‘+’) | |
Notes: | |
* Is this any useful? The plus get’s url-encoded by sqlmap engine | |
invalidating the query afterwards | |
* This tamper script works against all databases | |
space2randomblank | |
Replaces space character (‘ ‘) with a random blank character from a | |
valid set of alternate characters | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass several web application firewalls | |
xforwardedfor | |
Append a fake HTTP header ‘X-Forwarded-For’ to bypass | |
WAF (usually application based) protection | |
SAP MaxDB | |
ifnull2ifisnull,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,unionalltounion,unmagicquotes,xforwardedfor | |
ifnull2ifisnull | |
Replaces instances like ‘IFNULL(A, B)’ with ‘IF(ISNULL(A), B, A)’ | |
Requirement: | |
* MySQL | |
* SQLite (possibly) | |
* SAP MaxDB (possibly) | |
Tested against: | |
* MySQL 5.0 and 5.5 | |
Notes: | |
* Useful to bypass very weak and bespoke web application firewalls | |
that filter the IFNULL() function | |
nonrecursivereplacement | |
Replaces predefined SQL keywords with representations | |
suitable for replacement (e.g. .replace(“SELECT”, “”)) filters | |
Notes: | |
* Useful to bypass very weak custom filters | |
randomcase | |
Replaces each keyword character with random case value | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass very weak and bespoke web application firewalls | |
that has poorly written permissive regular expressions | |
* This tamper script should work against all (?) databases | |
securesphere | |
Appends special crafted string | |
Notes: | |
* Useful for bypassing Imperva SecureSphere WAF | |
* Reference: http://seclists.org/fulldisclosure/2011/May/163 | |
space2comment | |
Replaces space character (‘ ‘) with comments ‘/**/’ | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls | |
space2plus | |
Replaces space character (‘ ‘) with plus (‘+’) | |
Notes: | |
* Is this any useful? The plus get’s url-encoded by sqlmap engine | |
invalidating the query afterwards | |
* This tamper script works against all databases | |
unionalltounion | |
Replaces UNION ALL SELECT with UNION SELECT | |
unmagicquotes | |
Replaces quote character (‘) with a multi-byte combo %bf%27 together with | |
generic comment at the end (to make it work) | |
Notes: | |
* Useful for bypassing magic_quotes/addslashes feature | |
Reference: | |
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string | |
xforwardedfor | |
Append a fake HTTP header ‘X-Forwarded-For’ to bypass | |
WAF (usually application based) protection | |
SQLite | |
ifnull2ifisnull,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2dash,space2plus,unionalltounion,unmagicquotes,xforwardedfor | |
ifnull2ifisnull | |
Replaces instances like ‘IFNULL(A, B)’ with ‘IF(ISNULL(A), B, A)’ | |
Requirement: | |
* MySQL | |
* SQLite (possibly) | |
* SAP MaxDB (possibly) | |
Tested against: | |
* MySQL 5.0 and 5.5 | |
Notes: | |
* Useful to bypass very weak and bespoke web application firewalls | |
that filter the IFNULL() function | |
multiplespaces | |
Adds multiple spaces around SQL keywords | |
Notes: | |
* Useful to bypass very weak and bespoke web application firewalls | |
that has poorly written permissive regular expressions | |
Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt | |
nonrecursivereplacement | |
Replaces predefined SQL keywords with representations | |
suitable for replacement (e.g. .replace(“SELECT”, “”)) filters | |
Notes: | |
* Useful to bypass very weak custom filters | |
randomcase | |
Replaces each keyword character with random case value | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass very weak and bespoke web application firewalls | |
that has poorly written permissive regular expressions | |
* This tamper script should work against all (?) databases | |
securesphere | |
Appends special crafted string | |
Notes: | |
* Useful for bypassing Imperva SecureSphere WAF | |
* Reference: http://seclists.org/fulldisclosure/2011/May/163 | |
space2comment | |
Replaces space character (‘ ‘) with comments ‘/**/’ | |
Tested against: | |
* Microsoft SQL Server 2005 | |
* MySQL 4, 5.0 and 5.5 | |
* Oracle 10g | |
* PostgreSQL 8.3, 8.4, 9.0 | |
Notes: | |
* Useful to bypass weak and bespoke web application firewalls | |
space2dash | |
Replaces space character (‘ ‘) with a dash comment (‘–’) followed by | |
a random string and a new line (‘\n’) | |
Requirement: | |
* MSSQL | |
* SQLite | |
Notes: | |
* Useful to bypass several web application firewalls | |
* Used during the ZeroNights SQL injection challenge, | |
https://proton.onsec.ru/contest/ | |
space2plus | |
Replaces space character (‘ ‘) with plus (‘+’) | |
Notes: | |
* Is this any useful? The plus get’s url-encoded by sqlmap engine | |
invalidating the query afterwards | |
* This tamper script works against all databases | |
unionalltounion | |
Replaces UNION ALL SELECT with UNION SELECT | |
unmagicquotes | |
Replaces quote character (‘) with a multi-byte combo %bf%27 together with | |
generic comment at the end (to make it work) | |
Notes: | |
* Useful for bypassing magic_quotes/addslashes feature | |
Reference: | |
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string | |
xforwardedfor | |
Append a fake HTTP header ‘X-Forwarded-For’ to bypass | |
WAF (usually application based) protection |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment