Using SQLMap tamper scripts during a pentest can be a bit confusing, and it is a lot of work to figure out which scripts you need to use and when to use them. I have an upcoming pentest I need to perform and figured this is the perfect time to organize all of this.

First of all, not all scripts are created equal. Some work for general run-of-the-mill SQL injection attacks and others are for specific databases. For some, it is not actually clear whether they work on all databases, and some have only been officially tested against older versions of database applications. This is the very definition of hit and miss.

I reviewed each tamper script and tried to place them in boxes. If you have feedback on any of these boxes PLEASE don’t be shy! Let me know in the comment section. I want this to be a good resource and your help would be greatly appreciated.

The General Scripts section contains both non-database-specific exploits and those that cover a wide range of databases. In my opinion, this would be a good starter box of scripts to use as an initial hit on an application. Again, feedback appreciated.

I am going to include the syntax to run each section as well as one to run every script. SQLMap will organize them automatically. However, I captured traffic from running all scripts and it didn’t look familiar at all.


--tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords

General Scripts

--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

apostrophemask

Replaces apostrophe character with its UTF-8 full width counterpart

apostrophenullencode

Replaces apostrophe character with its illegal double unicode counterpart

base64encode

Base64 all characters in a given payload

between

Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’
Replaces equals operator (‘=’) with ‘BETWEEN # AND #’

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The BETWEEN clause is SQL standard. Hence, this tamper script
should work against all (?) databases

chardoubleencode

Double url-encodes all characters in a given payload (not processing
already encoded)

Notes:
* Useful to bypass some weak web application firewalls that do not
double url-decode the request before processing it through their
ruleset

charencode

Url-encodes all characters in a given payload (not processing already
encoded)

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass very weak web application firewalls that do not
url-decode the request before processing it through their ruleset
* The web server will anyway pass the url-decoded version behind,
hence it should work against any DBMS

charunicodeencode

Unicode-url-encodes non-encoded characters in a given payload (not
processing already encoded)

Requirement:
* ASP
* ASP.NET

Tested against:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
* MySQL 5.1.56
* PostgreSQL 9.0.3

Notes:
* Useful to bypass weak web application firewalls that do not
unicode url-decode the request before processing it through their
ruleset

equaltolike

Replaces all occurrences of operator equal (‘=’) with operator ‘LIKE’

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5

Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the equal character (‘=’)
* The LIKE operator is SQL standard. Hence, this tamper script
should work against all (?) databases

 

greatest

Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart

Tested against:
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The GREATEST clause is a widespread SQL command. Hence, this
tamper script should work against majority of databases

ifnull2ifisnull

Replaces instances like ‘IFNULL(A, B)’ with ‘IF(ISNULL(A), B, A)’

Requirement:
* MySQL
* SQLite (possibly)
* SAP MaxDB (possibly)

Tested against:
* MySQL 5.0 and 5.5

Notes:
* Useful to bypass very weak and bespoke web application firewalls
that filter the IFNULL() function

multiplespaces

Adds multiple spaces around SQL keywords

Notes:

* Useful to bypass very weak and bespoke web application firewalls
that have poorly written permissive regular expressions

Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt

nonrecursivereplacement

Replaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace("SELECT", "")) filters

Notes:
* Useful to bypass very weak custom filters

randomcase

Replaces each keyword character with random case value

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass very weak and bespoke web application firewalls
that have poorly written permissive regular expressions
* This tamper script should work against all (?) databases

securesphere

Appends a specially crafted string

Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163

space2comment

Replaces space character (‘ ‘) with comments ‘/**/’

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls

space2plus

Replaces space character (‘ ‘) with plus (‘+’)

Notes:
* Is this any useful? The plus gets url-encoded by sqlmap engine
invalidating the query afterwards
* This tamper script works against all databases

space2randomblank

Replaces space character (‘ ‘) with a random blank character from a
valid set of alternate characters

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass several web application firewalls

unionalltounion

Replaces UNION ALL SELECT with UNION SELECT

unmagicquotes

Replaces quote character (‘) with a multi-byte combo %bf%27 together with
generic comment at the end (to make it work)

Notes:
* Useful for bypassing magic_quotes/addslashes feature

Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

xforwardedfor

Append a fake HTTP header ‘X-Forwarded-For’ to bypass
WAF (usually application based) protection
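
For defenders: most of the General Scripts above only change encoding, whitespace, comments or letter case, which is why the notes keep saying "weak" firewalls. The following is an added example (not sqlmap code and not the author's) of a filter that canonicalizes a parameter before matching; the function names, the single UNION SELECT rule and the sample values are constructed for illustration.

```python
import re
import unicodedata
from urllib.parse import unquote_plus

MAX_DECODE_ROUNDS = 5  # bounded, so nested encodings cannot stall the filter

_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")          # charunicodeencode (%uXXXX)
_STRAY_PERCENT = re.compile(r"%(?![0-9a-fA-F]{2})")     # percentage (ASP behaviour)
_VERSIONED_OPEN = re.compile(r"/\*!\d*")                # /*!UNION*/, /*!50000UNION*/
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)         # space2comment
_STRAY_CLOSE = re.compile(r"\*/")                       # left over from versioned comments
_LINE_COMMENT = re.compile(r"(?:--|#)[^\n]*(?:\n|$)")   # space2dash, space2hash
_BLANKS = re.compile(r"[\x00-\x20]+")                   # blanks, control chars, NUL

# What a weak filter does: one case-sensitive pattern on the raw value.
NAIVE_RULE = re.compile(r"UNION\s+(?:ALL\s+)?SELECT")
# Same intent, but applied to the canonical form only.
CANONICAL_RULE = re.compile(r"\bUNION (?:ALL )?SELECT\b")


def canonicalize(value: str) -> str:
    """Return the form of `value` that signature rules should be matched against."""
    text = value
    # 1. Undo URL encoding until nothing changes (charencode, chardoubleencode,
    #    charunicodeencode, space2plus).
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(
            _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
        )
        if decoded == text:
            break
        text = decoded
    # 2. Drop '%' signs that are not part of an escape (percentage).
    text = _STRAY_PERCENT.sub("", text)
    # 3. Fold full-width look-alikes to ASCII (apostrophemask).
    text = unicodedata.normalize("NFKC", text)
    # 4. MySQL versioned comments execute their content: unwrap, do not delete.
    text = _VERSIONED_OPEN.sub(" ", text)
    # 5. Ordinary comments act as whitespace.
    text = _BLOCK_COMMENT.sub(" ", text)
    text = _STRAY_CLOSE.sub(" ", text)
    text = _LINE_COMMENT.sub(" ", text)
    # 6. Collapse every blank variant and fold case (multiplespaces,
    #    space2randomblank, appendnullbyte, randomcase).
    return _BLANKS.sub(" ", text).strip().upper()


def naive_match(value: str) -> bool:
    return NAIVE_RULE.search(value) is not None


def canonical_match(value: str) -> bool:
    return CANONICAL_RULE.search(canonicalize(value)) is not None


# Constructed sample parameter values, keyed by the kind of rewriting applied.
SAMPLES = {
    "plain": "1 UNION ALL SELECT 2",
    "randomcase+space2comment": "1/**/uNiOn/**/SeLeCt/**/2",
    "chardoubleencode": (
        "%2531%2520%2555%254E%2549%254F%254E%2520"
        "%2553%2545%254C%2545%2543%2554%2520%2532"
    ),
    "charunicodeencode": "1+%u0055NION+%u0053ELECT+2",
    "space2hash": "1%23kQz%0AUNION%23pLm%0ASELECT%23wRt%0A2",
    "versionedkeywords": "1/*!UNION*//*!SELECT*/2",
    "space2randomblank": "1%09UNION%0CALL%0DSELECT%0B2",
    "percentage": "1+%U%N%I%O%N+%S%E%L%E%C%T+2",
    "benign": "union station, select seats",
}


def evaluate() -> dict:
    """Map each sample name to (naive rule hit, canonical rule hit)."""
    return {
        name: (naive_match(raw), canonical_match(raw))
        for name, raw in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (naive, canon) in evaluate().items():
        print(f"{name:26} naive={naive!s:5} canonical={canon!s:5} "
              f"-> {canonicalize(SAMPLES[name])!r}")
```

Scripts that substitute operators (between, equaltolike, greatest) change the SQL itself rather than its encoding, so canonicalization does not undo them; parameterized queries in the application are what remove the injection point.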

Microsoft Access

--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords

appendnullbyte

Appends encoded NULL byte character at the end of payload

Requirement:
* Microsoft Access

Notes:
* Useful to bypass weak web application firewalls when the back-end
database management system is Microsoft Access – further uses are
also possible

equaltolike

Replaces all occurrences of operator equal (‘=’) with operator ‘LIKE’

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5

Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the equal character (‘=’)
* The LIKE operator is SQL standard. Hence, this tamper script
should work against all (?) databases

greatest

Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart

Tested against:
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The GREATEST clause is a widespread SQL command. Hence, this
tamper script should work against majority of databases

multiplespaces

Adds multiple spaces around SQL keywords

Notes:

* Useful to bypass very weak and bespoke web application firewalls
that have poorly written permissive regular expressions

Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt

 

nonrecursivereplacement

Replaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace("SELECT", "")) filters

Notes:
* Useful to bypass very weak custom filters

 

randomcase

Replaces each keyword character with random case value

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass very weak and bespoke web application firewalls
that have poorly written permissive regular expressions
* This tamper script should work against all (?) databases

 

securesphere

Appends a specially crafted string

Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163

space2comment

Replaces space character (‘ ‘) with comments ‘/**/’

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls

 

space2plus

Replaces space character (‘ ‘) with plus (‘+’)

Notes:
* Is this any useful? The plus gets url-encoded by sqlmap engine
invalidating the query afterwards
* This tamper script works against all databases

unionalltounion

Replaces UNION ALL SELECT with UNION SELECT

 

unmagicquotes

Replaces quote character (‘) with a multi-byte combo %bf%27 together with
generic comment at the end (to make it work)

Notes:
* Useful for bypassing magic_quotes/addslashes feature

Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

xforwardedfor

Append a fake HTTP header ‘X-Forwarded-For’ to bypass
WAF (usually application based) protection

 

Microsoft SQL Server

--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

between

Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’
Replaces equals operator (‘=’) with ‘BETWEEN # AND #’

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The BETWEEN clause is SQL standard. Hence, this tamper script
should work against all (?) databases

charencode

Url-encodes all characters in a given payload (not processing already
encoded)

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass very weak web application firewalls that do not
url-decode the request before processing it through their ruleset
* The web server will anyway pass the url-decoded version behind,
hence it should work against any DBMS

charunicodeencode

Unicode-url-encodes non-encoded characters in a given payload (not
processing already encoded)

Requirement:
* ASP
* ASP.NET

Tested against:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
* MySQL 5.1.56
* PostgreSQL 9.0.3

Notes:
* Useful to bypass weak web application firewalls that do not
unicode url-decode the request before processing it through their
ruleset

equaltolike

Replaces all occurrences of operator equal (‘=’) with operator ‘LIKE’

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5

Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the equal character (‘=’)
* The LIKE operator is SQL standard. Hence, this tamper script
should work against all (?) databases

greatest

Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart

Tested against:
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The GREATEST clause is a widespread SQL command. Hence, this
tamper script should work against majority of databases

multiplespaces

Adds multiple spaces around SQL keywords

Notes:

* Useful to bypass very weak and bespoke web application firewalls
that have poorly written permissive regular expressions

Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt

 

nonrecursivereplacement

Replaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace("SELECT", "")) filters

Notes:
* Useful to bypass very weak custom filters

percentage

Adds a percentage sign (‘%’) in front of each character

Requirement:
* ASP

Tested against:
* Microsoft SQL Server 2000, 2005
* MySQL 5.1.56, 5.5.11
* PostgreSQL 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls

 

randomcase

Replaces each keyword character with random case value

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass very weak and bespoke web application firewalls
that have poorly written permissive regular expressions
* This tamper script should work against all (?) databases

 

securesphere

Appends a specially crafted string

Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163

sp_password

Appends ‘sp_password’ to the end of the payload for automatic obfuscation from DBMS logs

Requirement:
* MSSQL

Notes:
* Appending sp_password to the end of the query will hide it from T-SQL logs as a security measure
* Reference: http://websec.ca/kb/sql_injection

 

space2comment

Replaces space character (‘ ‘) with comments ‘/**/’

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls

space2dash

Replaces space character (‘ ‘) with a dash comment (‘--’) followed by
a random string and a new line (‘\n’)

Requirement:
* MSSQL
* SQLite

Notes:
* Useful to bypass several web application firewalls
* Used during the ZeroNights SQL injection challenge,
https://proton.onsec.ru/contest/

space2mssqlblank

Replaces space character (‘ ‘) with a random blank character from a
valid set of alternate characters

Requirement:
* Microsoft SQL Server

Tested against:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005

Notes:
* Useful to bypass several web application firewalls

space2mysqldash

Replaces space character (‘ ‘) with a dash comment (‘--’) followed by
a new line (‘\n’)

Requirement:
* MySQL
* MSSQL

Tested against:

Notes:
* Useful to bypass several web application firewalls.

 

space2plus

Replaces space character (‘ ‘) with plus (‘+’)

Notes:
* Is this any useful? The plus gets url-encoded by sqlmap engine
invalidating the query afterwards
* This tamper script works against all databases

space2randomblank

Replaces space character (‘ ‘) with a random blank character from a
valid set of alternate characters

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass several web application firewalls

unionalltounion

Replaces UNION ALL SELECT with UNION SELECT

unmagicquotes

Replaces quote character (‘) with a multi-byte combo %bf%27 together with
generic comment at the end (to make it work)

Notes:
* Useful for bypassing magic_quotes/addslashes feature

Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

xforwardedfor

Append a fake HTTP header ‘X-Forwarded-For’ to bypass
WAF (usually application based) protection

 

MySQL

--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor

between

Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’
Replaces equals operator (‘=’) with ‘BETWEEN # AND #’

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The BETWEEN clause is SQL standard. Hence, this tamper script
should work against all (?) databases

bluecoat

Replaces space character after SQL statement with a valid random blank character.
Afterwards replace character = with LIKE operator

Requirement:
* Blue Coat SGOS with WAF activated as documented in
https://kb.bluecoat.com/index?page=content&id=FAQ2147

Tested against:
* MySQL 5.1, SGOS

Notes:
* Useful to bypass Blue Coat’s recommended WAF rule configuration

charencode

Url-encodes all characters in a given payload (not processing already
encoded)

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass very weak web application firewalls that do not
url-decode the request before processing it through their ruleset
* The web server will anyway pass the url-decoded version behind,
hence it should work against any DBMS

charunicodeencode

Unicode-url-encodes non-encoded characters in a given payload (not
processing already encoded)

Requirement:
* ASP
* ASP.NET

Tested against:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
* MySQL 5.1.56
* PostgreSQL 9.0.3

Notes:
* Useful to bypass weak web application firewalls that do not
unicode url-decode the request before processing it through their
ruleset

concat2concatws

Replaces instances like ‘CONCAT(A, B)’ with ‘CONCAT_WS(MID(CHAR(0), 0, 0), A, B)’

Requirement:
* MySQL

Tested against:
* MySQL 5.0

Notes:
* Useful to bypass very weak and bespoke web application firewalls
that filter the CONCAT() function

equaltolike

Replaces all occurrences of operator equal (‘=’) with operator ‘LIKE’

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5

Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the equal character (‘=’)
* The LIKE operator is SQL standard. Hence, this tamper script
should work against all (?) databases

greatest

Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart

Tested against:
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The GREATEST clause is a widespread SQL command. Hence, this
tamper script should work against majority of databases

halfversionedmorekeywords

Adds versioned MySQL comment before each keyword

Requirement:
* MySQL < 5.1

Tested against:
* MySQL 4.0.18, 5.0.22

Notes:
* Useful to bypass several web application firewalls when the
back-end database management system is MySQL
* Used during the ModSecurity SQL injection challenge,
http://modsecurity.org/demo/challenge.html

ifnull2ifisnull

Replaces instances like ‘IFNULL(A, B)’ with ‘IF(ISNULL(A), B, A)’

Requirement:
* MySQL
* SQLite (possibly)
* SAP MaxDB (possibly)

Tested against:
* MySQL 5.0 and 5.5

Notes:
* Useful to bypass very weak and bespoke web application firewalls
that filter the IFNULL() function

modsecurityversioned

Embraces complete query with versioned comment

Requirement:
* MySQL

Tested against:
* MySQL 5.0

Notes:
* Useful to bypass ModSecurity WAF/IDS

modsecurityzeroversioned

Embraces complete query with zero-versioned comment

Requirement:
* MySQL

Tested against:
* MySQL 5.0

Notes:
* Useful to bypass ModSecurity WAF/IDS

multiplespaces

Adds multiple spaces around SQL keywords

Notes:

* Useful to bypass very weak and bespoke web application firewalls
that have poorly written permissive regular expressions

Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt

nonrecursivereplacement

Replaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace("SELECT", "")) filters

Notes:
* Useful to bypass very weak custom filters

percentage

Adds a percentage sign (‘%’) in front of each character

Requirement:
* ASP

Tested against:
* Microsoft SQL Server 2000, 2005
* MySQL 5.1.56, 5.5.11
* PostgreSQL 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls

 

randomcase

Replaces each keyword character with random case value

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass very weak and bespoke web application firewalls
that have poorly written permissive regular expressions
* This tamper script should work against all (?) databases

 

securesphere

Appends a specially crafted string

Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163

space2comment

Replaces space character (‘ ‘) with comments ‘/**/’

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls

space2hash

Replaces space character (‘ ‘) with a pound character (‘#’) followed by
a random string and a new line (‘\n’)

Requirement:
* MySQL

Tested against:
* MySQL 4.0, 5.0

Notes:
* Useful to bypass several web application firewalls
* Used during the ModSecurity SQL injection challenge,
http://modsecurity.org/demo/challenge.html

space2morehash

Replaces space character (‘ ‘) with a pound character (‘#’) followed by
a random string and a new line (‘\n’)

Requirement:
* MySQL >= 5.1.13

Tested against:
* MySQL 5.1.41

Notes:
* Useful to bypass several web application firewalls
* Used during the ModSecurity SQL injection challenge,
http://modsecurity.org/demo/challenge.html

 

space2mysqldash

Replaces space character (‘ ‘) with a dash comment (‘--’) followed by
a new line (‘\n’)

Requirement:
* MySQL
* MSSQL

Tested against:

Notes:
* Useful to bypass several web application firewalls.

space2plus

Replaces space character (‘ ‘) with plus (‘+’)

Notes:
* Is this any useful? The plus gets url-encoded by sqlmap engine
invalidating the query afterwards
* This tamper script works against all databases

 

space2randomblank

Replaces space character (‘ ‘) with a random blank character from a
valid set of alternate characters

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass several web application firewalls

unionalltounion

Replaces UNION ALL SELECT with UNION SELECT

 

unmagicquotes

Replaces quote character (‘) with a multi-byte combo %bf%27 together with
generic comment at the end (to make it work)

Notes:
* Useful for bypassing magic_quotes/addslashes feature

Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

versionedkeywords

Encloses each non-function keyword with versioned MySQL comment

Requirement:
* MySQL

Tested against:
* MySQL 4.0.18, 5.1.56, 5.5.11

Notes:
* Useful to bypass several web application firewalls when the
back-end database management system is MySQL

versionedmorekeywords

Encloses each keyword with versioned MySQL comment

Requirement:
* MySQL >= 5.1.13

Tested against:
* MySQL 5.1.56, 5.5.11

Notes:
* Useful to bypass several web application firewalls when the
back-end database management system is MySQL

xforwardedfor

Append a fake HTTP header ‘X-Forwarded-For’ to bypass
WAF (usually application based) protection

 

Oracle

--tamper=between,charencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes,xforwardedfor

between

Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’
Replaces equals operator (‘=’) with ‘BETWEEN # AND #’

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The BETWEEN clause is SQL standard. Hence, this tamper script
should work against all (?) databases

charencode

Url-encodes all characters in a given payload (not processing already
encoded)

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass very weak web application firewalls that do not
url-decode the request before processing it through their ruleset
* The web server will anyway pass the url-decoded version behind,
hence it should work against any DBMS

equaltolike

Replaces all occurrences of operator equal (‘=’) with operator ‘LIKE’

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5

Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the equal character (‘=’)
* The LIKE operator is SQL standard. Hence, this tamper script
should work against all (?) databases

 

greatest

Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart

Tested against:
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The GREATEST clause is a widespread SQL command. Hence, this
tamper script should work against majority of databases

multiplespaces

Adds multiple spaces around SQL keywords

Notes:

* Useful to bypass very weak and bespoke web application firewalls
that have poorly written permissive regular expressions

Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt

 

nonrecursivereplacement

Replaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace("SELECT", "")) filters

Notes:
* Useful to bypass very weak custom filters

randomcase

Replaces each keyword character with random case value

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass very weak and bespoke web application firewalls
that have poorly written permissive regular expressions
* This tamper script should work against all (?) databases

 

securesphere

Appends a specially crafted string

Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163

 

space2comment

Replaces space character (‘ ‘) with comments ‘/**/’

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls

 

space2plus

Replaces space character (‘ ‘) with plus (‘+’)

Notes:
* Is this any useful? The plus gets url-encoded by sqlmap engine
invalidating the query afterwards
* This tamper script works against all databases

space2randomblank

Replaces space character (‘ ‘) with a random blank character from a
valid set of alternate characters

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass several web application firewalls

 

unionalltounion

Replaces UNION ALL SELECT with UNION SELECT

 

unmagicquotes

Replaces quote character (‘) with a multi-byte combo %bf%27 together with
generic comment at the end (to make it work)

Notes:
* Useful for bypassing magic_quotes/addslashes feature

Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

 

xforwardedfor

Append a fake HTTP header ‘X-Forwarded-For’ to bypass
WAF (usually application based) protection

 

PostgreSQL

--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,xforwardedfor

between

Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’
Replaces equals operator (‘=’) with ‘BETWEEN # AND #’

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The BETWEEN clause is SQL standard. Hence, this tamper script
should work against all (?) databases

charencode

Url-encodes all characters in a given payload (not processing already
encoded)

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass very weak web application firewalls that do not
url-decode the request before processing it through their ruleset
* The web server will anyway pass the url-decoded version behind,
hence it should work against any DBMS

charunicodeencode

Unicode-url-encodes non-encoded characters in a given payload (not
processing already encoded)

Requirement:
* ASP
* ASP.NET

Tested against:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
* MySQL 5.1.56
* PostgreSQL 9.0.3

Notes:
* Useful to bypass weak web application firewalls that do not
unicode url-decode the request before processing it through their
ruleset

equaltolike

Replaces all occurrences of operator equal (‘=’) with operator ‘LIKE’

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5

Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the equal character (‘=’)
* The LIKE operator is SQL standard. Hence, this tamper script
should work against all (?) databases

 

greatest

Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart

Tested against:
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The GREATEST clause is a widespread SQL command. Hence, this
tamper script should work against majority of databases

multiplespaces

Adds multiple spaces around SQL keywords

Notes:

* Useful to bypass very weak and bespoke web application firewalls
that have poorly written permissive regular expressions

Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt

nonrecursivereplacement

Replaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace("SELECT", "")) filters

Notes:
* Useful to bypass very weak custom filters

percentage

Adds a percentage sign (‘%’) in front of each character

Requirement:
* ASP

Tested against:
* Microsoft SQL Server 2000, 2005
* MySQL 5.1.56, 5.5.11
* PostgreSQL 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls

 

randomcase

Replaces each keyword character with random case value

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass very weak and bespoke web application firewalls
that have poorly written permissive regular expressions
* This tamper script should work against all (?) databases

 

securesphere

Appends a specially crafted string

Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163

space2comment

Replaces space character (‘ ‘) with comments ‘/**/’

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls

 

space2plus

Replaces space character (‘ ‘) with plus (‘+’)

Notes:
* Is this of any use? The plus gets URL-encoded by the sqlmap engine,
invalidating the query afterwards
* This tamper script works against all databases

space2randomblank

Replaces space character (‘ ‘) with a random blank character from a
valid set of alternate characters

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass several web application firewalls

 

xforwardedfor

Appends a fake HTTP header ‘X-Forwarded-For’ to bypass
WAF (usually application based) protection

SAP MaxDB

ifnull2ifisnull,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,unionalltounion,unmagicquotes,xforwardedfor

ifnull2ifisnull

Replaces instances like ‘IFNULL(A, B)’ with ‘IF(ISNULL(A), B, A)’

Requirement:
* MySQL
* SQLite (possibly)
* SAP MaxDB (possibly)

Tested against:
* MySQL 5.0 and 5.5

Notes:
* Useful to bypass very weak and bespoke web application firewalls
that filter the IFNULL() function

nonrecursivereplacement

Replaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace("SELECT", "")) filters

Notes:
* Useful to bypass very weak custom filters

randomcase

Replaces each keyword character with random case value

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass very weak and bespoke web application firewalls
that have poorly written permissive regular expressions
* This tamper script should work against all (?) databases

securesphere

Appends a specially crafted string

Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163

space2comment

Replaces space character (‘ ‘) with comments ‘/**/’

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls

 

space2plus

Replaces space character (‘ ‘) with plus (‘+’)

Notes:
* Is this of any use? The plus gets URL-encoded by the sqlmap engine,
invalidating the query afterwards
* This tamper script works against all databases

unionalltounion

Replaces UNION ALL SELECT with UNION SELECT

 

unmagicquotes

Replaces quote character (‘) with a multi-byte combo %bf%27 together with
generic comment at the end (to make it work)

Notes:
* Useful for bypassing magic_quotes/addslashes feature

Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

xforwardedfor

Appends a fake HTTP header ‘X-Forwarded-For’ to bypass
WAF (usually application based) protection

SQLite

ifnull2ifisnull,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2dash,space2plus,unionalltounion,unmagicquotes,xforwardedfor

ifnull2ifisnull

Replaces instances like ‘IFNULL(A, B)’ with ‘IF(ISNULL(A), B, A)’

Requirement:
* MySQL
* SQLite (possibly)
* SAP MaxDB (possibly)

Tested against:
* MySQL 5.0 and 5.5

Notes:
* Useful to bypass very weak and bespoke web application firewalls
that filter the IFNULL() function

multiplespaces

Adds multiple spaces around SQL keywords

Notes:

* Useful to bypass very weak and bespoke web application firewalls
that have poorly written permissive regular expressions

Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt

nonrecursivereplacement

Replaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace("SELECT", "")) filters

Notes:
* Useful to bypass very weak custom filters

randomcase

Replaces each keyword character with random case value

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass very weak and bespoke web application firewalls
that have poorly written permissive regular expressions
* This tamper script should work against all (?) databases

securesphere

Appends a specially crafted string

Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163

space2comment

Replaces space character (‘ ‘) with comments ‘/**/’

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

Notes:
* Useful to bypass weak and bespoke web application firewalls

space2dash

Replaces space character (‘ ‘) with a dash comment (‘--’) followed by
a random string and a new line (‘\n’)

Requirement:
* MSSQL
* SQLite

Notes:
* Useful to bypass several web application firewalls
* Used during the ZeroNights SQL injection challenge,
https://proton.onsec.ru/contest/

 

space2plus

Replaces space character (‘ ‘) with plus (‘+’)

Notes:
* Is this of any use? The plus gets URL-encoded by the sqlmap engine,
invalidating the query afterwards
* This tamper script works against all databases

unionalltounion

Replaces UNION ALL SELECT with UNION SELECT

unmagicquotes

Replaces quote character (‘) with a multi-byte combo %bf%27 together with
generic comment at the end (to make it work)

Notes:
* Useful for bypassing magic_quotes/addslashes feature

Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

xforwardedfor

Appends a fake HTTP header ‘X-Forwarded-For’ to bypass
WAF (usually application based) protection
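
The whitespace and case scripts listed above (space2comment, space2dash, space2randomblank, multiplespaces, randomcase) only get past signatures that are matched against the raw request. The following is an added example, not sqlmap code and not from the original post, showing the detection side: normalize the parameter first, then match. The regexes, the function names and the sample values are constructed for illustration.

```python
import re
from urllib.parse import unquote

# The kind of "poorly written" rule the notes describe: one literal space,
# case-sensitive, applied to the raw parameter value.
NAIVE = re.compile(r"UNION SELECT")
# Rule applied after normalization; also covers what unionalltounion rewrites.
NORMALIZED = re.compile(r"\bunion (all )?select\b")

BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)   # space2comment
DASH_COMMENT = re.compile(r"--[^\n]*\n")         # space2dash
BLANKS = re.compile(r"\s+")                      # multiplespaces, space2randomblank

def normalize(raw: str) -> str:
    """Canonicalize a request parameter before signature matching."""
    text = raw
    for _ in range(3):            # decode until stable (bounded)
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    # MySQL executable comments (/*!...*/) are not unwrapped here.
    text = BLOCK_COMMENT.sub(" ", text)
    text = DASH_COMMENT.sub(" ", text)
    text = BLANKS.sub(" ", text)
    return text.lower().strip()   # randomcase

# Constructed sample parameter values, one per transformation.
SAMPLES = {
    "plain": "1 UNION SELECT NULL",
    "space2comment": "1/**/UNION/**/SELECT/**/NULL",
    "randomcase": "1 uNiOn SeLeCt NULL",
    "multiplespaces": "1   UNION    SELECT   NULL",
    "space2randomblank": "1%0DUNION%0CSELECT%09NULL",
    "space2dash": "1--qTz%0AUNION--nVb%0ASELECT--kLm%0ANULL",
    "benign": "union square, select seats",
}

def evaluate(samples=SAMPLES):
    """Return {name: (naive_hit, normalized_hit)} for each sample."""
    return {
        name: (bool(NAIVE.search(value)),
               bool(NORMALIZED.search(normalize(value))))
        for name, value in samples.items()
    }

if __name__ == "__main__":
    for name, (naive, norm) in evaluate().items():
        print(f"{name:18} naive={naive!s:5} normalized={norm}")
```

Signature matching of this kind is a detection layer only; parameterized queries in the application are what remove the injection itself.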