SQLMap Tamper Script Collection

The goal of the tamper scripts is to change the request in a way that keeps the Web Application Firewall (WAF) rules from detecting it. Depending on the target database and the firewall in place, the tamper scripts are used to bypass it and achieve SQL Injection.

Hello folks, if you are new to the SQL Injection vulnerability and SQLMap, I suggest you read the posts SQL Injection Explained from Scratch and Automated Tools to Find SQL Injection.

Tamper Script for All Databases

--tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords

General Purpose Tamper Script

--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

MS Access Database

--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords

MSSQL Database

--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

MySQL Database

--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor

Oracle Database

--tamper=between,charencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes,xforwardedfor

PostgreSQL Database

--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,xforwardedfor

SQLite Database

--tamper=ifnull2ifisnull,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2dash,space2plus,unionalltounion,unmagicquotes,xforwardedfor

SAP MaxDB

--tamper=ifnull2ifisnull,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,unionalltounion,unmagicquotes,xforwardedfor

If you encounter errors while using the tamper scripts, such as the one shown below, remove the scripts that are incompatible with, or not intended for, the targeted database.

[Figure 9: SQLMap tamper script error.]

What is SQLMap?

sqlmap is an open-source penetration testing tool that automates the process of finding and exploiting SQL injection vulnerabilities and taking control of database servers. Under certain circumstances sqlmap can even write to the target database. It has a strong detection engine and a number of switches that make it easier to carry out effective attacks.

Impacts of SQL Injection

Once an attacker determines that a system is susceptible to SQL Injection, they can inject SQL queries or commands through an input form field. This is the same as giving the attacker access to your database and letting them run any SQL command, including DROP TABLE, on it! An attacker can automate the data extraction process using various tools and can harm organizations by dumping large amounts of data.

The vulnerable system is open to SQL statements executed by an attacker. Your database's integrity could be jeopardized, and/or private data could be made public. SQL injection flaws give the attacker varying degrees of access to data and the system, depending on the back-end database being used. Existing queries may be changed, arbitrary data may be UNIONed in (combining data selected from other tables into the result), sub-selects may be used, and new queries may be appended.

In the context of further exploitation, an attacker can gain OS shell access, overwrite system files, and upload a backdoor or a web shell to the server. Gaining an OS shell lets an attacker execute any system command on the affected server. With the help of sqlmap it is very easy to gain a Meterpreter shell as well.

Preventing SQL Injection Vulnerability

Firewalls and other intrusion detection systems don't offer much protection against sophisticated web attacks. Because your website must be accessible to the whole public, your security policy has to let public web traffic reach your web applications, which in turn communicate with your database servers.
Although important, patching your servers, databases, programming languages, and operating systems is not the most effective technique to stop SQL Injection attacks.

1. Use of Prepared Statements

One technique for handling input safely is to use prepared statements. A prepared statement contains placeholders for the input data, which the database driver then escapes and passes to the database. By using placeholders and the PHP methods that bind values to them, we hand data to the SQL query instead of embedding it directly in the query text.
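The following is an added example, not code from the original post: it places the vulnerable string-concatenation query beside its prepared-statement form using Python's built-in sqlite3 driver (the post talks about PHP; the principle is the same), with a constructed in-memory users table. The classic input that rewrites the WHERE clause returns every row through the concatenated query and nothing through the parameterized one.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo, not a real database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.test"),
        (2, "bob", "bob@example.test"),
    ])
    return conn


def lookup_unsafe(conn, username):
    # Vulnerable: the input becomes part of the SQL text, so it can change
    # the structure of the query, not just the value being compared.
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Prepared statement: the value travels separately from the query text,
    # so whatever it contains is only ever compared as data.
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = make_db()
    normal = "alice"
    injected = "' OR '1'='1"  # turns the WHERE clause into an always-true test
    return {
        "unsafe_normal": lookup_unsafe(conn, normal),
        "unsafe_injected": lookup_unsafe(conn, injected),
        "safe_normal": lookup_safe(conn, normal),
        "safe_injected": lookup_safe(conn, injected),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```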

2. User Input Sanitization

We must validate user input in our application to filter out special characters. Special characters that could break the query, or be used to construct SQL statements, should be detected and either filtered or handled carefully.

3. Use of Application Firewall

Integrating an application firewall is another best practice for preventing SQL Injection. The application firewall filters or blocks pre-defined keywords that are used to carry out SQL Injection.
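This added example (written for this page, not taken from sqlmap or any WAF) shows why the keyword filter described above is weak against the tamper scripts listed earlier, and what a detection rule has to do about it: a plain substring match misses inputs transformed the way randomcase, space2comment, charencode and multiplespaces do, while matching after normalization (URL-decode, strip inline comments, collapse whitespace, case-fold) catches the same inputs. The blocklist and the sample inputs are constructed for the demo.

```python
import re
from urllib.parse import unquote

# Naive keyword filter of the kind the text describes: a plain substring match.
BLOCKLIST = ("UNION SELECT",)


def naive_filter_blocks(value: str) -> bool:
    return any(keyword in value for keyword in BLOCKLIST)


def normalize(value: str) -> str:
    """Undo the transformations the tamper scripts apply before matching."""
    text = value
    # charencode / chardoubleencode: URL-decode until nothing changes
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    # space2comment: inline comments standing in for whitespace
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.DOTALL)
    # space2plus: '+' used as a space in query strings
    text = text.replace("+", " ")
    # multiplespaces / space2randomblank: collapse any whitespace run
    text = re.sub(r"\s+", " ", text).strip()
    # randomcase: case-fold before comparing
    return text.upper()


def normalized_filter_blocks(value: str) -> bool:
    return naive_filter_blocks(normalize(value))


# Constructed inputs mimicking the transformations named above.
SAMPLES = {
    "plain": "1 UNION SELECT 1,2",
    "randomcase": "1 uNiOn SeLeCt 1,2",
    "space2comment": "1/**/UNION/**/SELECT/**/1,2",
    "charencode": "1%20%55%4E%49%4F%4E%20%53%45%4C%45%43%54%201,2",
    "multiplespaces": "1   UNION \t  SELECT 1,2",
    "benign": "1",
}


def compare():
    # For each sample: (naive filter verdict, normalized filter verdict)
    return {name: (naive_filter_blocks(v), normalized_filter_blocks(v))
            for name, v in SAMPLES.items()}
```

Normalization narrows the gap but never closes it (each new tamper script is a transformation the normalizer does not yet undo), which is why the page's first recommendation, prepared statements, is the real fix and the firewall is defense in depth.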

4. Least User Privilege

Database users must be created with specific, minimal rights in the DBMS. We must make sure that the account the application uses to query the database has only the rights it actually needs.
