How to write custom tamper scripts for sqlmap

Introduction

SQLmap is a very useful tool when you want to automatize the exploitation of a SQL Injection vulnerability and extract protected data from a web site. Often, in order to defend against this type of attacks, developers introduce some keyword filters and/or use a WAF (Web Application Firewall) that blocks common SQL Injections payloads.

Most of the time, this type of filters are regex-based. Let’s see an example:

This simple filter blocks the keywords OR and AND and is case insensitive (note the i at the end of the regex). So, classic payloads like:

do not work against the web application.

If filters are weak, it is possible to bypass this kind of filters, for example in this case we can replace OR and AND keywords in our payload with their logical counterpart, || and &&. So, we can rewrite classic payloads that bypass this filters as:

However, payloads that sqlmap sends during the exploitation phase are more complex than this one above. We can see the payloads sent by sqlmap by adding the -v3 switch to the command line:

Some of the payloads sent by sqlmap. Note the presence of AND keyword.
Some of the payloads sent by sqlmap. Note the presence of the AND keyword.

Suppose that http://www.example.com?param=test is vulnerable to SQL injection in the param parameter (We may have discovered the vulnerability by simply passing a single quote ‘ as the param value and observed that the application response contains SQL syntax errors).

In order to exploit the vulnerability we have previously found, bypass the filters we have seen above, and dump all the data from the Database we need to tell to sqlmap to replace the keyword AND and OR with their logical operators counterparts: || and &&. To do this, we will write a tamper script in Python (because sqlmap is written in Python).

Writing the script

This is the template we will use for the tamper script, we will call it tamper.py:

The __priority__ field tells sqlmap what is the priority of execution of the tamper script when it is used in concatenation with other tamper scripts. If we launch sqlmap against a target and pass more than one script to the tamper option, sqlmap will reorder the scripts based on this field and will call the script with higher priority first. The PRIORITY enum is defined in the file <sqlmap installation directory>/lib/core/enums.py.

Content of the file /usr/share/sqlmap/lib/core/enums.py.

You can ignore the dependencies() function. The function we are interested in is the tamper() function, because it is that function that modifies the SQL payload.

It is a convention to insert a description of what the payload does inside the tamper() function, so we will follow this conventions too. Let’s see the implementation of the function:

The function code is very simple and does not need too much explanation. You have to point attention to 2 things:

  • Put the keyword you want to replace inside a regex word boundary (the sequence “\b”). This is done in order to avoid replacing of the keyword inside another SQL keyword (For example the MySql function ORD);
  • escape the backslash character “\” inside the python string with another backslash. Eg. \ becomes \\. If you do not do this the python interpreter will escape the character “b” and the regex will not be valid (I.e “\b” becomes “b”).

The complete tamper script is:

Save this script tamper.py inside a directory of your choice and create an empty file called __init__.py inside that directory. Than run sqlmap again:

As you can see the AND keyword in the image before now is correctly replaced with the logical && operator.

As we can see in the screenshot above, now sqlmap replaces AND with &&, successfully bypassing the SQL filter that blocks the AND and OR keywords.

Please note that good WAFs are a lot more difficult to bypass, the objective of this article is to explain how to write a custom tamper script for sqlmap, not to demonstrate how to bypass a Web Application Firewall.

During security assessment, you’ll need to chain various tamper scripts and manually investigate what characters are allowed to be in the payload (I.e are not blocked by WAF/filters).

That’s all. Thanks for reading and see you in the next article.

References

Web Security, Application Security and Bug Bounty things. I’m a software security consultant. Follow me on Twitter! @luca_dd7