Week 9 - SQLMap Tamper Scripts
Well, it’s Monday, which means another Web App Hacking Tip! In week 9 we’ll be covering custom SQLMap tamper scripts. SQL injection is a common vulnerability in web applications, and depending on the app, exploitation usually means getting past some kind of Web Application Firewall (WAF). SQLMap ships with default tamper scripts that are useful (space2comment, charencode, randomcase), but they don’t always get the job done. I’ve found the most useful solution is to just write your own!

To start off, I recommend proxying your SQLMap traffic through Burp Suite (see the images below). This lets you see exactly which requests the WAF is blocking and how the app responds. From there, you can craft your script to replace whatever characters or keywords trigger the firewall. In the images below, the tamper script replaces the ‘=’ sign with ‘LIKE’ and the ‘AND’ operator with ‘&&’.

This tip pairs extremely well with Week 7’s Custom Payload creation, so I highly recommend checking that out if you enjoy SQL injections!
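Here’s the flip side, as an added example that isn’t from the original post: a small Python sketch of why a signature-only WAF misses the two swaps above (‘=’ to ‘LIKE’, ‘AND’ to ‘&&’) and how normalising the parameter before matching catches them. The rule, the equivalence list and the sample parameter values are all made up for illustration.

```python
import re

# A signature-style WAF rule: flag a boolean clause built from AND and '='.
NAIVE_RULE = re.compile(r"\bAND\b.*=", re.IGNORECASE)

# Equivalence classes the normaliser folds back together. This list is an
# assumption chosen for the post's two substitutions plus the inline-comment
# trick space2comment uses; a real WAF would carry a much longer one.
EQUIVALENTS = [
    (re.compile(r"/\*.*?\*/", re.DOTALL), " "),     # inline comments used as spaces
    (re.compile(r"\bLIKE\b", re.IGNORECASE), "="),  # the post's '=' -> 'LIKE' swap
    (re.compile(r"&&"), " AND "),                   # the post's 'AND' -> '&&' swap
    (re.compile(r"\|\|"), " OR "),                  # the same trick applied to OR
    (re.compile(r"\s+"), " "),                      # collapse whitespace last
]


def normalize(value: str) -> str:
    """Canonicalise a request parameter before signature matching."""
    out = value
    for pattern, replacement in EQUIVALENTS:
        out = pattern.sub(replacement, out)
    return out.strip().upper()


def naive_match(value: str) -> bool:
    """Rule applied to the raw parameter, as a naive WAF would do it."""
    return NAIVE_RULE.search(value) is not None


def normalized_match(value: str) -> bool:
    """Same rule applied after normalisation."""
    return NAIVE_RULE.search(normalize(value)) is not None


# Constructed sample parameter values (not captured from any real target):
ORIGINAL = "1' AND 1=1-- -"       # the untampered probe
TAMPERED = "1' && 1 LIKE 1-- -"   # the same probe after the post's tamper script
BENIGN = "shoes && boots sale"    # ordinary text that should not be flagged

if __name__ == "__main__":
    for label, value in (("original", ORIGINAL), ("tampered", TAMPERED), ("benign", BENIGN)):
        print(f"{label:9} naive={naive_match(value)!s:5} normalized={normalized_match(value)}")
```

Run it and you’ll see the tampered probe sail past the raw rule but get caught once the parameter is normalised, while the benign string stays clean either way.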