Introduction
In this lab, you will explore how to use sqlmap's powerful tamper scripts to bypass common web application filters. Many web applications implement basic input validation and filtering to prevent SQL injection attacks. These filters might block common SQL keywords, spaces, or other characters. sqlmap's tamper scripts can automatically modify the SQL injection payloads to evade these filters, making your attacks more effective. You will learn to identify scenarios where evasion is needed, list available tamper scripts, apply a specific script, and observe its effect on the generated payloads.
Identify a Scenario Requiring Evasion
In this step, you will understand why tamper scripts are necessary. Web applications often employ basic filters to prevent common SQL injection patterns. For example, a filter might block spaces or replace them with other characters, or it might block keywords like UNION or SELECT. When sqlmap's default payloads are blocked, you need to modify them to bypass these filters.
Consider a hypothetical scenario where a web application filters out spaces in user input. If sqlmap tries to inject a payload like ' OR 1=1--, the filter might transform it into 'OR1=1--, rendering the payload ineffective. Tamper scripts help sqlmap generate alternative payloads that can bypass such restrictions.
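The scenario above is worth seeing from the defender's side before running sqlmap. The following Python script is an added example for this lab (it is not part of sqlmap or of the target site): it uses an in-memory SQLite table with constructed sample rows to show that the hypothetical space-stripping filter does break the spaced payload, that the same filter does nothing against a payload whose spaces are already comments (the SQL parser treats /**/ as whitespace), and that a parameterized query neutralizes both because the value is bound rather than parsed. The table, column and product names are assumptions made up for the example.

```python
"""Why a space-stripping input filter is not a SQL injection mitigation.

Added example for this lab, not part of sqlmap. It contrasts the lab's
hypothetical filter with a parameterized query on an in-memory SQLite
database populated with constructed sample data.
"""
import sqlite3


def open_db() -> sqlite3.Connection:
    """Create a throwaway in-memory catalogue (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, cat INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, 1, "lamp"), (2, 1, "chair"), (3, 2, "hidden")],
    )
    return conn


def naive_filter(value: str) -> str:
    """The scenario's filter: silently drop every space from the input."""
    return value.replace(" ", "")


def search_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the input is spliced into the SQL text.

    A syntax error (which is exactly what the naive filter produces for the
    spaced payload, since ''OR1=1 does not parse) is reported as no rows.
    """
    sql = f"SELECT name FROM products WHERE name = '{name}'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return []


def search_param(conn: sqlite3.Connection, name: str) -> list:
    """Correct mitigation: the value is bound and never parsed as SQL."""
    rows = conn.execute("SELECT name FROM products WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo() -> dict:
    """Run the three cases and return what each query yields."""
    conn = open_db()
    spaced = "' OR 1=1--"          # the scenario's original payload
    commented = "'/**/OR/**/1=1--"  # same logic, spaces already replaced
    return {
        # filter mangles the spaced payload, query fails, nothing returned
        "filtered_spaced": search_concat(conn, naive_filter(spaced)),
        # filter leaves the comment form untouched, every row is returned
        "filtered_commented": search_concat(conn, naive_filter(commented)),
        # parameterized query: the hostile string matches no product name
        "param_commented": search_param(conn, commented),
        # and ordinary lookups still work
        "param_legit": search_param(conn, "lamp"),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```

The point of the comparison is that the blocklist filter and the tamper script are two sides of the same coin: any filter that reasons about the text of a query can be answered by an equivalent rewriting of that text, whereas a bound parameter is never part of the query text at all.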
To simulate a basic sqlmap scan without any evasion techniques, we will use a dummy URL. This will help us later compare the payloads generated with and without tamper scripts.
Execute the following sqlmap command to initiate a basic scan against a dummy target. Note that this target is not actually vulnerable, but it allows us to observe sqlmap's behavior and generated payloads.
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dump --batch --forms --level 1 --risk 1 --parse-errors --technique=U --eta --output-dir=/tmp/sqlmap_output_no_tamper
This command will attempt to perform a basic SQL injection scan. The --dump option is used to dump data, --batch runs in non-interactive mode, --forms checks forms, --level 1 --risk 1 sets the detection level and risk, --parse-errors parses error messages, --technique=U specifies UNION query SQL injection, --eta shows estimated time of arrival, and --output-dir specifies the output directory.
Observe the output. This specific command might not find vulnerabilities on the given URL (it is a general test site, not one configured for this lab), but the goal is to see sqlmap's initial attempt and to understand that such attempts are sometimes blocked by filters.
List Available Tamper Scripts with --list-tampers
In this step, you will learn how to list all available tamper scripts in sqlmap. sqlmap comes with a wide variety of tamper scripts, each designed to bypass specific types of filters or WAFs (Web Application Firewalls). Knowing which scripts are available is crucial for selecting the right one for your evasion needs.
To list all available tamper scripts, use the --list-tampers option with sqlmap.
sqlmap --list-tampers
This command will output a list of all .py files located in sqlmap's tamper directory. Each file represents a different tamper script. For example, you might see scripts like space2comment.py, unionalltostring.py, apostrophemask.py, etc. Each script has a specific purpose, such as replacing spaces with comments, converting UNION ALL to string concatenation, or masking apostrophes.
Review the list and try to understand the purpose of a few scripts based on their names. For instance, space2comment.py is designed to replace spaces with SQL comments, which can bypass filters that block spaces.
Select and Apply a Tamper Script with --tamper=space2comment
In this step, you will select and apply a specific tamper script to your sqlmap scan. For this lab, we will use the space2comment tamper script. This script replaces spaces in the SQL injection payload with /**/ (multi-line comment) sequences. This technique is effective against filters that block or remove spaces but allow SQL comments.
To apply a tamper script, you use the --tamper option followed by the name of the script (without the .py extension).
Execute the following sqlmap command, this time including the space2comment tamper script:
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dump --batch --forms --level 1 --risk 1 --parse-errors --technique=U --eta --tamper=space2comment --output-dir=/tmp/sqlmap_output_with_tamper
Notice the addition of --tamper=space2comment. This tells sqlmap to process all generated payloads through this specific tamper script before sending them to the target.
While the output might look similar to the previous step, internally, sqlmap is now modifying its payloads. In the next step, we will examine the difference in the generated payloads.
Execute a Scan with the Selected Tamper Script
You already executed the sqlmap command with the space2comment tamper script in the previous step. This step reinforces that execution and prepares for the payload comparison.
The command you ran was:
sqlmap -u "http://testphp.vulnweb.com/listproducts.php?cat=1" --dump --batch --forms --level 1 --risk 1 --parse-errors --technique=U --eta --tamper=space2comment --output-dir=/tmp/sqlmap_output_with_tamper
This command instructs sqlmap to perform a scan, but this time, it will modify its payloads using the space2comment tamper script. For example, a payload like UNION SELECT might be transformed into UNION/**/SELECT. This subtle change can often bypass simple space-filtering mechanisms.
The --output-dir=/tmp/sqlmap_output_with_tamper option ensures that sqlmap's output, including any generated payloads or logs, is stored in a separate directory. This will be useful for comparing the payloads in the next step.
Allow the sqlmap scan to complete. Even if it doesn't find a vulnerability on the dummy target, the key is that sqlmap has attempted to use tampered payloads.
Compare Payloads With and Without the Tamper Script
In this final step, you will compare the payloads generated by sqlmap with and without the space2comment tamper script. This comparison will visually demonstrate how tamper scripts modify the injection payloads to evade filters.
sqlmap logs its activities, including the payloads it sends, in the output directory. We specified different output directories for the scans in Step 1 and Step 3.
First, locate the files that might contain the payloads. sqlmap typically stores its HTTP requests within its output directory, so navigate to the two output directories and look for request logs. The exact file names might vary, but they are usually under log/ or directly in the target's directory; sqlmap often creates a session.log or similar files.
Use grep to search for common SQL keywords in the log files from both runs.
Compare the payloads by looking for differences in how spaces are handled.
echo "--- Payloads without tamper script ---"
grep -r "UNION" /tmp/sqlmap_output_no_tamper/ | head -n 5
echo ""
echo "--- Payloads with tamper script ---"
grep -r "UNION" /tmp/sqlmap_output_with_tamper/ | head -n 5
You should observe that in the "Payloads with tamper script" output, spaces within SQL keywords (like UNION SELECT) are replaced with /**/ comments, while in the "Payloads without tamper script" output, regular spaces are used. This clearly illustrates the effect of the space2comment tamper script.
This comparison highlights the effectiveness of tamper scripts in modifying payloads to bypass basic filtering mechanisms, making sqlmap a more versatile tool for penetration testing.
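The same comparison can be turned into detection logic. The following Python script is an added example for this lab (not sqlmap's code and not any WAF product's): it runs a UNION SELECT keyword rule over a few constructed request lines, once on the raw text and once after canonicalizing it. The sample lines are made up to resemble what the grep above surfaces and are not sqlmap's actual log format. The example generalizes a little beyond the step: it also handles the URL-encoded form of the comment sequence, since a request log usually records the encoded query string rather than the decoded payload.

```python
"""Catching comment-obfuscated SQL keywords in request logs.

Added example for this lab, not part of sqlmap or of any WAF. Shows why a
keyword rule must decode and strip comments before matching: a rule that
looks at the raw line sees UNION/**/SELECT as two unrelated tokens.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# Constructed sample request lines (not sqlmap's real log format):
# plain spaces, literal /**/ comments, URL-encoded comments, and a benign request.
SAMPLE_LINES = [
    "GET /listproducts.php?cat=1 UNION ALL SELECT NULL,NULL-- - HTTP/1.1",
    "GET /listproducts.php?cat=1/**/UNION/**/ALL/**/SELECT/**/NULL,NULL--/**/- HTTP/1.1",
    "GET /listproducts.php?cat=1%2F%2A%2A%2FUNION%2F%2A%2A%2FSELECT%2F%2A%2A%2FNULL HTTP/1.1",
    "GET /listproducts.php?cat=3 HTTP/1.1",
]

# C-style comment, non-greedy so each /**/ is handled separately.
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
# The rule we want to enforce: UNION [ALL] SELECT separated by whitespace.
KEYWORD_RE = re.compile(r"\bUNION\b\s+(?:ALL\s+)?SELECT\b", re.IGNORECASE)


def normalize(raw: str) -> str:
    """Decode URL escapes, turn every /*...*/ into one space, collapse runs.

    After this step UNION/**/SELECT, UNION%2F%2A%2A%2FSELECT and
    UNION SELECT all compare equal, so one rule covers all three.
    """
    decoded = unquote_plus(raw)
    without_comments = COMMENT_RE.sub(" ", decoded)
    return re.sub(r"\s+", " ", without_comments).strip()


def naive_match(line: str) -> bool:
    """Keyword check on the raw line; space2comment-style payloads slip past."""
    return KEYWORD_RE.search(line) is not None


def normalized_match(line: str) -> bool:
    """Same keyword check after canonicalization."""
    return KEYWORD_RE.search(normalize(line)) is not None


def scan(lines: List[str]) -> List[Tuple[bool, bool]]:
    """Return (raw_hit, normalized_hit) for every line, in order."""
    return [(naive_match(line), normalized_match(line)) for line in lines]


if __name__ == "__main__":
    for line, (raw_hit, norm_hit) in zip(SAMPLE_LINES, scan(SAMPLE_LINES)):
        print(f"raw={raw_hit!s:5} normalized={norm_hit!s:5} {line}")
```

The raw rule fires only on the first line; after normalization it fires on the first three and still ignores the benign request. Canonicalize-then-match is the standard answer to tamper-style evasion on the detection side, but it only narrows the gap: the fix for the application itself remains parameterized queries, which make the shape of the payload irrelevant.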
Summary
In this lab, you successfully learned how to use sqlmap's tamper scripts to bypass basic web application filters. You started by understanding the need for evasion techniques when facing input filters. You then explored how to list the available tamper scripts using --list-tampers and selected the space2comment script for a practical demonstration. Finally, you executed sqlmap with and without the tamper script and compared the generated payloads, clearly observing how the space2comment script modified spaces into /**/ comments. This hands-on experience has equipped you with a fundamental skill for enhancing your SQL injection testing capabilities by evading common filtering mechanisms.