SANS Penetration Testing

SQLMAP Tamper Scripts for The Win


During a recent penetration test BURP Suite identified some blind SQL Injection vulnerabilities in a target website. Pointing SQLMAP at the website showed us no love and simply said it was unable to exploit the website. I had mentioned the SQLi issues to the customer and he said that previous penetration testers said they were unexploitable. We decided to take a closer look anyway. The URLs for the website looked rather odd. I can't talk specifically about the website in question, but the URIs looked something like this:






You'll notice that the field names (underlined in RED) have very strange names. At first I thought that these were just weird field names. Maybe the developer has some codenames for fields that I just didn't understand. But then I noticed that the values (underlined in BLUE) were also very odd. None of the information on the URL made any sense to me. I grabbed a coworker and we spent some time trying to figure out what kind of weird encoding was being used. The web application had some useful functionality that make the translation pretty easy to figure out. If we put "AAAAAAAAA" into the ACCOUNT NUMBER field in the websites search page we saw that it redirected us to a web page with a URI containing 'QnnyBZ4_ZB6qvm=QQQQQQQQQ'. When we searched for an ACCOUNT NUMBER of 'BBBBBBBBB" it took us to web page with a URI containing 'QnnyBZ4_ZB6qvm=qqqqqqqqq'. There was obviously some type of character substitution cipher being used on the URL. The maximum size for an account number was 9 characters. But with a few queries I could figure out the entire character set mapping. I searched for an ACCOUNT NUMBER of "ABCDEFGHI" and found a URI containing 'QnnyBZ4_ZB6qvm=QqnPvka03'. I searched for 'JKLMNOPQR' and found a URI containing 'QnnyBZ4_ZB6qvm=wMU6Zybjm'. I repeated this process for every upper, lower and numeric character and soon I had the following mapping of characters.

Normal Letters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'

Encrypted Letters = 'QqnPvka03wMU6ZybjmK4BRSEWdVishgClpI1AouFNOJ9zrtL2Yef7Tc8GxDHX5'

Python makes translating between two sets of characters easy. Using Python 3 we can do the following:




This translated the word "HELLO" into "OvUUy" using the character mapping specified. The arguments for maketrans are the "FROM STRING" followed by the "TO STRING". Going in the other direction is simply a matter of reversing the parameters passed to str.maketrans() and passing (encrypted_letter, normal_letters)




In Python2 you have to import the string module because the maketrans function is stored there. But otherwise the syntax is the same.



Now I can decode the URLs! So we tried in on the URL we saw earlier.



Awesome. Now that is something I can understand. Now that we can freely encode and decode our attacks we had a bit more success with manual exploitation. But I'm lazy! I want SQLMAP to automate my attacks for me! If I don't tell SQLMAP how to encode its injections it will not work against the website. SQLMAP tamper scripts are designed to do exactly that. SQLMAP is distributed with a set of "TAMPER" scripts to perform tasks like add a NULL byte to the end of injections or randomize the case of the letters in your query. Creating a custom tamper script to do our character transposition is pretty simple. SQLMAP is using Python2 so we will have to import the string module. But Looking at one of the other tamper scripts and using it as an example we quickly wrote the following:



We saved this new file a "" and placed it inside SQLMAP's "tamper" directory. Then we pass the name of our script to the -tamper argument.

python -u "https://www.example.tgt/webapp.php? QnnyBZ4_ZB6qvm=xxxTcTc&k3mK4_ZQ6v=6V9A&UQK4_ZQ6v=qVllgrr" -dump


Then sit back and watch SQLMAP's barrage of winning. A few lines of custom Python code took this vulnerability from "an unexploitable false positive" to a significant vulnerability that requires immediate attention. After using the tamper script we are able to access everything in the database with SQLMAP saving us hours of manual exploitation and encoding. And all it took was plugging 3 lines of custom Python code into an existing tamper script template.

Python is awesome and having the ability to use it and customize tools to meet your demands is incredibly powerful. Come check out SEC573: Automating Information Security with Python.

The SQLMAP Tamper Script

  • Mark Baggett


Upcoming SANS Special Event - 2018 Holiday Hack Challenge


SANS Holiday Hack Challenge - KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying like video game, by the makers of SANS NetWars
  • Learn more:
  • Play previous versions from free 24/7/365:

Player Feedback!

  • "On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team." - @mikehodges
  • "#SANSHolidayHack Confession — I have never used python or scapy before. I got started with both today because of this game! Yay!" - @tww2b
  • "Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa" - @dnlongen


Posted November 28, 2017 at 1:32 PM | Permalink | Reply


Great Information. Thanks for Sharing this.

Posted February 27, 2018 at 10:12 PM | Permalink | Reply


Thanks, actually this topic inspired me to build "tamper-api" which is basically an SQLMap tamper api to accept tamper scripts from all languages
Repository Link:

Posted June 2, 2019 at 5:45 PM | Permalink | Reply

Dawood Khan

I downloaded sqlmap an hour ago and was searching for something relevant on tampering. Awesome post! Thank you for sharing.

Post a Comment


* Indicates a required field.