search

πŸŒ€Custom Payloads Directly in SQLMap

SQLMap allows you to specify your own SQL queries using the `--sql-query option`. This is particularly useful when you want to inject specific payloads to test for SQL injection vulnerabilities.

You can add custom payloads directly within the SQLMap syntax using the --sql-query option or by customizing the payloads through tamper scripts. Below, I will show you how to add custom payloads directly using SQLMap as well as through tamper scripts.

hashtag
Adding Custom Payloads Directly in SQLMap

SQLMap allows you to specify your own SQL queries using the --sql-query option. This is particularly useful when you want to inject specific payloads to test for SQL injection.

Example: Using --sql-query

  1. Simple Custom Payload

    sqlmap -u "http://example.com/vulnerable.php?id=1" --sql-query="SELECT version()"

  2. Union-Based Custom Payload

    sqlmap -u "http://example.com/vulnerable.php?id=1" --sql-query="UNION SELECT null, database(), user(), version()"

hashtag
----------------------------------------------------------------

hashtag
Customizing Payloads with Tamper Scripts

If you need more flexibility and want to systematically apply custom payloads, you can create a tamper script that modifies the default payloads used by SQLMap.

Example: Custom Tamper Script

  1. Create a Custom Tamper Script

    Create a new Python file in the tamper directory of your SQLMap installation, for example, custom_payload_tamper.py.

    #!/usr/bin/env python
import random
__priority__ = 1
def dependencies():
    pass
def tamper(payload):
    """
    Custom tamper script to inject custom payloads
    """
    if payload:
        # Example of replacing spaces with comments and adding a custom payload
        payload = payload.replace(" ", "/**/")
        if "SELECT" in payload.upper():
            payload = payload.replace("SELECT", "SELECT/**/custom_function(),")
    return payload

  2. Save the Script

    Save this script in the tamper directory of SQLMap.

  3. Use the Tamper Script with SQLMap

    Run SQLMap with your custom tamper script to apply your modifications to the payloads.

    sqlmap -u "http://example.com/vulnerable.php?id=1" --tamper=custom_payload_tamper

hashtag
----------------------------------------------------------------

hashtag
Advanced Example with Multiple Payloads

You can combine multiple payloads and tamper scripts to create more complex injection tests. Below is an advanced example where custom payloads are systematically applied to the requests.

Example: Combining Multiple Techniques

  1. Create a Complex Tamper Script

  2. Save and Use the Script

    Save this script as complex_tamper.py in the tamper directory.

  3. Run SQLMap with the Complex Tamper Script

hashtag
----------------------------------------------------------------

hashtag
Leveraging SQLMap's --sql-query Option

The --sql-query option allows you to directly specify SQL queries to be executed. This is useful for precise injection testing.

Examples: Custom Queries with --sql-query

  1. Direct Version Query

    This command checks the version of the database:

    Copy

  2. Union-Based Query

    This command retrieves multiple pieces of information such as the database name, current user, and database version:

  3. Subquery Injection

    This command uses a subquery to extract table names:

hashtag
----------------------------------------------------------------

hashtag
Using --sql-shell for Interactive Injection

SQLMap's --sql-shell provides an interactive SQL shell for executing arbitrary SQL commands.

Example: Starting SQL Shell

  1. Interactive Shell

    Start an interactive SQL shell to manually execute SQL commands:

  2. Executing Commands in Shell

    Execute commands in the SQL shell to retrieve information:

hashtag
----------------------------------------------------------------

hashtag
Creating Custom Tamper Scripts

Tamper scripts can modify payloads dynamically to bypass WAFs and other security measures.

Example: Advanced Custom Tamper Script

  1. Script to Add Random Comments

    Create a script random_comment_tamper.py:

  2. Save and Use the Script

    Save this script in the tamper directory of SQLMap and use it:

hashtag
----------------------------------------------------------------

hashtag
Custom Payloads with --prefix and --suffix

You can use --prefix and --suffix to add custom SQL snippets before and after the payload.

Examples: Using --prefix and --suffix

  1. Adding Prefix and Suffix

    Add custom snippets before and after the payload:

  2. Injecting with Custom Wrappers

    Wrap the payload with custom conditions:

hashtag
----------------------------------------------------------------

hashtag
Using SQLMap's --eval Option

The --eval option allows for evaluating Python code before sending requests, which can be used for dynamic payload generation.

Example: Dynamic Payload Generation with --eval

  1. Dynamic Generation

    Generate a dynamic payload using Python code:

hashtag
----------------------------------------------------------------

hashtag
Combining Techniques for Automated Testing

You can combine multiple techniques for comprehensive automated testing.

Example: Full Automated Test with Custom Payloads

  1. Advanced Custom Payloads in Combination

    Combine various methods to create a comprehensive testing command:

Example of an Advanced Tamper Script for Automated Testing

Example: Randomized Time-Based Injection

  1. Script random_time_tamper.py

    Create a script to add random time-based delays to the payload:

  2. Use with SQLMap

    Use the script with SQLMap:

hashtag
----------------------------------------------------------------

PreviousWAF Bypass for SQL InjectionNextRecognize DB to Manual SQL injection

Last updated