Adding Custom Payloads Directly in SQLMap Syntax
SQLMap allows you to specify your own SQL queries using the `--sql-query` option. This is particularly useful when you want to inject specific payloads to test for SQL injection vulnerabilities.
You can add custom payloads directly within the SQLMap syntax using the `--sql-query` option or by customizing the payloads through tamper scripts. Below, I will show you how to add custom payloads directly using SQLMap as well as through tamper scripts.
Adding Custom Payloads Directly in SQLMap
Example: Using --sql-query
Simple Custom Payload
Union-Based Custom Payload
Customizing Payloads with Tamper Scripts
If you need more flexibility and want to systematically apply custom payloads, you can create a tamper script that modifies the default payloads used by SQLMap.
Example: Custom Tamper Script
Create a Custom Tamper Script
Create a new Python file in the `tamper` directory of your SQLMap installation, for example, `custom_payload_tamper.py`.
Save the Script
Save this script in the `tamper` directory of SQLMap.
Use the Tamper Script with SQLMap
Run SQLMap with your custom tamper script to apply your modifications to the payloads.
Advanced Example with Multiple Payloads
You can combine multiple payloads and tamper scripts to create more complex injection tests. Below is an advanced example where custom payloads are systematically applied to the requests.
Example: Combining Multiple Techniques
Create a Complex Tamper Script
Save and Use the Script
Save this script as `complex_tamper.py` in the `tamper` directory.
Run SQLMap with the Complex Tamper Script
Leveraging SQLMap's --sql-query Option
The `--sql-query` option allows you to directly specify SQL queries to be executed. This is useful for precise injection testing.
Examples: Custom Queries with --sql-query
Direct Version Query
This command checks the version of the database:
Union-Based Query
This command retrieves multiple pieces of information such as the database name, current user, and database version:
Subquery Injection
This command uses a subquery to extract table names:
Using --sql-shell for Interactive Injection
SQLMap's `--sql-shell` provides an interactive SQL shell for executing arbitrary SQL commands.
Example: Starting SQL Shell
Interactive Shell
Start an interactive SQL shell to manually execute SQL commands:
Executing Commands in Shell
Execute commands in the SQL shell to retrieve information:
Creating Custom Tamper Scripts
Tamper scripts can modify payloads dynamically to bypass WAFs and other security measures.
Example: Advanced Custom Tamper Script
Script to Add Random Comments
Create a script `random_comment_tamper.py`:
Save and Use the Script
Save this script in the `tamper` directory of SQLMap and use it:
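Seen from the detection side, the random-comment and time-delay tampering described on this page defeats signatures that match the raw parameter value. The following is an added example, not code from the original page or from SQLMap: a normalizer that decodes the value and treats inline comments as whitespace before matching. The signature set, function names and sample values are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# MySQL runs the body of /*! ... */ comments, so unwrap those rather than drop them.
VERSIONED = re.compile(r"/\*!\d*(.*?)\*/", re.S)
COMMENT = re.compile(r"/\*.*?\*/", re.S)

# Hypothetical signature set, deliberately small; a real rule set is far larger.
SIGNATURES = {
    "time-delay": re.compile(r"\b(?:sleep|pg_sleep|benchmark)\s*\(|\bwaitfor\s+delay\b"),
    "union-select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
}

def normalize(value):
    """Decode, turn inline comments into whitespace, collapse spaces, lowercase."""
    prev, text = None, value
    while prev != text:  # repeat until stable to undo double URL-encoding
        prev, text = text, unquote_plus(text)
    text = VERSIONED.sub(r" \1 ", text)
    text = COMMENT.sub(" ", text)  # a comment separates tokens, like a space
    return re.sub(r"\s+", " ", text).strip().lower()

def match(text):
    """Names of all signatures that fire on the given text."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def classify(value):
    """Return signature hits and whether they only appear after normalization."""
    raw_hits = match(unquote_plus(value).lower())  # what a naive rule sees
    hits = match(normalize(value))
    return {"hits": hits, "evasion": bool(set(hits) - set(raw_hits))}

# Constructed sample parameter values, as they might appear in an access log.
SAMPLES = [
    "42",
    "1 UNION SELECT null,version()",
    "1%20UNION/*k3f*/SELECT/*q*/null",
    "1 AND SLEEP/*a9*/(3)",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:40} {classify(s)}")
```

A value flagged with `evasion` set matched only after normalization, which is itself a useful alerting signal: ordinary application traffic rarely needs inline comments between SQL keywords.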
Custom Payloads with --prefix and --suffix
You can use `--prefix` and `--suffix` to add custom SQL snippets before and after the payload.
Examples: Using --prefix and --suffix
Adding Prefix and Suffix
Add custom snippets before and after the payload:
Injecting with Custom Wrappers
Wrap the payload with custom conditions:
Using SQLMap's --eval Option
The `--eval` option allows for evaluating Python code before sending requests, which can be used for dynamic payload generation.
Example: Dynamic Payload Generation with --eval
Dynamic Generation
Generate a dynamic payload using Python code:
Combining Techniques for Automated Testing
You can combine multiple techniques for comprehensive automated testing.
Example: Full Automated Test with Custom Payloads
Advanced Custom Payloads in Combination
Combine various methods to create a comprehensive testing command:
Example of an Advanced Tamper Script for Automated Testing
Example: Randomized Time-Based Injection
Script `random_time_tamper.py`
Create a script to add random time-based delays to the payload:
Use with SQLMap
Use the script with SQLMap: