It's an extension for SQLmap tamper scripts allows you to use your favorite programming language to write your tamper scripts.
This extension is a bypass for SQLmap limitation of accepting only python scripts to write tamper scripts.
taper-api.py
script sends the payload and kwargs to the foreign language tamper script's STDIN as two STDIN arguments. From there the foreign script evaluates and process all inputs then send it to STDOUT where tamper-api.py
reads it evaluates then sends it to SQLmap.
- payload object type is string
- kwargs object type is dictionary Both will be send to STDOUT as strings.
Recommend to add symlink/shortcut for tamper-api.py
in sqlmap/tamper directory
No matter what language you use, this going to be valid for you. Since tamper-api.py
sends two arguments, you have to evaluate/parse kwargs
to process. In Ruby case, we parse it as JSON and deal with it as a hash then convert it to JSON format which identical to Python dictionary format.
The payload
argument is string and sqlmap expects string as well.
The final output (from the foreign script) is STDOUT contains [PAYLOAD]|||[KWARGS]
.
since the |||
is just a separator for tamper-api
to split between the 'payload' and 'kwargs' returned values. (Note: tamper-api
expects that format to parse the output so stick with it)
Example
#!/usr/bin/env ruby
#
# Author: KING SABRI | @KINGSABRI
# Description: Base64 encoding all characters in a given payload
# Requirements: None
#
require 'json'
require 'base64'
@payload = ARGV[0] # first arg
@kwargs = eval(ARGV[1]) # second arg evaluated to be a hash for ruby
print "#{Base64.urlsafe_encode64(@payload)}|||#{@kwargs.to_json}"
So to summarize, there will be a static part for each language to grantee the compatibility with the way tamper-api
works which tunned to work for sqlmap properly.
Please check tamper-scripts/[YOUR_LANGUAGE]
for practical examples.
sqlmap -u http://example.com/pages.php?page=1 --tamper tamper-api base64encode.rb
- Fork
- Clone :
https://github.com/[USERNAME]/sqlmap-multi-language-tamper.git
- Create a new branch:
git checkout -b YourBranch
- Commit changes:
git add * && git commit 'description'
- Create Pull Request(PR)
Or, open an issue for new requests and bugs reporting!