Code Review: tamper

What is tamper?

A tamper script in sqlmap rewrites each injection payload just before it is sent, so that the request slips past a WAF, IDS or input filter that matches on the original form (for example by replacing spaces with inline comments or changing keyword case). The syntax is:

sqlmap -u <url> --tamper <tamper_script>

Several scripts can be chained with a comma-separated list (--tamper=script1,script2); sqlmap uses each script's __priority__ value to decide the order in which they are applied.

There are 53 official tamper scripts provided by sqlmap; they live in the tamper/ directory of its GitHub repo, and sqlmap --list-tampers prints the available ones with a one-line description of each.

When none of them fits the target's filter, we can write our own: follow the template below and implement the tamper(payload, **kwargs) function, which receives the payload and must return the modified version.

Template

#!/usr/bin/env python

from lib.core.enums import PRIORITY

# Used by sqlmap to order this script relative to other chained tamper scripts
__priority__ = PRIORITY.LOW

def dependencies():
    # Called once when the script is loaded; sqlmap's own scripts use it to
    # warn which DBMS the transformation is meant for
    pass

def tamper(payload, **kwargs):
    # payload: the injection string sqlmap is about to send
    # kwargs:  extra request data, e.g. kwargs["headers"] holds the outgoing HTTP headers

    retVal = payload

    # tamper the payload
    if payload:
        pass

    return retVal
