SQLi Query Tampering

Sqlmap is a great automated tool for finding SQL injection vulnerabilities, but it can be a little noisy when you are pentesting or bug hunting. One of the cool parts of Sqlmap is tampering: tamper scripts give us a set of functions/techniques to evade filters and WAFs.

SQLi Query Tampering gives you the flexibility of manual testing combined with many of these evasion techniques. This extension has two parts:

  1. Generator:
    • You can add your own customized payloads
    • All evasion techniques are grouped by DBMS type
    • Tampered payloads can be used as a payload generator in Intruder, or saved to the clipboard or a file
  2. Processor:
    • You can choose one of the tamper techniques as your processor
    • The processor can be added as a Payload Processor in Intruder
    • You can add your payloads and tamper them with the selected technique. Write one payload per line.

Usage notes:

  • All tampered queries (in Generator/Processor) are returned URL-encoded
  • If you need URL-decoded payloads, add a decode rule in the Payload Processing section

Author

Hamid Rezaei

Version

1.3

Last updated

03 September 2020

Estimated system impact

Overall impact: Low

  • Memory: Low
  • CPU: Low
  • General: Low
  • Scanner: Low

You can install BApps directly within Burp, via the BApp Store feature in the Burp Extender tool. You can also download them from here, for offline installation into Burp.

You can view the source code for all BApp Store extensions on our GitHub page.

Follow @BApp_Store on Twitter to receive notifications of all BApp releases and updates.

Please note that extensions are written by third party users of Burp, and PortSwigger Web Security makes no warranty about their quality or usefulness for any particular purpose.
