mgeeky-Penetration-Testing-.../web/sqlmap-tamper-scripts-evaluation.md

4.0 KiB

SQLMap Tamper scripts evaluation against F5 Big-IP ASM WAF

The below table represents results of tests launched against F5 Big-IP ASM WAF appliance in it's XX version of YY and ZZ version of XY

Below names are to be passed to the --tamper= parameter of sqlmap.

The column Violation Rating represents most dominant rating of topmost 20 Requests observed by F5 in it's Security>>Event Logs:Application:Requests view.

The scale is 0-5.

Tamper script(s) used Violation Rating
apostrophemask 3-5
apostrophenullencode 4
appendnullbyte 5
base64encode 3
between 4
bluecoat 4
chardoubleencode 4
charencode 4
charunicodeencode 4
charunicodeescape 4
commalesslimit 3-4
commalessmid 4
concat2concatws 4
equaltolike 4
greatest 4
halfversionedmorekeywords 4
htmlencode 4
ifnull2ifisnull 4
informationschemacomment 4
least 4
lowercase 4
modsecurityversioned 4
modsecurityzeroversioned 3-4
multiplespaces 4
nonrecursivereplacement 1-3
overlongutf8 3
overlongutf8more 3
percentage 2
plus2concat 4
plus2fnconcat 4
randomcase 4
randomcomments 2-3
securesphere 4
space2comment 4
space2dash 3-4
space2hash 1-3
space2morecomment 4
space2morehash 1
space2mssqlblank 2-4
space2mssqlhash 4
space2mysqlblank 3-4
space2mysqldash 4
space2plus 3-4
space2randomblank 4
symboliclogical 4
sp_password 4
unionalltounion 4
unmagicquotes 4
uppercase 4
varnish 4
versionedkeywords 2
versionedmorekeywords 4
xforwardedfor 4
nonrecursivereplacement,space2morehash,space2hash 1

Among longer combinations:

Tamper script(s) used Violation Rating
apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzerovers 1
between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor 1
apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes 1
apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,charunicodeescape,commalesslimit,commalessmid,commentbeforeparentheses,concat2concatws,equaltolike,escapequotes,greatest,halfversionedmorekeywords,htmlencode,ifnull2casewhenisnull,ifnull2ifisnull,informationschemacomment,least,lowercase,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,overlongutf8,overlongutf8more,percentage,plus2concat,plus2fnconcat,randomcase,randomcomments,securesphere,sp_password,space2comment,space2dash,space2hash,space2morecomment,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,symboliclogical,unionalltounion,unmagicquotes,uppercase,varnish,versionedkeywords,versionedmorekeywords,xforwardedfor 5

The last row represents all of tamper scripts used at once score. It looks like, it's not a good idea to use them all at once.

From tamper scripts that did best in this evaluation, we can point out:

  • nonrecursivereplacement
  • space2morehash
  • space2hash

Although, they had not been tested against actual vulnerability, therefore this evalution does not take in account whether SQLMap was able to attack the vulnerability at all.