SQLi Query Tampering extends and adds custom Payload Generator/Processor in Burp Suite's Intruder.
Sqlmap is a great automated tool for SQL vulnerabilities but it can be a little noisy when you perform pentesting or bug hunting! One of the cool part of Sqlmap is Tampering. Tampering gives us some functions/techniques to evade filters and WAF's.
SQLi Query Tampering gives you the flexibility of manual testing with many powerful evasion techniques. This extension has two part:
The list of Evasion Techniques:
apostrophemask, apostrophenullencode, appendnullbyte, between, bluecoat, chardoubleencode, charencode, charunicodeencode, charunicodeescape, commalesslimit, commalessmid, commentbeforeparentheses, concat2concatws, equaltolike, escapequotes, greatest, halfversionedmorekeywords, hex2char, htmlencode, ifnull2casewhenisnull, ifnull2ifisnull, informationschemacomment, least, lowercase, modsecurityversioned, modsecurityzeroversioned, multiplespaces, overlongutf8, overlongutf8more, percentage, plus2concat, plus2fnconcat, randomcase, randomcomments, sp_password, space2comment, space2dash, space2hash, space2morecomment, space2morehash, space2mssqlblank, space2mssqlhash, space2mysqlblank, space2mysqldash, space2plus, space2randomblank, symboliclogical, unionalltounion, unmagicquotes, uppercase, versionedkeywords, versionedmorekeywords, 0eunion, misunion, schemasplit, binary, dunion, equaltorlike
Extension Typeto Python
Feel free to submit issues and enhancement requests.
We appreciate all forms of contribution. When contributing to this repository, please first discuss the change you wish to make via issue, email, or any other method with the owners of this repository before making a change. Contribution can include adding new feature,tampering technique based on your experience/articles/sqlmap repo, making typo corrections and much more. In general, we follow the "fork-and-pull" Git workflow.
http://testphp.vulnweb.com/artists.php?artist=1url as target and make sure the extension works properly.
NOTE: Be sure to merge the latest from "upstream" before making a pull request!
Loadbutton in User-Defined Payloads section.