ByPassTamperPlus: Enhanced SQLMap Tamper Scripts for Advanced WAF Bypass
ByPassTamperPlus is a Python‑based collection of SQLMap tamper scripts tailored for MSSQL, MySQL and Oracle across multiple versions, employing version‑specific syntax, functions and obfuscation techniques to improve payload survivability against modern Web Application Firewalls, while acknowledging inherent limitations.
Enhanced SQLMap tamper scripts, developed with Python 3.10, leverage specific database version features and advanced obfuscation techniques to bypass modern Web Application Firewalls.
Directory structure
MSSQL: Scripts for SQL Server 2000 through 2025.
MySQL: Scripts for MySQL 5.0 through 8.0.
Oracle: Scripts for Oracle 11g through 23ai.
MSSQL
Supported versions: 2000, 2005, 2008, 2012, 2014, 2016, 2017, 2019, 2022, 2025.
General techniques: case randomization, whitespace substitution, comment splitting.
Version‑specific techniques:
2000 – uses TEXTPTR and READTEXT functions.
2005+ – leverages XML path and CTE.
2016+ – employs JSON functions (OPENJSON, JSON_VALUE) for data extraction and logic obfuscation.
2019+ – utilizes intelligent query processing features and approximate count functions.
2025 – simulates AI‑related functions such as AI_PREDICT and VECTOR_DISTANCE for semantic bypass.
MySQL
Supported versions: 5.0, 5.1, 5.5, 5.6, 5.7, 8.0.
General techniques: inline comments (/*!...*/), keyword substitution (&&, ||), regex replacement (REGEXP).
Version‑specific techniques:
5.0/5.1 – XML functions (ExtractValue, UpdateXML) for error‑based injection obfuscation.
5.5/5.6 – time‑based blind injection optimization using TO_SECONDS instead of SLEEP, GTID‑related function obfuscation.
5.7 – JSON functions (JSON_EXTRACT, JSON_OBJECT) for obfuscation.
8.0 – common table expressions (WITH RECURSIVE), window functions (ROW_NUMBER), and replacing SELECT with TABLE statements.
Oracle
Supported versions: 11g, 12c, 18c, 19c, 21c, 23ai.
General techniques: string concatenation (|| CHR(...)), double‑quoted identifiers, advanced whitespace noise.
Version‑specific techniques:
11g – XMLType data extraction, NUMTOYMINTERVAL delay.
12c – JSON_VALUE wrapping, multi‑tenant view (V$PDBS), private temporary table naming.
18c/19c – JSON dual view (JSON_SERIALIZE), SQL macros (LISTAGG), polymorphic table function simulation.
21c – native JSON type construction, simulated DBMS_PYTHON calls.
23ai – uses AI_SQL_GENERATE for natural‑language query generation and vector similarity comparison via VECTOR_DISTANCE.
General applicability
Bypass capability is not absolute: Effectiveness depends on the target WAF’s version, rule configuration, and deployment architecture. Simpler or outdated WAFs may be bypassed with higher probability, while advanced WAFs employing deep semantic analysis or AI‑driven detection present uncertain results.
Usability is not guaranteed: The tool is under continuous development and lacks extensive real‑world testing data. In scenarios such as unusual database types, complex SQL structures, or custom application‑level filters, payload transformation may conflict with normal SQL syntax, potentially causing execution failures or unexpected system responses.
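Seen from the detection side, the general techniques listed above (case randomization, whitespace substitution, comments used in place of spaces, MySQL /*!...*/ inline comments, && and || substitution, Oracle || CHR(...) concatenation) leave the SQL meaning unchanged, so a filter can undo them before its rules run. The following is an added example, not code from ByPassTamperPlus: the function names, the three rules and the sample values are constructed for illustration, and regex normalization is assumed as a stand-in for a real SQL tokenizer.

```python
import re

EXEC_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.S)      # MySQL /*!50000 ... */: body is executed
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)           # ordinary comment: behaves as a separator
CHR_CALL = re.compile(r"chr\(\s*(\d{1,3})\s*\)", re.I)   # Oracle CHR(n)
STR_JOIN = re.compile(r"'\s*\|\|\s*'")                   # 'ab'||'cd' is the literal 'abcd'

# Illustrative rules only, written against the canonical (lowercase, single-space) form.
SIGNATURES = {
    "union-select": re.compile(r"\bunion(?: all| distinct)? select\b"),
    "boolean-tautology": re.compile(r"\b(?:or|and) (\d+) ?= ?\1\b"),
    "xml-error-function": re.compile(r"\b(?:extractvalue|updatexml) ?\("),
}


def canonicalize(value: str) -> str:
    """Reduce a request parameter to one canonical form before rule matching."""
    text = EXEC_COMMENT.sub(r" \1 ", value)       # keep the executable body
    text = BLOCK_COMMENT.sub(" ", text)           # comment used in place of a space
    text = CHR_CALL.sub(lambda m: "'" + chr(int(m.group(1))) + "'", text)
    text = STR_JOIN.sub("", text)                 # fold concatenated literals
    text = text.replace("&&", " and ").replace("||", " or ")
    return re.sub(r"\s+", " ", text).strip().lower()


def match_signatures(value: str) -> list[str]:
    """Return the names of the rules that fire on the canonical form."""
    canon = canonicalize(value)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(canon))


# Constructed sample parameter values, not taken from the tool.
SAMPLES = [
    "1 UnIoN/**/SeLeCt\t1,2",
    "1 /*!50000UNION*/ /*!50000SELECT*/ 1",
    "1 && 2=2",
    "Jack && Jill, order 66",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", repr(canonicalize(s)), match_signatures(s))
```

None of the rules fires on the raw first sample; all of them are evaluated only after canonicalization, which is the step a rule set needs when its patterns assume one spelling of each keyword.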
Repository:
https://github.com/Tas9er/ByPassTamperPlus
Black & White Path
