$filter = ['conv', 'code', 'hex', 'ha', 'b', 'x', '_', '`', '\'', '"', '@','into','outfile','load','file', 'date', 'co','ca', 'b', 'g', 'h', 'j', 'k', 'q', 'v', 'x', 'z', 'date', 'make'];
If filters are like that, how can I inject successfully? I will show you some gadgets can bypass the hard filter.
string function filter bypass with gadgets
ascii, bin, char, concat, hex, oct, ord, conv, etc…
you can easily make the string with the following crypto functions.
[link]mysql crypt functions
But usually most of detectors also filtered underbar since prevent to access *_schema. There are two ways to generate arbitrary characters.
- Use dayname function.
- Use encrypt function with salt.
The first one is well-known bypass technic. Bypass with date and time functions. The result of now() (timestamp) is integer, so we can subtract and add other integer to make everyday name.
But this way only can make “a, e, d, f, i, h, m, o, n, s, r, u, t, w, y” 15 alphabets. Let’s check out the solution 2.
Or hash functions like md5, sha1, … are only contains hexadecimal characters.. We need more alphabets !!!!
There aren’t any references or cheat sheets of
When you run
encrypt function the output is different each time. Since Mysql’s
encrypt function is based system’s
crypt function. So
encrypt auto generates salt. This is why you saw the different output each time.
If you pass the
salt parameter, you will get a fixed output result.
Encrypts str using the Unix crypt() system call and returns a binary string. The salt argument must be a string with at least two characters or the result will be NULL. If no salt argument is given, a random value is used.
Note: The ENCRYPT() function is deprecated as of MySQL 5.7.6, will be removed in a future MySQL release, and should no longer be used. Consider using AES_ENCRYPT() instead.
# with no salt
# with salt
select encrypt(12, 99); # (any types, twocharacter or 2 digit number
Here is very good wargame challenge. Pwn it !!!
Here are some interesting bypass cheat sheets.
Link SQLI Cheat Sheets 1(English)
Link SQLI Cheat Sheets 2(Korean)
If u have any questions please contact email or reply the comments.