mysql - Site has been hacked via SQL Injection - Stack Overflow
As a result, they just used `NULL values to populate those columns. The real confusion is in the CONCAT(). They are combining 126, 39, database name as hex value, 39, and 126. -- is a mysql comment - it ignores the rest of your query after. Judging from this attack...
Шпаргалка по SQL инъекциям | DefconRU
Синтаксис: 0xHEX_ЧИСЛО (SM): SELECT CHAR(0x66) (S) SELECT 0x5045 (это не число, а
ASCII chart | ascii codes and their escape sequences
nul null byte \0 (zero) bel bel character \a bs backspace \b ht horizontal tab \t np formfeed \f nl newline \n cr carriage return \r. common ascii codes to know.
Функции CAST и CONVERT (Transact-SQL) - SQL... | Microsoft Docs
SELECT CONVERT(char(8), 0x4E616d65, 0) AS [Style 0, binary to character]
A technique that a lot of SQL injection beginners don’t know
Query: ?param=’ AND 1=2 UNION ALL SELECT 1,(SELECT CAST(GROUP_CONCAT(schema_name,0x0a) as CHAR(4096)) FROM (SELECT * FROM information_schema.schemata)a),3,4,5,6,7,8,9
Обозреватель блокчейна - искать блокчейн | BTC | ETH | BCH
901025b63b81fa0631f358c9be3ee6fdd7473ba6f08a14f4575ba4c2bce7d23bc37f5. Выходы. Индекс.
SQL injeCtion : ByPassing WAF (Web Application Firewall) - CyberNinjas
cyb3rninjas.blogspot.com
Instead of union UnIoN In some basic WAF’s this will work.
MySQL CONCAT() Function | Definition and Usage
SELECT CONCAT("SQL ", "Tutorial ", "is ", "fun!") AS ConcatenatedString; Try it Yourself ». Definition and Usage. The CONCAT() function adds two or more expressions together. Note: Also look at the CONCAT_WS() function.