In MySQL and MariaDB the official comment syntaxes are:
-- (followed by a space)   #   /* comment */
The ‘#’ character is also known as a “fragment identifier” and is normally used to identify a portion of an HTML document within a fully qualified URL. To pass ‘#’ through a URL to the back-end database we therefore URL-encode it as ‘%23’.
This is the unofficial syntax (a ‘;’ followed by a NULL character):
;[NULL]   ;%00   ;\x00
The ‘;’ marks the end of the statement, and once a NULL character is appended the MySQL server ignores the rest of the string. Using stdin we cannot paste this NULL character directly, but we can observe the behaviour either by URL-encoding the character and passing it to the server, or by writing the NULL character to a file.
Here I am passing the NULL character by URL encoding.
http://localhost/dvwa/vulnerabilities/sqli/?id=-1' union select 1,version();%00&Submit=Submit#
Another way to observe this is by writing the query to a file and passing it to the MySQL server.
# the \x00 escape writes a real NULL byte into the file after the first statement
query = 'select version();\x00 from information_schema.tables;'
with open('sql.sql', 'w') as f:
    f.write(query)
After that we redirect the file to ‘mysql.exe’.
mysql.exe < sql.sql
I think this is because in MySQL the user input of a string is terminated by the NULL character – \x00, \0, 0x00. This might come in handy in bypassing filters 🙂
Another tricky way of commenting would be the following, but it depends on the back-end query. If the query uses single quotes you can use single quotes; if it uses double quotes you can use double quotes. You can pair them up too and comment. The backtick works most of the time, no matter whether single or double quotes are used.
` ' "
If the query has brackets, for example (‘$id’), then you could comment like this too. Note that instead of ‘or’ you can use ||, |, and, &&, &, >>, <<, ^, xor, <, , >=, , *, mul, /, div, -, +, %, mod.
or (' or ("
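From the defensive side, as an added example that is not part of the original post: a small Python checker that URL-decodes each query parameter, so that %00 and %23 become a real NUL byte and ‘#’ before inspection, and then flags the comment tokens, the ‘;’ plus NUL truncation, and the unbalanced quote or backtick trick described above. The sample query strings are constructed, and the `--` pattern is deliberately more lenient than MySQL itself.

```python
import re
from urllib.parse import parse_qsl

# Comment and terminator tokens discussed in the post. MySQL only treats '--'
# as a comment when whitespace follows it; the pattern also accepts '--' at the
# very end of a value so a filter does not miss it.
TOKEN_PATTERNS = [
    ("null_byte", re.compile(r"\x00")),
    ("hash_comment", re.compile(r"#")),
    ("dash_comment", re.compile(r"--(?:\s|$)")),
    ("block_comment", re.compile(r"/\*")),
    ("statement_end", re.compile(r";")),
]
QUOTE_CHARS = "'\"`"  # single quote, double quote, backtick


def classify_value(value: str) -> list[str]:
    """Return the comment/terminator findings for one already-decoded value."""
    findings = [name for name, pat in TOKEN_PATTERNS if pat.search(value)]
    # An odd number of a quote character means the supplied quote would close
    # the application's own quote (the quote-pairing trick from the post).
    findings += [f"unbalanced_quote:{q}" for q in QUOTE_CHARS if value.count(q) % 2 == 1]
    return findings


def truncated_at_null(value: str) -> str:
    """The part of the value the post says MySQL actually acts on: up to the first NUL."""
    return value.split("\x00", 1)[0]


def inspect_query_string(query_string: str) -> dict[str, list[str]]:
    """Decode every parameter (%00 -> NUL, %23 -> '#') and classify each value."""
    report = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        findings = classify_value(value)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    # Constructed query strings as the server sees them (URL fragment already stripped).
    samples = [
        "id=-1%27+union+select+1%2Cversion%28%29%3B%00&Submit=Submit",
        "id=1%27%23&Submit=Submit",
        "id=3&Submit=Submit",
    ]
    for qs in samples:
        print(qs, "->", inspect_query_string(qs))
```

The check is a logging/detection aid only; the actual fix for the DVWA-style query remains a parameterized statement, which makes the quoting and comment tricks irrelevant.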