Article directory

1. The equal sign is filtered
- 1. like and rlike statements, where rlike is a regular-expression match
- 2. Greater-than sign > and less-than sign <
- 3. The symbol <>: <> means not equal to (!=)
- 4. Use the regexp function
- 5. in
- 6. between

2. substr, mid, etc. are filtered
- 1. substring, substrB
- 2. locate(str1, str2): returns the position at which str1 first appears in str2; returns 0 if it does not occur.
  - locate(str1, str2, pos): returns the position at which str1 appears in str2, searching from pos (the starting position); returns 0 if not found. pos must be greater than the first occurrence position to obtain the second occurrence position.
- 3. position(str1 in str2): usage is similar to locate; returns the position at which str1 appears in str2, otherwise 0.
- 4. instr(string1, string2)
  #string1: the source string, i.e. the string that is searched.
  #string2: the string to look for inside string1.
- 5. lpad(string, length, pad_string), rpad(string, length, pad_string)
  #string: the string to pad; length: the length of the returned string; pad_string: the padding string (optional parameter)

3. Commas are filtered
- 1. Use %EF%BC%8C. This is the fullwidth (Chinese) comma; most of the time it cannot be used, but some functions accept it.
- 2. Use "from xx for xx", which can generally be used in the mid and substr functions.

4. and/or is filtered
- Use &&, ||, or like

5. Spaces are filtered
- 1. Comment-character bypass: //, -- , /**/, #, --+, -- -, ;, %00, --a, /*!*/
  - 1.1. /*!*/ is an inline (version-conditional) comment. As long as the number inside it is larger than your database version, the statement inside it is not executed. My version here is 5.7.26; as shown in the picture, with /*!23232user()*/ the user() inside is executed, but when the number is changed to 63232 it is larger than the version and is not executed. This method can be used to bypass a WAF.
- 2. Newline bypass, for example using %0a
- 3. Bracket (parenthesis) bypass

6. Other bypass methods
- 1. Case bypass, such as User(), dAtaBASE(), SelEct, etc.
- 2. When the filter is applied only once, doubled keywords such as selselectect, ununionion, oorr, etc. bypass it.
- 3. When and/or followed by a space is replaced with an empty string, andand+space (oror+space) bypasses it.
- 4. Encoding bypass: URL encoding, ASCII, HEX, and Unicode encoding.
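The common thread in every section above is that a blocklist matching the raw request text (exact case, literal spaces, one pass of keyword removal) is easy to evade, while a filter that first canonicalizes the input is not. The following added example, written for this page and not taken from any WAF product or from the original article, shows the defender's side of each trick listed above: repeated URL decoding, resolving the /*!NNNNN ... */ conditional comment the way MySQL does (5.7.26 is version number 50726), stripping comments and whitespace substitutes such as %0a and %00, spelling out && and ||, mapping the fullwidth comma %EF%BC%8C back to ",", and a fixpoint keyword check that catches selselectect, ununionion, oorr and andand without flagging ordinary words. All function names (naive_filter, normalize, resolve_version_comments, strip_once, strip_to_fixpoint, detect) are this example's own, and every payload in it is constructed for the demonstration.

```python
"""Normalize-then-match detection for the filter-evasion tricks above.
Function names are this example's own; all payloads are constructed."""
import re
import urllib.parse

# What a naive blocklist looks for. Matching these on the RAW input is the
# design every bypass on the page defeats.
KEYWORDS = ("select", "union", "and", "or", "sleep", "substr", "mid",
            "locate", "instr")

VERSION_COMMENT = re.compile(r"/\*!(\d{5})?(.*?)\*/", re.S)   # /*!NNNNN ... */
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)                # /* ... */
LINE_COMMENT = re.compile(r"(?:--(?=\s|$)|#).*?(?=\n|$)")      # "-- x" or "# x"
WHITESPACE_LIKE = re.compile(r"[\s\x00]+")                     # incl. %0a, %00
TOKEN = re.compile(r"[a-z0-9_]+")


def naive_filter(raw: str) -> bool:
    """Case-sensitive substring blocklist on the raw request; True = blocked."""
    return " " in raw or any(k in raw for k in KEYWORDS)


def url_decode_fully(s: str, rounds: int = 3) -> str:
    """Decode until stable so double-encoded input collapses as well."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def resolve_version_comments(sql: str, server_version: int) -> str:
    """Emulate MySQL's conditional comment: the body of /*!NNNNN body*/ runs
    only when NNNNN <= server version (5.7.26 is 50726); otherwise the whole
    thing is an ordinary comment. /*!body*/ with no number always runs."""
    def repl(m: re.Match) -> str:
        ver, body = m.group(1), m.group(2)
        return body if ver is None or int(ver) <= server_version else " "
    return VERSION_COMMENT.sub(repl, sql)


def normalize(raw: str) -> str:
    """Canonical form to match against: decoded, comment-free, lower-case,
    single-spaced, with operator aliases spelled out."""
    s = url_decode_fully(raw)
    s = s.replace("\uff0c", ",")                 # fullwidth comma (%EF%BC%8C)
    # A WAF does not know the backend version, so keep every version-comment
    # body and assume the worst case: it executes.
    s = VERSION_COMMENT.sub(lambda m: " " + m.group(2) + " ", s)
    s = BLOCK_COMMENT.sub(" ", s)
    s = LINE_COMMENT.sub(" ", s)
    s = s.replace("&&", " and ").replace("||", " or ")
    s = WHITESPACE_LIKE.sub(" ", s)
    return s.strip().lower()


def strip_once(s: str, word: str = "select") -> str:
    """The sanitizer the 'selselectect' trick targets: remove the keyword once."""
    return s.replace(word, "")


def strip_to_fixpoint(s: str, word: str = "select") -> str:
    """Repeat removal until nothing changes; nested copies cannot re-form."""
    while word in s:
        s = s.replace(word, "")
    return s


def detect(raw: str) -> list[str]:
    """Keywords present in the normalized input, in order of appearance.
    A token counts as a keyword when removing that keyword to a fixpoint
    leaves nothing, so 'oorr' and 'andand' match while English words such as
    'word' do not. Bare 'or'/'and' tokens still match; a production WAF
    needs grammar context to avoid false positives on those."""
    found: list[str] = []
    for tok in TOKEN.findall(normalize(raw)):
        for kw in KEYWORDS:
            if kw not in found and strip_to_fixpoint(tok, kw) == "":
                found.append(kw)
    return found


if __name__ == "__main__":
    for payload in ("SelEct/**/1", "%55nion%20%53elect", "1%0a%26%261",
                    "id=1 oorr 1", "/*!50000union*/ select", "hello world"):
        print(repr(payload), "naive:", naive_filter(payload),
              "normalized:", detect(payload))
```

The two points worth keeping from this are that the normalizer keeps the body of every version comment rather than guessing the backend version, and that the fixpoint check replaces single-pass keyword removal; everything else is the same blocklist, applied after canonicalization instead of before it.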