Black & White Path
Apr 16, 2026 · Information Security
Bypassing Alibaba Cloud WAF on a Financial Site via MySQL Chain Comparison
During an authorized penetration test of a financial institution’s website protected by Alibaba Cloud WAF, the author discovered a SQL injection point, used MySQL’s chain‑comparison feature to close the injection, identified the database type, and crafted boolean‑based payloads—including POSITION and binary tricks—to extract the current user name character by character.
Tags: Alibaba Cloud WAF · Boolean blind injection · MySQL
