web application – SQLi Filter Bypass with banned table/column names

I’ve studying and practicing different approach to SQLi filter bypass and I faced a challenge. What if the WAF filters look for specific strings rather than SQL keywords?


Filter: /UNION/

Filter: /UNION/i
SQLi: un/**/ion

Filter: /UNION/i and no comments
SQLi: un%0bion

So far, so good. There are lots of valid articles that explain how to surpass filters based on keywords. What if the banned string is a table/column name, or a part of it?

Filter: /user/i
SQLi: SELECT username FROM users; # deny. username matches /user/i

Filter: /or/i
SQLi: SELECT password from users; # deny. passwORd matches /or/i

I tried with double encoding, unicode encoding, splitting the column names use``rname (which doesn’t work) but no approach seems to be working. Mostly because my understanding is that it’s the web application that decodes the input before it’s passed to the Mysql database and, therefore, the syntax must be correct before the query is processed by the database, but still encoded at the time the WAF Filters are applied.

Is there a generic approach to deal with this scenarios?