Where is the SQL injection detection payload, preferably bypass WAF