% 69d analysis bypass anti-injection-maple leaf anti-Injection

Original: lake2, respect copyright!
Anti-injection for maple leaf. Check the Code:
Dim Fy_Url, Fy_a, Fy_x, Fy_Cs (), Fy_Cl, Fy_Ts, Fy_Zx
Fy_Cl = 2 Processing Method: 1 = prompt information, 2 = Turn to page, 3 = Prompt before turning
Fy_Zx = "../" indicates the page to be redirected when an error occurs.
On Error Resume Next
Fy_Url = Request. ServerVariables ("QUERY_STRING ")
Fy_a = split (Fy_Url ,"&")
Redim Fy_Cs (ubound (Fy_a ))
On Error Resume Next
For Fy_x = 0 to ubound (Fy_a)
Fy_Cs (Fy_x) = left (Fy_a (Fy_x), instr (Fy_a (Fy_x), "=")-1)
Next
For Fy_x = 0 to ubound (Fy_Cs)
If Fy_Cs (Fy_x) <> "" Then
If Instr (LCase (Request (Fy_Cs (Fy_x), "") <> 0 or Instr (LCase (Request (Fy_Cs (Fy_x), "and ") <> 0 or Instr (LCase (Request (Fy_Cs (Fy_x), "select") <> 0 or Instr (LCase (Request (Fy_Cs (Fy_x ))), "update") <> 0 or Instr (LCase (Request (Fy_Cs (Fy_x), "chr ") <> 0 or Instr (LCase (Request (Fy_Cs (Fy_x), "delete % 20 from ") <> 0 or Instr (LCase (Request (Fy_Cs (Fy_x), ";") <> 0 or Instr (LCase (Request (Fy_Cs (Fy_x ))), "insert") <> 0 or Instr (LCase (Request (Fy_Cs (Fy_x), "mid ") <> 0 Or Instr (LCase (Request (Fy_Cs (Fy_x), "master. ") <> 0 Then
Select Case Fy_Cl
Omit part of the code...

This anti-injection system seems to be very popular on the Internet, but it is faulty. The key is this sentence: Fy_Url = Request. ServerVariables ("QUERY_STRING"), the data obtained by Request. ServerVariables is unchanged and URL Decoding is not performed. This causes URL encoding to bypass anti-injection. The following is an analysis of the Code in lake2:
"The idea is to first obtain the submitted data, obtain and process the name/value group based on" & ", and then determine whether the value contains the defined keywords (this is simple, I only left "and"). If yes, It is injection.
At first glance, the value is checked, and it seems that there is no problem. Well, yes, there is no problem with the value, but what about the name?
Its name/value group value comes from Request. ServerVariables ("QUERY_STRING"). Sorry, there is a problem. Request. serverVariables ("QUERY_STRING") is the string submitted by the client. The url encoding is not automatically converted here. Haha, If we encode the name and submit it again, then you can bypass the check. For example, if the parameter is ph4nt0m = lake2 and lis0, the program can detect it. If you submit % 50h4nt0m = lake2 and lis0 (url encoding for p ), the program will judge the value of % 50h4nt0m, and % 50h4nt0m will be converted to ph4nt0m, so the value of % 50h4nt0m is null, so it bypasses the detection.
Wait, why can't value be bypassed since name cannot be decoded? Because the value is obtained from Request (Fy_Cs (Fy_x), the server will decode it.
How can we improve the program? You only need to obtain the decoded data submitted by the client. Change the name statement to For Each SubmitName In Request. QueryString ."

Construct the following address:
Http://www.xxx.com/xxxasp? Action_key_order = big & shopxpbe _ % 69d = 79