%69d analysis: bypassing the Maple Leaf anti-injection script

Source: Internet
Author: User

Original author: lake2, please respect copyright!
The Maple Leaf anti-injection script. Look at the code:

Dim Fy_Url, Fy_a, Fy_x, Fy_Cs(), Fy_Cl, Fy_Ts, Fy_Zx
Fy_Cl = 2      ' handling method: 1 = show a message, 2 = redirect, 3 = show a message, then redirect
Fy_Zx = "../"  ' page to redirect to when an attack is detected
On Error Resume Next
Fy_Url = Request.ServerVariables("QUERY_STRING")   ' raw query string, NOT URL-decoded
Fy_a = Split(Fy_Url, "&")
ReDim Fy_Cs(UBound(Fy_a))
On Error Resume Next
' Collect the parameter names from the raw query string
For Fy_x = 0 To UBound(Fy_a)
    Fy_Cs(Fy_x) = Left(Fy_a(Fy_x), InStr(Fy_a(Fy_x), "=") - 1)
Next
' Look up each value through the (decoded) Request collection and scan it for keywords
For Fy_x = 0 To UBound(Fy_Cs)
    If Fy_Cs(Fy_x) <> "" Then
        If InStr(LCase(Request(Fy_Cs(Fy_x))), "'") <> 0 Or InStr(LCase(Request(Fy_Cs(Fy_x))), "and") <> 0 _
            Or InStr(LCase(Request(Fy_Cs(Fy_x))), "select") <> 0 Or InStr(LCase(Request(Fy_Cs(Fy_x))), "update") <> 0 _
            Or InStr(LCase(Request(Fy_Cs(Fy_x))), "chr") <> 0 Or InStr(LCase(Request(Fy_Cs(Fy_x))), "delete%20from") <> 0 _
            Or InStr(LCase(Request(Fy_Cs(Fy_x))), ";") <> 0 Or InStr(LCase(Request(Fy_Cs(Fy_x))), "insert") <> 0 _
            Or InStr(LCase(Request(Fy_Cs(Fy_x))), "mid") <> 0 Or InStr(LCase(Request(Fy_Cs(Fy_x))), "master.") <> 0 Then
            Select Case Fy_Cl
            ' ... the rest of the code is omitted ...


This anti-injection script is very popular online, but it is flawed. The key line is Fy_Url = Request.ServerVariables("QUERY_STRING"): the data returned by Request.ServerVariables is the raw query string exactly as submitted and is never URL-decoded, so URL encoding can be used to bypass the check. lake2's analysis of the code follows:
"The idea is to first obtain the submitted data, split it into name/value pairs on "&", and then check whether each value contains the defined keywords (this is simple; I only kept "and"). If it does, it is treated as injection.
At first glance the value is checked, and there seems to be no problem. Well, yes, there is no problem with the value, but what about the name?
The names of the name/value pairs come from Request.ServerVariables("QUERY_STRING"). Sorry, there is a problem: Request.ServerVariables("QUERY_STRING") is the string exactly as submitted by the client, and URL encoding is not decoded here. Haha, so if we URL-encode the name and submit it again, the check can be bypassed. For example, with the parameter ph4nt0m=lake2 and lis0 the program detects it. If %50h4nt0m=lake2 and lis0 is submitted (%50 is the URL encoding of p), the program checks the value of %50h4nt0m, but the server has already converted %50h4nt0m to ph4nt0m, so the value of %50h4nt0m is empty and the detection is bypassed.
Wait, why can't the value be bypassed the same way, given that the name is not decoded? Because the value is obtained with Request(Fy_Cs(Fy_x)), and the server decodes that.
How can the program be improved? Just obtain the decoded data submitted by the client: change the statement that collects the names to For Each SubmitName In Request.QueryString."

Construct the following address:
http://www.xxx.com/xxx.asp?action_key_order=big&shopxpbe_%69d=79
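To make lake2's point concrete, the following Python model (added here; it is not part of the original article or of the Maple Leaf script) reproduces the two parsing paths side by side: names taken from the raw query string versus values looked up in the decoded collection, and the corrected check that iterates the decoded collection itself. `request_lookup` is an assumed stand-in for ASP's `Request(name)` and covers the query string only.

```python
from urllib.parse import parse_qs

# Keyword list taken from the Maple Leaf check above (lower-cased).
# Note: "delete%20from" is compared against the already-decoded value,
# where %20 has become a space, so that entry can never match.
KEYWORDS = ["'", "and", "select", "update", "chr", "delete%20from",
            ";", "insert", "mid", "master."]


def contains_keyword(value):
    """Mirror of the InStr(LCase(...)) chain: any keyword anywhere in the value."""
    v = value.lower()
    return any(k in v for k in KEYWORDS)


def request_lookup(decoded, name):
    """Assumed model of ASP Request(name): case-insensitive lookup in the
    decoded collection; empty string when the name is absent."""
    for key, values in decoded.items():
        if key.lower() == name.lower():
            return ",".join(values)  # ASP joins repeated names with commas
    return ""


def maple_leaf_check(query_string):
    """Faulty logic: names come from the raw QUERY_STRING (not decoded),
    values from Request(name) (decoded). Returns True when flagged."""
    decoded = parse_qs(query_string, keep_blank_values=True)
    for pair in query_string.split("&"):
        # Left(s, InStr(s, "=") - 1); with no "=" the Left call errors and
        # On Error Resume Next leaves the name empty.
        name = pair.split("=", 1)[0] if "=" in pair else ""
        if name and contains_keyword(request_lookup(decoded, name)):
            return True
    return False


def fixed_check(query_string):
    """lake2's fix: iterate the decoded collection itself
    (For Each SubmitName In Request.QueryString)."""
    decoded = parse_qs(query_string, keep_blank_values=True)
    return any(contains_keyword(v) for values in decoded.values() for v in values)


if __name__ == "__main__":
    # Constructed sample query strings from the article's example.
    plain = "ph4nt0m=lake2%20and%20lis0"
    encoded_name = "%50h4nt0m=lake2%20and%20lis0"
    print(maple_leaf_check(plain), maple_leaf_check(encoded_name))  # True False
    print(fixed_check(plain), fixed_check(encoded_name))            # True True
```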
