A summary of anti-injection code bypass Learning

If it is not original, it will not be written.
The idea of the article is to record the learning process ......
There are no innovative things, and they are the things of their predecessors. My own summary ......
There were a lot of holes in the system during the last few minutes. First, let's look at how he wrote them. below is what he found in his admin_conn.asp file.

Sss = LCase (request. servervariables ("QUERY_STRING "))
If instr (sss, "select") <> 0 or instr (sss, "inster") <> 0 or instr (sss, "delete") <> 0 or

Instr (sss, "(") <> 0 or instr (sss, "'or") <> 0 then
Response. write "your website is invalid"
Response. end
End if

The Code uses the request. servervariables method to obtain the passed data and then assigns it to sss. Then, determine whether the passed sss variables contain sensitive strings such as select and inster, and end the program as long as they exist. It causes a lot of trouble for normal injection, and new things need to appear to break through this anti-injection.
There are two known methods:
1. Use URL encoding to encode the data we pass. For example, select can be encoded as selec % 74 (converting t to url encoding), so that injection can be implemented!
2. Use cookies for injection.
Let's take a look at the implementation of the 1st types. Because the program accepts the request parameters. servervariables, haha, this method is not exactly the same as our usual request, because the data it receives will be unblocked and accepted, for example, we passed selec % 74, here, the sss will be selec % 74, rather than the decoded select string. The current judgment statement will bypass the detection because of select <> selec % 74!

2nd cookie methods are used to transmit data. Why? Looking at the code of the program, we know that it only judges the use of request. servervariables ("QUERY_STRING") to accept the data. If we use cookies for transmission, the program will certainly not detect the data, you only need to find a place in the previous Code where the request method is used to receive variables. This is the cookie injection. For example, we can use this code to implement cookie injection. This code was intercepted in admin_news_view.asp during the message.

<%
Newsid = trim (request ("newsid "))
SQL = "select * from news where id =" & newsid
Set rs = Server. CreateObject ("ADODB. RecordSet ")
Rs. Open SQL, conn, 1, 1
Title = rs ("title ")
Dat = rs ("time ")
Hit = rs ("hit") + 1
Content = rs ("content ")
%>

The request is received, and it will be determined by three data sets (Form, QueryString, cookie) in sequence. Therefore, we can use cookies to submit the constructed SQL statements. this is not the case here. For details, refer to the article "cookie cracking vulnerability in the News Publishing System in the latest version".

But not all programs are so excited. The last time I intruded into a station, I encountered this situation. I found the source code, but did not break through this anti-injection mechanism. The Code is as follows:

Sub check ()
Fy_Url = Request. ServerVariables ("QUERY_STRING ")
Fy_a = split (Fy_Url ,"&")
Redim Fy_Cs (ubound (Fy_a ))
On Error Resume Next
For Fy_x = 0 to ubound (Fy_a)
Fy_Cs (Fy_x) = left (Fy_a (Fy_x), instr (Fy_a (Fy_x), "=")-1)
Next
For Fy_x = 0 to ubound (Fy_Cs)
If Fy_Cs (Fy_x) <> "Then
If Instr (LCase (Request (Fy_Cs (Fy_x), "'") <> 0 or Instr (LCase (Request (Fy_Cs

(Fy_x), "and") <> 0 or Instr (LCase (Request (Fy_Cs (Fy_x), "select") <> 0 or Instr (LCase

(Request (Fy_Cs (Fy_x), "union") <> 0 or Instr (LCase (Request (Fy_Cs (Fy_x), "from") <> 0 or

Instr (LCase (Request (Fy_Cs (Fy_x), "") <> 0 Then
Response. Write (" hey, Don't inject it! Blocking keywords, but this blocking program is not good-how to break through ?")
Response. End
End If
End If
Next
End sub

Such code uses Request. ServerVariables ("QUERY_STRING") to receive data. However, you can directly encode the injected Character URL and you will see that injection is still unavailable!

So how can we make a breakthrough? See the following! Lake2 Daniel once wrote a masterpiece about cracking through this anti-injection attack. This method was discovered by Daniel! The description is very detailed. Let's refer to Daniel's words to explain this bypass mechanism. "Request. serverVariables ("QUERY_STRING") is the string submitted by the client. The url encoding is not automatically converted here. Haha, If we encode the name and submit it again, then you can bypass the check." The following is my understanding, because the program uses a judgment statement such as Instr (LCase (Request (Fy_Cs (Fy_x), "') <> 0, it determines the value of name, that is, value, and uses request to receive data. previously, if we used url encoding for the value in the url and then submitted it, and the value is passed here, it will be decoded again, so the program can detect it. note: But it only determines the value of name, that is, value. But for name, we can see that no judgment is made, and it judges the SQL statement through the variable name of name, so we only need to use url encoding for name, and then the program will still judge the name value, but this time it is I % 64, it will be converted to id, however, we didn't assign a value to id but I % 64. Haha, the value of id will be considered as null, so we can bypass it!

It can be seen that as long as the method received earlier cannot be decoded, the statements determined later can be decoded and bypassed. Later, I thought about the chr () function, but YY ..... Not even.
Can I use cookies for injection? I did not get the result during the test. I may not be looking for a place where the request is accepted ....
Record these ......
Some places are just your own understanding, and it is inevitable that there will be errors. You are welcome to throw bricks!
By salors