Alternative "injection"

The word "injection" can be regarded as fashionable at the moment, and "sounds" everywhere. This word has made countless people "Famous for color change". Today our topic is still injecting. However, the injection here is different from the previous one. It is different from the common SQL injection, which can be said to be a new type. On weekdays, people submit data in the form of pages. However, today we are going to break this traditional idea. In this way, you can construct HTTP request packets by yourself and use programs instead of traditional methods to automatically submit data.
When the article has not yet entered the topic, I will give you another question about the HTTP protocol. In fact, I didn't want to talk about the HTTP protocol. However, to take care of most friends. On weekdays, when we open a website, for example, http://www.tr4c3.com/, we use Internet Explorer as a client, which will send the following request to the server:

GET, HTTP, 1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd. ms-
Powerpoint, application/vnd. ms-excel, application/msword, application/x-shockwave-flash ,*/*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: www.Tr4c3.com
Connection: Keep-Alive
Cookie: NETEASE_SSN = hinrof; NETEASE_ADV = 11 & 22; Province = 0; City = 0; NTES_UV_COOKIE = YES

From the above message, we can see a lot of fields, but many of them are not necessary. If we program ourselves, just focus on the necessary. The HTTP/1.1 protocol specifies that the minimum request message is composed of a Method Field (GET/POST/HEAD) and a HOST field (HOST. As shown above:
GET, HTTP, 1.1
HOST: www.Tr4c3.com
However, in HTTP/1.0, the HOST field is not mandatory. As for why it cannot be saved, continue to look down.
GET and POST are two methods that the browser usually uses to submit packets to the server. After receiving the packet, the server decodes and analyzes the required data and processes it. Finally, the server returns the result. What we can see is usually like http: // ***. ***/list. asp? For URL requests such as id = ***, we can construct the following message by ourselves.
GET/list. asp? Id = *** HTTP/1.1
HOST :***.***.***.***
Because the URL length is limited to 1024, The GET method is usually used to submit small data. If the data size is large, you can only use the POST method. Before explaining some of the POST methods, let's take a look at the POST request message.

POST/hace/add. php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd. ms-
Powerpoint, application/vnd. ms-excel, application/msword, application/x-shockwav
E-flash ,*/*
Referer: http: // 202.147.125.36/huace/add. php
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 202.147.125.36
Content-Length: 115
Connection: Keep-Alive

Name=test&email=&comefrom=&homepage=&icq=&oicq=&image=say.gif & comment = test & passw
Ord = & doadd = % B7 % A2 % CB % CD % C1 % F4 % D1 % D4

Compared with the GET method, there is a piece of content below the field, which is the data we submit. If there is a Chinese character, it must be subject to urlencode encoding. Similarly, we can avoid unnecessary fields and construct a minimum POST request.

POST/hace/add. php HTTP/1.1
Host: 202.147.125.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 115

Name=test&email=&comefrom=&homepage=&icq=&oicq=&image=say.gif & comment = test & passw
Ord = & doadd = % B7 % A2 % CB % CD % C1 % F4 % D1 % D4

The Content-Type field above indicates the POST form Type, and Content-Length is of course the Length of the object data. It cannot be less here, otherwise it will not be able to receive it correctly. In this way, the server processing page will receive the submitted data and receive the processed data. If you write something to the database, haha.
I talked a lot about the client without knowing it. Next I will look at the server. When the packet data arrives at the server, the underlying process of the server receives the data and puts it in a specific buffer zone. At the same time, some environmental variables, such as "CONTENT_LENGTH" and "QUERY_STRING", are set, of course, this still shields some underlying details, such as how the data submitted by the client is reset to the standard input on the requested page, so we will not consider it too much here. Then, high-level applications such as CGI, ASP, and PHP extract data. CGI must also perform Unencode decoding and string extraction on its own. If you submit data to an ASP program, I have submitted the name and body fields and submitted them in the POST form mode. The ASP program should receive the following information:
Name = request. form ("name ")
Body = request. form ("body ")
And add it to the database.
Rs. addnew
Rs ("name") = name
Rs ("body") = body
Rs. update
At this point, we have basically finished talking about it. At the same time, we should also note that when we send a message, "name = value" URLEncode must be encoded, without it, we may fail when writing something to the database. At the same time, we also need to pay attention to a problem here. When the compiler processes a Chinese character, it will automatically read one or two characters based on the Character bit 7, in this case, unsigned char * can be forcibly used to read a character.

 

Int isT (char ch)
{
If (ch = ''| ch = '%' | ch = '/' | ch & 0x80) return 1;
Else return 0;
}

Int encode (char * s, char * d)
{
If (! S |! D) return 0;
For (; * s! = 0; s ++)
{
Unsigned char * p = (unsigned char *) s;
If (* p = '')
{
* D = '% ';
* (D + 1) = '2 ';
* (D + 2) = '0 ';
D + = 3;
}
Else if (isT (* p ))
{
Char a [3];
* D = '% ';
Sprintf (a, "% 02x", * p );
* (D + 1) = a [0];
* (D + 2) = a [1];
D + = 3;
}
Else
{
* D = * p;
D ++;
}
}
* D = 0;
Return 1;
}
/* Unencode URL Decoding function */

Int unencode (char * s, char * d)
{
If (! S |! D) return 0;
For (; * s! = 0; s ++)
{
If (* s = '+ ')
{
* D = '';
D ++;
}
Else if (* s = '% ')
{
Int code;
If (sscanf (s + 1, "% 02x", & code )! = 1) code = '? ';
* D = code;
S + = 2;
D ++;
}
Else
{
* D = * s;
D ++;
}
}
* D = 0;
Return 1;
}

/* Booksend. cpp */