Monitoring
by Lake2 (http://lake2.0x54.org)
While penetrating a site, a SQL injection test returned the page shown in Figure 1.
I was dumbfounded: the server turned out to have a gadget called the "First-class Information Surveillance Interception System" installed. Disappointing! Let's check it out first.
Googling "First-class Information Surveillance Interception System" shows it is a content monitoring system developed by a Guangzhou XX Information Technology company, used to monitor and intercept illegal information, including, of course, SQL injection. The feature blurb on its home page reads impressively: "The software comprehensively intercepts any SQL injection attack; even badly written programs have nothing to worry about." Hey brother, don't brag that hard, or it will be awkward to climb down later.
Since it talks so absolutely, I have to show it a thing or two. As the saying goes, nothing is impossible, only unimagined. Let me think it over first. I could not find the software for download anywhere online, so I simply tested it directly against the site.
After several rounds of testing, I found that the software blocks the keyword only when it stands alone: it intercepts the string "and" but not strings that merely contain "and", such as "island". Submitting http://xxx/x.asp?x=island 1=2 went through fine, while http://xxx/x.asp?x=a and 1=1 was intercepted.
Now I understand: the program checks for an exact match, and the string it really intercepts is space + keyword + space (here " and "). Expressed in ASP code:
    ' Strquest holds the decoded request parameter being checked.
    ' Compare mode 1 (vbTextCompare) makes the match case-insensitive.
    ' The needle is space + keyword + space, so "island" passes but
    ' "a and 1=1" is caught; a tab in place of either space also slips through.
    If Instr(1, Strquest, " and ", 1) Then
        Response.Write("some nonsense")
        Response.End
    End If
Now that the interception principle is understood, the question is how to break through it. Read on.
The keyword itself has to be used for the injection and cannot be changed, so the only place to start is the space. What can stand in for a space? Yes, the tab! So I modify the URL, replacing the two spaces before and after "and" with tabs; see Figure 2 (tab -> "%09", space -> "%20").
Success! The legendary First-class Information Surveillance Interception System has been bypassed. So that "system" is just a flawed web program. Continue with the same SQL injection to get the administrator account and password, then a webshell; that is routine grunt work and is skipped here.
With the webshell, executing the "net user" command was intercepted (this hateful guy...). No matter, small case: run "net  user" (two spaces in the middle) instead ^_^
Of course, the tab trick is not limited to the "First-class Information Surveillance Interception System"; it works against any filter built the same way. For example, the Green Creation article system (version 1.5.2.23.7.0) uses this filtering method too, but it also filters "_", and every one of its tables has the form article_xxx, so the table names still cannot be guessed out. Stop there!
Finally, by the way, the First-class Information Monitoring System also advertises functions such as "monitoring in real time every picture users upload to the server" and "keyword monitoring of everything users do on the server; whether files are uploaded via FTP or the web they can be monitored accurately, and the behaviour of illegal users is recorded". That sounds a lot like a privacy violation.
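To make the bypass concrete, here is an added example (written for this page, not code from the monitoring product or from Lake2) that models the ASP filter above in Python and puts a hardened check beside it. It covers both the "a%09and%091=1" SQL case and the "net  user" double-space case from the webshell step. The keyword lists, the function names and the sample requests are all constructed for the demonstration; the only fact taken from the article is that the filter matches space + keyword + space as a raw substring.

```python
import re
from urllib.parse import unquote_plus

# Constructed keyword lists for the demonstration (not the product's real rules).
SQL_KEYWORDS = ("and", "or", "select", "union")
CMD_KEYWORDS = ("net user",)


def naive_blocked(raw_query: str) -> bool:
    """Model of the article's check: Instr(1, Strquest, " and ", 1).

    The server decodes the parameter first (so %09 becomes a real tab),
    then the filter looks for space + keyword + space as a plain substring.
    """
    s = unquote_plus(raw_query).lower()
    if any(f" {kw} " in s for kw in SQL_KEYWORDS):
        return True
    # Same idea for shell commands: a single fixed spelling of the command.
    return any(kw in s for kw in CMD_KEYWORDS)


def tokens(raw_query: str) -> list:
    """Decode percent-encoding, then split on ANY run of whitespace
    (space, tab, CR, LF, ...) so tabs and double spaces collapse away."""
    decoded = unquote_plus(raw_query)
    return [t.lower() for t in re.split(r"\s+", decoded) if t]


def hardened_blocked(raw_query: str, keywords=SQL_KEYWORDS + CMD_KEYWORDS) -> bool:
    """Token-based check: compares whole tokens after whitespace
    normalisation, so 'island' still passes while 'a%09and%091=1' and
    'net  user' are both caught."""
    toks = tokens(raw_query)
    for kw in keywords:
        kw_toks = kw.split()
        n = len(kw_toks)
        for i in range(len(toks) - n + 1):
            if toks[i:i + n] == kw_toks:
                return True
    return False


# Constructed sample requests, mirroring the ones tried in the article.
SAMPLES = (
    "island 1=2",        # contains "and" but is not the keyword
    "a and 1=1",         # plain injection, caught by both checks
    "a%09and%091=1",     # tabs instead of spaces: slips past the naive check
    "a%20AnD%201=1",     # case variation only, still caught by both
    "net user",          # webshell command in its expected spelling
    "net  user",         # two spaces: slips past the naive check
)

if __name__ == "__main__":
    for q in SAMPLES:
        print(f"{q!r:22} naive={naive_blocked(q)!s:5} hardened={hardened_blocked(q)}")
```

The hardened version only fixes the whitespace trick the article describes; a blacklist of keywords is still a weak control on its own. The real fix for the injection is parameterised queries in the application, with the filter as a secondary layer that at least normalises input before matching.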