Effects of result sets in ASP and ASPX on Injection

Text/ninty

I learned from BS Daniel, and then I made a little research and wrote some notes ..

Let's take a look at the following code:

<%
Set Conn = Server. CreateObject ("ADODB. Connection ")
Conn. open "Driver = {SQL Server}; Server = MICROSOF-17A8A8; UID = sa; PWD = sajjjjjj; Database = pubs"
Set RS = Server. CreateObject ("Adodb. Recordset ")
RS. Open "select * from sysobjects where id =" & request ("id"), Conn, 1, 3
If not rs. bof and not rs. eof then
Response. write rs ("name ")
End if
Set rs2 = rs. NextRecordset
Response. write rs2 ("test ")
Conn. close
%>

Asp connects to the SQL SERVER database in ODBC mode. It is obvious that there is a piece of code injected.
Save as odbc. asp
Then visit:
Odbc. asp? Id = 1 and @ version = 1

The @ version value can be exposed.
However, if we construct the injection as follows:
Odbc. asp? Id = 1; select 1 where @ version = 1

This will not have any effect. This does not have any effect, meaning that the value cannot be exposed, but it may cause other errors or no page changes,
It depends on the environment,
Different environments or different drivers used by the database connection may affect the error message during injection and the injection method.

In this case, the two lines of the comment are opened and reused.
Odbc. asp? Id = 1; select 1 where @ version = 1
This value is exposed.

When we submit id = 1; select 1 where @ version = 1, the executed SQL is:
Select * from sysobjects where id = 1; select 1 where @ version = 1

The two SELECT statements obviously have two result sets, but the Recordset takes only the first result set by default. Therefore, when the second result set reports an error,
The value cannot be exposed. If the code returns the second result set, (rs. NextRecordset) the value can be exposed.
However, it seems that there are not many ASP codes that can be written in this way. Generally, only the first result set is used .. So there is no big use in ASP.

If only the first result set is obtained in the Code, the page is normal unless the second statement has a syntax error.
For example:
Odbc. asp? Id = 1; selectttt 1
In this way, even if the second result set is not obtained, it will be violent and wrong ..

Let's look at ASPX again:

SqlConnection conn = new SqlConnection ("server = MICROSOF-17A8A8; User ID = sa; Password = sajjjjjj; Database = pubs; Connect Timeout = 30 ");
SqlDataAdapter adap = new SqlDataAdapter ("select * from sysobjects where id =" + Request ["id"], conn );
DataTable dt = new DataTable ();
DataSet dt = new DataSet ();
Adap. Fill (dt );
This. GridView1.DataSource = dt;
This. GridView1.DataBind ();
Conn. Close ();

There is still a piece of code with injection vulnerabilities:
Access:
SQL. aspx? Id = 1 and 1 = @ version
@ Version can be exposed.

Access again:
SQL. aspx? Id = 1; select 1 where 1 = @ version
Same as ASP, brute-force value is not supported.

In this case, the line commented will be opened, and the DataTable dt = new DataTable (); line will be commented out before accessing
SQL. aspx? Id = 1; select 1 where 1 = @ version

The error message is returned ..

The reason is the same. If DataTable is used, only the first result set is obtained by default. If DataSet is used, all result sets are obtained.
Naturally, it will be violent and wrong ..
Is it common to use DataSet in ASPX programs? You can try it when adding ASPX. If a code error is not good, try multiple sentences ..
There is a probability.

There are also the effects of different database drivers on the injection. I don't know how to understand this. I will try again later ..