Dongle test-Injection

Simple cool, download http://www.anquangou.cn from official website/
IIS v3.0 installation simple test... construct a simple injection page asp + sqlserver start testing: Bypass: It was so simple, suddenly confidence timesIi. Basics1. data flow to the http://zone.wooyun.org/content/5091 to learn the sword total feeling benefited a lot (there is no way this year not flattering, do not give), forward to the sword said, for a request, in the case of protection, data Flow Direction: data-> dongle-> webserver-> app-> database visible. A data stream goes through multiple "programs" throughout the process ", the dongle processes data first, and requests are blocked if any risk is detected. 2. The so-called dongle is bypassed: For an effective attack, the dongle fails to identify and block the attack, resulting in a successful attack. 3. Reasons for dongle bypass: For the same request, dongle and webserver, app, and database have different understandings, resulting in dongle bypass.Iii. TestFor injection, of course, we want to get the data stored in the database. Therefore, the test: the dongle has no response. Does the dongle think this is unnecessary? This is also a small hazard. If you continue to test the select from function, how does the select from function bypass? We need to use different understandings of various security dogs... 1) In the retest, the first thing that comes to mind is that the 80 sec cool said that the iis retest problem has failed and the dongle can identify it. 2) Some people have analyzed iis's asp. dll parameter url Decoding has the following features: asp under IIS. when the dll file decodes the url of the parameter string after the asp file, it will directly filter out the characters 09-0d, 20, and % (one of the following two characters is not hexadecimal. Convert the Get request to the post request, and then add a space after the from f: the bypass is successful. 3) Unicode encoding testing IIS supports unicode encoding, so use unicode encoding to check if the dongle intercepts it? The dongle does not perform unicode decoding 4) mssql feature testing is also acceptable, but it is a bit tricky, in some cases ..Iv. SummaryHere, we only use several methods we know and tested the select from rule. We found that safe dogs are doing well, but there are also some bypasses. As a network-layer protection software, the target should be zero attacks. However, in the real environment, the role of Network-layer defense is to increase the threshold for attacks, because it should consider a thing called false positives...
 Solution:

Take special cases into consideration.