SQL Injection Defense Bypass--two-time code to kill the backslash

SQL Injection Defense Bypass--two code 01 background first, why URL encoding

Usually if something needs to be coded, it means that something is not suitable for transmission. For URLs, coding is primarily to avoid ambiguity and confusion.
For example, the URL parameter string uses the Key=value key value pair in such a way to pass the parameter, the key value pair is separated by the & symbol, /?name=abc&pwd=123 If your value string contains = or &, then it is bound to cause the server parsing error to receive the URL, Therefore, it is necessary to escape the ambiguous & and the = symbol, that is, to encode it.
An in-depth study of URL coding can be shown in the following sections:
Why URL encoding
In-depth analysis of coding issues in Web request responses

Second, the encoding problem in the process of URL transmission

The HTTP request process goes through several steps:
Browser "get/post" ①========> server ②========> Browser display ③

• ①: The browser will encode the URL and send it to the server, different browsers have different encoding rules for the URL. For the data submitted by the Get method, the browser automatically encodes the URL, and the encoding of the data submitted by post can be specified by the developer.
• ②: The server decodes (decodes to Unicode) the URL according to its own configuration file, and then encodes the content.
• ③: The browser displays the page according to the specified encoding.
  In addition, the front-end programs that run on the client side of the browser will also encode the data to be transmitted according to the needs of the Web service, while the server middleware automatically decodes the URL in the service side, and the backend Web program decodes the data encoded by the front end.

22-Time Code injection

The following picture is a good explanation of the principle of two-time code injection (image from NetEase Web Security Engineer course, invasion delete):

Two-time Code injection

From this we can also be informed that the two-time code injection is caused by:
The coding function of the backend program, such as UrlDecode (), and so on, and the PHP itself processing code, the combination of errors, so that the attacker can construct data to eliminate\

Take a look at the instance code:

//用GET方式获取id值，并对其中的特殊字符进行转义$id = mysql_real_escap_string($_GET[‘id‘]);//使用urldecode()函数进行解码$id = urldecode($id);$sql = "SELECT * FROM usres WHERE id = ‘$id‘ LIMIT 0,1;$result = mysql_query($sql);$row = mysql_fetch_array($result);

The code above is a typical scenario for two injections, and if we commit:
http://127.0.0.1/sql.php?id=1%2527
You can bypass the escape of the pair for ‘ a SQL injection attack.

When testing, you can use Sqlmap to automate attacks if you find a page that may have a two-time encoding injection vulnerability

//只需在注入点后键入%2527即可python sqlmap.py -u "http://127.0.0.1/sql.php?id=1%2527"

Share a two-time code injection Vulnerability instance

SQL Injection Defense Bypass--two-time code to kill the backslash