See the previous article: http://www.bkjia.com/Article/200809/29750.html
Please keep this information when reposting.
By goomoo, 2008.9.25
http://gzkb.goomoo.cn
Currently, many anti-injection programs block keywords such as "and", "1=1" and "1=2", so the usual keyword-based method sometimes fails to detect injection points.
Is there a new way to detect injection points? After a period of research we found a better method. Haha, sharing it here.
Now suppose there is a news page whose URL is http://gzkb.goomoo.cn/news.asp?id=123.
1. Open it in the browser and you will see a normal news page.
2. Append -1 to the URL, so it becomes http://gzkb.goomoo.cn/news.asp?id=123-1. If the returned page differs from the previous one and shows another news item, there is an injection point, of numeric type. Alternatively, append -0, so the URL becomes http://gzkb.goomoo.cn/news.asp?id=123-0: the returned page is the same as the original. If appending -1 instead returns an error page, that likewise indicates a numeric injection point.
Otherwise:
3. Append %2B to the URL, so it becomes http://gzkb.goomoo.cn/news.asp?id=123%2B; the returned page is the same as in step 1. Then append %2Basdf, so the URL becomes http://gzkb.goomoo.cn/news.asp?id=123%2Basdf. If the returned page differs from step 1, reports that the record is not found, or shows an error, there is an injection point, of text type.
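From the defender's side, the point of the steps above is that a keyword filter for "and 1=1" says nothing about requests like id=123-1 or id=123%2B. The following is an added example, not code from the original article: a small log scanner that flags requests whose integer parameters carry an arithmetic suffix instead of a plain number. The log lines, the INTEGER_PARAMS allowlist and the function names are constructed for this demo.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines in common log format (not taken from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Sep/2008:10:00:01 +0800] "GET /news.asp?id=123 HTTP/1.1" 200
10.0.0.5 - - [25/Sep/2008:10:00:02 +0800] "GET /news.asp?id=123-1 HTTP/1.1" 200
10.0.0.5 - - [25/Sep/2008:10:00:03 +0800] "GET /news.asp?id=123-0 HTTP/1.1" 200
10.0.0.5 - - [25/Sep/2008:10:00:04 +0800] "GET /news.asp?id=123%2B HTTP/1.1" 200
10.0.0.5 - - [25/Sep/2008:10:00:05 +0800] "GET /news.asp?id=123%2Basdf HTTP/1.1" 500
10.0.0.7 - - [25/Sep/2008:10:00:06 +0800] "GET /news.asp?id=124 HTTP/1.1" 200
10.0.0.7 - - [25/Sep/2008:10:00:07 +0800] "GET /news.asp?id=123%20and%201=1 HTTP/1.1" 403
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Hypothetical allowlist of query parameters this application treats as integers.
INTEGER_PARAMS = {"id"}

# After URL decoding, a value that begins with digits and continues with an
# arithmetic operator is the "-1 / -0 / %2B" probe style described above.
ARITH_PROBE_RE = re.compile(r'^\d+\s*[-+*/]')


def classify_value(value):
    """Return 'integer', 'arithmetic-probe' or 'non-integer' for a parameter value."""
    if re.fullmatch(r'\d+', value):
        return "integer"
    if ARITH_PROBE_RE.match(value):
        return "arithmetic-probe"
    return "non-integer"   # e.g. the keyword-style "123 and 1=1" that filters already catch


def scan_log(text):
    """Return one finding per request whose integer parameter is not a plain integer."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("path")).query
        # parse_qsl percent-decodes, so id=123%2Basdf arrives here as "123+asdf"
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() not in INTEGER_PARAMS:
                continue
            kind = classify_value(value)
            if kind != "integer":
                findings.append({
                    "client": m.group("client"),
                    "param": name,
                    "value": value,
                    "kind": kind,
                    "status": int(m.group("status")),
                })
    return findings


def probing_clients(findings, threshold=2):
    """Clients that sent at least `threshold` arithmetic probes: worth a closer look."""
    counts = {}
    for f in findings:
        if f["kind"] == "arithmetic-probe":
            counts[f["client"]] = counts.get(f["client"], 0) + 1
    return {c for c, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['client']} {f['param']}={f['value']!r} -> {f['kind']} (HTTP {f['status']})")
    print("clients sending arithmetic probes:", probing_clients(found))
```

The check is deliberately positive rather than a blacklist: any value for a numeric parameter that is not a plain integer is reported, so it covers the -1, -0, %2B and %2Basdf variants above without listing them, and the HTTP 200 on the "123-1" request is exactly the signal that the application evaluated the arithmetic.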
Why?
We can look at it from the program's point of view. The programmer's statement is roughly:
SELECT * FROM news WHERE id = 123
After -1 is appended to the end, the statement becomes
SELECT * FROM news WHERE id = 123-1
SQL Server performs the arithmetic when it executes this statement, so what actually runs is:
SELECT * FROM news WHERE id = 122
This is another news record. If that record exists, another news item is shown; otherwise the record is not found or an error occurs. Haha. This also shows that the program does not filter the input data and has a numeric injection vulnerability.
If the SQL statement is as follows:
SELECT * FROM news WHERE id = 123
After %2B is appended, the statement becomes
SELECT * FROM news WHERE id = 123 +
%2B is the URL encoding of +. SQL Server then actually executes:
SELECT * FROM news WHERE id = 123
and returns the same page.
After %2Basdf is appended, the statement becomes
SELECT * FROM news WHERE id = 123 + asdf
What actually executes is:
SELECT * FROM news WHERE id = 123 asdf
The returned page reports that the record does not exist or displays an error. This indicates a text injection vulnerability.
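The explanation above comes down to one root cause: the raw query-string value is concatenated into the SQL text, so the database evaluates "123-1" as arithmetic. The following added example (not code from the article) puts that vulnerable concatenation next to the hardened version, using an in-memory SQLite table as a stand-in for the SQL Server news table; the table contents, function names and probe values are constructed for the demo. The fix is not a longer keyword blacklist but type validation plus a bound parameter.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory news table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?)",
        [(122, "News 122"), (123, "News 123"), (124, "News 124")],
    )
    return conn


def lookup_vulnerable(conn, raw_id):
    """String concatenation as the article describes: the raw value becomes part of the SQL."""
    sql = "SELECT title FROM news WHERE id = " + raw_id
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError:
        return "error"          # the "error page" the article mentions
    return row[0] if row else None


def lookup_hardened(conn, raw_id):
    """Validate the type first, then bind the value so the engine never parses it as SQL."""
    if not re.fullmatch(r"[0-9]+", raw_id):
        raise ValueError("id must be a plain decimal integer")
    row = conn.execute("SELECT title FROM news WHERE id = ?", (int(raw_id),)).fetchone()
    return row[0] if row else None


# The same probe values the article walks through.
PROBES = ("123", "123-1", "123-0", "123+asdf")


def demo():
    """Run each probe value through both handlers; returns {(handler, probe): outcome}."""
    conn = make_db()
    results = {}
    for probe in PROBES:
        results[("vulnerable", probe)] = lookup_vulnerable(conn, probe)
        try:
            results[("hardened", probe)] = lookup_hardened(conn, probe)
        except ValueError:
            results[("hardened", probe)] = "rejected"
    return results


if __name__ == "__main__":
    for (handler, probe), outcome in demo().items():
        print(f"{handler:10s} id={probe!r:12s} -> {outcome}")
```

With the vulnerable handler, "123-1" silently returns the record with id 122 and "123+asdf" raises a database error (SQLite reports an unknown column, which is the error-page case); the hardened handler rejects every non-integer value before a query is built, and the integer it does accept is bound as a parameter rather than spliced into the statement.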
Original by Ancient Wood (goomoo) System Security; please keep this link when reposting: http://gzkb.goomoo.cn
2008/9/25
Test examples:
The following three addresses were tested with the "and 1=1" method and the anti-injection program's warning appeared, but the injection point can still be found with the -1 method:
http://www.snedu.gov.cn/readnews.asp?id=2703
http://zsb.szu.edu.cn/Article.asp?id=99
http://gs.njust.edu.cn/dsjs.asp?id=659