Search injection: finding the injection point and injection methods

Source: Internet
Author: User

Many websites offer a search function so that users can find site resources. When writing the code for it, programmers often forget to filter the variables (parameters) involved, and this kind of vulnerability is common in domestic systems. A typical implementation of the search function looks like this:

..................
keyword = Trim(Request.Form("keyword"))
' Read the keyword submitted by the client and strip the spaces on both sides
If keyword = "" Then
    ' If the keyword is empty, tell the user and go back to the previous page
    Response.Write "<script>alert('The query content cannot be blank!');history.back(-1);</script>"
    Response.End
End If
Set rs = Server.CreateObject("ADODB.Recordset")   ' create the recordset object
' The keyword is pasted straight into the SQL text: this is the injection point
sql = "select * from B_class where B_name like '%" & keyword & "%' order by id desc"
' Fuzzy search on the keyword; results are sorted by the id field in descending order
rs.Open sql, conn, 3, 1
If rs.EOF Then
...................
%>

As the code shows, the program only trims the spaces on both sides of the search variable (parameter) submitted by the user and filters nothing else; the value is then placed directly into the SQL statement used for the query, which is what causes the injection vulnerability.

In most systems the file that implements the search function is named "search.asp". You can also look on the system's homepage for the word "Search" (or "query"); once you find it, check which file the search form is linked to. (As everyone knows, a form occupies a specific area of an HTML page and is delimited by a pair of tags, and the ACTION attribute in those tags defines the address to which the form data is submitted.) So we look at which file the ACTION attribute points to: that file is the one that implements the search function, and "View Source" lets you read its code and find out whether the injection vulnerability exists.

Before going further, we need to understand how the Like operator is used in the WHERE clause of an SQL query. Like performs fuzzy matching, and to use it you need wildcards. "%" is a wildcard in the Like operator that stands for zero or more arbitrary characters. For example:

Like "hacker%" matches any string that starts with hacker

Like "%hacker" matches any string that ends with hacker

Like "%hacker%" matches any string that contains hacker

With these examples you should have some understanding of fuzzy search. Let's talk about the injection method.

Open a website and enter the keyword `manager%' and 1=1 and '%'='` in the search box, then click "Search": the manager-related information is returned. When we enter `manager%' and 1=2 and '%'='` instead, an empty result is returned. Why? Some friends may recall the logical operations from the first lecture. After `manager%' and 1=1 and '%'='` is inserted into the Like pattern, the statement becomes `like '%manager%' and 1=1 and '%'='%'`. Read as logical operators, this is true AND true AND true, so the result is true and the information we searched for is returned; with `1=2` the result is false, and naturally nothing is found. You can also enter a keyword followed by an `and 1=1` clause and then the same keyword followed by `and 1=2`, and check whether the returned pages differ, to determine whether the vulnerability exists (I explained this in detail in the first lecture).
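To make the comparison concrete, here is an added Python example (not code from the article) that runs the article's `like '%keyword%'` query against a constructed in-memory SQLite table, once with the keyword pasted into the SQL text exactly as the ASP code does, and once with the keyword bound as a parameter and the Like wildcards escaped so that a user's own `%` is matched literally. The table contents and function names are my own assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the article's B_class table.
ROWS = [(1, "manager"), (2, "guest"), (3, "100% manager"), (4, "site admin")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table B_class (id integer primary key, B_name text)")
    conn.executemany("insert into B_class values (?, ?)", ROWS)
    return conn


def search_vulnerable(conn, keyword):
    # Mirrors the article's ASP code: the keyword becomes part of the SQL text,
    # so a quote in it closes the Like pattern and the rest is parsed as SQL.
    sql = "select id from B_class where B_name like '%" + keyword + "%' order by id desc"
    return [row[0] for row in conn.execute(sql)]


def escape_like(value, esc="\\"):
    # Escape the escape character first, then the two Like wildcards,
    # so that % and _ typed by the user match themselves and nothing else.
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def search_hardened(conn, keyword):
    # The keyword travels as a bound parameter, never as SQL text; the
    # wildcards are added in code and ESCAPE neutralises the user's own.
    pattern = "%" + escape_like(keyword) + "%"
    sql = "select id from B_class where B_name like ? escape '\\' order by id desc"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    true_probe = "manager%' and 1=1 and '%'='"
    false_probe = "manager%' and 1=2 and '%'='"
    print(search_vulnerable(db, true_probe))   # rows containing "manager": injected clause is true
    print(search_vulnerable(db, false_probe))  # empty: injected clause is false
    print(search_hardened(db, true_probe))     # empty: the probe is matched as literal text
    print(search_hardened(db, "100%"))         # only the row that really contains "100%"
```

The vulnerable function returns different results for the two probes, which is exactly the true/false difference the article uses to spot the flaw; the hardened function returns the same (empty) result for both because the probe never reaches the SQL parser.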
As with other injection, the search injection method divides into two approaches: manual and tool-based. Manual injection is very simple: we enter the keyword followed by `%'`, the injection code, and `and '%'='` in the search box, where the injection code is the same code we normally use in a URL. For example, to determine the database type of the website's backend, we can enter `keyword%' and user>0 and '%'='`. The keyword we choose must be one that can actually be found on the website; a keyword that returns nothing cannot serve as the keyword we inject with.

Both the NBSI and HDSI injection tools support search-type injection vulnerabilities, but the premise is that we obtain the injection point, that is, the URL of the search page. In the previous lecture I mentioned that the system obtains the user's submitted data by one of two methods, GET and POST: in the Request object, the collection of data submitted by GET is QueryString and the collection submitted by POST is Form. In practice, most code submits this data with POST, and the code above also uses POST. The Request object can also read the data without naming a collection, but that approach is inefficient and error-prone and is generally not used in large systems. The biggest difference between the two is that with GET all parameters and values are placed in the URL, become part of it, and are displayed; Baidu, for example, uses this method for search. When we search for "New Century Network Security", the browser's address bar shows `http://www.baidu.com/s?wd=%D0%C2%CA%C0%BC%CD%CD%F8%B0%B2&cl=3`, where `%D0%C2%CA%C0%BC%CD%CD%F8%B0%B2` is the URL-encoded form of "New Century Network Security" (you can verify this by decoding it) placed directly in the URL.

In this URL, `?` and `&` connect the values of several variables: the URL carries the search term "New Century Network Security" and a cl value of 3. If the system submits the search with GET, we only need to enter its URL in the tool together with a keyword that can be found. With POST, however, the submitted data cannot be seen in the URL; the form data is placed in the body of the POST request, so we must find the hidden variables by hand, give them the correct values, construct the injection URL correctly, and then hand it to the tool for injection. Next we use http://hr.wtojob.com (World Trade Talent Network) and http://www.sdrs.gov.cn/ (Shandong Personnel Information Network) to walk through the steps of the two methods:

1: First determine whether an injection vulnerability exists.
2: Enter a keyword to search for in the website's search box, but do not click "Search" yet.
3: Open WSockExpert and click "Open Process" in the toolbar. A process list is displayed; select the IE process for the website and click it to view the submitted data.
4: Click "Search". In the tool's list, select the packet submitted by POST and click it; the box below shows the parameters submitted by POST and their corresponding values.
5: Manually modify the URL and, once modified, enter it in the injection tool. HDSI handles search injection well, but because the method it uses to check for the injection vulnerability only tests the last variable, you must put the query keyword at the end of the URL for the vulnerability to be detected; after that the tool does the rest of what we need. (Important note: after reading this tutorial, do not damage the two websites mentioned above; otherwise you bear the consequences.)
Nowadays many website systems filter the common injection inputs, but programmers often neglect the search function, the input from text boxes, and the variables (parameters) submitted through hidden fields, or filter them incompletely, and this is what produces the vulnerability.
