Search injection points and injection methods for search injection vulnerabilities

Source: Internet
Author: User

Many websites offer a search function so that users can find site resources. When writing this code, programmers often neglect to filter the variables (parameters) involved, and such vulnerabilities are common in domestic (Chinese) systems. Typical search-function code looks like this:

<%
' ..................
Keyword = Trim(Request.Form("keyword"))
' Read the keyword the client submitted with the query and strip spaces from both ends
If Keyword = "" Then
    ' An empty keyword is rejected; the only check performed on the input
    Response.Write "<script>alert('The query content cannot be blank!');history.back(-1);</script>"
    Response.End
End If
Set Rs = Server.CreateObject("ADODB.Recordset")    ' create the recordset object
SQL = "select * from B_class where B_name like '%" & Keyword & "%' order by id desc"
' Fuzzy search on the keyword; results sorted by the id field in descending order
Rs.Open SQL, Conn, 3, 1    ' Conn is the database connection opened in the elided code above
If Rs.EOF Then
' ..................
%>

In the code above, the program only trims spaces from both sides of the search variable (parameter) submitted by the user and filters nothing else before splicing it into the SQL statement for the query. That is what creates the injection vulnerability. In most systems the file that implements the search function is named search.asp, so when looking for a search injection vulnerability in a system's source code, first check whether this file exists; it usually does. If it does not, search the system's home page for the word "search" (or "query", and so on) and then look at which file the search form is linked to. In HTML a form is marked by a pair of form tags in a specific area of the page, and the ACTION attribute of the opening tag gives the address to which the form data is submitted. The file named in ACTION is therefore the one that implements the search function, and its source can be inspected to see whether the injection vulnerability exists.

We also need to understand the Like operator in the WHERE clause of an SQL query. Like performs fuzzy matching, and a fuzzy search with Like requires wildcards. % is a wildcard in the Like operator that stands for zero or more arbitrary characters. For example:

Like 'hacker%' matches any string that starts with hacker

Like '%hacker' matches any string that ends with hacker

Like '%hacker%' matches any string that contains hacker

These examples should give you some idea of how fuzzy search works. Now for the injection method.

Open a website and enter manager%' and 1=1 and '%'=' in the search box, where manager is a keyword that exists on the site. Click Search and information related to manager is returned; enter manager%' and 1=2 and '%'=' instead and an empty result is returned. Why? Some readers will recall the logic operations from the first lecture. After Like, the condition becomes '%manager%' and 1=1 and '%'='%'. As a logical expression that is true and true and true, which is true, so the information we searched for is returned; with 1=2 the expression is false, and naturally nothing is found. You can also enter keyword' and '1%'='1 and keyword' and '1%'='2 in the search box and check whether different pages come back to identify the vulnerability (this was explained in detail in the first lecture).
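To make the mechanics concrete, here is an added example (not code from the original article) that rebuilds the vulnerable search in Python against an in-memory SQLite copy of the B_class table, runs the manager%' and 1=1 and '%'=' / 1=2 probes and the keyword' and '1%'='1 variant against it, and shows the hardened form that binds the whole LIKE pattern as a parameter and escapes user-typed wildcards. The table rows and the looks_injectable helper are assumptions for illustration, and SQLite stands in for whatever database the ASP site used.

```python
"""Search injection against an in-memory SQLite copy of the article's
B_class table.  Added example, not the article's ASP code; the rows are
constructed and SQLite stands in for the site's database."""
import sqlite3

# Constructed sample rows for B_class (id, B_name).
ROWS = [
    (1, "manager"),
    (2, "site manager guide"),
    (3, "hacker news"),
    (4, "hackers handbook"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE B_class (id INTEGER PRIMARY KEY, B_name TEXT)")
    conn.executemany("INSERT INTO B_class VALUES (?, ?)", ROWS)
    return conn


def vulnerable_search(conn, keyword):
    """Same logic as the search.asp above: Trim() the keyword, then splice it
    straight into the LIKE pattern.  Returns (sql, matching names)."""
    keyword = keyword.strip()
    sql = ("SELECT * FROM B_class WHERE B_name LIKE '%" + keyword
           + "%' ORDER BY id DESC")
    return sql, [row[1] for row in conn.execute(sql)]


def safe_search(conn, keyword):
    """Hardened form: the whole pattern is bound as a parameter, and any
    % or _ the user typed is escaped so it matches literally."""
    keyword = keyword.strip()
    escaped = (keyword.replace("\\", "\\\\")
               .replace("%", "\\%")
               .replace("_", "\\_"))
    sql = ("SELECT * FROM B_class WHERE B_name LIKE ? ESCAPE '\\' "
           "ORDER BY id DESC")
    return sql, [row[1] for row in conn.execute(sql, ("%" + escaped + "%",))]


def looks_injectable(conn, keyword, search=vulnerable_search):
    """The 1=1 / 1=2 probe from the article.  True only if the 1=1 variant
    returns rows and the 1=2 variant returns none; a keyword the site cannot
    find makes both empty, so the probe is then inconclusive (assumed helper)."""
    _, true_rows = search(conn, keyword + "%' and 1=1 and '%'='")
    _, false_rows = search(conn, keyword + "%' and 1=2 and '%'='")
    return bool(true_rows) and not false_rows


if __name__ == "__main__":
    db = make_db()
    for kw in ["manager",
               "manager%' and 1=1 and '%'='",
               "manager%' and 1=2 and '%'='",
               "manager' and '1%'='1",
               "manager' and '1%'='2"]:
        sql, names = vulnerable_search(db, kw)
        print(sql, "->", names)
    print("vulnerable:", looks_injectable(db, "manager"))
    print("hardened:  ", looks_injectable(db, "manager", safe_search))
```

Running the block prints each spliced statement next to the rows it returns, so the difference between the 1=1 and 1=2 probes is visible in the SQL itself; against safe_search the same input is just a long literal that matches nothing, and the probe reports no vulnerability.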
As with URL injection, search injection can be done manually or with a tool. Manual injection is simple: enter keyword%' and <injection code> and '%'= in the search box, where the injection code is the same code normally placed in the URL. For example, to determine the type of database behind the site, enter keyword%' and user>0 and '%'=. The chosen keyword must actually be findable on the site; a keyword that returns nothing by itself cannot serve as the injection keyword, because the true and false conditions would then both return an empty result.

Both the NBSI and HDSI injection tools support search-type injection points, but first we need the injection point, that is, the URL of the search page. As mentioned in the previous lecture, a system receives user data by one of two submission methods, GET and POST. In the Request object the collection holding GET data is QueryString and the collection holding POST data is Form. In practice most data is submitted by POST, and the code above also uses POST (Request.Form). The Request object can also read a value without naming a collection, but that is inefficient and error-prone and is generally not used in large systems. The biggest difference between the two methods is that with GET all parameters and values are placed in the URL, become part of it and are displayed. Baidu's search works this way: searching for "New Century Cyber Security" shows this URL in the browser:

http://www.baidu.com/s?wd=%D0%C2%CA%C0%BC%CD%CD%F8%B0%B2&cl=3

%D0%C2%CA%C0%BC%CD%CD%F8%B0%B2 is the (GBK) percent-encoded form of the search term, placed in the URL. After the ?, the values of the variables are joined with &: wd carries the search term "New Century Network Security" and cl has the value 3. If the system submits the search by GET, we only need to enter that URL into the tool, together with a keyword that can be found. With POST, the submitted data does not appear in the URL; it is carried in the body of the form submission. We must therefore find the (possibly hidden) form variables ourselves, assign them correct values, construct the injection URL and then hand it to the tool. Below we use http://hr.wtojob.com (World Trade Talent Network) and http://www.sdrs.gov.cn/ (Shandong Personnel Information Network) to walk through the steps of the two methods:

1: First determine whether an injection vulnerability exists, using the 1=1 / 1=2 test above.
2: Enter a keyword that can be found into the site's search box, but do not click Search yet.
3: Start WSockExpert, click the Open Process button on its toolbar, select the IE process showing the site from the process list and click it, so that the submitted data can be viewed.
4: Now click Search. In the tool's window, select the packet submitted by POST and click it; the box below shows the POST parameters and their corresponding values.
5: Construct the URL by hand from those parameters and enter it into the injection tool. HDSI handles search injection well, but because it detects the injection vulnerability by testing only the last variable, the query keyword must be placed at the end of the URL for the vulnerability to be detected; the tool can then do the rest for us. (Important note: after reading this tutorial, do not damage the two websites mentioned above, or you alone bear the consequences.)
Nowadays many website systems filter the common injection vectors, but programmers often neglect the search function, the text-box input and the hidden-field variables (parameters) submitted with the form, leaving them unfiltered or only partly filtered, and this too produces the vulnerability.
 
