URL encoding and SQL Injection


Author: lake2 from: http://blog.csdn.net/lake2

Speaking of URL encoding, you may recall the URL encoding vulnerability from N years ago. Unfortunately, by the time I got onto the Internet, that vulnerability had long been extinct.

What is URL encoding? Here is a definition I copied from the Internet:

Reference:

URL encoding is the format a browser uses to package form input. The browser takes every name and value from the form, encodes them as name/value pairs (removing characters that cannot be transmitted, ordering the data, and so on), and either appends them to the URL or sends them to the server separately. In either case, the form input arrives at the server in this format:

TheName=Ichabod+Crane&gender=male&status=missing&headless=yes

URL encoding follows these rules: name/value pairs are separated from each other by the & operator; within a pair, the name and the value are separated by the = operator. If the user enters no value for a name, the name still appears, but with no value. Any special character (that is, anything that is not a plain seven-bit ASCII character, such as a Chinese character) is encoded as a percent sign followed by its hexadecimal value. This also applies to =, & and % themselves.


So URL encoding is just the hexadecimal value of each byte with a "%" in front of it. For example, the ASCII code of "\" is 92, which is 5C in hexadecimal, so the URL encoding of "\" is %5C. What about a Chinese character? Take 胡 ("Hu"): in GB2312/GBK it is the two bytes BA FA (VBScript's Asc() reports it as -17670, the same two bytes read as a signed 16-bit integer, since this is not an ASCII code at all), so its URL encoding is %BA%FA. Each byte is converted the same way.
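The rules above, written out by hand so that each step is visible (this is an added example, not code from lake2's post; urllib.parse.quote would do the same job). It assumes the form is encoded with GB2312/GBK, as the classic ASP sites of that era were, and also reproduces the Asc() figure quoted for 胡:

```python
# Added example, not from lake2's post: the percent-encoding rules described
# above, written out by hand, plus the VBScript Asc() value quoted for 胡.
# Assumption: form data is encoded with GB2312/GBK (classic ASP sites of the era).
import re

# Bytes sent as-is; every other byte becomes %XX.
UNRESERVED = set(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_.~"
)
HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def url_encode(text: str, encoding: str = "gbk") -> str:
    """Encode one name or value: each byte outside UNRESERVED becomes '%' plus
    two hex digits; a space becomes '+' (form-encoding convention)."""
    out = []
    for byte in text.encode(encoding):
        if byte in UNRESERVED:
            out.append(chr(byte))
        elif byte == 0x20:
            out.append("+")
        else:
            out.append("%%%02X" % byte)
    return "".join(out)


def url_decode(text: str, encoding: str = "gbk") -> str:
    """Reverse of url_encode. A '%' that is not followed by two hex digits is
    kept literally rather than raising an error."""
    raw = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "+":
            raw.append(0x20)
            i += 1
        elif ch == "%" and HEX_PAIR.fullmatch(text[i + 1:i + 3]):
            raw.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            raw.extend(ch.encode(encoding))
            i += 1
    return raw.decode(encoding, errors="replace")


def form_urlencode(pairs, encoding: str = "gbk") -> str:
    """Package name/value pairs as a browser does: '=' inside a pair, '&'
    between pairs; both characters are percent-encoded when they occur in data."""
    return "&".join(
        url_encode(name, encoding) + "=" + url_encode(value, encoding)
        for name, value in pairs
    )


def form_urldecode(query: str, encoding: str = "gbk"):
    """Split on '&', then on the first '='; a name with no '=' keeps an empty value."""
    pairs = []
    for part in query.split("&"):
        if part == "":
            continue
        name, _, value = part.partition("=")
        pairs.append((url_decode(name, encoding), url_decode(value, encoding)))
    return pairs


def vbscript_asc(ch: str, encoding: str = "gbk") -> int:
    """VBScript's Asc() on a double-byte character returns both bytes as a
    signed 16-bit integer; that is where the post's -17670 for 胡 comes from."""
    data = ch.encode(encoding)
    value = int.from_bytes(data, "big")
    return value - 0x10000 if len(data) == 2 and value >= 0x8000 else value


if __name__ == "__main__":
    print(url_encode("\\"), url_encode("胡"), url_encode("#"))  # %5C %BA%FA %23
    print(vbscript_asc("胡"))                                    # -17670
    print(form_urlencode([("TheName", "Ichabod Crane"), ("gender", "male")]))
    print(form_urldecode("%70h4nt0m=lake2+and+lis0&headless"))
```

Note that the decoder works on bytes and only interprets them as characters at the end: %BA%FA is two separate escapes, and a decoder that tried to map each %XX to a character on its own would never produce 胡.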

We usually do not notice URL encoding because IE automatically converts any non-alphanumeric character typed into the address bar into its URL-encoded form. So, as far as the browser is concerned, http://blog.csdn.net/l%61ke2 and http://blog.csdn.net/lake2 are equivalent (note that I replaced the a with %61 in the first URL). You may remember that people put "#" in a database file name to stop it from being downloaded, because when IE meets a "#" it ignores everything after it. The workaround is simple: replace the # with its URL encoding, %23. I tried to evade an injection check by using URL encoding, but it failed because the server converts the URL encoding back into characters.

Wait, I seem to have wandered off topic. Haha, sorry :)

SQL injection is very popular at the moment, so people have written anti-injection scripts. Naturally the ideas differ, and so do the results. Take a look at the following excerpt from the "SQL universal anti-injection" ASP code.

Fy_Url = Request.ServerVariables("QUERY_STRING")   ' raw query string, still URL-encoded
Fy_a = Split(Fy_Url, "&")                          ' one element per name=value pair
ReDim Fy_Cs(UBound(Fy_a))
On Error Resume Next
For Fy_x = 0 To UBound(Fy_a)
    ' parameter name = everything before the first "=", taken from the raw string
    Fy_Cs(Fy_x) = Left(Fy_a(Fy_x), InStr(Fy_a(Fy_x), "=") - 1)
Next
For Fy_x = 0 To UBound(Fy_Cs)
    If Fy_Cs(Fy_x) <> "" Then
        ' Request() looks the name up in the decoded parameters; the value is checked for the keyword
        If InStr(LCase(Request(Fy_Cs(Fy_x))), "and") <> 0 Then
            Response.Write "error!"
            Response.End
        End If
    End If
Next


The idea is to take the submitted data, split it into name/value pairs on "&", and then check whether each value contains one of the defined keywords (simplified here: I left only "and"). If it does, the request is treated as injection.

At first glance the value is checked and there seems to be no problem. True, there is no problem with the value. But what about the name?

The names come from Request.ServerVariables("QUERY_STRING"), and that is the problem: Request.ServerVariables("QUERY_STRING") is the string exactly as the client submitted it, and URL encoding is not decoded there. So if we URL-encode the name and submit it, we bypass the check. For example, if the parameter is ph4nt0m=lake2 and lis0, the script detects it. Submit %70h4nt0m=lake2 and lis0 instead (%70 is the URL encoding of p; %50, an uppercase P, works just as well because ASP matches parameter names case-insensitively), and the script looks up the value of a parameter literally named %70h4nt0m. The server decodes the submitted name to ph4nt0m, so no parameter called %70h4nt0m exists, its value is empty, and the check is bypassed, while the application itself still reads Request("ph4nt0m") and gets lake2 and lis0.

Wait, if the name is not decoded, why can't the value be bypassed the same way? Because the value is fetched with Request(Fy_Cs(Fy_x)), and the server decodes that before the check sees it.

How do we fix the script? Simply work on the data after the server has decoded it: replace the name-extraction loop with For Each SubmitName In Request.QueryString, which iterates over the decoded parameter names.
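The bypass and the fix side by side, as a Python model of the ASP logic (an added example; this is neither lake2's code nor the anti-injection script itself). Two modelling assumptions: Request.ServerVariables("QUERY_STRING") is the raw, still-encoded string, and Request(name) looks the name up among the decoded pairs case-insensitively and returns "" when no such parameter exists, which is how classic ASP behaves. Only the query string is modelled, not the Form or Cookies collections that Request() also searches.

```python
# Added example, not from lake2's post and not the ASP script itself: a Python
# model of the anti-injection check as written and as the post proposes to fix
# it, run against the name-encoded bypass.
# Assumptions: QUERY_STRING is the raw string; Request(name) matches names
# case-insensitively among the DECODED pairs and returns "" when absent.
from urllib.parse import parse_qsl

KEYWORDS = ("and",)  # the post keeps only "and"; the real script has a longer list


def asp_request(query_string: str, name: str) -> str:
    """Model of Request(name)."""
    for n, v in parse_qsl(query_string, keep_blank_values=True):
        if n.lower() == name.lower():
            return v
    return ""


def raw_names(query_string: str):
    """First loop of the script: names cut from the RAW query string.
    A part without '=' makes Left(s, -1) fail; On Error Resume Next leaves that
    slot empty and the second loop skips it, so it is skipped here too."""
    names = []
    for part in query_string.split("&"):
        if "=" in part:
            names.append(part.split("=", 1)[0])
    return names


def vulnerable_check(query_string: str) -> bool:
    """True when the original script would answer 'error!'."""
    for name in raw_names(query_string):
        value = asp_request(query_string, name).lower()
        if any(k in value for k in KEYWORDS):
            return True
    return False


def fixed_check(query_string: str) -> bool:
    """Same check over the decoded names
    (For Each SubmitName In Request.QueryString)."""
    for name, _ in parse_qsl(query_string, keep_blank_values=True):
        value = asp_request(query_string, name).lower()
        if any(k in value for k in KEYWORDS):
            return True
    return False


if __name__ == "__main__":
    for qs in ("ph4nt0m=lake2+and+lis0",     # plain: both checks catch it
               "ph4nt0m=lake2+%61nd+lis0",   # encoded value: still caught
               "%70h4nt0m=lake2+and+lis0",   # encoded name: bypasses the original
               "%50h4nt0m=lake2+and+lis0"):  # uppercase P still reaches ph4nt0m
        print(qs, "vulnerable:", vulnerable_check(qs), "fixed:", fixed_check(qs),
              "app sees:", repr(asp_request(qs, "ph4nt0m")))
```

Run it and the third and fourth lines show the gap: the original check returns False while the application still receives "lake2 and lis0". Even the fixed version is only a substring blacklist ("and" also matches "brand"), so it is a stopgap; parameterised queries remain the real defence.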

Thank you for your patience.
