A Complete Guide to SQL Injection Vulnerabilities - Advanced Part (2)

xiaoxiao 2021-03-06

Section II: Bypassing program restrictions to keep injecting

In the Introductory Part I noted that many people like to test for injection vulnerabilities with the ' sign, so many people also filter the ' sign to "prevent" injection vulnerabilities. That may stop some beginners, but anyone who knows SQL injection well can still use the relevant functions to get around the program's restriction.

In the "SQL Injection" section, the statements I used had all been optimized so that they contain no single quotes; in "Injecting into the SQL Server Database Using the System Tables", some statements do contain a ' sign. Let us take an example to see how such statements can be rewritten:

A simple case is where xtype='u': the ASCII code of the character u is 85, so where xtype=char(85) can be used instead. If the characters are Chinese, for example where name='用户', then where name=nchar(29992)+nchar(25143) can be used instead.

Section III: Summary of experience

1. Some people filter keywords such as Select, Update and Delete but forget to distinguish upper and lower case, so everyone can try a spelling such as selecT.

2. When you cannot guess a field name, look at the login form on the website: for convenience, the field names are usually given the same names as the input boxes of the form.

3. Special note: a + sign in the address bar is interpreted as a space once it reaches the program, %2B is interpreted as a + sign, and %25 is interpreted as a % sign; for details, refer to the documentation on URLEncode.

4. When injecting with the GET method, IIS records every string you submit, but it does not record POST requests, so wherever a URL accepts POST, try not to use GET.

5. When guessing against Access, only the character-by-character ASCII decoding method can be used. SQL Server can use this method as well, with only minor differences between the two, but if SQL Server's error messages can be used to expose the value, efficiency and accuracy improve enormously.
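The filtering pitfalls listed above (quoted literals rebuilt with char()/nchar(), mixed-case keywords, and the +/%2B/%25 encoding rules) are easier to catch on the server side if request parameters are fully decoded before they are inspected. The following Python is an added example written for this page, not code from the article or from 9cbs; the log lines, the simplified "METHOD path query" layout and the function names are constructed for it. It decodes each query-string value the way item 3 describes (+ to space, then nested %-encoding) and reports the indicators found, including a plain search term that a keyword-only filter would wrongly flag.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample request log lines in a simplified "METHOD path query" layout
# (not copied from any real IIS log). Payload shapes mirror only what the article
# describes: char()/nchar() literals, mixed-case keywords and %25 double encoding.
SAMPLE_LOG = [
    "GET /news.asp id=123",
    "GET /news.asp id=123+and+exists(sElEcT+*+from+sysobjects+where+xtype%3Dchar(85))",
    "GET /news.asp id=123+and+name%3Dnchar(29992)%2Bnchar(25143)",
    "GET /news.asp id=123%2527",
    "GET /search.asp q=select+your+plan",
    "POST /login.asp user=admin",   # POST bodies appear here only if the app logs them itself
]

KEYWORDS = re.compile(r"\b(select|update|delete|insert)\b", re.IGNORECASE)
CHAR_LITERAL = re.compile(r"\bn?char\s*\(\s*\d+\s*\)", re.IGNORECASE)


def decode_fully(raw, max_rounds=3):
    """Form-decode once (+ becomes a space, %xx becomes a byte), then keep
    percent-decoding while the value still changes, so %2527 -> %27 -> '.
    Later rounds use unquote, not unquote_plus, so a decoded literal + survives."""
    value = unquote_plus(raw)
    for _ in range(max_rounds):
        again = unquote(value)
        if again == value:
            break
        value = again
    return value


def inspect_value(raw):
    """Return the set of indicator names found in one query-string value."""
    once = unquote_plus(raw)
    value = decode_fully(raw)
    findings = set()
    if value != once:
        findings.add("double-encoded")      # %25xx hides a second encoding layer
    if "'" in value:
        findings.add("quote")               # the probe character beginners test with
    if CHAR_LITERAL.search(value):
        findings.add("char-literal")        # string literal rebuilt without any quote
    if KEYWORDS.search(value):
        findings.add("keyword")             # case-insensitive, unlike a naive filter
    return findings


def scan(lines):
    """Map each flagged log line to {param: findings}; clean lines are omitted."""
    report = {}
    for line in lines:
        parts = line.split(" ", 2)
        query = parts[2] if len(parts) > 2 else ""
        hits = {}
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            found = inspect_value(raw)
            if found:
                hits[name] = found
        if hits:
            report[line] = hits
    return report


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG).items():
        print(line, "->", hits)
```

A keyword match on its own (the search line) is weak evidence; pairing it with a quote, a char()-literal or double encoding is what separates the search term from the probes, and decoding before matching is what stops %2B and %25 from slipping past the inspection.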

Defense method

SQL injection vulnerabilities are a case of "a thousand-mile dike breached through an ant hole": they are extremely common online, usually because the programmer does not understand injection, the program's filtering is not strict, or a parameter was simply never checked. Here I give you a function to use in place of the Request function in ASP, which can say NO to all SQL injection. The function is as follows:

Function SafeRequest(ParaName, ParaType)
    '--- Incoming parameters ---
    'ParaName: parameter name (string)
    'ParaType: parameter type (number): 1 means the parameter must be numeric, 0 means it is a string
    Dim ParaValue
    ParaValue = Request(ParaName)
    If ParaType = 1 Then
        ' Numeric parameters are accepted only if IsNumeric agrees; anything else stops the page
        If Not IsNumeric(ParaValue) Then
            Response.Write "Parameter " & ParaName & " must be numeric!"
            Response.End
        End If
    Else
        ' String parameters: double every single quote so it cannot close the SQL string literal
        ParaValue = Replace(ParaValue, "'", "''")
    End If
    SafeRequest = ParaValue
End Function
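As an added illustration that is not part of the original article, the same idea ported to Python against an in-memory SQLite table (the table, its rows and the function names are all constructed for this example). It places the article's quote doubling next to a raw, unprotected concatenation and next to the bound-parameter form that database drivers provide, which is the check most practitioners reach for today because it does not depend on reproducing each database's quoting rules by hand.

```python
import sqlite3


def build_db():
    """Constructed in-memory table standing in for a site's user table (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                     [(1, "admin"), (2, "o'neil"), (3, "guest")])
    return conn


def safe_request(value, numeric):
    """Port of the article's SafeRequest. Numeric values must be digits only (stricter than
    VBScript's IsNumeric, which also accepts forms such as "1.5" and "1e3"); string values get
    every single quote doubled, which is SQL's own escape for a literal quote."""
    if numeric:
        if not value.isdigit():
            raise ValueError(f"parameter must be numeric, got {value!r}")
        return value
    return value.replace("'", "''")


def lookup_unprotected(conn, name):
    """Raw concatenation: a single stray quote breaks (or rewrites) the statement."""
    return [row[0] for row in conn.execute(f"SELECT id FROM users WHERE name = '{name}'")]


def lookup_escaped(conn, name):
    """Concatenation guarded by the article's quote doubling."""
    sql = f"SELECT id FROM users WHERE name = '{safe_request(name, numeric=False)}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Bound parameter: the driver sends the value separately, so it is never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT id FROM users WHERE name = ?", (name,))]


def lookup_by_id(conn, id_text):
    """Numeric parameter: validate as the article does, then still bind it."""
    checked = int(safe_request(id_text, numeric=True))
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE id = ?", (checked,))]


if __name__ == "__main__":
    db = build_db()
    print(lookup_escaped(db, "o'neil"), lookup_parameterized(db, "o'neil"))
    print(lookup_escaped(db, "admin'"), lookup_parameterized(db, "admin'"))
    print(lookup_by_id(db, "1"))
```

The name o'neil shows that the escaped and the parameterized versions both keep legitimate quotes working, while the probe value admin' (the ' test the article opens with) only breaks the unprotected query; the numeric path rejects anything that is not plain digits before it ever reaches the database.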

This is the end of the article. Whether you are security personnel, a technology enthusiast or a programmer, I hope it has been of some help to you. (Source: 9cbs)

Please credit the original address when reposting: https://www.9cbs.com/read-115563.html
