URL encoding and SQL injection

xiaoxiao, 2021-03-05

Speaking of URL encoding, you may remember the URL encoding vulnerability from n years ago. Unfortunately, I came to the scene late: by the time I got online, that vulnerability was already old news.

Back to the topic: what is URL encoding? Here is the definition I copied from the Internet:

Quote: URL encoding is the format a browser uses to package form input. The browser takes every name and value from the form, encodes them as name/value pairs (dropping those that cannot be sent, and so on) and transmits the data either as part of the URL or separately. In either case, the form input arriving at the server side looks like this:

thename=Ichabod+Crane&gender=Male&status=missing&headless=yes

URL encoding follows these rules: each name/value pair is separated from the next by the & symbol; within each pair the name is separated from the value by =. If the user did not enter a value for a name, the name still appears, just with no value. Any special character (that is, anything that is not plain seven-bit ASCII, such as a Chinese character) is written as a percent sign followed by its hexadecimal code, and of course this also applies to the special characters =, & and % themselves.

Oh, I see: URL encoding is really just the hexadecimal form of a character's ASCII code, with one small change: a "%" is put in front. For example, the ASCII code of "\" is 92, and 92 in hexadecimal is 5C, so the URL encoding of "\" is %5C. What about the URL encoding of a Chinese character? Very simple, see this example: the character "Hu" (胡) has code -17670 (negative because its two-byte code is read as a signed 16-bit integer), which is BAFA in hexadecimal, so its URL encoding is "%BA%FA". Now you know how to convert it.

We usually never have to use URL encoding ourselves, because IE automatically converts any non-alphanumeric character typed into the address bar into its URL encoding. So to the browser, http://blog.9cbs.net/l%61ke2 and http://blog.9cbs.net/lake2 are equivalent (note that in the first URL I used %61 in place of "a"). Perhaps you have already thought of it: some people suggested putting a "#" in the database file name to stop it from being downloaded, because IE ignores everything after a #. The way around that is very simple: replace the # with its URL encoding, %23. I once tried using URL encoding to slip past an injection check, but it did not work, because the server converts the encoding back into characters before checking.

Wait, I seem to be going off topic. OK, stop, sorry :)

SQL injection is very popular now, so some people have written anti-injection scripts. Of course, the ideas differ, and so does the effectiveness. Let's all look at the ASP version of the following "×× SQL universal anti-injection" code.

fy_url = Request.ServerVariables("QUERY_STRING")
fy_a = Split(fy_url, "&")
ReDim fy_cs(UBound(fy_a))
On Error Resume Next
For fy_x = 0 To UBound(fy_a)
    fy_cs(fy_x) = Left(fy_a(fy_x), InStr(fy_a(fy_x), "=") - 1)
Next
For fy_x = 0 To UBound(fy_cs)
    If fy_cs(fy_x) <> "" Then
        If InStr(Request(fy_cs(fy_x)), "and") <> 0 Then
            Response.Write "error!"
            Response.End
        End If
    End If
Next

Its idea is to take the submitted data, split it on "&" to obtain the name/value pairs, and then check whether each value contains a defined keyword (to keep it simple here, I left only "and"); if it does, the request is treated as an injection attempt.

At first glance the value is checked and there seems to be no problem. Right, the value will not have a problem, but what about the name?

The name/value pairs come from Request.ServerVariables("QUERY_STRING"), and, sorry to say, that is where the problem is. Request.ServerVariables("QUERY_STRING") is the raw string submitted by the client; it is not URL-decoded automatically. So if we URL-encode the name, the check can be bypassed. For example, with the parameter pH4NT0M=Lake2 and Lis0 the program detects the keyword; but if %50H4NT0M=Lake2 and Lis0 is submitted (the name URL-encoded), the program looks up the value of a parameter literally named %50H4NT0M, while the server has already converted %50H4NT0M to pH4NT0M, so the value of %50H4NT0M is empty and the check is bypassed.

Wait, why can the name bypass the check without being decoded, while the value cannot? Because the value is read through Request(fy_cs(fy_x)), and that is something the server does decode.

How can the program be improved? The data submitted by the client only needs to be decoded before it is checked: changing the statement that obtains the name to For Each submitname In Request.QueryString is enough.
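To make the mismatch concrete, here is an added Python model of the filter above and of the suggested fix; it is not the post's own code (which is ASP/VBScript). It assumes ASP's Request collection decodes both names and values and looks names up case-insensitively, and the query strings are constructed test inputs.

```python
from urllib.parse import parse_qsl

KEYWORDS = ("and",)  # the post keeps only "and"; the real script has a longer list


def raw_names(query_string):
    """Mimic the script: split the raw QUERY_STRING on & and take the part
    before = without decoding. A pair with no '=' leaves the slot empty,
    as Left(x, -1) errors out under On Error Resume Next."""
    names = []
    for pair in query_string.split("&"):
        eq = pair.find("=")
        names.append(pair[:eq] if eq >= 0 else "")
    return names


def decoded_params(query_string):
    """Mimic the server-side collection: names and values are URL-decoded,
    and lookups are case-insensitive (assumed ASP behaviour)."""
    params = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        params.setdefault(name.lower(), value)
    return params


def request_lookup(params, name):
    """Request(fy_cs(fy_x)): the supplied key is used as-is, so an encoded
    key such as %50H4NT0M never matches the decoded entry pH4NT0M."""
    return params.get(name.lower(), "")


def weak_check(query_string):
    """The post's filter: names from the raw string, values from the
    decoded collection. Returns True when the request is allowed."""
    params = decoded_params(query_string)
    for name in raw_names(query_string):
        if name and any(kw in request_lookup(params, name) for kw in KEYWORDS):
            return False
    return True


def fixed_check(query_string):
    """The post's fix: iterate the decoded collection itself, which is what
    'For Each submitname In Request.QueryString' does."""
    for value in decoded_params(query_string).values():
        if any(kw in value for kw in KEYWORDS):
            return False
    return True
```

Running both checks over the post's two query strings shows the weak filter allowing the encoded-name variant while the fixed one rejects it, which makes that variant a useful regression input for any such filter.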

Please credit the original address when reposting: https://www.9cbs.com/read-33007.html
