URL encoding and SQL injection

xiaoxiao  2021-03-06

Speaking of URL encoding, you may remember the URL encoding vulnerability from n years ago. Unfortunately, I was born at the wrong time: by the time I came into contact with the network, that vulnerability was already long gone. Back to the point: what is URL encoding? Look at the definition I copied from the Internet. Quote:

URL encoding is the format a browser uses to package form input. The browser takes all the names and values from the form, encodes them as name/value parameters (removing characters that cannot be transferred, and so on), and sends them as part of the URL or separately. In either case, the form input arrives at the server in a format like this:

    theName=Ichabod+Crane&gender=male&status=missing&headless=yes

URL encoding follows these rules: each name/value pair is separated by the & symbol; within each pair, the name and the value from the form are separated by =. If the user enters no value for a name, the name still appears, just with no value. Any special characters (that is, those that are not simple 7-bit ASCII, such as Chinese characters) are encoded in hexadecimal with a percent sign (%), including, of course, special characters such as =, & and %.

So, in fact, URL encoding is just the hexadecimal form of a character's ASCII code, with one small change: a "%" is added in front. For example, the ASCII code of "\" is 92, and 92 in hexadecimal is 5C, so the URL encoding of "\" is %5C. So what is the URL encoding of Chinese characters? Very simple, see this example: the "ASCII code" of "Hu" is -17670, hexadecimal is BAFA, and the URL encoding is "%BA%FA". Now you know how the conversion works.

We normally do not have to deal with URL encoding ourselves, because IE automatically converts the non-alphanumeric characters you type into the address bar into URL encoding. So, for the browser, http://blog.9cbs.net/l%61ke2 and http://blog.9cbs.net/lake2 are equivalent (note that in the first URL I used %61 to replace "a"). You may already have thought of this: some people suggest putting "#" in the database file name to prevent it from being downloaded, because IE ignores everything after a "#". Defeating this is very simple: replace the "#" with its URL encoding, %23. I once tried to use URL encoding to evade an injection check, but it did not work, because the server converts the URL encoding back into characters.

Wait, it seems I have gone off topic, sorry :) SQL injection is very popular now, so some people have written anti-injection scripts. Of course, the approaches differ and the results differ greatly. Take a look at the following code from the ASP version of the ×× SQL universal anti-injection script.

    ' Collect the parameter names from the raw query string
    fy_url = Request.ServerVariables("QUERY_STRING")
    fy_a = Split(fy_url, "&")
    ReDim fy_cs(UBound(fy_a))
    On Error Resume Next
    For fy_x = 0 To UBound(fy_a)
        fy_cs(fy_x) = Left(fy_a(fy_x), InStr(fy_a(fy_x), "=") - 1)
    Next
    ' Look up each parameter's value and search it for the keyword
    For fy_x = 0 To UBound(fy_cs)
        If fy_cs(fy_x) <> "" Then
            If InStr(LCase(Request(fy_cs(fy_x))), "and") <> 0 Then
                Response.Write "Errors!"
                Response.End
            End If
        End If
    Next

Its idea is to take the submitted data, split it on "&" to obtain and process the name/value pairs, and then check whether each value contains a defined keyword (for simplicity, I have kept only "and" here); if it does, the request is treated as an injection. At first glance, the value is checked and there seems to be no problem.
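The quoted encoding rules and the keyword check described above, as an added Python example that is not part of the original post: it decodes a query string the way the rules describe and runs the check on the decoded values. The function names and the `ENCODED` and `HARMLESS` inputs are constructed for illustration, and the two-byte `%BA%FA` case assumes the GBK charset.

```python
import re

_HEX = re.compile(rb"%([0-9A-Fa-f]{2})")
KEYWORDS = ("and",)  # the page's script is trimmed to this one keyword

def percent_decode(text, charset="utf-8", plus_as_space=True):
    """Turn %XX escapes back into bytes, then decode the bytes as `charset`.
    Malformed escapes such as "%zz" or a trailing "%" are left untouched."""
    if plus_as_space:                      # form data encodes a space as "+"
        text = text.replace("+", " ")
    raw = _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), text.encode(charset))
    return raw.decode(charset, errors="replace")

def parse_query(query, charset="utf-8"):
    """Split on "&", then on the first "="; a bare name gets an empty value."""
    pairs = []
    for field in query.split("&"):
        if field:
            name, _, value = field.partition("=")
            pairs.append((percent_decode(name, charset),
                          percent_decode(value, charset)))
    return pairs

def flagged_fields(query, charset="utf-8"):
    """Names of fields whose *decoded* value contains a keyword."""
    return [name for name, value in parse_query(query, charset)
            if any(k in value.lower() for k in KEYWORDS)]

# Sample inputs: the first is the page's example, the others are constructed.
FORM = "theName=Ichabod+Crane&gender=male&status=missing&headless=yes"
ENCODED = "id=7+%61nd+8&note"      # "%61nd" decodes to "and"
HARMLESS = "surname=Anderson"      # substring match also hits legitimate input

if __name__ == "__main__":
    print(parse_query(FORM))
    print(percent_decode("%5C"), percent_decode("%23"))
    # Assumption: the page's two-byte example is a GBK-encoded character.
    print(percent_decode("%BA%FA", "gbk"))
    print(percent_decode("l%61ke2", plus_as_space=False))
    print(parse_query(ENCODED), flagged_fields(ENCODED))
    print(flagged_fields(HARMLESS))
```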

When reprinting, please cite the original address: https://www.9cbs.com/read-89147.html
