The principles and development of an injection tool - vulnerability warning - The Black Bar Safety Net

ID MYHACK58:6220066413
Type myhack58
Reporter Anonymous (佚名)
Modified 2006-01-16T00:00:00


"Injection" is a word that nowadays can be counted as fashionable; you "hear" and see it everywhere "on the streets". This word once made countless people "turn pale at its mention", and today our topic is still injection. But the injection we discuss here is different from before: it is not the usual SQL injection, and it can be called something new. Ordinarily, people submit data through the page's form. Today we are going to break with that traditional idea. This method constructs the HTTP request packet itself, by program, in place of the traditional method, to achieve automatic data submission. Before getting to the point, I will say a few more words to everyone about the HTTP protocol. Actually I originally did not want to talk about HTTP, but I will do so to accommodate most readers. Ordinarily, when we open a website, IE actually acts as a client and sends the following request packet to the server:

    GET / HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
    Accept-Language: zh-cn
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
    Host:
    Connection: Keep-Alive
    Cookie: NETEASE_SSN=hinrof; NETEASE_ADV=11&22; Province=0; City=0; NTES_UV_COOKIE=YES

From the above packet we can see many fields, but many of them are not necessary; when we do our own programming we only need to care about the necessary ones. HTTP/1.1 stipulates that a minimal request message consists of the method field (GET, POST or HEAD) and the Host field, like this:

    GET / HTTP/1.1
    HOST: www.36963.cn

In HTTP/1.0 the HOST field is not required; as for why it cannot be omitted here, continue reading. GET and POST are the two methods the browser usually uses to submit packets to the server.
After the server receives the packet, it decodes it, parses out the required data, processes it, and finally returns the result. Usually the URL requests we see look like http://.../list.asp?id= ; we can construct the following packet to accomplish the same thing:

    GET /list.asp?id= HTTP/1.1
    HOST: ...

Because of the 1024-byte limit on URL length, the GET method is usually used to submit small amounts of data; if the data is relatively large, only the POST method can be used. Before explaining some points about the POST method, let us first look at a POST request packet.

    POST /huace/add.php HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
    Referer:
    Accept-Language: zh-cn
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
    Host:
    Content-Length: 115
    Connection: Keep-Alive

    name=test&email=&comefrom=&homepage=&icq=&oicq=&image=say.gif&comment=test&password=&doadd=%B7%A2%CB%CD%C1%F4%D1%D4

Compared with the GET method, there is an extra piece of content below the header fields: this is the data we submitted, and if it contains Chinese it must go through urlencode encoding. Now let us again omit the unnecessary fields and construct a minimal POST request:

    POST /huace/add.php HTTP/1.1
    Host:
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 115

    name=test&email=&comefrom=&homepage=&icq=&oicq=&image=say.gif&comment=test&password=&doadd=%B7%A2%CB%CD%C1%F4%D1%D4

The Content-Type field above indicates the type of the POST form, and Content-Length of course gives the length of the entity data. Neither of these may be omitted; otherwise the data cannot be received correctly. With this, the page that handles the request on the server side receives the submitted data and processes it.

Without noticing it we have said a great deal about the client side; now let us look at the server side. When the message data reaches the server, the server's lower layers receive it, place it in a particular buffer, and set some environment variables such as CONTENT_LENGTH and QUERY_STRING. Of course, some underlying details are hidden during this, for example how the data submitted by the client is redirected to the standard input of the requested page; we will not consider that too much here. Afterwards the higher-level application program (CGI, ASP, PHP and so on) extracts the data; a CGI program must perform the unencode decoding and string extraction itself. If I submit data to an ASP program with the fields name and body using a POST form, the ASP program should receive them as follows:

    name=request.form("name")
    body=request.form("body")

and add them to the database:

    rs.addnew
    rs("name")=name
    rs("body")=body
    rs.update

At this point the explanation is basically finished, but note one point: when we send packets, the URLEncode encoding of "name=value" must not be omitted; if it is, writing into the database may fail. Another problem to note: when the compiler processes Chinese characters it automatically reads one or two characters depending on bit 7 of the character, so you can force the use of unsigned char * to read a single byte as a character. The following function decides whether a byte has to be encoded:

    /* Return 1 if the byte must be percent-encoded: space, '%', '/' or any
       byte with bit 7 set (one byte of a multi-byte Chinese character). */
    int isT(char ch)
    {
        if(ch==' '||ch=='%'||ch=='/'||(ch&0x80))
            return 1;
        else
            return 0;
    }
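The minimal POST request above is easy to get wrong by hand because Content-Length has to equal the byte count of the encoded body. The program below is an added example, not code from the article: it percent-encodes each form value, assembles the request with a computed Content-Length, and includes the receiver-side check that the declared length matches the body actually present. The host name www.example.invalid and the field values are constructed for the example; the path /huace/add.php and field names are those used in the article.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Percent-encode one form value for application/x-www-form-urlencoded.
   ASCII letters, digits and "-._~" pass through; every other byte,
   including bytes with bit 7 set (the bytes of a GB2312 Chinese string),
   becomes %XX. Returns the encoded length, or -1 if `out` is too small. */
static int form_encode(const char *in, char *out, size_t outsize)
{
    static const char hex[] = "0123456789ABCDEF";
    const unsigned char *p = (const unsigned char *)in;  /* unsigned: bit 7 matters */
    size_t o = 0;
    for (; *p; p++) {
        size_t need = (isalnum(*p) || strchr("-._~", *p)) ? 1 : 3;
        if (o + need >= outsize)
            return -1;                      /* keep room for the NUL */
        if (need == 1) {
            out[o++] = (char)*p;
        } else {
            out[o++] = '%';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0F];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Assemble the minimal POST request described in the article: request line,
   Host, Content-Type, Content-Length, blank line, body. Field names are
   assumed to be plain ASCII; values go through form_encode(). Content-Length
   is computed from the encoded body instead of being typed in by hand.
   Returns the request length, or -1 if a buffer is too small. */
static int build_post_request(const char *host, const char *path,
                              const char *names[], const char *values[],
                              int nfields, char *out, size_t outsize)
{
    char body[1024];
    size_t blen = 0;
    int i, n;

    for (i = 0; i < nfields; i++) {
        char enc[512];
        if (form_encode(values[i], enc, sizeof enc) < 0)
            return -1;
        n = snprintf(body + blen, sizeof body - blen, "%s%s=%s",
                     i ? "&" : "", names[i], enc);
        if (n < 0 || (size_t)n >= sizeof body - blen)
            return -1;
        blen += (size_t)n;
    }
    n = snprintf(out, outsize,
                 "POST %s HTTP/1.1\r\n"
                 "Host: %s\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n"
                 "Content-Length: %zu\r\n"
                 "\r\n"
                 "%s", path, host, blen, body);
    if (n < 0 || (size_t)n >= outsize)
        return -1;
    return n;
}

/* Receiver-side check of the rule the article states: the declared
   Content-Length must equal the number of body bytes after the blank line.
   Returns 1 when they match, 0 when they differ or a header is missing. */
static int content_length_matches(const char *request)
{
    const char *cl = strstr(request, "Content-Length:");
    const char *blank = strstr(request, "\r\n\r\n");
    long declared;
    if (!cl || !blank || cl > blank)
        return 0;
    declared = strtol(cl + strlen("Content-Length:"), NULL, 10);
    return declared == (long)strlen(blank + 4);
}

/* Constructed sample: field names from the article's form, made-up values. */
static int build_sample_request(char *out, size_t outsize)
{
    const char *names[]  = { "name", "comment", "image" };
    const char *values[] = { "test", "a b/c", "say.gif" };
    return build_post_request("www.example.invalid", "/huace/add.php",
                              names, values, 3, out, outsize);
}

int main(void)
{
    char request[2048];
    if (build_sample_request(request, sizeof request) < 0) {
        fputs("buffer too small\n", stderr);
        return 1;
    }
    fputs(request, stdout);
    printf("\nContent-Length consistent: %s\n",
           content_length_matches(request) ? "yes" : "no");
    return 0;
}
```

The sample body encodes to name=test&comment=a%20b%2Fc&image=say.gif, 41 bytes, so the request carries Content-Length: 41; a server that receives a request whose declared length and actual body disagree will either block waiting for more bytes or truncate the form, which is the failure the article warns about.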

    #include <stdio.h>

    /* URL-encode the string s into d. Each byte that isT() flags is written
       as '%' followed by two hex digits; other bytes are copied as they are.
       Returns 0 if either pointer is NULL, 1 on success. */
    int encode(char *s,char *d)
    {
        if(!s||!d) return 0;
        for(;*s!=0;s++)
        {
            unsigned char p=(unsigned char)*s;   /* unsigned, so bit 7 is not a sign bit */
            if(p==' ')
            {
                *d='%'; *(d+1)='2'; *(d+2)='0';
                d+=3;
            }
            else if(isT(p))
            {
                char a[3];
                *d='%';
                sprintf(a,"%02x",p);
                *(d+1)=a[0]; *(d+2)=a[1];
                d+=3;
            }
            else
            {
                *d=p; d++;
            }
        }
        *d=0;
        return 1;
    }

The following is the Unencode function, which performs the URL decoding:

    #include <stdio.h>

    /* Decode "name=value" data: '+' becomes a space and "%XX" becomes the
       byte with hex value XX. Returns 0 if either pointer is NULL, 1 on success. */
    int unencode(char *s,char *d)
    {
        if(!s||!d) return 0;
        for(;*s!=0;s++)
        {
            if(*s=='+')
            {
                *d=' '; d++;
            }
            else if(*s=='%')
            {
                int code;
                /* Consume two more bytes only when they exist and are hex digits;
                   otherwise emit '?' and continue from the next byte, so that a
                   '%' at the end of the string cannot push s past the terminator. */
                if(s[1]!=0 && s[2]!=0 && sscanf(s+1,"%2x",&code)==1)
                {
                    *d=(char)code; s+=2;
                }
                else
                    *d='?';
                d++;
            }
            else
            {
                *d=*s; d++;
            }
        }
        *d=0;
        return 1;
    }

......
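The article notes that a CGI program has to do its own decoding and string extraction of the name=value&name=value body. The following added example (not code from the article) shows that server-side step: it splits on '&' and '=' before decoding, so an encoded %26 inside a value is not mistaken for a separator, decodes into fixed-size buffers with bounds checks, and keeps a '%' literally when it is not followed by two hex digits rather than reading past the token. The body it parses is the 115-byte body from the article's POST packet; the MAX_* sizes and the form_field type are choices made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_FIELDS 16
#define MAX_NAME   32
#define MAX_VALUE  256

typedef struct {
    char name[MAX_NAME];
    char value[MAX_VALUE];
} form_field;

/* Value of a hex digit, or -1 for a byte that is not one. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode `len` bytes of one form-encoded token into `out` (NUL-terminated).
   '+' becomes a space and "%XX" becomes one byte. A '%' not followed by two
   hex digits inside the token is copied literally, so decoding never reads
   beyond the token. Returns the decoded length, or -1 if `out` is too small. */
static int form_decode(const char *in, size_t len, char *out, size_t outsize)
{
    size_t i = 0, o = 0;
    while (i < len) {
        int hi = -1, lo = -1;
        if (o + 1 >= outsize)
            return -1;
        if (in[i] == '+') {
            out[o++] = ' ';
            i++;
        } else if (in[i] == '%' && i + 2 < len
                   && (hi = hexval((unsigned char)in[i + 1])) >= 0
                   && (lo = hexval((unsigned char)in[i + 2])) >= 0) {
            out[o++] = (char)(hi * 16 + lo);
            i += 3;
        } else {
            out[o++] = in[i++];
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Split a body of the form name=value&name=value into fields. Separators
   are located first and each name and value is decoded on its own.
   Returns the number of fields, or -1 if the table or a buffer is too small. */
static int parse_form(const char *body, size_t body_len,
                      form_field *fields, int max_fields)
{
    int n = 0;
    size_t i = 0;
    while (i < body_len) {
        size_t start = i, tlen, nlen, vlen;
        const char *tok, *eq;
        while (i < body_len && body[i] != '&')
            i++;
        tlen = i - start;
        if (tlen > 0) {
            if (n >= max_fields)
                return -1;
            tok = body + start;
            eq = memchr(tok, '=', tlen);
            nlen = eq ? (size_t)(eq - tok) : tlen;
            vlen = eq ? tlen - nlen - 1 : 0;
            if (form_decode(tok, nlen, fields[n].name, MAX_NAME) < 0)
                return -1;
            if (form_decode(eq ? eq + 1 : tok, vlen, fields[n].value, MAX_VALUE) < 0)
                return -1;
            n++;
        }
        i++;                                /* step over the '&' */
    }
    return n;
}

/* Look up a field by name; NULL if the form did not contain it. */
static const char *get_field(const form_field *fields, int n, const char *name)
{
    int i;
    for (i = 0; i < n; i++)
        if (strcmp(fields[i].name, name) == 0)
            return fields[i].value;
    return NULL;
}

int main(void)
{
    /* The body of the article's POST packet (115 bytes, matching its Content-Length). */
    const char *body = "name=test&email=&comefrom=&homepage=&icq=&oicq=&image=say.gif"
                       "&comment=test&password=&doadd=%B7%A2%CB%CD%C1%F4%D1%D4";
    form_field fields[MAX_FIELDS];
    int i, n = parse_form(body, strlen(body), fields, MAX_FIELDS);
    if (n < 0) {
        fputs("form too large\n", stderr);
        return 1;
    }
    for (i = 0; i < n; i++)
        printf("%-10s = %s (%zu bytes)\n", fields[i].name, fields[i].value,
               strlen(fields[i].value));
    return 0;
}
```

The doadd field decodes to the eight raw GB2312 bytes of the button caption; a CGI program that stores such values should treat them as opaque bytes of a known encoding rather than as text it can safely echo back into a page.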