Prior to URL encoding, percent-plus the two bits 1 to 6 hexadecimal representation of a character, such as’after the after encoding is%2 7, This is everyone knows the URL encoding rules, UrlUnescapeInPlace like the API function even programmers write their own URL decoding function that are based on this idea.
However, we why so obedient, just imagine if the%is followed by not 1 6 ary digital but like abc%hh what will happen? Look at the UrlUnescapeInPlace, the Write a small program to try, abc%hh through the decoding or abc%hh; then see asp. dll is how to decode the code in the asp page to write the response. Write(request. QueryString("str")), and then use? str=abc%hh access it, the page displays abchh, it is directly The%to remove.
Now to think about if we submitted the sele%ct information monitoring system to get the string or the sele%ct, of course it's not dangerous characters, it wouldn't be intercepted, but for ASP, it can Is select, the other Similarly, the’available%’representation, such as and exists(select * from admin)can be converted to the following string is a%nd ex%ists(%select * %from ad%min). This method may extrapolate, for example, use%%instead of%are available, also can be other specific can go and see RFC2396 for.
The above are only for GET-way analysis, POST haven't tried, but the conjecture is also possible. And tested the above method on all current IIS firewalls are effective, including VIF's.
Added: in fact the discovery of this vulnerability has been there many days, and I don't want to disclosed, the other day twice to give first-class information surveillance of people an email to remind them, but they just didn't consider carefully I say problem, but also said first class of information systems can be put through the coding of the injected character is also added to the filter list, don't know how they think, he is there plus a sele%ect filter rules on it? That sele%%ct., and also together with you? That sele%%%ct??? In view of the best of this indifferent attitude I disclosed this vulnerability, hope they can Service the authentication of.