"利用URL編碼繞SQL防注入"的說法已經(jīng)看到多次了(黑客防線以及網(wǎng)上大牛們的文章)�,今天抽空分析了一下這種說法的原理:
下面是一個典型SQL防注入程序的核心代碼:
......
Url=LCase(Request.QueryString())
Ip=Request.ServerVariables("REMOTE_ADDR")
if instr(Url,"")<> 0 or instr(Url,";")<>0 or instr(Url,"where")<>0 or instr(Url,"select")<>0 or instr(Url,"chr")<>0 or instr(Url,"/")<>0 or instr(Url,"count")<>0 or instr(Url,"update")<>0 or instr(Url,"char")<>0 or instr(Url,"declare")<>0 or instr(Url,"master")<>0 or instr(Url,"mid")<>0 or instr(Url,"*")<>0 or instr(Url,"and")<>0 or instr(Url,"exec")<>0 or instr(Url,"insert")<>0 or instr(Url,"truncate")<>0 then
Flag=True
Set theRs=server.CreateObject("ADODB.recordset")
Sql="select * from hackrecord"
theRs.Open sql,theconn,2,3
theRs.AddNew
theRs("time")=cstr(now())
theRs("ip")=ip
theRs.Update
theRs.Close
set theRs=nothing
end if
......
程序過濾的很仔細,SQL注入的核心關(guān)鍵字都被檢測了���。
程序使用Request.QueryString來獲取客戶端提交的QUERY_STRING參數(shù)��,下面是一個小實驗�����,看過之后就不言而喻了�����。
test.asp文件
<%
response.write "request(""param"")=" & request("param") & "<br>"
request.querystring("")和request.servervariables("QUERY_STRING")是等效的
response.write "request.querystring()=" & request.querystring() & "<br>"
response.write "request.servervariables(""QUERY_STRING"")="& request.servervariables("QUERY_STRING") & "<br>"
%>
看如下瀏覽器截圖(一目了然了):
域名注冊知識
虛擬主機知識
網(wǎng)站建設(shè)知識
網(wǎng)絡(luò)推廣知識
網(wǎng)絡(luò)營銷知識
常見技術(shù)問題
QQ空間
新浪微博
開心網(wǎng)
人人網(wǎng)
