ASP Classic QueryStrings that Split
You might be thinking, "Murray has lost his mind. Why in the world do you do so much to one querystring?"
When I get to the "HackOMania" section you'll know, but until then just keep quiet, do the functions and remember the process.
- URL Encode
- URL Decode
Now we have something that looks like /default.asp?v=gssor$2@$1E$1E(MnW)
What can we do next?
Oh, we decode it.
So now we have a QueryString("v") that gives us gssor$2@$1E$1E(MnW)
Then we decode that and see v=https://, less the (MnW), which I believe is the ` character we replaced in the ASP SQL Encode - Decode article.
Now we pass this information.
strQ = Request.QueryString("v")
strQ = URLDecode(EncodeOffSet(strQ))
Next we have to split out each of our known strings and skip anything that isn't ours (SQL Injection).
'######### Split me at my V ###############
If InStr(strQ,"q=") Then
    ' Start from the last "q=" in the decoded string
    j = InStrRev(strQ, "q=")
    If j > 0 Then
        ' Everything after "q="
        strQBTEMP = Mid(strQ, j+2)
        j = InStr(strQBTEMP, "v=")
        If j > 0 Then
            ' Cut before "v=" and the one-character separator in front of it
            strQBTEMP = Left(strQBTEMP, j-2)
            strQ = strQBTEMP
        End If
    End If
End If
'#### End Split me at my V #####
The script above takes all the data between two defined points.
In this case, between q= and v=, which will be the same as
strQ = Request.QueryString("q")
You might have a faster, better idea which is good.
I used this to split my decoded URL.
You can add the above script to as many variables as you need.
This is one of my oldest code pieces and, like I said, newer, faster methods may be available.
Anyway, we now have our POST encoded string back into a variable we can work with.
Next we need to double check and triple check our decoded string.
The nice thing is that the POST query string would not work if someone added characters to the mix; remember, it had to reverse itself. If the q= and v= were not found, the decode would need a function to handle the issue. I will show how to report this as a poisoned querystring and redirect.
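As an added example (not the original article's code), the split above can be wrapped in one function that also tells the caller when a marker is missing, so the request can be rejected instead of processed. ExtractBetween, the sample strings and the "&" separator are assumptions made for illustration; the code goes inside <% %> on a Classic ASP page.

```vbscript
' Added example. ExtractBetween and the sample strings below are
' hypothetical; they are not part of the original article's code.

' Returns True and sets strOut to the text between strStart and strEnd.
' Returns False (strOut = "") when either marker is missing or nothing
' usable lies between them, so the caller can reject the request.
Function ExtractBetween(ByVal strIn, ByVal strStart, ByVal strEnd, ByRef strOut)
    Dim iStart, iEnd, strTail
    ExtractBetween = False
    strOut = ""

    ' Last occurrence of the start marker, as in the article's script
    iStart = InStrRev(strIn, strStart)
    If iStart = 0 Then Exit Function

    ' Everything after the start marker
    strTail = Mid(strIn, iStart + Len(strStart))

    ' 0 = end marker missing; 1 or 2 = no value before the separator,
    ' and Left(strTail, iEnd - 2) would get a length below 1
    iEnd = InStr(strTail, strEnd)
    If iEnd < 3 Then Exit Function

    ' Drop the one-character separator in front of the end marker
    strOut = Left(strTail, iEnd - 2)
    ExtractBetween = True
End Function

' Constructed samples standing in for the decoded strQ from the article.
' The "&" separator is an assumption.
Dim arrSamples, i, strValue
arrSamples = Array("q=widgets&v=https://example.test", _
                   "x=1&v=https://example.test", _
                   "q=v=")

For i = 0 To UBound(arrSamples)
    If ExtractBetween(arrSamples(i), "q=", "v=", strValue) Then
        Response.Write "q = " & Server.HTMLEncode(strValue) & "<br>"
    Else
        ' On a live page: log the request, then Response.Redirect
        ' to an error page instead of writing a message.
        Response.Write "poisoned querystring rejected<br>"
    End If
Next
```

Only the first sample yields a value (widgets); the other two are rejected because q= is absent or nothing sits between the markers.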
Next up, Adding a Checksum to Length of your query string.
Notice that I'm using a form GET so you can create the querystring.
This method is for internally created server-side querystrings which, once put together, cannot be edited or the page will simply redirect. I'll be more detailed in the ASP SQL Injection Code Page.