by   December 20 2014   
The ASP SQL Injection Intro and ASP SQL Encode - Decode articles are finished, so now we enter the room and look around to find the QueryString Var Split function. This is how you take your SQL injection protection to the next level. I haven't started the salting process, to keep it simple, but it's coming soon. Next we need to split the var carefully so we don't spend the holidays debugging.

ASP Classic QueryStrings that Split

You might be thinking, "Murray has lost his mind. Why in the world do you do so much to one querystring?"

When I get to the "HackOMania" section you'll know, but until then just keep quiet, do the functions and remember the process.

  1. URL Encode
  2. Encode
  3. Decode
  4. URL Decode

Simple. 

Now we have something that looks like /default.asp?v=gssor$2@$1E$1E(MnW)

What can we do next?

Oh, we decode it. 

So now we have a QueryString("v") that gives us gssor$2@$1E$1E(MnW)

Then we decode that and we see v=https:// less the (MnW), which I do believe is the ` character we replaced in the ASP SQL Encode - Decode article.

Now we pass this information. 

Dim strQ

strQ = Request.QueryString("v")

strQ = URLDecode(EncodeOffSet(strQ))

Next we have to split out each of our known strings and skip anything that isn't ours (SQL injection).

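'######### Split me at my V ###############
' strQ was already declared and decoded above, so it is not Dim'd again
' (a second Dim of the same name raises "Name redefined").
Dim strQBTEMP, j
If InStr(strQ, "q=") > 0 Then
    ' Keep everything after the last "q="
    j = InStrRev(strQ, "q=")
    If j > 0 Then
        strQBTEMP = Mid(strQ, j + 2)
    End If
    ' Cut at "v=", also dropping the separator character in front of it
    j = InStr(strQBTEMP, "v=")
    If j > 1 Then
        strQBTEMP = Left(strQBTEMP, j - 2)
    ElseIf j = 1 Then
        strQBTEMP = ""   ' "v=" follows "q=" directly, so q is empty
    End If
End If

' strQ ends up empty when "q=" was not found
strQ = strQBTEMP
'#### End Split me at my V #####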

The script above takes all the data between two defined points.
In this case that is between q= and v=, which gives the same result as

strQ = Request.QueryString("q")

You might have a faster, better idea which is good. 
I used this to split my decoded URL. 

You can add the above script to as many variables as you need. 
This is one of my oldest pieces of code and, like I said, newer, faster methods may be available.

Anyway, we now have our POST encoded string back into a variable we can work with.

Next we need to double check and triple check our decoded string.
The nice thing is that the POST query string would not work if someone added characters to the mix; remember, it had to reverse itself. If the q= and v= were not found, the decode would need a function to handle the issue. I will show how you report this as a poisoned querystring and redirect.
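As an added example (not code from the original article), here is one way to generalize the split to any number of known variables and fail closed when a key is missing, repeated or not ours. The function names, the ALLOWED_KEYS list and the sample strings are assumptions made for illustration, and it assumes decoded values contain no literal "&".

```vbscript
Option Explicit

' Hypothetical list of the only variables this page expects.
Const ALLOWED_KEYS = "q,v"

' True only when key is exactly one of the expected names (case-sensitive).
Function IsAllowed(key)
    Dim name
    IsAllowed = False
    For Each name In Split(ALLOWED_KEYS, ",")
        If key = name Then IsAllowed = True
    Next
End Function

' Takes the already-decoded query string and returns a Scripting.Dictionary
' of key -> value, or Nothing when the string is poisoned.
Function SplitKnownVars(decoded)
    Dim result, pair, pos, key, name
    Set SplitKnownVars = Nothing
    Set result = CreateObject("Scripting.Dictionary")
    For Each pair In Split(decoded, "&")
        pos = InStr(pair, "=")
        If pos < 2 Then Exit Function                 ' no key or no "="
        key = Left(pair, pos - 1)
        If Not IsAllowed(key) Then Exit Function      ' a variable that is not ours
        If result.Exists(key) Then Exit Function      ' same key supplied twice
        result.Add key, Mid(pair, pos + 1)
    Next
    For Each name In Split(ALLOWED_KEYS, ",")
        If Not result.Exists(name) Then Exit Function ' expected key missing
    Next
    Set SplitKnownVars = result
End Function

' Constructed sample inputs, run with cscript. In an ASP page the poisoned
' branch would log the request and call Response.Redirect instead.
Dim vars, sample
For Each sample In Array("q=widgets&v=42", "q=widgets&v=42&x=1", "v=42")
    Set vars = SplitKnownVars(sample)
    If vars Is Nothing Then
        WScript.Echo sample & " -> poisoned querystring, redirect"
    Else
        WScript.Echo sample & " -> q=" & vars("q") & ", v=" & vars("v")
    End If
Next
```

The extracted values are still untrusted as far as the database is concerned, so hand them to the query as ADODB.Command parameters rather than concatenating them into the SQL text.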

Next up, Adding a Checksum to Length of your query string. 

 

  Example Page with Code

 

 Notice that I'm using a form GET so you can create the querystring. 

This method is for internally created server-side querystrings which, once put together, cannot be edited or the page will simply redirect. I'll be more detailed in the ASP SQL Injection Code Page.
