ASP SQL Injection Part I - Encode and Decode
In the introduction page (or novel, if you read it completely) I talked about encoding and decoding GET and POST commands before your SQL kicks in.
We have all kinds of methods, and some of them were created to capitalize on select APIs that claimed you couldn't capitalize on them. I'll explain.
O_ od_ le is a flea-market type of website that used a very long URL encoding method to deter people from, let's say, copying the pages.
They even stated it in their own Terms Of Service and claimed to ban those that violated their Terms.
The fun part of this is they scraped other sites for content and then encoded it so it looked just like it was their own original content. Don't quote me on this, but I still have some old code that shows scraping was its number one method of publishing.
Anyway, what I did was take the 2,000+ character URL, split it up into 250-character strings, encode each so it was safe to store in SQL Server, and link them by a table ID.
Basically you could copy and then re-index their complete website from one SQL table using a simple HTTP scraper script. I think things have changed today, but years ago scraping was very much the trend and I hated my shopping sites being scraped. I didn't mind the shopping cart scraping site (I forget the name, but the API was great); I think I stopped using it after it became a pay-for-spotlight site.
Anyway, if I offer tips on how I did things it is only because I did them before they were in fashion or before the TOS was updated to say I couldn't do them. Indeed.com didn't like the way I took their "Start" "End" page and then created a function that simulated a paginated index.
Back in 2012, when they took my balance and asked me to go away, the script came from a single line in their own API that had a number; I took that number, divided by the limit query and made "Next 10" type buttons. The person over in the UK that runs the show on affiliates thought I was downloading the full website. I thought she was really stupid to think that with a page load of 20ms. How could I download 5,000,000 jobs in 20ms? Unless their numbers are off. (Don't ask, but I will show those scripts as well in my ASP API sections.)
Let's get to the Encode / Decode.
First up is our Native services.
Function URLEncode(str)
    URLEncode = Server.URLEncode(str)
End Function
Sorry, there is no native decode, but here's a script you can find via the Google Search Index.
Function URLDecode(sConvert)
    Dim aSplit, sOutput, I
    If IsNull(sConvert) Then
        URLDecode = ""
        Exit Function
    End If
    ' convert all pluses to spaces
    sOutput = Replace(sConvert, "+", " ")
    ' next convert %hexdigits to the character
    ' (assumes every "%" is followed by exactly two hex digits; a bare "%" breaks this loop)
    aSplit = Split(sOutput, "%")
    If IsArray(aSplit) Then
        sOutput = aSplit(0)
        For I = 0 To UBound(aSplit) - 1
            sOutput = sOutput & _
                Chr("&H" & Left(aSplit(I + 1), 2)) & _
                Right(aSplit(I + 1), Len(aSplit(I + 1)) - 2)
        Next
    End If
    URLDecode = sOutput
End Function
The above script is from ASPNUT.Com which is linked here in my best supporting efforts.
The reason I used their script in this example is that one of mine has a few subs which do not mix well at this point. But not to worry, when it comes time to show a few tricks I have other decoders that change a few things beforehand.
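To show what the Split-on-"%" loop above does and does not handle, here is an added Python example (not code from the original post or from ASPNUT). naive_url_decode is a straight port of the VBScript loop, defects included; url_decode does the same job but keeps a "%" that is not followed by two hex digits literally instead of failing, and reassembles multi-byte UTF-8 escapes into one character. The sample inputs are constructed for the demonstration.

```python
import re

# Hypothetical helper names; constructed to mirror the VBScript URLDecode above.
_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")   # one "%XX" escape


def naive_url_decode(s: str) -> str:
    """Straight port of the Split-on-'%' loop: every '%' must be followed by two hex digits."""
    out = s.replace("+", " ")                 # step 1: pluses to spaces (done before %XX, so %2B stays a plus)
    parts = out.split("%")
    out = parts[0]
    for chunk in parts[1:]:
        # int("", 16) and int("zz", 16) raise ValueError, exactly where Chr("&H" & ...) would misbehave;
        # each %XX becomes one Latin-1 character, so UTF-8 pairs come out as two garbage characters.
        out += chr(int(chunk[:2], 16)) + chunk[2:]
    return out


def url_decode(s: str) -> str:
    """Same decoding, but never raises: bad escapes stay literal, UTF-8 sequences become one character."""
    raw = s.replace("+", " ").encode("utf-8")                         # step 1: pluses to spaces
    decoded = _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), raw)   # step 2: %XX -> the byte it names
    # step 3: reassemble bytes as UTF-8; an invalid sequence becomes U+FFFD rather than an exception
    return decoded.decode("utf-8", errors="replace")


def decodes_cleanly(decoder, s: str) -> bool:
    """True if the decoder returns a value for s, False if it raises on the input."""
    try:
        decoder(s)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("a+b%21", "caf%C3%A9", "100%", "%zz%41"):     # constructed inputs
        print(repr(sample), "->", repr(url_decode(sample)),
              "| naive ok:", decodes_cleanly(naive_url_decode, sample))
```

Run it and compare the two columns: the naive port is fine for well-formed ASCII input but stops on "100%" and turns "caf%C3%A9" into four characters, while url_decode returns a usable string for every sample.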
Now that you have URLEncode and URLDecode, we need to put them into good working order with another encode and decode method.
Cypher, Cipher, Cryptography, Cryptographic, Cryptology, Crypto you got to love it or it's going to drive you nuts.
One quick story: I had a SQL database programmer tell me his encoding was impossible to break. Well, I took one look and laughed, then spent 20 minutes, coded a function and asked him to copy and paste any part of his encoded database into my decoder.
This was a medical records company claiming to be HIPAA compliant; now they have changed the wording on their disclaimer to say, "A very advanced programmer can decode...", which made me smile because their DB, which they didn't allow customers to export, can not be exported to Excel or Calc with a simple VB Script.
Why did I share that story? Because your encode and decode can be reverse engineered if a person really wants to do it. So let's just keep things open and honest so we can do our jobs easier.
Encoding using a character offset. (I like this for the speed, and it's easy.)
Function EncodeOffSet(str)
    Dim str1, str2, I
    str1 = Trim(str)
    str2 = ""
    For I = 1 To Len(str1)
        str2 = str2 & Chr(Asc(Mid(str1, I, 1)) - 1)   ' shift every character code down by one
    Next
    str2 = Replace(str2, "`", "(MnW)") 'Google does not like that character in some apps.
    EncodeOffSet = str2
End Function
That's it, simple, one character offset.
Try it, you'll like it.
http:// = gssor$2@$1E$1E(MnW) or was it https:// = gssor$2@$1E$1E(MnW) or is it something like q=https:// ??? it's looking really fun now isn't it?
Now that we have encoded your first URL, I have to tell you the facts of URL encoding.
First URLEncode, then encode the URL.
strENCoded = EncodeOffSet(URLEncode(str))
You will need to do your Server.URLEncode before you run your Cypher Encode, which only you and I know today as ASC offset by -1.
Now go forward and start encoding all your strings, no matter how many variables you have in them. I really mean it, encode everything, from v=123&b=123&c=1234 to that silly 2,000+ character URL, which encodes easily into 250-character rows to be used later as a link back.
Next on the To Do list is "How do I extract my QueryStrings from this ENCode method after I DECode the ENCoded string?"
I can't use Request.QueryString anymore, because I used that to DECode the ENCoded string.
This is where creative programming begins.
See you in the next article, "ASP Classic QueryString's that Split"
Here's the Decode function:
Function DecodeOffSet(str)
    Dim str5, I
    str5 = ""
    str = Replace(Trim(str), "(MnW)", "`") 'put the backtick back first; Google does not like that character in some apps.
    For I = 1 To Len(str)
        str5 = str5 & Chr(Asc(Mid(str, I, 1)) + 1)   ' shift every character code back up by one
    Next
    DecodeOffSet = str5
End Function
The only thing that changes is the offset: +1 on the way back instead of -1. Easy and clean.
Notice that I'm using a form GET so you can create the querystring.
This method is for internally created server-side querystrings which, once put together, cannot be edited or the page will simply redirect. I'll be more detailed in the ASP SQL Injection Code Page.