January 19, 2015

The XCtM QueryString SQL Injection check is a string-detection routine: a VBCompare of a character or string of characters. What makes it unique is that the encoding and decoding are designed so the comparison can be used within the SQL DB itself. We store known SQL injection strings in the database in encoded form, and the first function of every page checks any and all querystring values against those known injection strings.

XCtM QueryString Module handling.

When you start using VBCompare against SQL injection or hex querystrings, you often run into issues that the script's creator knows about but you don't.

It might be better to always encode and then compare, rather than just compare.

Here's part of the XCtM API that encodes every QueryString, compares it against known injection strings the way a virus check would, and then passes the decoded querystring to the proper functions.

This simple ASCII list will be your starting point for the floating offset.

!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

What I mean by floating is that each SQL injection word, phrase or line can be assigned its own offset, so no single offset will work across the full range of scans.

Hang on, this I will clear up in a minute. 

You can build on this by adding additional encoding or simply by adding a salt.

Each word can have its own offset, which will make guessing all that much more difficult.
In the examples you can see the same word using different offsets, so the encoding differs depending on the ASCII offset.

So what happens when you go outside the realm of the ASCII length?
<%=Len("!""#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~") %>

OK, you have the basics, but you could still be confused. Let me show you one example.

Starting with the SQL injection word:

TEST = SDRS OffSet = 1

TEST = RCQR OffSet = 2

TEST = QBPQ OffSet = 3

TEST = PAOP OffSet = 4

TEST = O@NO OffSet = 5

TEST = N?MN OffSet = 6

TEST = M>LM OffSet = 7

TEST = L=KL OffSet = 8

TEST = K<JK OffSet = 9

TEST = J;IJ OffSet = 10

TEST = I:HI OffSet = 11

and so on. 

This method can then be split into groupings of 5, 10, 15, 25, etc. to make it even more effective.

The encoded word is then matched to the querystring that is encoded.

Here are the encoders for this project:

strSQL_OffSet = 1 'use 1 to 36 or greater if you confirm your code
strSQLWord = MnWURLEncode(strSQLWord)
strSQLWord = MnWEncodeString(strSQLWord, strSQL_OffSet)

'URL-encode the word so it is compared in the same form the querystring arrives in
Function MnWURLEncode(str)
    MnWURLEncode = Server.URLEncode(str)
End Function

'Shift each character of stThis down by stOffSet ASCII positions.
'The offset must stay smaller than the distance of the lowest character from "!",
'otherwise the result drops out of the printable range (and Chr fails below 0).
Function MnWEncodeString(stThis, stOffSet)
    Dim Word1, Word2, I
    Word1 = stThis
    Word2 = ""
    'Find the ASCII code of each character and subtract the offset
    For I = 1 To Len(Word1)
        Word2 = Word2 & Chr(Asc(Mid(Word1, I, 1)) - CInt(stOffSet))
    Next
    MnWEncodeString = MnWEncodeIntoSQLDB(Word2)
End Function

'Double any single quote so the encoded word can be stored in the SQL DB
Function MnWEncodeIntoSQLDB(strF)
    Dim strCharC, strCharR
    strF = Trim(strF)
    MnWEncodeIntoSQLDB = ""
    If strF = "" Then
        Exit Function
    End If
    strCharC = "'"
    strCharR = "''"
    If InStr(strF, strCharC) <> 0 Then
        'Replace every occurrence (start 1, count -1) using a text compare (1)
        strF = Replace(strF, strCharC, strCharR, 1, -1, 1)
    End If
    MnWEncodeIntoSQLDB = strF
End Function

Note: If you use the code above be sure you edit to match your own specific code.
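As an added example (not the post's own code, and written in Python rather than the post's VBScript so it can be run anywhere), this implements the floating-offset scheme end to end: a per-word offset, wrap-around inside the 94-character printable set for the case the post asks about, and the substring check done in the encoded domain. The word list, offsets and query strings are constructed samples.

```python
from urllib.parse import quote_plus, unquote_plus
from typing import List

# Printable ASCII from '!' (33) to '~' (126): the post's 94-character set.
ALPHABET = "".join(chr(c) for c in range(33, 127))


def shift_encode(text: str, offset: int) -> str:
    """Shift each printable character down by `offset`, as the post's
    MnWEncodeString does with Asc/Chr, but wrap around inside ALPHABET so the
    result never leaves the set. Other characters pass through unchanged."""
    out = []
    for ch in text:
        idx = ALPHABET.find(ch)
        out.append(ch if idx < 0 else ALPHABET[(idx - offset) % len(ALPHABET)])
    return "".join(out)


def shift_decode(text: str, offset: int) -> str:
    """Inverse of shift_encode: shift up by the same offset."""
    return shift_encode(text, -offset)


def build_signature(word: str, offset: int) -> str:
    """URL-encode the word (the post's MnWURLEncode step), then shift it.
    This encoded form is what the post keeps in its database."""
    return shift_encode(quote_plus(word), offset)


# Constructed stand-in for that database: every word carries its own
# ("floating") offset, so no single shift decodes the whole list.
KNOWN_BAD = [
    (build_signature(word, offset), offset)
    for word, offset in [("TEST", 9), ("UNION", 4), ("' OR 1=1", 12), ("xp_cmdshell", 40)]
]


def find_injection(raw_query_string: str) -> List[str]:
    """Return the known words found in a query string as received from the
    client. It is URL-decoded and re-encoded first so the comparison uses the
    same canonical form the signatures were built with."""
    canonical = quote_plus(unquote_plus(raw_query_string))
    hits = []
    for signature, offset in KNOWN_BAD:
        # Encode the query string with this word's own offset and do the
        # substring check (the VBScript InStr step) in the encoded domain.
        if signature in shift_encode(canonical, offset):
            hits.append(unquote_plus(shift_decode(signature, offset)))
    return hits
```

The comparison is case-sensitive, like the VBScript InStr default, so the list needs each casing you want caught or the query string must be normalised before encoding.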

If you're a .NET or PHP developer this is easy to read and should work just fine for you.

The next step is to decode the hex (0x) attack strings, which I'll get to in a day or so.

The encode examples of forward encoding where all strings are encoded and decoded no matter what and those that are only encoded at th

Encoding and decoding really has two (2) options.

1. Encode and Decode every page. 

2. Encode and Decode only when needed. 

Because I use an API to do all the work, I encode afterwards most of the time, but I do use the encode-then-decode process when I need to or when I would like Google to index my encoded querystrings for better bookmarking.
