%2B decoding to a space instead of a plus

▼魔方 西西 提交于 2019-12-13 17:19:57

问题


We have a problem in a specific server. All plus signs posted to the application are replaced with spaces - that's in POST and GET, and on all pages on that site.
As a test case I have this little page (it's an ASP server):

<html>
<body>
  <form method="post">
    <input type="text" name="Plus" id="Plus" />
    <input type="submit" />
  </form>
  Previous Value: <%= request("Plus") %><br />
  Query String: <%= request.querystring %>
</body>
</html>

On every other server this works well, but on one server pluses are replaced with spaces.
Example: for the input "1 2+3" - request("Plus") is "1 2 3", and the Query String is "1+2+3". No good. Other characters seem to be decoding correctly.
It should be said someone had tried to 'harden' this server against attacks, so obscure IIS options may be turned on (though we did remove the ISAPI filter).
Thanks.


UPDATE: It turns out there's another filter installed, the SQL Injection Filter ISAPIClipSQLInjection.dll from http://www.codeplex.com/IIS6SQLInjection .
The filter is buggy - it replaces valid characters from POST and GET:

  1. Plus signs are replaced with spaces: "1%2B2" -> "1+2", same as "1 2"
  2. Semicolons are replaced with Commas: "hello;" -> "hello,"

A newer version of the filter (2.0b) does not fix this, but allows to exclude certain pages. Since it is installed in production we decided not to remove the filter, we used javascript to change all pluses to "&#43 " (with space and not a semicolon).
Not the optimal solution, but that's what the boss wanted.


回答1:


Consider Ascii Code. In the place of a plus sign use its ascii code.It would be chr(43). Both asp and sql would understand this.

here is a table with all ascii codes. http://www.asciitable.com/



来源:https://stackoverflow.com/questions/846934/2b-decoding-to-a-space-instead-of-a-plus

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!