Advanced SQL injection in SQL Server applications

Source: Internet
Author: User
Introduction:
SQL is a structured query language for interacting with relational databases. There are many dialects, but most of those in common use are loosely based on SQL-92, the most recent ANSI standard. The typical unit of execution is the query, which collects the records that match some criteria and returns them as a single result set. The SQL language can modify the database structure (data definition language) and manipulate the database content (data manipulation language). In this document we discuss in particular the Transact-SQL dialect used by SQL Server.
When an attacker is able to insert a series of SQL statements into a query by manipulating the data fed into the application, we call this technique SQL injection.

A typical SQL statement is as follows:
select id, forename, surname from authors
This statement returns the id, forename and surname columns of all rows in the authors table. The result can be restricted, for example:
select id, forename, surname from authors where forename = 'john' and surname = 'smith'
Note that the string literals 'john' and 'smith' are delimited by single quotes. Assuming the forename and surname fields are populated from user-supplied input, an attacker can inject SQL statements into the query by entering values such as the following.
As follows:
Forename: jo'hn
Surname: smith
The query statement becomes:
select id, forename, surname from authors where forename = 'jo'hn' and surname = 'smith'
When the database attempts to execute the query, it returns the following error:
Server: Msg 170, State 1, Line 1
Line 1: Incorrect syntax near 'hn'
The reason is that the inserted single quote closes the string delimited by quotes; the database then tries to execute 'hn' as SQL and fails. If the attacker instead provides input such as:
Forename: jo'; drop table authors--
Surname:
the result is that the authors table is deleted, for reasons we will discuss later.

It might seem that this problem can be solved by stripping single quotes from the input, or by escaping them in some way. This is possible, but there are several difficulties with that approach. First, not all user-supplied data are strings. If the user looks up an author by user ID, our query would look like this:
select id, forename, surname from authors where id = 1234
In this case an attacker can simply append SQL statements to the number, with no delimiter needed. Other versions of the SQL language use a variety of delimiters; in the Microsoft Jet database engine, for example, dates can be delimited with '#'. Second, escaping single quotes, while it seems possible, is not necessarily the answer, for reasons we will discuss later.

To illustrate, we use a simple ASP login page that accesses a SQL Server database and attempts to authenticate users of some fictional application.
This is the code for the form page, which lets the user enter a username and password:
<HTML>
<HEAD>
<TITLE>Login Page</TITLE>
</HEAD>

<BODY bgcolor='000000' text='cccccc'>
<FONT face='tahoma' color='cccccc'>
<CENTER><H1>Login</H1></CENTER>
<FORM action='process_login.asp' method=post>
<TABLE>
<TR><TD>Username:</TD><TD><INPUT type=text name=username size=100 width=100></TD></TR>
<TR><TD>Password:</TD><TD><INPUT type=password name=password size=100 width=100></TD></TR>
</TABLE>
<INPUT type=submit value='Submit'><INPUT type=reset value='Reset'>
</FORM>
</FONT>
</BODY>
</HTML>
Here is the code for process_login.asp, which handles the login:
<%@ LANGUAGE = JScript %>
<HTML>
<BODY bgcolor='000000' text='ffffff'>
<FONT face='tahoma' color='ffffff'>
<STYLE>
P    { font-size: 20pt !important }
FONT { font-size: 20pt !important }
H1   { font-size: 64pt !important }
</STYLE>
<%
// Writes debugging output when the submitted form carries debug=true
// (which also exposes the assembled query to whoever sets that field).
function trace(str) {
    if (Request.Form("debug") == "true")
        Response.Write(str);
}

function Login(cn) {
    var username;
    var password;
    username = Request.Form("username");
    password = Request.Form("password");
    var rso = Server.CreateObject("ADODB.Recordset");
    // The query is built by concatenating the raw form fields into the SQL text.
    var sql = "select * from users where username = '" + username +
              "' and password = '" + password + "'";
    trace("query: " + sql);
    rso.Open(sql, cn);
    if (rso.EOF) {
        rso.Close();
%>
<FONT face='tahoma' color='cc0000'>
<H1>
<BR><BR>
<CENTER>ACCESS DENIED</CENTER>
</H1>
</BODY>
</HTML>
<%
        Response.End();
        return;
    }
    else {
        Session("username") = "" + rso("username");
%>
<FONT face='tahoma' color='00cc00'>
<H1>
<CENTER>ACCESS GRANTED<BR>
<BR>
Welcome,
<%
        Response.Write(rso("username"));
        Response.Write("</BODY></HTML>");
        Response.End();
    }
}

function Main() {
    // Set up the database connection
    var username;
    var cn = Server.CreateObject("ADODB.Connection");
    cn.ConnectionTimeout = 20;
    cn.Open("localserver", "sa", "password");
    username = new String(Request.Form("username"));
    if (username.length > 0) {
        Login(cn);
    }
    cn.Close();
}

Main();
%>
The problem lies in the part of process_login.asp that builds the query:
var sql = "select * from users where username = '" + username + "' and password = '" + password + "'";
If the user enters the following:
Username: '; drop table users--
Password:
the users table in the database will be deleted, denying all users access to the application. In Transact-SQL, '--' comments out the rest of the line, and ';' marks the end of one query and the start of another. The '--' at the end of the username field is required to terminate this particular query without returning an error.

An attacker can log on as any user whose name they know by supplying input such as:
Username: admin'--
An attacker can log in as the first user in the users table with the following input:
Username: ' or 1=1--
More unusually, an attacker can log in as a completely fictional user with the following input:
Username: ' Union select 1, ' Fictional_us
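The login query above, assembled by string concatenation, beside its parameterized replacement, as an added example that is not part of the original article. It is Python with sqlite3 standing in for SQL Server (an assumption: both delimit strings with single quotes and treat '--' as a line comment), and the users rows are constructed sample data.

```python
import sqlite3

# Assumption: sqlite3 stands in for SQL Server; the quote-delimiting and "--"
# comment behaviour the article relies on is the same in both.
SCHEMA = [
    "create table users (id integer primary key, username text, password text)",
    "insert into users values (1, 'admin', 's3cret')",   # constructed sample rows
    "insert into users values (2, 'alice', 'wonder')",
]

def fresh_db():
    """Return a new in-memory database populated with the sample rows."""
    cn = sqlite3.connect(":memory:")
    for stmt in SCHEMA:
        cn.execute(stmt)
    return cn

def login_concat(cn, username, password):
    """Mirror of process_login.asp: the query text is assembled from the form
    fields, so whatever the user typed is parsed as SQL. Returns the matched
    username, or None if the recordset is empty (ACCESS DENIED)."""
    sql = ("select * from users where username = '" + username
           + "' and password = '" + password + "'")
    row = cn.execute(sql).fetchone()
    return row[1] if row else None

def login_param(cn, username, password):
    """Hardened form: placeholders send the values to the engine separately
    from the SQL text, so quotes and '--' in the input are data, not syntax."""
    sql = "select * from users where username = ? and password = ?"
    row = cn.execute(sql, (username, password)).fetchone()
    return row[1] if row else None

def compare(username, password):
    """Run the same credentials through both variants on fresh databases and
    return (concatenated result, parameterized result)."""
    return (login_concat(fresh_db(), username, password),
            login_param(fresh_db(), username, password))

if __name__ == "__main__":
    # The inputs from the article: a real login, then the two bypass strings.
    for u, p in [("alice", "wonder"), ("admin'--", ""), ("' or 1=1--", "")]:
        print(repr(u), "->", compare(u, p))
```

The concatenated variant grants access for both bypass strings (as the first user for the 1=1 case), while the parameterized variant only ever matches a genuine username and password pair.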