In-depth analysis of SQL Injection principles (1)

Source: Internet
Author: User
Tags: html, form, input

[Bkjia.com exclusive article] Injection attacks against Web applications have been around for a long time. Common variants include SQL injection, command injection, and, more recently, XPath injection. This article takes SQL injection as its example and explains the attack principle in depth at the source-code level.

I. Principles of injection attacks

The root cause of injection attacks is that the program makes no clear distinction between program commands and user data, that is, user input. This gives an attacker the opportunity to submit program commands to the Web application disguised as user-input data, and so to issue whatever commands they wish.

To launch an injection attack, the attacker mixes into ordinary input "data" that will be interpreted as a command. To succeed, three things must be done:

1. Determine the technology used by the Web application

Injection attacks are tied to the particular language, database, or platform behind the application, but that technology can usually be identified by targeted reconnaissance or simply by trying likely candidates one by one. To determine the technology in use, attackers can inspect the footer of a Web page, examine error pages, read the page source, or run scanners such as Nessus.

2. Determine all possible input methods

Web applications accept user input in many ways. Some are obvious, such as HTML forms; others are less so: hidden HTML form fields, HTTP headers, cookies, and even background AJAX requests that the user never sees. In general, every parameter of every HTTP GET or POST request should be treated as user input. A Web proxy such as Burp helps enumerate all of an application's inputs.

3. Find user input that can be used for injection

Having enumerated all the inputs, the attacker filters them to find the ones through which commands can be injected. This may seem difficult, but one tip helps: pay close attention to the application's error pages. They often give away more than expected, for example a database error message that echoes part of the failed query.

II. SQL Injection principles

That was a general account of injection attacks. The following uses SQL injection as an example to give the reader a concrete understanding of them; the principle is the same for the other kinds of injection.

SQL injection allows an attacker to bypass the authentication mechanism and take complete control of the database on a remote server. SQL is short for Structured Query Language, the de facto standard for database access, and almost every Web application uses an SQL database in the background to store its data. Like most languages, SQL syntax allows database commands to be mixed with user data, and if developers are not careful, user data may be interpreted as commands. A remote user can then not only supply data to the Web application but also execute arbitrary commands on the database.

III. Bypassing User Authentication

Here we examine a simple Web application that requires user authentication. Assume that the application provides a login page on which the user enters a username and password. The browser sends them in an HTTP request, and the Web application then checks whether the submitted username and password match a username and password stored in the database. This requires a table in the SQL database, which can be created with the following SQL statement:

CREATE TABLE user_table (id INTEGER PRIMARY KEY, username VARCHAR(32), password VARCHAR(41));

The preceding SQL creates a table with three columns. The first column stores the user ID; once someone has authenticated, this value identifies the user. The second column stores the username, up to 32 characters long. The third column stores the password, or rather the hash of the password: storing passwords in plain text is far too dangerous, so a hash is stored instead. We use the SQL function PASSWORD() to compute the hash; in MySQL its output is a 41-character string, hence VARCHAR(41). (MySQL's PASSWORD() was intended for the server's own account table rather than for application passwords; it was deprecated in MySQL 5.7 and removed in 8.0, and a real application should use a dedicated password-hashing function instead. The article keeps it for simplicity.)

To authenticate a user, the submitted username and password are compared with the rows in the table. If a row's username and password exactly match the user's input, the user is authenticated and receives the id of that row. If the user supplied the username lonelynerd15 and the password mypassword, the query that looks up the user's ID is:

SELECT id FROM user_table WHERE username='lonelynerd15' AND password=PASSWORD('mypassword')

If the user exists in the table, the query returns that user's id, meaning the user is authenticated; otherwise it returns no rows, meaning the user is not authenticated.

The following Java servlet code handles the login. It takes the username and password from the user's request and authenticates the user with an SQL query (req is the servlet request object and stmt a java.sql.Statement):

    String username = req.getParameter("username");
    String password = req.getParameter("password");
    // The query text is assembled by string concatenation, so whatever the
    // user typed becomes part of the SQL that the database parses.
    String query = "SELECT id FROM user_table WHERE " +
                   "username='" + username + "' AND " +
                   "password=PASSWORD('" + password + "')";
    ResultSet rs = stmt.executeQuery(query);
    int id = -1; // -1 implies that the user is unauthenticated.
    while (rs.next()) {
        id = rs.getInt("id");
    }

The first two lines obtain the user's input from the HTTP request, and the next statement builds the SQL query from it. The query is executed and its result read in the while loop: if a row matched the username and password pair, the correct id is returned; otherwise id stays -1, meaning the user is not authenticated. On the surface, then, a user is authenticated exactly when the username and password match. But is that true? No! The attentive reader will have noticed that nothing here prevents the user's input from being interpreted as SQL, so an attacker can inject SQL into the username or password field and change the query. Look closely at how the query string is built:

    String query = "SELECT id FROM user_table WHERE " +
                   "username='" + username + "' AND " +
                   "password=PASSWORD('" + password + "')";

The code above assumes that the strings username and password are pure data. But an attacker can type whatever they like. Suppose the attacker enters as the username

' OR 1=1 --

and as the password

x

The query string then looks like this:

SELECT id FROM user_table WHERE username='' OR 1=1 -- ' AND password=PASSWORD('x')

The double dash (--) tells the SQL parser that everything to its right is a comment and is to be ignored (in MySQL the -- must be followed by whitespace, which the attacker's input supplies). The query is therefore equivalent to:

SELECT id FROM user_table WHERE username='' OR 1=1

This SELECT statement is quite different from the one before it. Its WHERE clause is now username='' OR 1=1, and because 1=1 is always true, every row satisfies it: the statement returns the id of every user in user_table. The while loop in the login code then overwrites id with each row in turn and finishes holding the last one, so the attacker is logged in as that user without knowing any password. What the attacker put in the username field was not data but the SQL fragment ' OR 1=1 --.
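The following Python script is an added, runnable illustration of the attack just described; it is not code from the original article. It rebuilds user_table in an in-memory SQLite database, registers a PASSWORD() function that reproduces MySQL's 41-character hash so the article's queries can run unchanged, and runs the concatenated query from the Java servlet beside a parameterized version of the same login, which is the fix the article does not get to. The three user accounts and their passwords are constructed sample data, and the function names (open_db, build_query, login_concat, login_param, demo) are this example's own.

```python
import hashlib
import sqlite3

# Added example, not the article's code. SQLite stands in for MySQL so the
# script runs offline; since SQLite has no PASSWORD() function, the MySQL
# 4.1+ algorithm ('*' followed by hex(SHA1(SHA1(pw))), 41 characters) is
# registered under that name so the article's queries can run verbatim.
def mysql_password(plain):
    inner = hashlib.sha1(plain.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

# Constructed sample accounts (ids, names and passwords are made up).
SAMPLE_USERS = [
    (1, "admin", "s3cret"),
    (2, "lonelynerd15", "mypassword"),
    (3, "guest", "guest"),
]

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("PASSWORD", 1, mysql_password)
    conn.execute("CREATE TABLE user_table (id INTEGER PRIMARY KEY, "
                 "username VARCHAR(32), password VARCHAR(41))")
    conn.executemany("INSERT INTO user_table VALUES (?, ?, PASSWORD(?))",
                     SAMPLE_USERS)
    return conn

def build_query(username, password):
    """Same string concatenation as the article's Java servlet code."""
    return ("SELECT id FROM user_table WHERE "
            "username='" + username + "' AND "
            "password=PASSWORD('" + password + "')")

def ids_returned(conn, username, password):
    """Every id the concatenated query returns, in result-set order."""
    return [row[0] for row in conn.execute(build_query(username, password))]

def login_concat(conn, username, password):
    """Vulnerable login: like the Java while loop, id is overwritten on each
    row, so when several rows come back the last one wins."""
    uid = -1
    for row_id in ids_returned(conn, username, password):
        uid = row_id
    return uid

def login_param(conn, username, password):
    """Hardened login: placeholders send username and password as data,
    so a quote or comment marker inside them is matched literally, never
    parsed as SQL."""
    uid = -1
    rows = conn.execute(
        "SELECT id FROM user_table WHERE username=? AND password=PASSWORD(?)",
        (username, password))
    for (row_id,) in rows:
        uid = row_id
    return uid

# The article's payload. MySQL only treats "--" as a comment when whitespace
# follows it, so the payload ends with a space.
PAYLOAD = "' OR 1=1 -- "

def demo():
    conn = open_db()
    return {
        "valid": login_concat(conn, "lonelynerd15", "mypassword"),
        "wrong_password": login_concat(conn, "lonelynerd15", "nope"),
        "injected_ids": ids_returned(conn, PAYLOAD, "x"),
        "injected": login_concat(conn, PAYLOAD, "x"),
        "injected_param": login_param(conn, PAYLOAD, "x"),
        "valid_param": login_param(conn, "lonelynerd15", "mypassword"),
    }

if __name__ == "__main__":
    print(build_query(PAYLOAD, "x"))
    for name, value in demo().items():
        print(name, value)
```

Running it shows the legitimate login returning id 2, the injected username returning all three ids with the last one (3, the guest account) winning in the loop, and the parameterized query returning -1 for the same payload, because the placeholder keeps the quote and the comment marker inside the data rather than in the SQL text. The Java equivalent of login_param is a java.sql.PreparedStatement with setString() for each placeholder instead of string concatenation.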

