LINQ-"No-ignore hole policy" for SQL Injection"

Editor's note: I wanted to convert traditional Chinese to traditional Chinese. After that, I can see that the images are also traditional Chinese.

Author:Yan zhongcheng

A bunch of Mass SQL Injection attacks, let us back to the SQL Injection attack a few years ago, many years later today, we are still stuck in the same danger. This article describes the history, cause, solution, and optimization methods of SQL Injection, the author introduces a brand-new and more secure anti-blocking SQL Injection policy.

What is SQL Injection?

SQL Injection, medium refers to SQL Injection, and even better known is [resource Injection attack ], it refers to the creation of web application applications by developers. It is a convenient idea for developers to develop online applications at a time or according to the previous written programming method. Several years ago, a large-scale cyberattack triggered the protection of all website administrators and design engineers, A website is a public site exposed to everyone. Its security cannot be ignored! During that attack, thousands of websites were infiltrated by the same method. The leaked information and the loss of financial resources due to the intrusion were estimated, the origin is just the adequacy of programming and anti-DDoS, and we have all been part of it.

What is SQL Injection? In fact, it is very simple, that is, the inbound domain on the webpage (INPUT, such as text Injection box, or the query string in the URL ), send a specific SQL statement over the Internet to the Data Sheet row. Take a logon website as an example. When you log on to a website, we place two TextBox controls to allow users to enter the user ID and password, similar plane:

Lifecycle 1:

After the user presses the login button, we send the information they have received to the data warehouse to verify whether the user's login information is correct:

Using System; using System. configuration; using System. data; using System. web; using System. web. security; using System. web. UI; using System. web. UI. htmlControls; using System. web. UI. webControls; using System. web. UI. webControls. webParts; using System. data. sqlClient; public partial class _ Default: System. web. UI. page {protected void Page_Load (object sender, EventArgs e) {} protected void button#click (object sender, EventArgs e) {if (ValidateUser (TextBox1.Text, TextBox2.Text )) label1.Text = "welcome"; else Label1.Text = "Logon loss";} private bool ValidateUser (string userName, string password) {SqlConnection conn = new SqlConnection ("Data Source = JEFFRAY; Initial Catalog = Northwind; Integrated Security = True"); using (conn) {SqlCommand cmd = new SqlCommand ("select count (*) from users where USER_ID =" + userName + "and password =" + password + "", conn); conn. open (); return (int) cmd. executeScalar ()> 0 );}}}

When you write these programs, you have already opened the SQL Injection statement. When the user logs in, fill in the corresponding information, you can log on to the system no matter what the ID password is.

Limit 2:

Why? The reason for this itinerary is as follows:

SqlCommand cmd = new SqlCommand("SELECT COUNT(*) FROM USERS WHERE USER_ID = "                + userName + " AND PASSWORD = " + password + "", conn);

We use the methods commonly seen by the ASP administration to organize SQL commands and integrate users' tokens into the established SQL statement, however, explain ignores one important thing: users can inject arbitrary strings, including some SQL commands! After reading some SQL commands and micro-scripts, you can easily modify this SQL command, or even add another SQL command, our website is billed in full mode. The above statements will merge the entire SQL statement into the following:

Protocol 3:

After reading the lines that will inevitably come true, coupled with the explain solution of SQL, our website is exposed on the Internet. Today I am adding OR, if you add drop table and other brute-force commands, the website will worship you.

This kind of attack does not cause this kind of POST attack. The other kind of GET attack is often subject to the same attack, for example, the program below opens the SQL Injection large program.

using System;using System.Collections;using System.Configuration;using System.Data;using System.Linq;using System.Web;using System.Web.Security;using System.Web.UI;using System.Web.UI.HtmlControls;using System.Web.UI.WebControls;using System.Web.UI.WebControls.WebParts;using System.Data.SqlClient;public partial class QueryStringInjection : System.Web.UI.Page{    protected void Page_Load(object sender, EventArgs e)    {        if (!IsPostBack)        {            SqlConnection conn = new SqlConnection("Data Source=JEFFRAY;Initial Catalog=Northwind;Integrated Security=True");            using (conn)            {                SqlCommand cmd = new SqlCommand(        "SELECT * FROM Customers WHERE CustomerID = "+Request.QueryString["ID"]+”‘”, conn);                conn.Open();                DetailsView1.DataSource =                cmd.ExecuteReader(CommandBehavior.CloseConnection);                DetailsView1.DataBind();            }        }    }}

Insert the following into the URL:

Http: // localhost: 43236/FirstInjection/QueryStringInjection. aspx? ID = VINET 'OR 1 = 1-

Custom: http: // localhost: 43236 is the Port generated by your Web Development Server.

As a result, you will see ALFKI data columns other than CustomerID = "VINET", as shown below:

Lifecycle 4:

If someone is interested in inserting drop table or INSERT QueryString into the URL, any amount of information is divided or inserted into the intended ending Script (see the following Mass SQL Injection statement), and the result is unimaginable.

Custom Error Page Vulnerability not found

You should already know that ASP. the first security hand of the NET application program is the Custom Error Page function used by the hacker, so that customers cannot obtain the information they should not obtain through the preset webpage. If Custom Error Page is not used, then, the website may occur on your website:

Limit 5:

With these resources, the patience of the hacker should read through different characters to explore the entire SQL sentence, the best anti-blocking method is to use Custom Error Page to set:

Web. config

............... <CustomErrors mode = "On" defaultRedirect = "DefaultError.htm"> </customErrors> ............ omitted

Once used, the response is directed to DefaultError.html when it is generated. The result is as follows:

Limit 6:

Your website has the possibility of no SQL Injection.

OK. Is there any way to determine whether the current website is affected by SQL Injection statements? If you are a website manager, rather than a design engineer, then you only have a black box for the website based on the common website vulnerability detection tool, I don't remind you that most of the current website vulnerability detection tools are designed for PHP and ASP, and the vulnerabilities that can be exploited are limited, sometimes, even a secure website may cause negative comments because it has not been implemented (as described later.

If you are a program design engineer, there will be a lot of things to do. You just need to check whether SQL Injection exists in the part of the dynamic SQL statement, lifecycle 007 is a formula used to confirm whether SQL Injection exists in your program.

Lifecycle 7:

As long as your program contains SQL strings and user input values, the possibility of SQL Injection crisis on the Web page is 99.9% higher.

Ding Yi of the previous statement: the method to prevent SQL Injection

After thousands of website intrusion events have occurred, many data security experts have proposed various anti-indexing SQL Injection methods, of which four are similar to those of 008.

Listen 8: