SQL Injection for Security Test sharing

Security testing is a process in which confidential data is kept confidential and users can only perform operations within the authorized scope.

For example:
A confidential content is not exposed to unauthorized individuals or user entities
User B cannot unilaterally block a function of the website.

What are the security testing aspects?

SQL Injection (SQL Injection)

Cross-site script (XSS)

CSRF (cross-site forgery request)

URL jump

Directory Traversal (Directory Traversal)

Email Header Injection (mail Header Injection)

Exposed error messages (error message)

 

SQL Injection is called an SQL command implant attack, which describes an action to attack an application by writing Special SQL code.

You can submit a piece of database query code and obtain the desired data based on the results returned by the program. This is the so-called SQL Injection, that is, SQL Injection.

How to determine the existence of SQL Injection

In general, SQL Injection usually exists on URL pages with parameters passed
Example: HTTP: // xxx. xxx. xxx/abc. asp? Id = XX

Sometimes there may be only one parameter in a dynamic webpage, and sometimes there may be N parameters, sometimes Integer Parameters, and sometimes string parameters, which cannot be generalized. In short, as long as a dynamic webpage with parameters and the webpage accesses the database, there may be SQL injection.
Example: search a page
Logon page
Submit a comment page.

 

Judgment process:

URL with parameters passed:
Http://aipai.163.com/s/trade/orderDetail? OrderId = 183004
The SQL statement used to submit a query is as follows:
Select * from orderwhere id = 183004.
Test whether SQL Injection exists:
1. Add a single quotation mark: 'http: // ..ail.htm? Oid = 183004
Query SQL: select * from orders where id = 183004 'running exception
2, additional "and 1 = 1" http://...ail.htm? Oid = 183004and 1 = 1,
Query SQL: select * from orders where id = 183004and 1 = 1 running normally
3, additional "and 1 = 2" http://...ail.htm? Oid = 183004and 1 = 2,
Query SQL: select * from orders where id = 183004and 1 = 2 running exception
If the preceding three steps are fully met, the SQL injection vulnerability exists.

How to test SQL injection?

For parameters that are not clearly identified in the URL, you can view the parameters in the HTML source code
To identify whether there is any parameter transfer.

Note: Each parameter transfer between the <FORM> and </FORM> labels may be exploited.
<Form action = http://www.bkjia.com "method =" get ">
<Div>
<Lab <input type = "text" name = "yourname" value = "/>
El> User Name </label>
<Label> password </label>
<Input type = "password" name = "yourpwd" value = ""/>
<Input type = "submit" value = "submit">
</Div>
</Form>
Common SQL Injection statements

The following statements can be used for an SQL injection request:

The name of the connected database and db_name ()> 0 is returned.
The function is to obtain the connection username and user> 0
Back up the database to the Web directory; backup database name to disk = 'C: \ inetpub \ wwwroot \ 1. db ';--
Show the SQL System VERSION and 1 = (select @ version) or and 1 = convert (int, @ VERSION )-
'Or 1 = 1 --
"Or 1 = 1 --
Or 1 = 1 --
'Or 'A' = 'a
"Or" a "="
') Or ('A' = 'a

How to Prevent SQL injection?

From the application perspective, we need to do the following three tasks:
1. Escape sensitive characters and strings. SQL sensitive characters include:
"Exec", "xp _", "sp _", "declare", "Union", "cmd", "+ ","//",".. ","; "," '"," -- "," % "," 0x ","> <=! -*/() | ", And" space ").
2. Blocking error messages: prevent attackers from knowing the attack results.
3. Validity of submitted data before the server officially processes the data (data type, data length, and sensitive character verification)

From the tester's point of view, we should consciously check the security before the program development (that is, the demand stage ).
Check the application to the requirement test. For example, when a form requirement is checked, we generally check the following security items:
Problem:
1. the type, length, and value range of a FIELD in the form should be described as required (the main function is to prohibit the input of sensitive characters)
2. The requirement should indicate that if the type, length, and value range specified in the form are exceeded, the application should not
Error message containing any code or database information.
Of course, during the test, we also need to test the above two items.