A SQL attack to get user information

This article is not a write-SQL injection attack, there is a SQL database vulnerability in addition to SQL injection attacks. The purpose of this article is primarily to allow developers to make sense of this security issue when building a website. This loophole is not too common, I will show this attack method, I hope you can lesson, timely to do the corresponding defense measures.

When registering a new user, the developer may run according to the following logic.

First check the user name password:

"SELECT *
From users
WHERE username= ' user name '

If the user name does not exist in the database, execute the following SQL statement
INSERT into users (username, password)
VALUES (' username ', ' password ')

The following is the authentication user's login information:

The Select username from users
WHERE username= ' user name '
and password= ' password ';
There is no security issue in this sense. There should be no mistakes.
But the truth is not what you think. An attacker could still log on to the system as any user.

Before attacking, let's start with a few points of attention.
During SQL execution, the space at the end of the string is deleted. For example, a string "Riyudeshui", in fact, the equivalent of "Ruyudeshui", most of the case is set up. For example, we use the following two SQL statements to query:

SELECT * from users WHERE username= ' Ruyudeshui ';
SELECT * from users WHERE username= ' Ruyudeshui ';

The returned data is the same. But there are also special cases. There is no much discussion here.

In all insert operations, SQL specifies the string length according to varchar (n), that is, when the actual string is larger than N, the first n characters are inserted. For example, we limit varchar (8). When we insert "Ruyudeshui", we do not insert the entire string, but we truncate it, inserting only the first 8 characters. Actually the characters inserted are "Ruyudesh", of course, there will be differences between different versions of MySQL, I try to be truncated in MySQL 5.5.2, but in MySQL version 5.0, you will be prompted to not insert the situation.

Here is a demonstration of the attack steps:

1. First create a table

CREATE TABLE Users (
Username varchar (20),
Password varchar (20)
);
Insert data:
INSERT into users
VALUES (' Ruyudeshui ', ' password1 ');

To demonstrate, check first
SELECT * from users
WHERE username= ' Ruyudeshui ';

The result is that the data is returned normally. Start the attack below:

In order to hack into a user's account and get information, only user name Ruyudeshui [lots of spaces] a ' is required.

and an arbitrary password to register it. The purpose of this is to bypass the user name check, because the user

The name query to a result set is empty and does not exist in the database.

The insertion process is then performed.

INSERT into users (username, password)
VALUES (' Ruyudeshui a ', ' password ');

The insert succeeds, we re-login the user, insert with the second username and password that we just inserted, and then execute the SQL statement.

SELECT * from users
WHERE username= ' Ruyudeshui ';

Haha, the original record was returned!

This will return two records, so that the attacker uses any user name plus a bunch of spaces, and then adds a string and any password to sign in. Can return all records of a user with the same prefix as this user name. This attack technique was successful under MySQL 5.5.2 and is said to be used under SQLite. The feeling can also be used in other situations.

When we are developing, we must pay attention to this kind of loophole, many times, the developer checks in the foreground, the user name cannot appear the space or the special character. I don't feel much sense. Because the attacker can register through post submission. However, this problem can be avoided if the ID is used as the primary key and is tracked by the program.

OK, I hope you can notice this problem, in the development process to prevent the leakage of information, after all, information security is very important drop.

Welcome forward OH.

: Liangnote
Weibo: Duck 5838
Blog: http://www.cnblogs.com/pangu/

A SQL attack to get user information