A general method of protecting ASP system

Source: Internet
Author: User
Tags modify nets variables sql injection sql injection attack table name

While researching vulnerabilities I also wanted a way to fix them, and I have worked out an idea that is still immature.
I post it here for the experts to judge whether it is a good way to handle both known and unknown SQL injection vulnerabilities.
My own view is that this immature method can defeat most known and unknown SQL injection attacks, so that an intruder cannot obtain the password!
First, my analysis of how most SQL injection attacks work: the principle is nothing more than guessing the administrator's sensitive data, so the attacker has to know the administrator table name, the username column and the password column before he can make guesses such as
http://ip/art/list.asp?id=253 and 1=(select ID from admin where len(password)=10)
The condition in that request is true only if a password in admin is exactly 10 characters long, so the page either returns article 253 or it does not; that one bit per request is enough to recover the length and then, character by character, the password itself. And what is the biggest weakness of a free ASP system? Every installation stores its sensitive information in the same place!!
Now look at the injection above: if the attacker does not know that the administrators are stored in the table admin, how can he attack it? You can see it coming: the method I propose is to rename the table and update the ASP code to match, so that the intruder guesses until he coughs blood and still finds nothing! To be precise about what this buys: the injection itself is untouched, since id is still pasted straight into the query, so any statement that does not depend on the table name still runs; what the rename takes away is the predictable name that the guessing attack above relies on.
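To make the guessing attack concrete, here is an added example (not code from the article or from any ASP system it mentions) that simulates the vulnerable list.asp query and the blind probe against an in-memory SQLite database standing in for Access. The art and administrator tables, the credential secret1234 and the registered len() function are all constructed for the illustration. It runs the same probe against a stock install and against one where the table has been renamed, which is the situation the rename is meant to produce.

```python
import sqlite3

# Constructed stand-in for the Access database behind list.asp: an "art" table
# that the page legitimately queries and an administrator table holding the
# credentials an intruder wants. The administrator table name is a parameter
# so the same attack can be run before and after the rename.
def build_db(admin_table="admin"):
    conn = sqlite3.connect(":memory:")
    # Access has len(); SQLite does not, so register it to keep the page's
    # payload syntax unchanged.
    conn.create_function("len", 1, lambda s: None if s is None else len(s))
    conn.execute("create table art (id integer primary key, title text)")
    conn.executemany("insert into art values (?, ?)",
                     [(253, "first post"), (254, "second post")])
    conn.execute(f"create table {admin_table} "
                 "(id integer primary key, username text, password text)")
    # Constructed credential; its length (10) is what the probe will recover.
    conn.execute(f"insert into {admin_table} values (1, 'admin', 'secret1234')")
    return conn


def vulnerable_list(conn, id_param):
    """Mimics  sql = "select * from art where id=" & request("id")  with no
    validation: whatever arrives in ?id= is pasted straight into the statement."""
    sql = "select * from art where id=" + id_param
    return conn.execute(sql).fetchall()


def password_length_oracle(conn, table, max_len=32):
    """Attacker side of the probe in the text. The article row comes back only
    when the subquery yields 1, i.e. when the guessed length is right, so each
    request answers one yes/no question; the same trick then recovers the
    password one character at a time."""
    for n in range(1, max_len + 1):
        payload = f"253 and 1=(select id from {table} where len(password)={n})"
        if vulnerable_list(conn, payload):
            return n
    return None


def probe_fails(conn, table):
    """True when the probe cannot even start because the guessed table does not exist."""
    try:
        password_length_oracle(conn, table)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    stock = build_db()                    # table name as shipped: admin
    print("stock install, password length:",
          password_length_oracle(stock, "admin"))
    renamed = build_db("admin1234")       # after the rename described in the text
    print("renamed install, probing 'admin' fails:", probe_fails(renamed, "admin"))
    print("renamed install, probing the real name:",
          password_length_oracle(renamed, "admin1234"))
```

The last line of the usage shows the limit of the measure: an attacker who learns the new name by any other route (a source leak, a verbose error page, a backup copy) is exactly where he started, because vulnerable_list still executes whatever it is given.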
I think this approach suits most article-management and download systems and other ASP systems.
As a practical case, here are the changes for the Dvbbs article system 3.4.
Step one: modify the database
Open the database in Access, right-click the table admin, choose Rename and give it a new name; I used admin1234 (you can of course pick any name that is hard to guess).
Step two: modify the ASP code
In general only the SQL statements that name the table need to change.
First find the files that need editing: open Windows Search, choose the web site's folder as the search location, and put "admin" in the containing-text field, quotes included, so that the word is matched on its own rather than as part of another string. That turned up 13 files. Opening them, I found only one false positive,
If session("admin") = "" Then, which also contains admin; everything else was a SQL query. The files confirmed to need changes were
chkadmin.asp saveuser.asp saveuer1.asp adminuser.asp
To modify them, open each one in Notepad and use Find and Replace to change every from admin to from admin1234; this hits statements such as sql="select * from admin where flag ... and similar SQL, turning admin into admin1234. Then save. Check the update, insert into and delete statements as well: they reference the same table but do not all contain from, so a replace that only looks for from admin will miss them.
That's it. Then test: everything works. Even if a new vulnerability turns up I am not afraid, because the intruder cannot guess my table name, hehe.
That is a simple practical case; other ASP systems are handled the same way.
Here I am still not satisfied, because the modification is manual, nobody can guarantee it is error-free, and for forum-class ASP systems it is impractical.
So my idea is to use software to modify the files in batch. Software with this function must exist and you can look for it yourself, but I still don't think it is good enough, because there is a lot of interference: the If session("admin") = "" Then above must not be changed, and a tool has trouble judging that. So I think this approach should become a new convention for how the industry writes these programs. Let me take Dvbbs as the example.
For the Dvbbs forum, the author could, at development time, give the table that stores users and administrators a name that does not collide with any other string in the BBS code, and ship with the forum a tool that, after installation, batch-modifies the database and the forum's files so that the administrator table takes a name the user defines. That solves the problem of having too many files to modify, and the problem of colliding strings. Since the administrator table name is user-defined, the probability of guessing it is extremely low, and an intruder who cannot guess it cannot carry out the guessing attack above even if he finds a new injection vulnerability, so security is greatly improved.
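Step two above and the batch tool proposed here both come down to the same rewrite: change the table name where it appears in SQL and nowhere else. The following added example (not the article's tool, nor anything shipped with Dvbbs) is a Python script that does that rewrite over a site folder. The ASP fragment it is tested against is constructed for the illustration, and the set of keywords it treats as introducing a table name (from, into, update, join) is an assumption that should be checked against the system being modified.

```python
import re
from pathlib import Path

# Constructed ASP fragment reproducing the cases the text describes: SQL
# statements that name the administrator table, and the session("admin") check
# (plus a table such as adminlog) that a blind search-and-replace would wreck.
SAMPLE_ASP = '''<%
If session("admin") = "" Then Response.Redirect "login.asp"
sql = "select * from admin where flag=1 and username='" & user & "'"
sql2 = "update admin set password='" & pw & "' where id=" & id
sql3 = "insert into admin (username,password) values ('" & u & "','" & p & "')"
sql4 = "delete from admin where id=" & id
sql5 = "select * from adminlog where adminid=" & id
%>'''


# Only a table name introduced by a SQL keyword is renamed, and only as a whole
# word: session("admin") has no keyword in front of it and adminlog does not end
# at the word boundary, so both are left alone. Access SQL is case-insensitive,
# hence (?i). The keyword list is an assumption; extend it for the target system.
def table_pattern(old):
    return re.compile(r'(?i)\b(from|into|update|join)(\s+)' + re.escape(old) + r'\b')


def rename_table(source, old, new):
    """Rewrite every SQL reference to table `old` in one file's text."""
    return table_pattern(old).sub(lambda m: m.group(1) + m.group(2) + new, source)


def count_table_refs(source, table):
    """How many SQL references to `table` a file contains (for a pre-change audit)."""
    return len(table_pattern(table).findall(source))


def rewrite_tree(root, old, new, dry_run=True):
    """Walk a site folder and rewrite every .asp file that references the table.
    Returns {path: reference_count}; with dry_run=True nothing is written.
    Files are round-tripped through latin-1 so that GBK (or any other) bytes in
    the sources pass through unchanged."""
    changed = {}
    for path in Path(root).rglob("*.asp"):
        text = path.read_bytes().decode("latin-1")
        n = count_table_refs(text, old)
        if n:
            changed[str(path)] = n
            if not dry_run:
                path.write_bytes(rename_table(text, old, new).encode("latin-1"))
    return changed


if __name__ == "__main__":
    print(count_table_refs(SAMPLE_ASP, "admin"), "references would be renamed")
    print(rename_table(SAMPLE_ASP, "admin", "admin1234"))
```

Run rewrite_tree with dry_run=True first and compare the per-file counts with a manual search before writing anything. Names written in brackets ([admin]) or assembled from string concatenation at run time are not matched by the pattern and still have to be found by hand, which is the same interference problem the text describes.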
What I hope is that this approach gets implemented, so that users can define the sensitive names themselves after obtaining the files and so avoid most known and unknown SQL guessing attacks.
This is a good tool I found: a very good program for batch character replacement in files.
I was not very satisfied with my first two articles, on the Dvbbs vulnerability and the "wave" password: they only repeated existing knowledge and were of no real use. This article, I think, can actually change the security situation. I went through the lists: if the Bbsxp forum is handled this way, then even with no patch for the Bbsxp vulnerabilities, one or two of them still apply but four or five are immune by construction; and if Dvbbs is handled the same way, the vulnerabilities described in "Absolutely behind the smile: talking again about the Dvbbs vulnerability", "Another kind of vulnerability in the free version of Dvbbs" and "SQL injection vulnerabilities such as Access" are likewise immune. So I have great hopes for this method; if it became a norm it would be a big contribution to security. It is not there yet, but I would like to work on it, and for now small ASP systems can be modified by hand.



The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.