Attack and Defense Against SQL Injection Vulnerabilities

 

SQL injection is a common attack method by exploiting program vulnerabilities. It is a popular attack method for many entry-level "hackers ".

I am very enthusiastic about it, so I will reveal the main principles of SQL attacks and how to prevent them in this topic.

 

Principle of SQL injection due to program vulnerabilities

 

The vulnerability that causes SQL injection attacks is not caused by the system. It is mainly because the programmer ignores the security factors in programming and its principle is not complicated.

 

Introduction

With the development of B/S application development, more and more programmers are writing applications using this mode. However, this industry

The entry threshold is not high, and the programmer's level and experience are also uneven. A considerable number of programmers did not

The validity of input data is determined to pose security risks to applications. You can submit a piece of database query code and return it according to the program

Obtain the expected data. This is the so-called SQL Injection, that is, SQL Injection.

SQL injection is accessed from the normal WWW port, and it looks similar to the general Web page access, so the current market

OfFirewallWill not alert SQL injection. If the Administrator does not check IIS logs, it may not be detected for a long time.

.

However, the SQL injection method is quite flexible, and many unexpected situations may occur during the injection process. Can I score according to the actual situation?

Analyze and construct clever SQL statements to successfully obtain the desired data, which is the fundamental difference between experts and cainiao.

According to national conditions, ASP + Access or SQLServer accounts for more than 70% of Chinese websites, PHP + MySQ accounts for L20 %, and other websites are less than 10%.

In this article, we will explain the methods and skills of ASP injection from entry-level, advanced to advanced. The article on PHP injection is written by another member of the NB alliance.

You zwell wrote, hoping to be useful to both security workers and programmers. Do not skip this article because

There are still some misunderstandings about the basic injection judgment methods by people. Are you ready? Lets Go...

Entry

If you have never tried SQL injection before, set IE menu> Tools> Internet Options> advanced> display friendly

Remove the check box before the HTTP error message. Otherwise, no matter what error is returned by the server, IE will only display as an HTTP 500 server error, no

You can get more prompts.

Section 1. Principles of SQL Injection

Below we get from a websiteWww.mytest.com(Note: I have obtained the consent of the webmaster before this article is published. Most of them are real data.

Data ).

On the homepage of the website, there is a link named "IE cannot open a new window for multiple solutions". The address is:Http://www.mytest.

Com/showdetail. asp? Id = 49. we add a single quotation mark (') after this address. The server will return the following error message:

Microsoft JET Database Engine error 80040e14

The syntax error of the string is found in the query expression ID = 49.

/Showdetail. asp, row 8

We can see the following points from the error prompt:

1. The website uses an Access database and connects to the database through the JET engine, instead of using ODBC.

2. The program does not determine whether the data submitted by the client meets the program requirements.

3. The table queried by this SQL statement has a field named ID.

From the above example, we can know that the principle of SQL injection is to submit special code from the client to collect programs and services.

To obtain the information you want.

Section 2: Determine whether SQL injection can be performed

After reading the first section, some people will think: I also often test whether it can be injected. Isn't it very easy?

In fact, this is not the best method. Why?

First, not necessarily the IIS of each server returns a specific error message to the client. If the program adds statements such as cint (parameter)

The SQL injection will not succeed, but the server will also report an error. The specific prompt is that an error occurs on the server when the URL is processed. Please and System

Contact the system administrator.

Second, some programmers who have a little knowledge about SQL Injection think that it is safe to filter out single quotes.

If you use single quotes for testing, the injection points are not tested.

So what test method is more accurate? The answer is as follows:

① Asp? Id = 49 ">Http://www.mytest.com/showdetail.asp? Id = 49

②Http://www.mytest.com/showdetail.asp? Id = 49; And 1 = 1

③Http://www.mytest.com/showdetail.asp? Id = 49; And 1 = 2

This is the classic 1 = 1, 1 = 2 test method. How can this problem be determined? You can see the results returned from the above three urls:

Injection performance:

① Normal display (this is inevitable, or the program is wrong)

② Normally displayed, the content is basically the same as ①

③ Prompt BOF or EOF (when the program does not make any judgment), or prompt that the record cannot be found (when rs. eof is determined), or the display content is

NULL (the program adds on error resume next)

It is easier to judge if it cannot be injected. ① It is displayed normally. ② and ③ There are generally Program-defined error prompts or prompt classes.

Type conversion error.

Of course, this is only the method used to determine when the input parameters are numeric. in actual application, there will be between numeric and search parameters.

Analyze the SQL Injection general steps in the intermediate section.

Section 3. Database types and injection methods

Different database functions and injection methods are different. Therefore, before injection, we need to determine the database type.

Generally, Access and SQLServer are the most commonly used databases in ASP. More than 99% of websites on the Internet are among them.

How can a program tell you what database it uses? Let's take a look:

SQLServer has some system variables. If the IIS server prompts that it is not closed and SQLServer returns an error message, you can

Obtain the error information directly by using the following method:

　　Http://www.mytest.com/showdetail.asp? Id = 49; And user> 0

This statement is very simple, but contains the essence of the SQL Server-specific injection method. I also found it in an unintentional test.

This method is highly efficient. Let me see what it means: first, the preceding statement is normal, with emphasis on and user> 0.

We know that user is a built-in variable of SQLServer and its value is the username of the current connection. The type is nvarchar. Take one

The nvarchar value is compared with the int value 0. The system first tries to convert the nvarchar value to the int type. Of course, the conversion process will definitely fail.

SQLServer error message: Convert nvarchar value "abc" to int

A syntax error occurs in the column. The abc is the value of the variable user. In this way, the user name of the database is obtained without waste. In

In the future, we will see many statements using this method.

By the way, as we all know, the SQLServer user sa is a role equivalent to the Adminstrators permission and has obtained the sa permission.

You can certainly get the Administrator of the host. The above method can be used to conveniently test whether to log on with sa. Note that

: If you log on to the sa, an error occurs when the "dbo" column is converted to the int type, instead of the "sa" column ".

If IIS on the server does not allow an error message to be returned, how can we determine the database type? We can use Access and SQLServer and Zone

Do not start, Access and

SQLServer has its own system tables, such as tables that store all objects in the database. Access is in the system table [msysobjects],

When you read the table in the Web environment, the system prompts "no permission". SQLServer is in the table [sysobjects] and can be read normally in the Web environment.

Use the following statement to confirm that the injection can be performed:

Http://www.mytest.com/showdetail.asp? Id = 49; And (select count (*) from sysobjects)> 0

Http://www.mytest.com/showdetail.asp? Id = 49; And (select count (*) from msysobjects)> 0

If the database is SQLServer, then the page of the first website and the original pageHttp://www.mytest.com/showdetail.asp?

Id = 49 is roughly the same. However, because the second website cannot find the table msysobjects, an error is prompted, even if the program has fault tolerance Processing,

The page is also completely different from the original page.

If the database uses Access, the situation is different. The page of the first web site is completely different from the original one; the second web site

It depends on whether the database settings allow reading the system table. Generally, it is not allowed, so it is completely different from the original website. Most cases

In this case, you can use the first web site to know the database type used by the system. The second web site is used only for verification when the IIS error prompt is enabled.

 

Advanced

In this article, we learned how to judge SQL injection, but it is far from enough to obtain the website's confidential content. Next

We will continue to learn how to get the desired content from the database. First, let's take a look at the general steps of SQL injection:

Section 1: General steps of SQL Injection

First, judge the environment, find the injection point, and determine the database type. This is already discussed in the Getting Started article.

Secondly, according to the injection parameter type, the original appearance of the SQL statement is reconstructed in mind. There are three types of parameters: