Defending against manual SQL injection

Source: Internet
Author: User

In many cases an intruder using an injection tool finds that the tool cannot resolve the table and field names. Every such tool ships with its own dictionary of common table and field names; if the administrator renames the tables and fields to something unusual, the tool can no longer guess them. In this article we start from an analysis of manual injection and use it to build a line of defense against SQL injection.

An intruder constructs simple conditions to judge whether a page is injectable. The general steps are as follows:

The page checked here is http://127.0.0.1/111/view.asp?id=198

1. To inject a website manually, the attacker first configures the browser so that error messages are shown during the injection attempt. The procedure is as follows: right-click the browser and select "Properties", then select the "Advanced" tab in the dialog box that appears. As shown in:

Figure 1

Clear the "Show friendly HTTP error messages" check box and click "Apply".

2. The attacker submits the following URL to the browser:

http://127.0.0.1/111/view.asp?id=198 and 1=1

If an SQL injection vulnerability exists, the appended condition is passed to the database. Since 1=1 is always true, it does not change the result, so the normal page is returned, identical to http://127.0.0.1/111/view.asp?id=198; the intruder then judges that the site is probably injectable. If an error message is returned instead, a less experienced intruder may give up on the site.

3. The intruder next submits the following URL to the browser:

http://127.0.0.1/111/view.asp?id=198 and 1=2

1=2 is always false. If the site passes the condition through to the database, the following information is returned:

Figure 2

Generally, when an intruder sees this, it is concluded that the website is open to SQL injection.
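The differential the two probes rely on, and why it disappears once the parameter is bound rather than concatenated, can be shown with a small Python model. This is an added example, not code from the article: it stands in for the ASP page with an in-memory SQLite table named `news` (a constructed stand-in; the article never names the table behind view.asp), and the three page states are labels for the outcomes the article describes.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the site database: a 'news' table with a few ids around 198."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(197, "Item 197"), (198, "Item 198"), (199, "Item 199")])
    conn.commit()
    return conn


def view_vulnerable(conn, raw_id):
    """Classic concatenation: whatever follows '198' in the URL becomes part of the WHERE clause."""
    sql = "SELECT title FROM news WHERE id = " + raw_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def view_safe(conn, raw_id):
    """Hardened form: validate the type, then bind the value; the database never parses it as SQL."""
    try:
        id_value = int(raw_id)
    except ValueError:
        return None  # every malformed value gets the same answer, so there is nothing to compare
    row = conn.execute("SELECT title FROM news WHERE id = ?", (id_value,)).fetchone()
    return row[0] if row else None


def render(view_fn, conn, raw_id):
    """Map a handler outcome onto the three page states the article distinguishes."""
    try:
        title = view_fn(conn, raw_id)
    except sqlite3.Error:  # the database rejected the text: the 'error page' with the driver message
        return "error page"
    return "normal page" if title else "not-found page"


if __name__ == "__main__":
    conn = build_db()
    for probe in ("198", "198 and 1=1", "198 and 1=2", "198'"):
        print(f"{probe!r:14} vulnerable: {render(view_vulnerable, conn, probe):15} "
              f"safe: {render(view_safe, conn, probe)}")
```

With the concatenating handler the three probes produce three different pages, which is exactly the signal the intruder reads. With the bound parameter every non-numeric value is answered identically, so neither `1=1` nor `1=2` nor the stray quote tells the intruder anything; renaming tables, as the article later suggests, only slows a dictionary, whereas binding the parameter removes the channel.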

In many cases, however, an intruder needs only a single quote to determine quickly whether the target site has an SQL injection vulnerability, submitting the following URL to the browser:

http://127.0.0.1/111/view.asp?id=198'

If the following information is returned, the odds of an injection vulnerability are better than even:

Microsoft ole db Provider for ODBC Drivers error '80040e14'

[Microsoft] [ODBC Microsoft Access Driver] the syntax of the string is incorrect in the query expression 'id = 1. /List. asp, row 50

4. The attacker now constructs a special SQL query to find the table names of the site database, submitting the following URL:

http://127.0.0.1/111/view.asp?id=198 and exists (select * from admin)

This statement checks whether the admin table exists in the database. If the table exists, the normal page is returned; if it does not, the error page is returned. Intruders generally try common table names first, the same names found in the dictionaries of the common injection tools. If the table name is not a common one, the intruder must guess it by social engineering, and the chance of guessing it is low.

5. Having obtained the table name, the intruder constructs a query for the field names and submits the following URL:

http://127.0.0.1/111/view.asp?id=198 and exists (select user from admin)

This statement checks whether the user field exists in the admin table. If the field exists, the normal page is returned; if it does not, the error page is returned.

6. Next, the intruder determines the value of the id field. The following statement queries the id value: http://127.0.0.1/111/view.asp?id=198 and exists (select id from admin where id = 1)

If the condition holds, the normal page is returned; otherwise, the error page is returned.

7. With the table and field names guessed, the intruder constructs a query to find the length of the administrator account name and submits the following URL:

http://127.0.0.1/111/view.asp?id=198 and exists (select id from admin where len (user) <6 and id = 1)

This statement tests the length of the user name in the user field, here whether it is less than 6. If the condition is true, the normal page is returned; if not, the error page is returned.

The intruder then narrows the range and constructs the following statement to pin down the exact length of the user name:

http://127.0.0.1/111/view.asp?id=198 and exists (select id from admin where len (user) = 5 and id = 1)

If the condition is true, the system returns the normal page; if not, it returns the error page.

8. Finally, the attacker enters the last stage and constructs a statement to query the administrator user name itself, submitting the following URL: http://127.0.0.1/111/view.asp?id=198 and exists (select count (*) from admin where left (user, 1) =)

This statement works from the left end of the user name, here guessing that the first character is a. If the guess is correct, the normal page is returned; if not, the error page is returned. The statement is then extended to left (user, 2) = ad, and so on.

Once the intruder has obtained the user name and password, the injection is essentially complete.

As for prevention, the process above shows that when the table and field names are not the common ones, the intruder falls back to guessing them by social engineering; if the names chosen by the administrator are complex enough, the intruder still cannot reach the goal. Another simple defense is to download one of the anti-injection patches available on the Internet. These modify the site's files and add filter statements that screen the statements submitted by intruders in order to prevent injection. The principles behind those filter statements are not explained here.
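Both defenses named above leave the probing itself visible: each step of the sequence arrives as a GET request whose query string carries a recognisable fragment (a constant comparison, a stray quote, `exists (select`, `len (`, `left (`). The following Python is an added example, not part of the article or of any anti-injection patch: it scans constructed W3C-style access-log lines (made up for this example, not taken from a real server) for those fragments and flags any client that walks through two or more distinct stages of the sequence, something an ordinary visitor never does.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample log (W3C extended style: date time c-ip method uri-stem uri-query status).
# One client replays the article's sequence against view.asp; the other browses normally.
SAMPLE_LOG = """\
2024-03-01 10:00:01 192.0.2.10 GET /111/view.asp id=198 200
2024-03-01 10:00:07 192.0.2.10 GET /111/view.asp id=198+and+1%3D1 200
2024-03-01 10:00:09 192.0.2.10 GET /111/view.asp id=198+and+1%3D2 500
2024-03-01 10:00:15 192.0.2.10 GET /111/view.asp id=198%27 500
2024-03-01 10:00:40 192.0.2.10 GET /111/view.asp id=198+and+exists(select+*+from+admin) 200
2024-03-01 10:01:02 192.0.2.10 GET /111/view.asp id=198+and+exists(select+id+from+admin+where+len(user)%3C6+and+id%3D1) 200
2024-03-01 10:02:10 192.0.2.10 GET /111/view.asp id=198+and+exists(select+count(*)+from+admin+where+left(user,1)%3D%27a%27) 200
2024-03-01 10:03:00 198.51.100.7 GET /111/view.asp id=199 200
2024-03-01 10:03:05 198.51.100.7 GET /111/view.asp id=200 200
"""

# One signature per stage of the article's sequence, applied to each decoded parameter value.
PROBE_STAGES = [
    ("truth-test",   re.compile(r"\band\s+\d+\s*=\s*\d+", re.I)),          # 'and 1=1' / 'and 1=2'
    ("quote-error",  re.compile(r"^\d+\s*'")),                              # numeric value + stray quote
    ("table-guess",  re.compile(r"exists\s*\(\s*select\s+\*\s+from", re.I)),  # exists (select * from T)
    ("field-guess",  re.compile(r"exists\s*\(\s*select\s+\w+\s+from", re.I)), # exists (select col from T)
    ("length-guess", re.compile(r"\blen\s*\(", re.I)),                      # len (user) < N
    ("char-guess",   re.compile(r"\bleft\s*\(", re.I)),                     # left (user, N) = ...
]


def classify_request(query_string):
    """Return the set of probe stages whose signature appears in any parameter value."""
    stages = set()
    for _name, value in parse_qsl(query_string, keep_blank_values=True):
        for stage, pattern in PROBE_STAGES:
            if pattern.search(value):
                stages.add(stage)
    return stages


def parse_line(line):
    """Split one W3C-style line into (client ip, uri-stem, uri-query, status); None if malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, _time, ip, _method, stem, query, status = parts
    return ip, stem, query, int(status)


def find_injection_probing(log_text, min_stages=2):
    """Group matched stages by client and report clients that reached at least min_stages of them."""
    by_client = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _stem, query, _status = rec
        by_client.setdefault(ip, set()).update(classify_request(query))
    return {ip: sorted(stages) for ip, stages in by_client.items() if len(stages) >= min_stages}


if __name__ == "__main__":
    for ip, stages in find_injection_probing(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(stages)}")
```

The patterns are deliberately narrow and match only the fragments the article's steps use, so the scan is a triage aid for reviewing logs rather than a filter to put in front of the page; a client that trips the truth-test and then the length or character stage is already well into the sequence, and the site still has to fix the query that lets the condition reach the database.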
