Attack and precaution of SQL injection program

Source: Internet
Author: User
Tags: filter, header, servervariables, sql injection

Most web-based attacks today are injection attacks. Injection is usually caused by incomplete filtering of variables, which lets an intruder run statements or queries that illegally modify arbitrary data. As injection attacks intensified, special-purpose filtering code appeared, but imperfections in some of this filtering code can themselves lead to new attacks. This article takes the most widely used filter, the SQL General Anti-injection program, and describes the causes of its vulnerability, how it is exploited, and preventive measures.

The SQL General Anti-injection program was written by Firefox Maple Autumn and has fairly complete injection-filtering functionality. It checks submitted data against a defined list of filter strings and records the attacker's IP together with the submitted data. Variable filtering is enabled simply by placing the include directive <!--#include file="wrsky_sql.asp"--> in the header of each file that needs protection. If the program code is added after the database connection file (such as conn.asp), every variable on the whole site is filtered, achieving site-wide anti-injection.

OK, let's look at the code for the variable filter section first:

<%
'--------Definition part------------------
Dim Fy_Post, Fy_Get, Fy_In, Fy_Inf, Fy_Xh, Fy_db, Fy_dbstr
' Custom list of strings to filter, separated by the character 枫 ("maple")
Fy_In = "'枫and枫select枫delete枫update枫count枫*枫%枫chr枫mid枫truncate枫char枫declare"
'----------------------------------
Fy_Inf = Split(Fy_In, "枫")
'--------Post part------------------
If Request.Form <> "" Then
    For Each Fy_Post In Request.Form
        For Fy_Xh = 0 To UBound(Fy_Inf)
            ' Reject the request if any filtered string occurs anywhere in the field value
            If Instr(LCase(Request.Form(Fy_Post)), Fy_Inf(Fy_Xh)) <> 0 Then
                ' (write the attempt to the log database, see the logging section below, then stop)
                Response.End
            End If
        Next
    Next
End If
'--------Get part-------------------
If Request.QueryString <> "" Then
    For Each Fy_Get In Request.QueryString
        For Fy_Xh = 0 To UBound(Fy_Inf)
            If Instr(LCase(Request.QueryString(Fy_Get)), Fy_Inf(Fy_Xh)) <> 0 Then
                ' (same logging as for the POST part, then stop)
                Response.End
            End If
        Next
    Next
End If
%>

This code defines a filter for common injection strings such as "'" and "and"; if you feel the filter is too weak or too aggressive, you can add or remove entries. Obviously, any data submitted to the server via GET or POST that contains one of the filtered strings will be rejected by the program. This leads to a problem: if the program code is included after the forum's database connection file, any post whose content contains a filtered string will be rejected, and with the default filter list it is almost impossible to post content in English. In addition, some special characters (such as the percent sign "%") are sometimes used when defining the forum style; if these characters are filtered, the whole forum stops working properly. I tested the problem described above with Dvbbs, and the result was exactly what I had guessed.
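To make the over-blocking concrete, here is the filter's matching rule re-implemented in Python and run over constructed sample submissions. This is an added example, not code from the article or from the anti-injection program; the entries and the 枫 delimiter follow the filter list above, and the sample post, style setting and probe are made up.

```python
# Added example (not from the original article): the ASP filter's matching rule
# re-implemented in Python, so the over-blocking described above can be checked
# on sample input. Blacklist entries and delimiter follow the program above;
# the sample submissions below are constructed.
FY_IN = "'枫and枫select枫delete枫update枫count枫*枫%枫chr枫mid枫truncate枫char枫declare"
TERMS = FY_IN.split("枫")          # same as Split(Fy_In, "枫") in the ASP code


def blocked_terms(value, terms=TERMS):
    """Entries found anywhere in the lower-cased value (Instr(LCase(...)) <> 0).
    A plain substring test: 'android' contains 'and', 'middle' contains 'mid'."""
    low = value.lower()
    return [t for t in terms if t in low]


def check_request(params, terms=TERMS):
    """Mimic the Request.Form / Request.QueryString loops: return the fields
    that would be rejected, each mapped to the entries that triggered it.
    An empty dict means the request passes the filter."""
    rejected = {}
    for name, value in params.items():
        hits = blocked_terms(value, terms)
        if hits:
            rejected[name] = hits
    return rejected


# Constructed samples: an ordinary forum post, a style setting, and a probe.
LEGIT_POST = {"subject": "Android update",
              "body": "Please count me in for the middle-of-the-month meetup."}
STYLE_SETTING = {"width": "100%", "font": "Times"}
PROBE = {"id": "1' and 1=1"}

if __name__ == "__main__":
    for label, params in [("legitimate post", LEGIT_POST),
                          ("style setting", STYLE_SETTING),
                          ("injection probe", PROBE)]:
        print(f"{label}: rejected fields = {check_request(params)}")
```

The legitimate post is rejected on four separate entries, the same verdict the filter gives the actual probe, which is why a site-wide include breaks ordinary posting.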

The solution to this problem is to include the filter only in the files that actually need filtering. But this is a lot of work, and the typical webmaster does not know which files need filtering. So my advice is to add the filter code to conn.asp, then create a conn1.asp that does not contain the filter code, and point the files that definitely do not need filtering (and those that the filter code prevents from running) at conn1.asp; note that the basic content of the two database connection files must be the same. In addition, it is best not to use filtered characters in the style settings, or else delete the filter entries for those characters from the anti-injection program.

The above concerns the impact of the anti-injection program on the site itself and causes no actual harm. The real hazard comes from the data logging section, so let's look at that part of the code:

'--------Write to the database-------begin--------
Fy_dbstr = "DBQ=" + Server.MapPath("Sqlin.mdb") + ";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
Set Fy_db = Server.CreateObject("ADODB.Connection")
Fy_db.Open Fy_dbstr
' Records the client IP, the requested URL, the method, the parameter name and the submitted value.
' Only the single quote is escaped (doubled); the statement is still built by string concatenation.
Fy_db.Execute("INSERT INTO Sqlin (SQLIN_IP, SQLIN_WEB, SQLIN_FS, SQLIN_CS, SQLIN_SJ) VALUES ('" & Request.ServerVariables("REMOTE_ADDR") & "', '" & Request.ServerVariables("URL") & "', 'GET', '" & Fy_Get & "', '" & Replace(Request.QueryString(Fy_Get), "'", "''") & "')")
Fy_db.Close
Set Fy_db = Nothing
'--------Write to the database-------end---------------

Response.Write ""   ' the warning message shown to the user is cut off in the source

The role of this code is to record the attacker's information and actions so that we can take the necessary measures. From the code we can see that the program records the attacker's IP, the submitted address and the submitted content, but there are clearly several vulnerabilities:

Failure to deal with frequent attacks. That is, no matter how the data is submitted, it will be recorded by the program, which can easily lead to a denial-of-service (DoS) attack. I did an experiment on it. I submitted the following statement after the URL of a protected file: and (select top 1 asc(mid(username,1,1)) from admin)>0, recorded the submission with Keystroke Wizard, and then replayed it automatically. In any case, the size of the database changed dramatically (Figures 1 and 2). It is easy to imagine that if a tool such as "the moon" is used to open multiple threads, a DoS is no problem at all.
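As an added example (not part of the article or the program), the following Python models the logging step with an in-memory SQLite table, replays one rejected request as in the experiment above, and contrasts the unlimited original with a version that enforces a per-IP budget, a time window and a payload length cap; those limit values and the replayed probe are assumptions.

```python
# Added example (not from the original article): a bounded version of the
# "write to the database" step, showing why logging every rejected request
# without limit is a DoS sink and how to cap it. Budget, window and payload
# limit are assumed policy values; the replayed probe is constructed.
import sqlite3

MAX_PER_WINDOW = 10      # rows accepted per source IP inside one window
WINDOW_SECONDS = 60.0
MAX_PAYLOAD = 200        # characters of the rejected value kept per row

class InjectionLog:
    def __init__(self, bounded=True):
        self.bounded = bounded
        self.seen = {}   # ip -> timestamps of rows accepted in the current window
        self.db = sqlite3.connect(":memory:")
        # Same fields as the program's Sqlin table (IP, URL, method, parameter
        # name, submitted value) plus a timestamp.
        self.db.execute("CREATE TABLE Sqlin (ip, web, fs, cs, sj, ts)")

    def record(self, ip, url, method, field, value, now):
        """Store one rejected request; False means it was dropped by the budget."""
        if self.bounded:
            recent = [t for t in self.seen.get(ip, []) if now - t < WINDOW_SECONDS]
            self.seen[ip] = recent
            if len(recent) >= MAX_PER_WINDOW:
                return False
            recent.append(now)
            value = value[:MAX_PAYLOAD]
        # Parameterised insert: the rejected value never becomes SQL syntax,
        # unlike the concatenated INSERT (only "'" doubled) in the program.
        self.db.execute("INSERT INTO Sqlin VALUES (?, ?, ?, ?, ?, ?)",
                        (ip, url, method, field, value, now))
        return True

    def row_count(self):
        return self.db.execute("SELECT COUNT(*) FROM Sqlin").fetchone()[0]

    def longest_payload(self):
        return self.db.execute("SELECT MAX(LENGTH(sj)) FROM Sqlin").fetchone()[0]

def replay(log, attempts, payload, ip="203.0.113.5"):
    """The article's experiment: one rejected probe replayed from one address
    at 100 requests per second. Returns the number of rows actually stored."""
    return sum(log.record(ip, "/list.asp", "GET", "id", payload, now=i / 100.0)
               for i in range(attempts))

if __name__ == "__main__":
    probe = "1' and 1=1 " * 500            # constructed long rejected value
    print("unbounded rows:", replay(InjectionLog(bounded=False), 1000, probe))
    print("bounded rows:  ", replay(InjectionLog(), 1000, probe))
```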
