HP + MYSQL website SQLInjection attack and defense

: This article mainly introduces the defense against SQLInjection on the HP + MYSQL website. if you are interested in the PHP Tutorial, refer to it.

WebjxCom prompt: programmers pay attention to TDD (test-driven development) when writing code: before implementing a function, they will first write a test case and then write the code to make it run through. In fact, when the hacker SQL Injection, it is also a TDD process: they will first try to let the program report an error, and then modify the parameter content at, when the program runs successfully again, the injection is followed.

When writing code, programmers should pay attention to TDD (test-driven development): before implementing a function, they will first write a test case and then write the code to make it run through. In fact, when the hacker SQL Injection, it is also a TDD process: they will first try to let the program report an error, and then modify the parameter content at, when the program runs successfully again, the injection is successful.
Attack:
Suppose your program has a script similar to the following content:
$ SQL = "SELECT id, title, content FROM articles WHERE id = {$ _ GET [''id'']}";
The URL for normal access is as follows:
/Articles. php? Id = 123
When a hacker wants to determine whether the SQL Injection vulnerability exists, the most common method is to add a single quotation mark after the integer ID:
/Articles. php? Id = 123''
Because the $ _ GET [''id''] parameter is not filtered, an error is inevitable, which may be similar to the following information:
Supplied argument is not a valid MySQL result resource in...
This information is enough to indicate that the script has a vulnerability. we can try again:
/Articles. php? Id = 0 union select 1, 2, 3
The reason for select, 3 is that union requires the same number of fields on both sides. The first is the id, title, and content fields, and the second, second, and third are also three fields. therefore, no syntax error is reported, in addition, if id = 0 is set to a non-existent record, the query result is 1, 2, 3, which is displayed on the webpage. 1 is displayed for the original id, 2 is displayed for the title and 3 is displayed for the content.
For more information about how to continue using the service, see the settings of magic_quotes_gpc:
When magic_quotes_gpc is off:
/Articles. php? Id = 0 union select 1, 2, load_file (''/etc/passwd '')
In this way, the content of the/etc/passwd file is displayed in the original content.
When magic_quotes_gpc is on:
In this case, if load_file (''/etc/passwd'') is used directly, it will be invalid because the single quotation marks are escaped, but there are other methods:
/Articles. php? Id = 0 union select 1, 2, load_file (char (47,101,116, 115,115,119,100 ))
The number is the ASCII of the/etc/passwd string: each character in the string cyclically outputs ord (...)
In addition, you can also use the hexadecimal string: each character in the string cyclically outputs dechex (ord (...))
/Articles. php? Id = 0 union select 1, 2, load_file (0x2f6574632f706173737764)
Here, we only talk about several attack methods of numeric parameters, which are at the tip of the iceberg. for attack methods such as string parameters, refer to the link below.
Defense:
Some software similar to SQL Injection Firewall is available on the network, such as GreenSQL. if the website has already been attacked by SQL Injection, using such a shortcut will often save your life, however, such software is a Proxy role in the architecture, most of which will affect the website's concurrent performance. Therefore, it is best to carefully decide whether to choose or not based on objective conditions. In many cases, professional software is not necessary, and there are many lightweight solutions. the following shows how to use awk to detect possible vulnerabilities.
Create the detect_ SQL _injection.awk script with the following content (do not include the row number if you want to copy the content ):
01 #! /Bin/gawk-f
02
03/\ $ _ (GET | POST | COOKIE | REQUEST) \ s *\[/{
04 IGNORECASE = 1
05 if (match ($0,/\ $. * (SQL | query )/)){
06 IGNORECASE = 0
07 output ()
08 next
09}
10}
11
12 function output ()
13 {
14 $1 = $1
15 print "CRUD:" $0 "\ nFILE:" FILENAME "\ nLINE:" FNR "\ n"
16}
This script can match the following problematic code, and it is easy to extend the matching mode, as long as you write the if match statement as you like.
1: $ SQL = "SELECT * FROM users WHERE username ='' {$ _ POST [''username'']} ''";
2: $ res = mysql_query ("SELECT * FROM users WHERE username ='' {$ _ POST [''username'']} ''");
Do not forget to use chmod + x detect_ SQL _injection.awk before using it. there are two call methods:
1:./detect_ SQL _injection.awk/path/to/php/script/file
2: find/path/to/php/script/directory-name "*. php" | xargs./detect_ SQL _injection.awk
The problematic code is displayed as follows:
CRUD: $ SQL = "SELECT * FROM users WHERE username ='' {$ _ POST [''username'']} ''";
FILE:/path/to/file. php
LINE: 123
There are many methods to apply this script in the real environment, such as regular scanning of program source files through CRON or automatic matching by using the hook method when submitting SVN.
The use of professional tools or detection scripts is passive defense. the root cause of the problem is always the necessity of security awareness in the programmer's mind. Below are some rules that must be kept in mind:
1: numeric parameters are forcibly filtered using methods like intval and floatval.
2: string parameters are forcibly filtered using methods like mysql_real_escape_string, rather than simple addslashes.
3: it is best to discard the splicing SQL query method like mysql_query and try to use the PDO prepare binding method.
4: Use rewrite technology to hide information about real scripts and parameters, and use rewrite regular expressions to filter suspicious parameters.
5. disable the error message and do not provide the attacker with sensitive information: display_errors = off.
6: log errors: log_errors =/> 7: Do not use an account with FILE permissions (such as root) to connect to MySQL. this Shields dangerous functions such as load_file.
8 :......
In fact, website security is not complicated. In summary, it is a sentence: filter input and escape output. Among them, the SQL Injection we have discussed above is a question of filtering input. as for escape output, it stands for Cross-site scripting, but it does not fall into the scope of this article, I will not go into detail.
Documentation:
Addslashes () Versus mysql_real_escape_string ()
SQL Injection with MySQL
Advanced SQL Injection with MySQL
Research on exporting field content in MySQL injection-exporting WebShell through injection

Reprinted from: http://www.aspnetjia.com/Cont-328.html

The above introduces the SQL Injection attack and defense of the HP + MYSQL website, including some content, and hope to help those who are interested in the PHP Tutorial.