SQL injection attacks

Reprint http://blog.jobbole.com/105259/

1. Case variants

This technique is useful when keyword blocking filters are not smart, and we can change the case of characters in the keyword string to avoid filtering because the SQL keyword is handled in a case-insensitive manner.

For example: (The following code is a simple keyword blocking filter)

function WAF ($id 1) { if (strstr ($id 1,' Union ')) { echo ' error:lllegal input '; return;     } return $id 1; The flaw in this code is that the STRSTR () function is case-sensitive, so we can bypass the case variant. Http://www.isbase.com/aa/bb/index.php?id=1uNionSelect null, NULL 2.URL EncodingURL encoding is widely used to bypass multiple types of input filters.function WAF ($id 1) { if (strstr ($id 1,") | | strstr ($id 1,'/**/')) { echo ' error:lllegal input '; return;     } return $id 1; The dual URL encoding sometimes works if the web app decodes multiple times, applying its input filter before the last decoding http://www.isbase.com/aa/bb/index.php?id=1/**/and/**/1=1 because of the dual URL encoding, The first decoding%2f%2a entered the input filter, so the success was bypassed. Of course this is used only if there is a URL decoded later. 3. SQL CommentMany developers believe that restricting input to a single can limit SQL injection attacks, so they tend to just block a variety of whitespace characters. However, inline annotations can construct arbitrarily complex SQL statements without using spaces. Http://www.isbase.com/aa/bb/index.php?id=1/**/and/**/1=1HTTP://WWW.ISBASE.COM/AA/BB/INDEX.PHP?ID=1/**/AND/**/1 =1 4, empty bytes

The usual input filters are implemented outside of the application code. such as intrusion detection system (IDS), these systems are generally developed by the native programming language, such as C + +, why null bytes can play a role, because in the original into the language, based on the starting position of the string to the first occurrence of a null byte position to determine the length of the string. So the null byte effectively terminates the string.

You only need to provide a URL-encoded NULL byte in front of the string blocked by the filter, for example:

%00 ' Union select Username,password from users where username= 'admin ' -- 5. Second-order SQL injection

In fact, so far, most of the SQL injection articles you've searched online can basically be categorized into "First order (First-order)" SQL injection, as these examples involve events that occur in a single HTTP request and response, as follows:

(1) An attacker submits some kind of conceived input in an HTTP request.

(2) Application processing input, which causes the SQL query injected by the attacker to be executed.

(3) If applicable, the query results are returned to the attacker in response to the request.

Another different SQL injection attack is "second-order (second-order)" SQL injection, and the event timings for such attacks are usually as follows:

(1) An attacker submits some kind of conceived input in an HTTP request.

(2) The application stores the input (usually saved in the database) for later use and responds to requests.

(3) The attacker submits a second (different) request.

(4) To process the second request, the application retrieves the input already stored and processes it, causing the SQL query injected by the attacker to be executed.

(5) If applicable, the query results are returned to the attacker in the application's response to the second request.

Literally second-order SQL injection is difficult for beginners to understand, so let me introduce a classic example to help you understand. This is a personal information application, we can update our user name, we can also view our personal information.

The second step is to view our personal information in the SQL statement:

MySQL<textarea class="crayon-plain print-no" style="-moz-tab-size: 4; font-size: 13px ! important; line-height: 15px ! important; z-index: 0; opacity: 0;" readonly="" data-settings="dblclick">SELECT * from users where username = ' $name '</textarea>

1	Select * from users where username = ' $name '

The variable used by the queried statement name is our user name extracted from the database, so we can first insert the statement into the database using the update our User name feature. Our SQL injection attacks were successfully executed when we viewed our personal information.

For example, we insert the user name into the

[SQL] Plain text view copy code

Then we'll execute the statement in the back.

<textarea class="crayon-plain print-no" style="-moz-tab-size: 4; font-size: 13px ! important; line-height: 15px ! important; z-index: 0; opacity: 0;" readonly="" data-settings="dblclick">SELECT * from users where username = ' Zusheng ' or ' 1 ' = ' 1 '</textarea>

1	SELECT * FROM users where username = ' Zusheng ' or ' 1 '= ' 1 '

• Section sixth discusses SQL injection defense techniques

6.1. Input verification

Input validation refers to verifying that the input received by all applications is legitimate. There are two different types of input validation methods: Whitelist and blacklist verification

• Whitelist validation: For example, the ID value, then we determine whether it is a number.
• Blacklist validation: Use regular expressions to disallow certain characters and strings

White lists should be used as much as possible, with local restrictions on blacklisting that cannot be used.

6.2. Coded output

In addition to validating the input received by the application, we also encode the data, which not only protects against SQL injection attacks, but also prevents other problems such as XSS

SQL injection attacks