SQL injection is a term that should be familiar to everyone, and incidents of this kind happen every year. First, let me take you back to two of the more classic incidents of 2011:
1. Sony incident
In April 2011, the well-known hacker group Anonymous attacked a Sony website. A week later it was discovered that the personal information of 70 million users had been leaked, including names, addresses, e-mail addresses, dates of birth, user names, passwords and purchase records; several of Sony's other servers were subsequently compromised as well.
2. CSDN data leak
At the end of 2011, the major domestic websites were hit by a wave of "password leak" incidents. The first to be made public was the leak of 6 million accounts and passwords from the well-known technical website CSDN: because the site had a SQL injection vulnerability, attackers broke in and downloaded the user database. What is puzzling is that the site stored its users' information in cleartext.
What is SQL injection
SQL injection is a security vulnerability that arises when a web application builds a back-end database query from user input. Put simply, SQL fragments are embedded in the input string; because the program neglects to check for particular characters in that string, the fragments are mistakenly treated as part of a normal SQL statement and executed by the database. As a result the back-end database can be read, and in severe cases the database is even broken into outright, with serious consequences.
At present SQL injection is broadly divided into ordinary injection and blind injection:
- Ordinary injection: injection guided by the informative error messages returned by the back-end database.
- Blind injection: experienced administrators do not show detailed error information on the error page, so the attacker has to use scripts to probe each field of a table through the only signal available (for example a time difference), and inject that way.
(Blind injection is harder, but it is frequently encountered in penetration tests.)
General approach to SQL injection
- Find the SQL injection location
- Determine the back-end database type
- Determine whether xp_cmdshell can be used
- Discover the web virtual directory
- Upload aspxxx
- Obtain administrator privileges
SQL injection techniques
- Forcing error generation
- Using out-of-band channels
- Using special characters
- Using conditional statements
- Exploiting stored procedures
- Evading input filtering
- Inference techniques
Ordinary injection example
The SQL injection test platform provided by the well-known IBM company.
We find a login page on this site. Enter "admin" in the username field of the form and the same value in the password field.
After clicking the "Login" button we get an error page whose message reads "Syntax error (missing operator) in query expression 'username = 'admin' and password = 'admin'''". From this we can guess that the underlying SQL statement is roughly "select * from [users] where username=? and password=?".
We return to the login page, enter admin' or '1 in both the username and password fields, click Sign In, and find that we have unexpectedly logged in.
Surprised? Now let me explain why the login succeeds: the SQL statement has turned into the following:
select * from [users] where username='admin' or '1' and password='admin' or '1'
Because of operator precedence in SQL, or binds more loosely than and, so the trailing or '1' is always true and the whole condition evaluates the same as the following statement:
SELECT * FROM [users]
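The query rewriting just described, as an added example that is not part of the original post: it runs the same admin' or '1 input against a constructed in-memory SQLite table (SQLite accepts the [users] bracket syntax shown above), with the vulnerable string-concatenated query beside a parameterized one. The table name, column names and the sample row are assumptions made for illustration.

```python
import sqlite3


def make_db():
    """Constructed sample table (illustrative data, not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    conn.commit()
    return conn


def build_vulnerable_sql(username, password):
    """How the page's application builds its query: user input is pasted
    straight into the SQL text, so quotes in the input become SQL syntax."""
    return ("SELECT * FROM [users] WHERE username='" + username +
            "' AND password='" + password + "'")


def login_vulnerable(conn, username, password):
    """Executes the concatenated query. With the input  admin' or '1  the
    WHERE clause becomes  username='admin' or '1' AND password='admin' or '1'
    and the trailing  or '1'  makes it true for every row."""
    return conn.execute(build_vulnerable_sql(username, password)).fetchall()


def login_parameterized(conn, username, password):
    """The fix: bind the values as parameters. The database receives the query
    shape and the data separately, so the input can never add operators."""
    sql = "SELECT * FROM [users] WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "admin' or '1"
    print(build_vulnerable_sql(payload, payload))
    print("vulnerable:   ", login_vulnerable(db, payload, payload))
    print("parameterized:", login_parameterized(db, payload, payload))
```

With the page's input the vulnerable function returns the admin row even though no password matched, while the parameterized version returns nothing because the whole string admin' or '1 is compared as a literal username.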
Sqlmap tool injection example
After submitting this page once, we obtained some information: the request address and the cookie value. We use the sqlmap tool to check whether there are any SQL injection points.
From the detection results we see an error-based SQL injection point as well as a union-query injection point; in addition, sqlmap further determined that the database is MySQL 5.0 and the web application platform is PHP 5.3.2 / Apache 2.2.14.
Using sqlmap's "--dbs" option, the database names present can be enumerated according to the type of database management platform identified. Besides MySQL's default system database information_schema, we also found the web application's database, DVWA.
Using the "-D dvwa --tables" option to specify the database, we then get all the tables under that database; we can see a users table, so let's look at that table to get its contents.
Adding to the "-D" option from before, "-D dvwa -T users --columns --dump" specifies the database with -D and the table with -T, and finally we see the table's contents, among which is an admin account. Submitting its password hash to an online MD5 lookup site gives the password admin. With this account and password it is easy to get into the back end.
How to protect against SQL injection
Through the two cases at the beginning and the simple injection I demonstrated above, I believe you now know how dangerous SQL injection is. Below are a few ways to prevent SQL injection:
Input validation
Check the legality of user input and make sure the input contains only valid data. Data checks should be performed on both the client and the server; it is the server-side validation that compensates for the weak security of the client-side checking mechanism.
Error message handling
To prevent SQL injection, avoid verbose error messages, because attackers can take advantage of them. Use a standard input validation mechanism to verify the length, type, syntax, business rules and so on of all input data.
Encryption processing
Encrypt data such as the user's login name and password. Encrypt the data entered by the user and then compare it with the data stored in the database. This amounts to "sanitizing" the user input: the data no longer has any special meaning to the database, which prevents the attacker from injecting SQL commands.
Use stored procedures to execute all queries
Passing values as SQL parameters prevents attackers from exploiting single quotes and hyphens. In addition, database permissions can be restricted to executing only specific stored procedures, and all user input must then obey the security context of the stored procedure being called, which makes injection difficult again.
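A server-side login that applies the measures just listed together (allowlist input validation, a parameterized query, and one generic message for every failure while the detail goes to the server log), and that stores passwords as salted hashes rather than in cleartext as in the CSDN case above. This is an added example, not code from the original post; the username policy, the PBKDF2 parameters and the sample user are assumptions.

```python
import hashlib
import hmac
import logging
import os
import re
import sqlite3

logger = logging.getLogger("auth")

# Allowlist for usernames: 3-32 letters, digits, dots, underscores or hyphens.
# (Assumed policy for this example; a quote, space or dash pair never passes it.)
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{3,32}")

# One generic message for every failure: no schema or query detail reaches the
# client, and a wrong username is indistinguishable from a wrong password.
GENERIC_FAILURE = "Invalid username or password"


def validate_username(username):
    """Server-side check; client-side checks alone can be bypassed."""
    return USERNAME_RE.fullmatch(username) is not None


def hash_password(password, salt):
    """Salted PBKDF2-SHA256; the iteration count is illustrative."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000).hex()


def make_db():
    """Constructed sample database with one user whose password is stored hashed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pwhash TEXT)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("admin", salt, hash_password("S3cret!", salt)))
    conn.commit()
    return conn


def make_broken_db():
    """A connection with no users table, to exercise the error-handling path."""
    return sqlite3.connect(":memory:")


def login(conn, username, password):
    """Returns (ok, message). Every failure yields the same generic message."""
    if not validate_username(username):
        logger.warning("rejected username by allowlist: %r", username)
        return False, GENERIC_FAILURE
    try:
        # Parameterized: the value is bound, never spliced into the SQL text.
        row = conn.execute("SELECT salt, pwhash FROM users WHERE username = ?",
                           (username,)).fetchone()
    except sqlite3.Error as exc:
        logger.error("login query failed: %s", exc)  # detail stays server-side
        return False, GENERIC_FAILURE
    if row is None:
        return False, GENERIC_FAILURE
    salt, stored = row
    # Hash the submitted password and compare in constant time; the raw input
    # never reaches the database as part of a query.
    if hmac.compare_digest(hash_password(password, salt), stored):
        return True, "Welcome"
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    db = make_db()
    print(login(db, "admin", "S3cret!"))
    print(login(db, "admin' or '1", "admin' or '1"))
    print(login(db, "admin", "wrong"))
    print(login(make_broken_db(), "admin", "S3cret!"))
```

The page's admin' or '1 input is rejected by the allowlist before any query runs, and even if it reached the query it would only be bound as a literal. The broken-database call shows the error path: the database error text is logged, but the client sees only the generic message.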
SQL injection is really that simple, so don't take it lightly.