[SQL] SQL Injection miss and Detection and Prevention Measures

Source: Internet
Author: User
Tags sql injection methods ways to prevent sql injection
Document directory
  • 1. SQL injection vulnerability attack principles
  • 2. SQL injection vulnerability detection methods and methods
  • 3. SQL injection vulnerability Prevention Measures

SQL Injection (sqlinjection) vulnerability attack is one of the most popular hacker script attacks on the Internet. What is SQL injection vulnerability attack? It refers to some pages on which hackers use some Web applications (such as websites, forums, message books, and article publishing systems) that have Insecure code or SQL statements, carefully construct SQL statements, translate illegal SQL statement commands into actual system SQL statements, and execute them to obtain sensitive information such as user names and passwords, so as to control the attack methods of host servers.
1. How SQL injection attacks work 1. How SQL injection attacks work

Structured Query Language is a language text used to interact with databases. The attack principle of SQL injection is that attackers use SQL statements or strings to insert illegal data into the server-side database through web applications to obtain the database management user permissions, then, the database management user permissions are raised to the operating system management user permissions, and the server operating system is controlled to obtain important information and confidential files.
SQL Injection Vulnerability attacks are mainly caused by scanning SQL injection vulnerabilities on web pages by using SQL Injection tools such as HDSI, nbsi, and domain to locate SQL injection points, attackers can execute illegal SQL statements or strings to perform the operations they want. The following uses a piece of authenticated. Net code as an example to describe how to implement SQL injection attacks.

SqlConnectionnwConn = new SqlConnection((string)ConfigurationSettings.AppSettings["DBconnStrings"]);string queryStr = "SELECT userid,userpwd, username,type FROM users where userid='" + Txtusername.Text +"'"; DataSet userSet = new DataSet();SqlDataAdapter userAdapter = newSqlDataAdapter(queryStr, nwConn);userAdapter.Fill(userSet, "Users");Session["UserID"] =Txtusername.Text.ToString();Session["type"] =type.Text.ToString();Response.Redirect("/Myweb/admin/login.aspx");

The code above shows that after the program establishes a connection with the database to obtain user data, it directly transmits the username value to login through session. aspx is directly used to construct SQL statements without any filtering or processing measures. The risk factor is very high. As long as attackers write rules based on SQL statements, they can bypass authentication, to achieve the purpose of intrusion.
1. 2 SQL injection vulnerability attack analysis

SQL injection is either a vulnerability or an attack. This vulnerability may occur when the variables in the program are not properly handled, the data types submitted by the user are not verified, Insecure code is written, and illegal SQL statements or strings are constructed.
For example, the web system has a login page, which controls whether the user has the right to access and requires the user to enter a user name and password. The database connection statement is:

“select *  from users where username = 'username' andpassword = 'password'” 

The attacker entered the username AA or 1 = 1 and the password 1234 or 1 = 1. We can see that the attacker does not actually know the real user name and password. After the content is submitted to the server, the server executes the SQL command constructed by the attacker. However, the content entered by the attacker is very special, so the final SQL command is changed:

“select *  from users where username = 'aa' or 1=1 andpassword = '1234' or 1=1”

The server executes the query or storage process and checks the identity information entered by the user and the real identity information in the database users table. Because the SQL command has actually been modified, there are always 1 = 1 conditions, so the user identity cannot be verified, so the system will incorrectly authorize attackers to access.
SQL injection is performed through port 80 of the target server and is a normal Web access. The firewall does not warn or intercept such attacks. When a web server accesses a database as a common user, the SQL injection vulnerability may be exploited to create, delete, or modify all data in the database. However, when a database is logged on as a user administrator, the entire database server may be controlled.
There are many SQL injection methods, and various SQL statements need to be constructed when attacking manually. Therefore, generally, attackers need a wealth of experience and patience to bypass detection and processing and submit statements, to obtain the desired useful information. This process takes a lot of time. If you use this manual method to launch SQL injection attacks, many websites with SQL injection vulnerabilities, such as ASP, JSP, PHP, and Java, will be much safer, it is not because the vulnerability does not exist, but that manual intruders need programming basics. However, attackers can now use some existing hacking tools to assist in SQL injection vulnerability attacks, speeding up the intrusion and making SQL Injection easy.
The SQL injection vulnerability exploits the common SQL syntax, which makes the attack extensive. Theoretically, it is effective for all SQL-based database management systems, including MSSQLServer, Oracle, DB2, Sybase, and MySQL. Of course, the SQL extension functions of various systems are different, so the final attack code may be different.
1. 3 SQL injection vulnerability Attack Process

(1) bypass authentication

For example, on a login interface, you need to enter the user name and password, and then post it to another page for authentication, therefore, an attacker only needs to enter AA or '1' = '1' In the username and password input boxes. Then, the attacker can directly access the next page through spoofing authentication, and have all the same privileges as normal logon users. Why? We will compare the two SQL statements for normal user logon and attacker Logon:
1) normal users (for example, the user name is admin and the password is 1234567 ):

SQL= " selectfrom users where username = ’admin’and password= ’1234567’ ";

2) attackers (both the user name and password are AA or '1' = '1 '):

SQL= " select * from users where username='aa or’1’=’1’'and password = ' aa or’1’=’1’'";

We can see that the two conditions connected by and are replaced by a permanent 1 = 1, and the execution result is true. The database considers the condition to be invariably set and returns a true value, allow the attacker to log on to the next page as a legal identity.

(2) Illegal operation

For example, a query page select1.asp? Id = 1. The programmer originally designed to display the query information with ID 1, while the attacker inserted his own code using the program's no mechanism to check the ID content.
Extract A Piece Of key code from select1.asp:

SQL= " select *from photo where photoid= 'id'";

As you can see, IDs are not processed and directly constitute SQL statements and executed. However, when attackers know the table name and field name in the system database, using SQL statement features (semicolons are symbols used to separate two SQL statements), you can directly add records to the database Tuser table:
Select1.asp? Id = 1; insertinto Tuser (username, password, type) values ('hack', '000000', 'admin'), then attackers can log on directly with hack. In this way, attackers can also perform anything on the system, including adding, deleting, and modifying system resources.

(3) execute system commands

If the web host uses the MSSQL database management system, attackers can use the xp_mongoshell extended stored procedure. xp_mongoshell is a very useful extended stored procedure for executing system commands, for example, Dir and net. Attackers can submit different statements based on different programs:

execmaster.dbo.xp_cmdshell " dir ";exec master.dbo.xp_cmdshell" net user hack 1234567 /add ";execmaster.dbo.xp_cmdshell " net localgroup administrators hack /add ";

In this way, you can successfully add an administrator account to the web host system.
2. SQL injection vulnerability attack detection methods and methods 2. 1 Detection Methods

SQL Injection Vulnerability Detection includes pre-intrusion detection and post-intrusion detection. Pre-intrusion detection can be performed manually or by using the SQL injection vulnerability scanning tool software. The purpose of the detection is to prevent SQL injection vulnerability attacks. The detection after the SQL injection vulnerability attack is mainly for viewing audit logs. After the SQL injection vulnerability attack is successful, the "trace" is left in the audit logs of web services and databases ".
2. 2 Detection Method

(1) dynamic SQL check
Dynamic SQL statements are powerful tools for database queries. However, mixing them with user input makes SQL Injection possible. Replacing dynamic SQL statements with pre-compiled SQL statements or stored procedures is feasible for most applications. Pre-compiled SQL statements or stored procedures can use user input as parameters rather than commands for execution, thus limiting the actions of intruders. Of course, it is not applicable to the use of user input to generate SQL commands in stored procedures. In this case, the SQL commands entered by the user may still be executed, and the database may still be vulnerable to SQL injection attacks.
(2) validity Verification
If an input box only contains numbers, verify that the user inputs a number. If you can accept letters and check whether there are unacceptable characters, you need to set the string check function. Make sure that the application checks the following characters: semicolons, equals signs, broken signs, Parentheses, and SQL keywords.
(3) Check Data Tables
Some temporary tables are generated in the database after the SQL injection vulnerability attack tool is used. By viewing the structure and content of the recently created table in the database, you can determine whether an SQL injection vulnerability has occurred.
(4) Audit Log check
If the audit log function is enabled on the Web server, the Web service audit log records the visitor's IP address, access time, access files, and other information, SQL Injection Vulnerability attacks often access a large number of page files (dynamic web pages with SQL injection points), and audit log files increase dramatically, by checking the size of the audit log file and the content of the audit log file, you can determine whether an SQL injection vulnerability attack event has occurred. You can also view the database Audit Log, query whether there are illegal insert, modify, or delete operations in a certain period of time.
(5) Others
After successful SQL injection attacks, intruders often add privileged users (such as administrator, root, and SA), open illegal remote services, and install Trojan Backdoor programs, you can check the user account list, the remote service activation status, the files generated by the system on the latest date, and other information to determine whether the intrusion has occurred.
3. SQL injection vulnerability Prevention Measures

There are many ways to prevent SQL injection vulnerability attacks. At this stage, we can summarize the following methods:
(1) Data Validity verification. If an input box can only contain numbers, verify that all users enter numbers. If you can accept letters, check whether there are unacceptable characters. The best way is to add the automatic verification function of character complexity. Make sure that the application checks the following characters: semicolons, equals signs, broken signs, Parentheses, and SQL keywords. In addition, it is also a good way to limit the length of form data input and query string input. If a user's login name contains a maximum of 10 characters, do not acknowledge that the form contains more than 10 characters, which greatly increases the difficulty for attackers to insert harmful code in SQL commands.
(2) encapsulate data information. Encapsulate the data submitted by the client. Do not store the data directly into the cookie by inserting session, if, try, and else in the programming code, this effectively prevents attackers from getting important information in cookies.
(3) remove sensitive information from the code. Delete the username, password, and other sensitive fields in the Code and replace them with the input box.

SQL=" select from users where username = ’admin’and password= ’1234567’ "

For example, the Administrator's username and password are clearly exposed. You can change it:

SQL= " select * from users where username='" +Txtuser.Text + "' and userpwd='" + Textpwd.Text + "'"

In this way, the user name and password information are not easily obtained by intruders.

(4) replace or delete single quotes. Double quotation marks are used to replace the single quotation marks entered by all users. This simple precaution will prevent SQL injection attacks to a large extent. single quotation marks often cannot constrain the value of data insertion, attackers may be given unnecessary permissions. Replacing single quotes with double quotes can cause most SQL injection attacks to fail. For example:

“select* from users where username='" + admin + "' and userpwd='" + 1234567+ "'”

Obviously

“select * from users where username='admin' and password= '1234567'”

Same result.

(5) Specify the error response page. Attackers sometimes try to submit harmful code and attack strings from the client and collect program and server information based on the error message provided by the Web service to obtain desired information. You should specify an error prompt page in the Web service that does not contain any information.
(6) configuration files that restrict SQL string connection. SQL variables are used because the variables are not executable scripts. on the web page, replace the SQL string connecting to the database with the specified value, and then encrypt the Web. config file to reject access.
(7) set the access permission for the web directory. Prohibit visitor users (such as guest users) from accessing the file directory of the Virtual Site, change user permissions to read-only permissions, and do not add users with administrative permissions to the access list.
(8) minimum service principle. The Web server should be configured with the minimum permissions and only provide Web Services. This can effectively prevent dangerous system commands, such as FTP, CMD, and VBScript.
(9) encrypted storage of authentication information. The username and password information stored in the database users table are saved in ciphertext format. You can also encrypt the users table to greatly increase the security level of access to authentication information.
(10) user permission separation. Users with SA permissions in the database should be prohibited or deleted as much as possible, and different user permissions should be assigned to different databases, in this way, different users can only perform query, insert, update, and delete operations on the databases authorized to them, thus preventing different users from accessing unauthorized databases.
4. Conclusion

SQL Injection Vulnerability attacks are common on the Internet. Many ASP, PHP forums and article management systems, download systems, and news systems all have this vulnerability. The main cause of SQL injection vulnerability attacks is that developers do not properly program the system during system development and do not have good programming habits. The solution to the problem only depends on standardized programming. In addition, you can use the existing SQL injection vulnerability scanner to scan the key code of the entire website to find the SQL injection points on the website page. You can delete or update problematic pages in time. This article describes and summarizes the methods, principles, and implementation of SQL injection vulnerability attacks, and provides some common methods to prevent SQL injection vulnerability attacks.

[Note] forwarding from: http://fatedgar.iteye.com/blog/1281836

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.