Full access to SQL injection vulnerabilities: advanced article (II)
Section 2. Continuing the injection by bypassing program restrictions
As mentioned in the entry-level article, many people like to use the single-quote (') test to probe for injection vulnerabilities. Therefore, many developers filter the single quote to "prevent" injection. This may block some attacks, but anyone familiar with SQL injection can still use the relevant functions to bypass the program's restrictions.
In the "General steps of SQL injection" section, all the statements I used were already optimized so that they contain no single quotes; in "Injecting a SQL Server database with system tables", some statements do contain the ' character. Let's take an example and see how such statements can be modified:
A simple example is where xtype = 'u'. The ASCII code of the character U is 85, so it can be replaced with where xtype = char(85). If the value is Chinese text, for example where name = 'user' with "user" written as two Chinese characters, it can be replaced with where name = nchar(29992) + nchar(25143), one nchar() per Unicode code point.
Section 3. Summary of experience
1. Some programs filter keywords such as Select, Update and Delete, but the filter is written case-sensitively and forgets the other casings, so you can try a variant such as selecT.
2. If you cannot guess a field name, look at the login form on the website; for convenience, programmers generally give the database fields the same names as the form's input boxes.
3. Note: in the address bar, a + sign is interpreted as a space, %2B is interpreted as a + sign, and %25 is interpreted as a % sign. For details, see the description of URL encoding (URLEncode).
4. When the GET method is used for injection, IIS records every string you submit in its log; POST bodies are not recorded. So, for URLs that accept POST, try not to use GET.
5. Against Access you can only use the character-by-character ASCII guessing method. SQL Server can use this method as well; you only need to take the differences between the two databases into account. However, if you can use SQL Server's error messages to expose values, efficiency and accuracy improve greatly.
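The points above describe what actually reaches the server: keywords in mixed case, strings rebuilt with char()/nchar(), URL-encoded characters, and the fact that IIS logs GET query strings. As an added example that is not part of the original article, the following Python script applies those observations from the defender's side: it decodes the cs-uri-query field of constructed IIS W3C log lines and flags the patterns the article describes. The log lines, field layout and pattern names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample IIS W3C log lines (not from the article). Field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2004-05-01 10:00:01 10.0.0.5 GET /user.asp id=42 200
2004-05-01 10:00:02 10.0.0.5 GET /user.asp id=1+and+1=(selecT+count(*)+from+sysobjects+where+xtype=char(85)) 500
2004-05-01 10:00:03 10.0.0.5 GET /user.asp name=%E7%94%A8%E6%88%B7 200
2004-05-01 10:00:04 10.0.0.5 GET /user.asp id=1%25+and+1=1 200
2004-05-01 10:00:05 10.0.0.5 GET /user.asp id=1+aNd+ascii(substring(name,1,1))>64 500
"""

# Keywords a naive filter might match case-sensitively; we match case-insensitively
# on the decoded query, so the "selecT" variant from point 1 is still caught.
KEYWORDS = re.compile(r"\b(select|update|delete|insert|union|sysobjects|syscolumns)\b", re.I)
# char()/nchar() calls used to build a quoted value without a ' character (Section 2)
CHAR_ENCODED = re.compile(r"\bn?char\s*\(\s*\d+\s*\)", re.I)
# boolean probes such as "and 1=1" or "and 1=(select ...)"
BOOL_PROBE = re.compile(r"\b(and|or)\s+\d+\s*=\s*[\d(]", re.I)
# ascii() comparisons used for character-by-character guessing (point 5)
ASCII_PROBE = re.compile(r"\bascii\s*\(", re.I)
CHECKS = {
    "sql-keyword": KEYWORDS,
    "char-encoded-string": CHAR_ENCODED,
    "boolean-probe": BOOL_PROBE,
    "ascii-probe": ASCII_PROBE,
}

def classify_query(query):
    """Return the names of the suspicious patterns found in one cs-uri-query field."""
    # unquote_plus applies the rules from point 3: '+' -> space, %2B -> '+', %25 -> '%'
    decoded = unquote_plus(query)
    return {name for name, rx in CHECKS.items() if rx.search(decoded)}

def scan_iis_log(text):
    """Return (time, client_ip, uri_stem, findings) per logged GET; POST bodies are not in the log (point 4)."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[3] != "GET":
            continue
        findings = classify_query(parts[5])
        if findings:
            hits.append((parts[1], parts[2], parts[4], findings))
    return hits
```

Run scan_iis_log(SAMPLE_LOG) to list the three flagged requests; the benign id=42 and the URL-encoded Chinese name produce no findings.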
Defense methods
SQL injection is a case of "a thousand-mile dike breached by an ant hole". This vulnerability is very common on the Internet; it is usually caused by a programmer's lack of understanding of injection, insufficient filtering in the program, or a single parameter whose check was forgotten. Here I give you a function that replaces the Request function in ASP and lets you say NO to SQL injection. The function is as follows:
Function SafeRequest(ParaName, ParaType)
'--- Input parameters ---
'ParaName: name of the request parameter
'ParaType: parameter type (1 = the parameter must be numeric, 0 = the parameter is a character string)
    Dim ParaValue
    ParaValue = Request(ParaName)
    If ParaType = 1 Then
        ' numeric parameters: reject anything that is not a number instead of escaping it
        If Not IsNumeric(ParaValue) Then
            Response.Write "Parameter " & ParaName & " must be numeric!"
            Response.End
        End If
    Else
        ' string parameters: double every single quote so it cannot close the string literal
        ParaValue = Replace(ParaValue, "'", "''")
    End If
    SafeRequest = ParaValue
End Function
The article ends here. Whether you are a security engineer, a technology enthusiast or a programmer, I hope this article has been helpful to you.