As B/S (browser/server) application development has grown, more and more programmers write applications in this mode. Because the entry threshold in this industry is low, however, programmers' skill and experience vary widely. A considerable number of them never check the legitimacy of user-supplied data when writing code, which leaves the application open to security risks. A user can submit a fragment of database query code and, from the results the program returns, obtain the data they want. This is called SQL injection (SQL Injection).
SQL injection arrives over the normal WWW port and looks no different from ordinary web page access, so the firewalls on the market today do not raise an alert for it. If the administrator does not look through the IIS logs, it may go unnoticed for a long time.
The SQL injection technique is quite flexible, however, and many unexpected situations arise during injection. Analysing the specific situation and constructing a clever SQL statement to obtain the desired data is the fundamental difference between an expert and a novice.
Given the situation in China, ASP + Access or SQL Server accounts for more than 70% of Chinese websites, PHP + MySQL for about 20%, and everything else for less than 10%. In this article we explain the methods and skills of ASP injection from beginner through intermediate to advanced level. The PHP injection article is written by zwell, another friend from the NB Alliance, and we hope both will be useful to security workers and programmers. Even if you are familiar with ASP injection, do not skip this article, because some people still have misunderstandings about the basic method of judging whether injection is possible. Are you ready? Let's go...
Getting Started
If you have never tried SQL injection before, first uncheck IE menu > Tools > Internet Options > Advanced > "Show friendly HTTP error messages". Otherwise, no matter what error the server returns, IE only displays it as an HTTP 500 server error and you get no further detail.
I. Principles of SQL injection
We will start from the website http://www.19cn.com/ (note: most of the data here is real, and the webmaster approved it before this article was published).
On the website's home page there is a link titled "Various solutions for IE being unable to open a new window", with the address http://www.19cn.com/showdetail.asp?id=49. If we append a single quotation mark (') to this address, the server returns the following error:
Microsoft JET Database Engine error '80040e14'
Syntax error in string in query expression 'id=49''.
/showdetail.asp, line 8
We can see the following points from the error prompt:
1. The website uses an Access database and connects to it through the JET engine rather than through ODBC.
2. The program does not check whether the data submitted by the client meets its requirements.
3. The table queried by this SQL statement has a field named id.
From the above example we can see the principle of SQL injection: special code is submitted from the client to collect information about the program and the server, and from that information the attacker obtains what they are after.
II. Determine whether SQL injection can be performed
After reading the first section, some people will think: I already test for injection this way all the time; isn't it simple? In fact, this is not the best method. Why?
First, not every server's IIS returns the specific error message to the client. If the program adds a statement such as cint(parameter), SQL injection will not succeed, but the server still reports an error, with a generic prompt along the lines of "An error occurred on the server when processing the URL. Please contact the system administrator."
Second, some programmers who know a little about SQL injection believe that filtering out single quotes makes them safe, and this is not rare. If you test with a single quote, you cannot detect such injection points.
So which test method is more accurate? The answer is as follows:
① http://www.19cn.com/showdetail.asp?id=49
② http://www.19cn.com/showdetail.asp?id=49 and 1=1
③ http://www.19cn.com/showdetail.asp?id=49 and 1=2
This is the classic 1=1, 1=2 test method. How do you judge the result? Look at what the three URLs above return:
When injection is possible:
① displays normally (this is a given; otherwise the program itself is broken)
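The text notes that these probes leave no trace anywhere except the IIS logs. As an added example (not part of the original article), here is a small Python scanner over constructed IIS W3C extended log lines that flags a non-integer `id` parameter, the single-quote probe, and a 1=1 / 1=2 pair sent by one client against one page; the field layout, IP addresses and timestamps are assumed sample data.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C extended log excerpt (sample data, not taken from the article).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-05-01 10:00:01 192.0.2.10 GET /showdetail.asp id=49 200
2004-05-01 10:00:05 192.0.2.10 GET /showdetail.asp id=49' 500
2004-05-01 10:00:09 192.0.2.10 GET /showdetail.asp id=49+and+1%3D1 200
2004-05-01 10:00:12 192.0.2.10 GET /showdetail.asp id=49+and+1%3D2 200
2004-05-01 10:01:00 192.0.2.77 GET /showdetail.asp id=50 200
"""

INTEGER = re.compile(r"^\d+$")
# The boolean probe described in the text, once URL-decoded: "... and 1=1" / "... and 1=2".
BOOL_PROBE = re.compile(r"\band\s+1\s*=\s*([12])\b", re.IGNORECASE)

def parse_line(line):
    """Split one W3C record into a dict; None for the #Fields directive or blank lines."""
    if not line or line.startswith("#"):
        return None
    _d, _t, ip, _m, stem, query, status = line.split(" ", 6)
    return {"ip": ip, "stem": stem, "query": query, "status": int(status)}

def classify(record, param="id"):
    """Label a record whose numeric parameter is not a plain integer; None if it is clean."""
    values = parse_qs(record["query"], keep_blank_values=True).get(param)
    if not values:
        return None
    value = values[0]  # parse_qs URL-decodes: '+' -> ' ', %3D -> '='
    if INTEGER.match(value):
        return None
    if "'" in value:
        return "quote-probe"
    if m := BOOL_PROBE.search(value):
        return "bool-true" if m.group(1) == "1" else "bool-false"
    return "non-integer"

def scan(log_text):
    """Return (ip, stem, label, status) for every suspicious record, in log order."""
    recs = filter(None, map(parse_line, log_text.splitlines()))
    return [(r["ip"], r["stem"], lab, r["status"]) for r in recs if (lab := classify(r))]

def paired_probes(findings):
    """(ip, stem) pairs that sent both halves of the 1=1 / 1=2 test: a strong signal."""
    seen = {}
    for ip, stem, label, _status in findings:
        if label.startswith("bool-"):
            seen.setdefault((ip, stem), set()).add(label)
    return sorted(k for k, v in seen.items() if v == {"bool-true", "bool-false"})
```

Note that the quote probe shows up with status 500 (the JET syntax error), while both halves of the boolean pair return 200, which is exactly why the text says the single-quote check alone is unreliable and the 1=1 / 1=2 pair must be correlated.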