Last week I made a website for someone and accidentally found many vulnerabilities in my own work: in just 20 seconds I was able to perform a SQL injection. So I looked up some information about SQL injection and gained some insights, which I hope to share with newcomers. Experts, don't laugh!
The general approach of a SQL injection attack is:
1. find the injection point;
2. determine the server type and the backend database type;
3. determine what can be executed through the injection point.
SQL injection is one of the most commonly used attacker techniques. Next I will describe my understanding of the injection method and of how to defend against it.
Injection method:
In principle, a login page runs a statement of the following form:
select * from admin where username = 'xxx' and password = 'yyy'
If the input is not filtered for the necessary characters before this statement is run, SQL injection is easy to carry out.
For example, enter abc' or 1=1 -- in the username box and 123 in the password box; the SQL statement becomes:
select * from admin where username = 'abc' or 1=1 --' and password = '123'
Because 1=1 is always true and -- comments out the rest of the line, this statement succeeds no matter what username and password the user enters, so the system is easily fooled into granting a valid identity.
Guessing:
The basic idea is to guess the database names, then the names of the tables in each database, work out which table stores the usernames and passwords, then guess the names of the fields in that table and finally the content of each record.
The database name and table names can also be obtained more directly: a request such as http://www..cn/news?Id=10' (note the trailing single quote) provokes a database error, and the error message leaks the database and table names.
For JSP, the following countermeasures are commonly adopted:
1. PreparedStatement
If you are already a reasonably experienced developer, you should always use PreparedStatement instead of Statement. Some of the reasons:
1. Code readability and maintainability.
2. PreparedStatement maximizes performance.
3. Most importantly, it greatly improves security.
Even now, some people (myself included) do not know what basic malicious SQL looks like. Consider:
String sql = "select * from tb_name where name = '" + varname + "' and passwd = '" + varpasswd + "'";
If we pass in [' or '1' = '1] as the name and anything at all as the password, what does the statement become?
select * from tb_name where name = '' or '1' = '1' and passwd = 'random';
Because '1' = '1' is always true, the check can be passed. Worse still:
pass in ['; drop table tb_name;] as varpasswd. Then:
select * from tb_name where name = 'random' and passwd = ''; drop table tb_name;
Some databases will not let this succeed, but many databases will execute the stacked statement.
With precompiled (prepared) statements, whatever you pass in is bound as a value and can never alter the structure of the original statement. (The premise is that the database itself supports precompilation; practically every server-side database does, and only a few file-based desktop databases do not.) If every place that accesses the database uses prepared statements, you do not have to worry about the incoming data; with ordinary concatenated statements you have to make painstaking checks for drop, ; and so on.
2. Regular expressions
2.1 Regular expression to check for SQL meta-characters: /(\%27)|(\')|(\-\-)|(\%23)|(#)/ix
2.2 Modified regular expression for SQL meta-characters: /((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i
2.3 Typical regular expression for SQL injection attacks: /\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix
2.4 Regular expression to check for the UNION keyword in SQL injection: /((\%27)|(\'))union/ix
(\%27)|(\') is the single quote and its hex equivalent; union is the UNION keyword.
2.5 Regular expression to detect MS SQL Server SQL injection attacks: /exec(\s|\+)+(s|x)p\w+/ix
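As an added example that is not part of the original post, the five rules above translated into Python regexes and run over a few constructed query strings. It also shows two caveats a practitioner should know: rule 2.4 misses a quote followed by a space before union, and a legitimate apostrophe such as O'Reilly fires rules 2.1 and 2.2.

```python
import re

# The page's rules 2.1 to 2.5 as Python regexes. Python's re.X would treat
# the "#" in rule 2.1 as a comment, so the /x flag is dropped (it only
# ignored whitespace anyway); re.I keeps the /i flag.
RULES = {
    "2.1": re.compile(r"(%27)|(')|(--)|(%23)|(#)", re.I),
    "2.2": re.compile(r"((%3D)|(=))[^\n]*((%27)|(')|(--)|(%3B)|(;))", re.I),
    "2.3": re.compile(r"\w*((%27)|('))((%6F)|o|(%4F))((%72)|r|(%52))", re.I),
    "2.4": re.compile(r"((%27)|('))union", re.I),
    "2.5": re.compile(r"exec(\s|\+)+(s|x)p\w+", re.I),
}

def detect(query_string):
    """Return the ids of the rules that fire on one raw query string."""
    return [rule_id for rule_id, rx in RULES.items() if rx.search(query_string)]

# Constructed request fragments, not taken from any real log.
SAMPLES = [
    "page=home",                 # clean input: no rule fires
    "name=%27or%201%3D1",        # URL-encoded quote followed by "or"
    "id=1'union select 1",       # quote directly followed by union: 2.4 fires
    "id=1' union select 1",      # same with a space: rule 2.4 misses it
    "q=exec sp_who",             # MS SQL stored-procedure call: 2.5 fires
    "name=O'Reilly",             # legitimate apostrophe: a false positive
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:28} -> {detect(s)}")
```

Run against real traffic, rules 2.1 and 2.2 alone would flag every apostrophe and every "=" followed by ";", so these patterns are better used as a logging or alerting signal than as a blocking filter.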
3. String filtering
    public static String filterContent(String content) {
        // keywords and characters to strip (the blacklist used here)
        String flt = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+|,";
        // split on a literal "|": split("|") would treat "|" as a regex alternation and split between every character
        String[] filter = flt.split("\\|");
        for (int i = 0; i < filter.length; i++) {
            // String.replace returns a new string, so the result must be assigned back
            content = content.replace(filter[i], "");
        }
        return content;
    }
4. Shielding unsafe characters
This part uses JavaScript to block the query, and it is of very limited value. Although this method can block keywords, those same SQL keywords may legitimately appear in real query input, so by the time you have blocked them the user can no longer use the application normally. The real fix is coding discipline: whenever variables take part in an executed SQL statement, use the PreparedStatement provided by JDBC (or by another data-persistence layer), and never build the statement by string concatenation.
Function description: checks whether the string contains "'", "\" or "/"
Parameter description: the string to be checked
Return value: 0 if one of these characters is present, 1 if not
The function is:
    function check(a)
    {
        // characters that are not allowed in the input
        var dn = new Array("'", "\\", "/");
        var i = dn.length;
        var j = a.length;
        for (var ii = 0; ii < i; ii++)
        {
            for (var jj = 0; jj < j; jj++)
            {
                var temp1 = a.charAt(jj);
                var temp2 = dn[ii];
                if (temp1 == temp2)
                {
                    return 0; // forbidden character found
                }
            }
        }
        return 1; // no forbidden character found
    }