HP+MYSQL website SQL injection offense, mysqlinjection_php tutorial

HP+MYSQL website SQL injection Offensive and defensive, mysqlinjection

Webjxcom Tip: Programmers write code with TDD (test-driven development): Before a function is implemented, a test case is written before the code is written to run it through. In fact, when the hacker SQL injection, is also a TDD process: they will first try to let the program error, and then the 1.1-point correction parameter content, when the program again run successfully, the injection will be followed by

Programmers pay attention to TDD when writing code (test-driven development): Before a function is implemented, a test case is written before the code is written to run it through. In fact, when the hacker SQL injection, is also a TDD process: they will first try to let the program error, and then the 1.1-point correction parameter content, when the program again run successfully, the injection will be successful.

Attack:

Suppose you have a script in your program that resembles the following:

$sql = "SELECT ID, title, content from articles WHERE id = {$_get[' id ']}";

The URL for normal access is as follows:

/articles.php?id=123

When hackers want to determine if there is a SQL injection vulnerability, the most common way is to add a single quotation mark after the Shaping ID:

/articles.php?id=123 "

Since we do not filter the $_get[' id ' parameter, it will inevitably result in an error, which may be similar to the following information:

supplied argument is not a valid MySQL result resource in ...

This information is enough to explain the script is flawed, we can play a little bit more:

/articles.php?id=0 Union Select-A-

The reason why select is because the Union requires the number of fields on both sides of the same, the front is id,title,content three fields, followed by three, so the syntax error is not reported, and the setting id=0 is a nonexistent record, then the result of the query is 1, 2, 3, reflected on the Web page, the original display ID of the place will display 1, the display title of the place will display 2, the display content of the place will show 3.

As for how to continue to use, but also to see the MAGIC_QUOTES_GPC settings:

When MAGIC_QUOTES_GPC is off：

/articles.php?id=0 Union Select 1,2,load_file ('/etc/passwd ')

As a result, the contents of the/etc/passwd file are displayed where the content is originally displayed.

when MAGIC_QUOTES_GPC is on：

If you use Load_file directly ('/etc/passwd ') then it is invalid because the single quotes are escaped, but there are ways to:

/articles.php?id=0 Union Select 1,2,load_file (char (47,101,116,99,47,112,97,115,115,119,100))

The number is the ASCII of the/etc/passwd string: the string each character loops out of Ord (...)

In addition to this thought, you can also use the string 16 binary: string each character loop output Dechex (Ord (...))

/articles.php?id=0 Union Select 1,2,load_file (0x2f6574632f706173737764)

Here are just a few of the digital parameters of the attack, belonging to the tip of the iceberg, string-type parameters such as attack means to look at the following document links.

Defense:

There are some software like SQL injection firewall available on the network, such as Greensql, if the Web site has begun to suffer from SQL injection attacks, then using such a shortcut will often save your life, However, such software in the framework of the role of a proxy, most likely to affect the site concurrency performance, so in the choice of whether or not it is best to consider the objective conditions to carefully decide. Many times professional software is not required, there are many lightweight solutions, and the following shows how to use awk to detect possible vulnerabilities.

Create a Detect_sql_injection.awk script that reads as follows (remember not to include line numbers if you want to copy the contents):

#!/bin/gawk-f
02
/\$_ (get| Post| cookie| REQUEST) \s*\[/{
IGNORECASE = 1
if (Match ($/\$.* (sql|query)/)) {
IGNORECASE = 0
Output ()
Next
09}
10}
11
function output ()
13 {
14 $ = $
Print "CRUD:" $ "\nfile:" FILENAME "\nline:" FNR "\ n"
16}

This script can match the problem code similar to the following, it is easy to extend the matching pattern, as long as the tiger write if match statement.

1: $sql = "SELECT * from users WHERE username = ' {$_post[" ' username "}";
2: $res = mysql_query ("SELECT * from users WHERE username = ' {$_post[' username ']}");

Don't forget to chmod +x Detect_sql_injection.awk before use, there are two ways to call it:

1:./detect_sql_injection.awk/path/to/php/script/file
2:find/path/to/php/script/directory-name "*.php" | Xargs./detect_sql_injection.awk

will display the problematic code information, like this:

CRUD: $sql = "SELECT * from users WHERE username = ' {$_post[' ' username ']}";
FILE:/path/to/file.php
Line:123

There are many ways to apply this script in the real world, such as periodically scanning the program source files via cron, or automatically matching the hooks method when SVN commits.

The use of professional tools, testing scripts are also a passive defense, the root of the problem always depends on the programmer's mind whether there is a need for security awareness, the following are some of the rules must be kept in mind:

1: Digital parameters force filtering using a method like Intval,floatval.
2: String arguments use a method like mysql_real_escape_string to force filtering instead of a simple addslashes.
3: It is best to discard mysql_query such as splicing SQL query, as far as possible to use PDO prepare binding method.
4: Using rewrite technology to hide real scripts and parameters of information, through the rewrite regular can also filter suspicious parameters.
5: Turn off the error prompt without providing sensitive information to the attacker: Display_errors=off.
6: Log the error message: Log_errors=on and Error_log=filename, periodic troubleshooting, web logs best also check.
7: Do not connect MySQL with a file-privileged account (such as root), which masks dangerous functions such as load_file.
8: ...

Web site security is not complex, summed up is a sentence: filter input, escape output. Among them, we have been discussing the SQL injection problem is the filter input problem, as for the escape output problem, its representative is Cross-site scripting, but it does not belong to the scope of this article, not much to say.

Document:

Addslashes () Versus mysql_real_escape_string ()
SQL Injection with MySQL
Advanced SQL Injection with MySQL
Research on the content of exported fields in MySQL injection--exporting Webshell by injection

Reprinted from: http://www.aspnetjia.com/Cont-328.html

http://www.bkjia.com/PHPjc/1101618.html www.bkjia.com true http://www.bkjia.com/PHPjc/1101618.html techarticle hp+mysql website SQL injection Offensive and defensive, mysqlinjection webjxcom tip: Programmers write code when they pay attention to TDD (test-driven development): Before implementing a function, will write a test first ...

