My understanding of SQL Injection

1. What is SQL injection?

SQL injection is to insert SQL commands into web forms to submit or input query strings for domain names or page requests, and finally fool the server to execute malicious SQL commands.

2. Principles of SQL injection attacks.

SQL injection is a common attack method against databases. In this attack mode, attackers can insert malicious code into strings. The string is then transmitted to the instance of the sqlserver database for analysis and execution through various means. As long as the malicious code complies with the rules of the SQL statement, it will not be discovered by the system during code compilation and execution.

 

3. Main forms of SQL injection attacks

First, the code is directly inserted into the user input variables that are connected to the SQL command and executed. Because it is directly bundled with SQL statements, it is also called the direct injection attack method.

The second is an indirect attack method, which injects malicious code into a table or serves as a string for storing the original data. The stored string is connected to a dynamic SQL command to execute malicious SQL code.

The injection process works by terminating the text string in advance and then appending a new command. Take direct injection attacks as an example. When you enter a variable, use a semicolon to end the current statement. Then insert a malicious SQL statement. Because the inserted command may append other strings before execution, attackers often use annotations to mark "-" to terminate the injected strings. During execution, the system considers the subsequent statement bit comments, so the subsequent text will be ignored and compilation and execution will not be carried back.

 

4. When is the most vulnerable to injection attacks?

When an application uses the input content to construct a dynamic SQL statement to access the database, an SQL injection attack occurs. If the Code uses stored procedures, which are passed as strings containing unfiltered user input, SQL Injection also occurs. SQL injection may cause attackers to log on to the database and execute commands. You can use the test tool pangolin for related SQL injection. This problem can become very serious if applications connect to the database using a privileged account. In some forms, the content entered by users is directly used to construct dynamic SQL commands or as input parameters of stored procedures. These forms are particularly vulnerable to SQL injection attacks. Many website programs do not judge the legality of user input or improperly process the variables in the program, which causes security risks to the application. In this way, the user can submit a piece of database query code and obtain sensitive information or control the entire server based on the results returned by the program, so SQL Injection occurs.

 

5. How to Prevent SQL Injection

1. Never trust users' input. Validate user input. You can use regular expressions or limit the length.

Double "-" for conversion.

2. Never use dynamic assembled SQL statements. You can use parameterized SQL statements or directly use stored procedures for data query and access.

3. Never use a database connection with administrator permissions. Use a database connection with limited permissions for each application.

4. Do not store confidential information directly

5. The application exception information should be given as few prompts as possible. It is best to use custom error information to wrap the original error information.

6. the SQL Injection detection method generally uses auxiliary software or website platform for testing. The software generally uses the SQL Injection detection tool jsky, and the website platform has the Yis website security platform detection tool. Mdcsoftscan.

 

6. General steps of SQL Injection

1. Determine the environment, find injection points, and determine the Database Type

2. According to the injection parameter type, the original appearance of the SQL statement is reconstructed in mind. There are three types of parameters:

(A) id = 1. The injection parameters are numeric. The SQL statements are roughly as follows:

Select * from table name where field = 1

The injected parameter is id = 1 and [query condition], that is, the generated statement:

Select * from table name where field = 1 and [query condition]

(B) Class = the injection parameters are generic. The SQL statements are roughly as follows:

Select * from table name where field = 'Everybody'

The injected parameter is class = everybody and [query condition] And ''= ', that is, the generated statement: select * from table name where field = 'Everybody 'and [query condition] And ''='' copy;

If no filter parameter is found, for example, keyword = keyword, the SQL statement is roughly as follows: Select * from table name where field like '% keyword %'

The injected parameter is keyword = 'and [query condition] And' % 25' = ', which is the generated statement: select * from table name where field like '%' and [query condition] And '%' = '%'

3. Replace the query condition with an SQL statement to guess the table name. For example:

Id = 1 and (select count (*) from Admin)> = 0

If the page is the same as ID = 1, the additional conditions are true, that is, the table admin exists, and vice versa. This loop ends until the table name is guessed.

After the table name is guessed, replace count (*) with Count (field name) and use the same principle to guess the field name.

4. After the table name and column name are successfully guessed, use the SQL statement to obtain the field value.

 

Speaking of this, we must have a clear understanding of the importance of SQL injection. As the saying goes, the heart of the victim cannot be possessed, and the heart of the victim cannot be possessed! The Application of SQL Injection in software helps us solve these unnecessary troubles! Do not leave any opportunities for others!