Practice effective website mining SQL injection (2)

Source: Internet
Author: User

My sister-in-law "practice effective website anti-SQL injection (I)" talked with you about the golden method to prevent SQL injection. We started with development and solved the problem at two levels, I think if you can follow the steps described, you should be able to achieve good defensive effects. However, we said that without 100% of the security, minor changes or upgrades to the website's functions may have a global impact, that is why some websites of the eesafe website security alliance still have Injection Vulnerabilities. How can we keep an eye on the security issues of websites? This requires us to explore and understand how to discover website vulnerabilities such as SQL injection.

No matter what architecture your website uses, php + mysql, jsp + oracle, and so on, the actual injection mining steps are basically unified, with great similarity. I will briefly introduce the basic methods for eesafe to help websites mine injection.

1. Judge the script system (that is, the website uses asp, php, jsp, etc ).

2. Detect injection points and scan Injection Vulnerabilities (select an appropriate scan injection method based on different script systems ).

3. Judgment of special injection points (sometimes the script system of the injection point filters out some special characters. In this case, a transfer injection judgment test is required ).

4. Determine the database type. (Determine whether the database is MSSQL, MYSQL, or ORACLE based on the database system variables and system tables)

5. Determine the table structure in the database (determine the database name, database table name, table field name, and table data ).

6. Determine the field structure in the database table (use the guessing or reading Method to Determine the field structure in the table)

7. Construct an injection statement for injection (construct a specific injection statement to obtain important data, such as attempting an administrator account or password)

These six steps are the general steps of exploration, which may vary slightly in actual operations. Finally, the injection site that passes six verifications is provided to the website requesting help for fixing the injection vulnerability. You can apply the mining injection process we use to your website for a comprehensive SQL Injection exploration. Of course, you can also use the online detection tool provided by the eesafe website security alliance. I hope this article and the previous article "effective website anti-SQL injection (I)" will help you.

From: EeSafe Website Security Alliance

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.