Simple SQL Injection Vulnerability Analysis

Source: Internet
Author: User
Tags: simple sql injection


Nowadays almost everyone uses SQL injection during an intrusion, but how many people know why such an injection vulnerability exists at all? Some will say offhand that the character filtering is lax. But is that the whole story? To understand it we must know not only what it is but why it is. Only by linking theory with practice can we improve our skills.


SQL injection concerns databases, which programs use in practice to manage large amounts of data. A database lets a program store and organize all of its data in one place, so that querying and updating are convenient. When a user works with such a program, the program queries the database and reports the results back to the user in a fixed format; at the same time the user submits information to the program through an interactive dialog, and the program queries the database for what the user asked for and returns it.

Let's look at a piece of code for a typical database operation:

string strKeyword = Request["keyword"];   // search term taken from the request, unvalidated
string sqlQuery = "SELECT * FROM Articles WHERE Keywords LIKE '%" + strKeyword + "%'";   // user input concatenated straight into the SQL text

The purpose of this code is to search the articles stored in the program's database for the keyword the user submitted and return every article that contains it. Suppose the user submits "hack": that value arrives in the keyword request parameter, is assigned to the strKeyword variable, and is placed into the query string, which becomes: SELECT * FROM Articles WHERE Keywords LIKE '%hack%'. This selects from the Articles table every article whose Keywords contain "hack". Note that "hack" is supplied by the user, who can therefore replace it with anything at all, for instance: hack'; drop table Articles;--

Now let's see how the program processes this external data. The query string becomes: SELECT * FROM Articles WHERE Keywords LIKE '%hack'; drop table Articles;--%'. We know that DROP TABLE deletes the named table from the database, so the meaning of the statement has changed: the semicolon splits it into two parts. The first part still selects all articles containing the keyword "hack". But then...

Because the program uses Microsoft SQL Server, which executes a batch of several statements separated by semicolons one after another, "drop table Articles;--" is a perfectly legal second statement. The "--" sequence is the SQL Server comment marker: everything after it on the line (here the original trailing %') is ignored rather than executed. So when the query runs, a second command runs with it and deletes the Articles table.

In this way an attacker who controls a variable that the program inserts into its database statements can make the database execute statements of the attacker's choosing: to read useful information, to cause damage, or even to reach the underlying system. This is what is called a "SQL injection vulnerability".

A SQL injection vulnerability is exploited entirely with SQL: purpose-built SQL fragments are supplied through key variables and end up inside the program's normal database statements. Once a program has such a vulnerability, a whole series of security risks follows.

SQL injection is not specific to any language. Whatever language a program is written in, as long as it operates on a database it may have SQL injection vulnerabilities. Sometimes the programming language or the environment makes the common methods hard to apply, but a way in can always be found.

The following uses website programs as an example of where SQL injection vulnerabilities are most common and most dangerous.

We all know that for a website the database holds practically all of the site's information, and the web application runs entirely on that data. The most important part of a website program is checking the validity of the user, that is, whether the visitor is a registered user. You are asked for a user name and password, the database is queried with what you entered to see whether the user exists and whether the password matches; if it matches you are accepted as a valid user, otherwise an error is returned. Let's look at the user authentication code that often appears in forum programs:

(1) admin1 = Trim(Request("name"))
(2) password1 = Trim(Request("password"))
(3) Set rs = Server.CreateObject("ADODB.Recordset")
(4) SQL = "select * from userlogin where name='" & admin1 & "' and password='" & password1 & "'"   ' user input concatenated straight into the query
(5) rs.Open SQL, conn, 1, 1
(6) If rs.EOF And rs.BOF Then
(7)   Response.Write "<SCRIPT language=JavaScript>alert('user name or password is incorrect!')"
(8)   Response.Write "javascript:history.go(-1)</SCRIPT>"
(9)   Response.End
(10) Else
(11)   Session("name") = rs("name")
(12)   Session("password") = rs("password")
(13)   Response.Redirect("default.asp")
(14) End If

Lines 1 and 2 obtain the user name and password from the Request object; line 3 creates a recordset object for the database operation; line 4 builds a query against the userlogin table with the user name and password as its conditions. Lines 5 to 14 act on the query result: either a warning window is shown or the browser is redirected.

Suppose the database contains a user guest with the password 123456. When that user logs in, line 4 of the authentication code becomes: SQL = "select * from userlogin where name='guest' and password='123456'", a legitimate query that returns the user's row, so the user logs in normally. With a wrong name or password no row is returned and login fails.

This looks like strict authentication code, but is it really?

Now submit ' or 1='1 as the user name, and the same string as the password. This too becomes a valid user. Why?

After the form is submitted, the code reads the user name ' or 1='1 and the password ' or 1='1 from the Request object and drops them straight into the query on line 4, which becomes: SQL = "select * from userlogin where name='' or 1='1' and password='' or 1='1'". Look first at 1='1': it is always true (if you say false, go back to elementary school and learn arithmetic). Note the "or" in front of it, which turns 1='1' into one alternative of the WHERE condition. Since AND binds more tightly than OR, the trailing "or 1='1'" makes the whole condition true for every row, regardless of whether the user name and password are correct. So the seemingly strict user check is bypassed and the permissions of a legitimate user are obtained.
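As an added Python demonstration that is not part of the original article, the following block puts the concatenated login query from line (4) beside its parameterized replacement and runs both against an in-memory SQLite table holding the constructed guest/123456 row; it serves the keyword-search example at the top of the article as well, since that is the same concatenation defect. One assumption: the tautology is written '1'='1' because SQLite, unlike the SQL Server the article describes, does not compare the integer 1 and the text '1' as equal.

```python
import sqlite3

# Constructed sample rows: the article's example user plus one placeholder account.
USERS = [("guest", "123456"), ("admin", "placeholder-password")]

# Same idea as the article's ' or 1='1, spelled with quotes so SQLite evaluates it as true.
BYPASS = "' or '1'='1"


def _connect():
    """Fresh in-memory database with the userlogin table from the ASP example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userlogin (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO userlogin VALUES (?, ?)", USERS)
    return conn


def login_concat(name, password):
    """Mirrors line (4): request values are pasted into the SQL text.
    Anything the user types is parsed as part of the statement."""
    conn = _connect()
    sql = ("select * from userlogin where name='" + name
           + "' and password='" + password + "'")
    rows = conn.execute(sql).fetchall()
    conn.close()
    return len(rows) > 0


def login_parameterized(name, password):
    """Hardened form: placeholders keep the input as data, so the quote and
    the OR never reach the SQL parser and the tautology cannot be formed."""
    conn = _connect()
    sql = "select * from userlogin where name=? and password=?"
    rows = conn.execute(sql, (name, password)).fetchall()
    conn.close()
    return len(rows) > 0


if __name__ == "__main__":
    print("guest/123456, concatenated  :", login_concat("guest", "123456"))
    print("bypass string, concatenated :", login_concat(BYPASS, BYPASS))
    print("bypass string, parameterized:", login_parameterized(BYPASS, BYPASS))
```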


Many software programs, like website programs, have a user login mechanism. If the login code has a SQL injection vulnerability like the one above, the login function is virtually meaningless.


From shoushou's blog
