Server security is the first consideration for a website. A server can be hardened against some security problems before the website goes live, so that it can defend against external and internal attacks. But some injection attacks against the website itself pass through your own program, and no firewall can do anything about them. I have recently studied this topic, but only injection attacks based on modifying URL parameters and form input; other methods are unknown to me.
I have provided two reference documents, and all of the SQL injection knowledge below comes from those two documents. I tried accessing a website using the method, and the results were quite successful.
What is injection attacks? completely blocking SQL injection tool Vulnerabilities
Cainiao also learns to find injection vulnerabilities without tools
If this kind of SQL injection occurs, the program must be using SQL string concatenation, and the user's form input or URL parameters are not being filtered.
There are basically two ways SQL statements get spliced together:
1. Splicing a number, e.g. SQL = "select * from table where id =" + input parameter
This case has the best precaution: you only need to verify that the input parameter is a number. If you skip that verification, the consequences are also the most serious. Even if you filter out single quotes or equal signs, and even if you filter SQL keywords, it does not help.
Without numeric verification, the SQL statement may become
select * from table where id=10 delete from table
This is serious. But suppose I have filtered out the keywords:
using System.Text.RegularExpressions;

public static string SafeSql(string str)
{
    if (string.IsNullOrEmpty(str))
    {
        str = "";
        return str;
    }
    else
    {
        // Strip single quotes (the original discarded the return value of Replace, so this never took effect)
        str = str.Replace("'", "");
    }
    // Case-insensitive keyword blacklist, applied once each in this order.
    // Note: "master." is a regex, so the dot matches any character.
    str = new Regex("exec", RegexOptions.IgnoreCase).Replace(str, "");
    str = new Regex("xp_cmdshell", RegexOptions.IgnoreCase).Replace(str, "");
    str = new Regex("select", RegexOptions.IgnoreCase).Replace(str, "");
    str = new Regex("insert", RegexOptions.IgnoreCase).Replace(str, "");
    str = new Regex("update", RegexOptions.IgnoreCase).Replace(str, "");
    str = new Regex("delete", RegexOptions.IgnoreCase).Replace(str, "");
    str = new Regex("drop", RegexOptions.IgnoreCase).Replace(str, "");
    str = new Regex("create", RegexOptions.IgnoreCase).Replace(str, "");
    str = new Regex("rename", RegexOptions.IgnoreCase).Replace(str, "");
    str = new Regex("truncate", RegexOptions.IgnoreCase).Replace(str, "");
    str = new Regex("alter", RegexOptions.IgnoreCase).Replace(str, "");
    str = new Regex("exists", RegexOptions.IgnoreCase).Replace(str, "");
    str = new Regex("master.", RegexOptions.IgnoreCase).Replace(str, "");
    str = new Regex("restore", RegexOptions.IgnoreCase).Replace(str, "");
    str = new Regex("=", RegexOptions.IgnoreCase).Replace(str, "");
    // These two run last, which is what lets "delandete" turn back into "delete"
    str = new Regex("or", RegexOptions.IgnoreCase).Replace(str, "");
    str = new Regex("and", RegexOptions.IgnoreCase).Replace(str, "");
    return str;
}
This method looks thorough, and it is case-insensitive. But what if my input parameter is 10 delandete from table?
Haha, the method is bypassed: because it filters out the "and" inside "delandete", the text becomes "delete" again.
But how does an attacker know the filtering order? The most common and useful method is simply to try; it does not take many attempts.
This trick also applies to the second method below.
2. Splicing with single quotes
SQL = "select * from table where name = '" + parameter + "' order by ID DESC"
SQL = "select * from table where name like '%" + parameter + "%'"
The input parameter is feng'delete from Table select 1 from table where 1 = '1
The single quote in the input closes the range of the previous single quote; then you add your own statements and splice them on.
For this kind of injection, to insert your own SQL statement you must add a single quote to close the range of the previous single quote, so it has its own weak point: you only need to filter out single quotes.
A more thorough way is to replace every single quote the user enters with two, so that the entered text has no execution environment; this feels safer.
SQL injection is this simple, yet it produces a very serious external environment, so we should have our own protective measures.
Suggestions:
Use SQL parameters instead of SQL concatenation wherever possible, because with SQL parameters the user's input is never given an execution environment.
Even so, you still need to validate and filter input parameters and URL parameters.
Also use custom error pages: some database details and website directory information are exposed through the default error page.
Disclaimer: the above suggestions apply only to injection attacks via URL parameters and user form input. Other methods remain to be studied.
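The three points above side by side, as an added example that is not from the original post: a Python port of the SafeSql blacklist (showing the "delandete" ordering bypass), the numeric check for the id case, and the page's own quote-splicing input run against concatenation, quote doubling and a bound parameter. It uses sqlite3 instead of the post's C#, and the table t with its two rows is a constructed assumption.

```python
import re
import sqlite3

# Port of the page's C# SafeSql blacklist, same keyword order ("master." is a
# regex, so its dot matches any character, exactly as in the original).
BLACKLIST = ["exec", "xp_cmdshell", "select", "insert", "update", "delete", "drop",
             "create", "rename", "truncate", "alter", "exists", "master.", "restore",
             "=", "or", "and"]

def blacklist_filter(s: str) -> str:
    s = s.replace("'", "")
    for word in BLACKLIST:
        s = re.sub(word, "", s, flags=re.IGNORECASE)  # one pass per keyword, no re-scan
    return s

def parse_id(raw: str):
    """Numeric check for `where id = <input>`: the int, or None for anything but digits."""
    return int(raw) if re.fullmatch(r"\d+", raw) else None

def make_db() -> sqlite3.Connection:
    # constructed sample table; name and rows are assumptions
    conn = sqlite3.connect(":memory:")
    conn.execute("create table t (id integer, name text)")
    conn.executemany("insert into t values (?, ?)", [(1, "feng"), (2, "li")])
    return conn

# the page's input for the single-quote splicing case
PAGE_INPUT = "feng' delete from Table select 1 from table where 1 = '1"

def find_by_name_concat(conn, name):
    # splicing, as in SQL = "select * from table where name = '" + parameter + "'"
    sql = "select id, name from t where name = '" + name + "'"
    try:
        return {"sql": sql, "rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # the quote in the input closed the literal; the rest was parsed as SQL
        return {"sql": sql, "rows": None, "error": str(exc)}

def find_by_name_param(conn, name):
    # bound parameter: the input is data and never reaches the parser as SQL
    return conn.execute("select id, name from t where name = ?", (name,)).fetchall()

def find_by_name_escaped(conn, name):
    # the page's fallback: double every single quote before splicing
    sql = "select id, name from t where name = '" + name.replace("'", "''") + "'"
    return conn.execute(sql).fetchall()
```

With PAGE_INPUT the concatenated statement no longer means "look up a name" (sqlite rejects it), while the parameterized and quote-doubled versions simply find no row with that literal name.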