Author: Lao Wang
When writing code, programmers should pay attention to TDD (test-driven development): Before implementing a function, they will first write a test case and then write the code to make it run through. In fact, when the hacker SQL Injection, it is also a TDD process: they will first try to let the program report an error, and then modify the parameter content at, when the program runs successfully again, the injection is successful.
Attack:
Suppose your program has a script similar to the following content:
$ SQL = "SELECT id, title, content FROM articles WHERE id = {$ _ GET ['id']}";
The URL for normal access is as follows:
/Articles. php? Id = 123
When a hacker wants to determine whether the SQL Injection vulnerability exists, the most common method is to add a single quotation mark after the integer ID:
/Articles. php? Id = 123'
Because the $ _ GET ['id'] parameter is not filtered, an error is inevitable, which may be similar to the following information:
Supplied argument is not a valid MySQL result resource in...
This information is enough to indicate that the script has a vulnerability. We can try again:
/Articles. php? Id = 0 union select 1, 2, 3
The reason for select, 3 is that union requires the same number of fields on both sides. The first is the id, title, and content fields, and the second, second, and third are also three fields. Therefore, no syntax error is reported, in addition, if id = 0 is set to a non-existent reCord, the query result is 1, 2, 3, which is displayed on the webpage. 1 is displayed for the original id, 2 is displayed for the title and 3 is displayed for the content.
For more information about how to continue using the service, see the settings of magic_quotes_gpc:
When magic_quotes_gpc is off:
/Articles. php? Id = 0 union select 1, 2, load_file ('/etc/passwd ')
In this way, the content of the/etc/passwd file is displayed in the original content.
When magic_quotes_gpc is on:
In this case, if load_file ('/etc/passwd') is used directly, it will be invalid because the single quotation marks are escaped, but there are other methods:
/Articles. php? Id = 0 union select 1, 2, load_file (char (47,101,116, 115,115,119,100 ))
The number is the ASCII of the/etc/passwd string: each character in the string cyclically outputs ord (...)
In addition, you can also use the hexadecimal string: each character in the string cyclically outputs dechex (ord (...))
/Articles. php? Id = 0 union select 1, 2, load_file (0x2f6574632f706173737764)
Here, we only talk about several attack methods of numeric parameters, which are at the tip of the iceberg. For attack methods such as string parameters, refer to the link below.
Defense:
Some software similar to SQL Injection Firewall is available on the network, such as GreenSQL. If the website has already been attacked by SQL Injection, using such a shortcut will often save your life, however, such software is a Proxy role in the architecture, most of which will affect the website's concurrent performance. Therefore, it is best to carefully decide whether to choose or not based on objective conditions. In many cases, professional software is not necessary, and there are many lightweight solutions. The following shows how to use awk to detect possible vulnerabilities.
Create the detect_ SQL _injection.awk script with the following content (do not include the row number if you want to copy the content ):
This script can match the following problematic code, and it is easy to extend the matching mode, as long as you write the if match statement as you like.
Do not forget to use chmod + x detect_ SQL _injection.awk before using it. There are two call methods:
The problematic code is displayed as follows:
There are many methods to apply this script in the real environment, such as regular scanning of program source files through CRON or automatic matching by using the Hook method when submitting SVN.
The use of professional tools or detection scripts is passive defense. The root cause of the problem is always the necessity of security awareness in the programmer's mind. Below are some rules that must be kept in mind:
1: numeric parameters are forcibly filtered using methods like intval and floatval.
2: String parameters are forcibly filtered using methods like mysql_real_escape_string, rather than simple addslashes.
3: it is best to discard the splicing SQL query method like mysql_query and try to use the PDO prepare binding method.
4: Use rewrite technology to hide information about real scripts and parameters, and use rewrite regular expressions to filter suspicious parameters.
5. Disable the error message and do not provide the attacker with sensitive information: display_errors = off.
6. log errors: log_errors = on and error_log = filename, which should be checked regularly.
7: Do not use an account with FILE permissions (such as root) to connect to MySQL. This shields dangerous functions such as load_file.
8 :......
In fact, website security is not complicated. In summary, it is a sentence: filter input and escape output. Among them, the SQL Injection we have discussed above is a question of filtering input. As for escape output, it stands for Cross-site scripting, but it does not fall into the scope of this article, for more information, see XSS (Cross Site Scripting) Cheat Sheet.
Documentation:
Addslashes () Versus mysql_real_escape_string ()
SQL Injection with MySQL
Advanced SQL Injection with MySQL
Research on exporting field content in MySQL injection-exporting WebShell through injection