Test SQL anti-injection script

Source: Internet
Author: User
Tags: sql injection script

Writer: demonalex [at] dark2s [dot] org

Recently, some customers have asked me how to defend against SQL injection.
Case A: modify the code? Too 'hard', and it requires some technical skill...
Case B: buy an additional 'application-layer firewall' product? Relatively 'soft', but how do we solve the cost problem???
At present, anti-injection scripts circulating on the Internet are used to solve this problem. Admittedly their technical content is not high (the technical work has already been done for you by the product's security developers...), and they are also open-source/free.

To put it bluntly, let's test one for the customer first. I searched for common anti-injection scripts (this test targets the most popular combination, ASP + Access) and finally settled on the SQL universal anti-injection system 3.0 (ASP) developed by neeao. I built a deliberately defective script (a modified version of the ASP + Access script of E-style studio's full-site program E.0):
A. Delete the following content from shownews.asp (this adds a GET SQL injection defect):
If Not isInteger(request.querystring("news_id")) Then
    founderr = True
    errmsg = errmsg + "<br>" + "<li>Invalid news_id parameter."
End If
B. In lib/admin_body.asp, replace (this adds a POST SQL injection defect):
adminname = trim(replace(request("adminname"), "'", ""))
adminpwd = trim(replace(request("adminpwd"), "'", ""))
with
adminname = trim(request("adminname"))
adminpwd = trim(request("adminpwd"))

Then download the anti-injection script, SQL universal anti-injection system 3.0 (ASP):
(http://www.neeao.com/blog/attachments/200504/25_215025_neeao.rar)
After decompressing the archive there are four files. Besides the description file neeao.txt, the core is the filter engine Neeao_SqlIn.Asp, the management script Neeao_SQL_admin.asp, and the database SqlIn.mdb that stores the filter logs/data.

First, let's look at the GET side in shownews.asp. Once the 'non-integer parameter' check has been removed, shownews.asp calls the custom function rcount directly. Its content is as follows:
Function rcount()
    OPENnews
    Set rscount = conn.execute("select * from news")
    sql = "UPDATE news SET news_count = news_count + 1 where news_id=" & request.querystring("news_id")
    conn.execute(sql)
    rscount.close
    Set rscount = Nothing
End Function
We can see that it reads the news_id field directly from GET. Request it directly with:
http://127.0.0.1/shownews.asp?news_id=1%20and%201=1
http://127.0.0.1/shownews.asp?news_id=1%20and%201=2
Now add the SQL universal anti-injection system: simply add the following line to the include segment of shownews.asp:
<!--#include file="Neeao_SqlIn.Asp"-->
Refresh and try again. Let's look at the GET filter part of Neeao_SqlIn.Asp:
If Request.QueryString <> "" Then
    For Each Fy_Get In Request.QueryString
        For Fy_Xh = 0 To Ubound(Fy_Inf)
            If Instr(LCase(Request.QueryString(Fy_Get)), Fy_Inf(Fy_Xh)) <> 0 Then
                If WriteSql = True Then
                    KillSqlconn.execute("insert into SqlIn(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('" & Request.ServerVariables("REMOTE_ADDR") & "','" & Request.ServerVariables("URL") & "','GET','" & Fy_Get & "','" & replace(Request.QueryString(Fy_Get), "'", "''") & "')")
                    KillSqlconn.close
                    Set KillSqlconn = Nothing
                End If
                Response.Write "<Script Language=JavaScript>alert('Illegal operation! http://www.wrsky.com System version: V3.0(ASP) By: Neeao');</Script>"
                Response.Write "Illegal operation! The system has made the following record:<br>"
                Response.Write "Operation IP: " & Request.ServerVariables("REMOTE_ADDR") & "<br>"
                Response.Write "Operation time: " & Now & "<br>"
                Response.Write "Operation page: " & Request.ServerVariables("URL") & "<br>"
                Response.Write "Submission method: GET<br>"
                Response.Write "Submitted parameter: " & Fy_Get & "<br>"
                Response.Write "Submitted data: " & Request.QueryString(Fy_Get)
                Response.End
            End If
        Next
    Next
End If
The script works as follows. It first checks whether the currently loaded page received any GET data. If so, each received field name is placed in turn into the variable Fy_Get, and an inner loop runs with the counter Fy_Xh from 0 up to the upper bound of the filter array Fy_Inf. The last step is identification/filtering: the GET value is lowercased with LCase, and Instr searches it for each element of Fy_Inf. If a match is found (Instr returns a value other than 0), the record is first written to the filter database SqlIn.mdb and then the prompt/warning information is output on the page.

So what is the purpose of the database the anti-injection script maintains? The last section of the filter engine Neeao_SqlIn.Asp checks, whenever any page that loads the engine is browsed, whether the visitor's IP address already exists in the data. If it does, the system outputs a warning:
Dim Sqlin_IP, rsKill_IP, Kill_IPsql
Sqlin_IP = Request.ServerVariables("REMOTE_ADDR")
Kill_IPsql = "select Sqlin_IP from SqlIn where Sqlin_IP='" & Sqlin_IP & "' and kill_ip=true"
Set rsKill_IP = KillSqlconn.execute(Kill_IPsql)
If Not (rsKill_IP.eof Or rsKill_IP.bof) Then
    Response.Write "<Script Language=JavaScript>alert('You are not allowed to access this site, contact the administrator! http://www.wrsky.com System version: V3.0(ASP) By: Neeao');</Script>"
    Response.End
End If
rsKill_IP.close
If you find that you can no longer log on, your IP is already on the 'blacklist'; add or change your proxy to keep browsing.
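To make the two mechanisms just shown concrete (the LCase/Instr keyword scan over GET parameters, and the per-IP kill_ip lookup that runs on every page), here is a small Python model of them. This is an added example, not code from the article or from Neeao's package. The keyword list FY_INF is constructed for the example, because the article never shows the real contents of the Fy_Inf array; the example also sets kill_ip on every logged row, which is an assumption, since the page only shows the engine checking that flag, not who sets it. The sample traffic is constructed and includes the article's own news_id probe.

```python
from urllib.parse import parse_qsl

# Constructed stand-in for Neeao's Fy_Inf array (lowercase, since the engine
# compares against LCase()'d input). The real list is not on the page.
FY_INF = ["'", ";", "and", "exec", "insert", "select", "delete", "update",
          "count", "*", "%", "chr", "mid", "master", "truncate", "char", "declare"]


def scan_querystring(query, remote_addr, url, blacklist=FY_INF):
    """Replay of the GET branch: for each parameter, lowercase the value
    (LCase) and test every blacklist entry as a substring (Instr <> 0).
    Returns the SqlIn log row the engine would insert for the first hit,
    or None when nothing matched (the request is allowed through)."""
    for name, value in parse_qsl(query, keep_blank_values=True):
        lowered = value.lower()
        for word in blacklist:
            if word in lowered:
                return {"Sqlin_IP": remote_addr, "SqlIn_Web": url,
                        "SqlIn_FS": "GET", "SqlIn_CS": name,
                        "SqlIn_SJ": value,
                        "kill_ip": True,      # assumption: flagged on insert
                        "matched": word}
    return None


def is_blacklisted_ip(sqlin_rows, remote_addr):
    """Replay of the engine's last section: deny the visitor when any stored
    row for this REMOTE_ADDR carries kill_ip = true."""
    return any(r["Sqlin_IP"] == remote_addr and r["kill_ip"] for r in sqlin_rows)


def simulate(requests, blacklist=FY_INF):
    """Run (ip, url, query) triples through the filter with a shared in-memory
    SqlIn table, in order. Returns one outcome string per request."""
    sqlin = []
    outcomes = []
    for ip, url, query in requests:
        if is_blacklisted_ip(sqlin, ip):
            outcomes.append("denied: ip blacklisted")
            continue
        hit = scan_querystring(query, ip, url, blacklist)
        if hit:
            sqlin.append(hit)
            outcomes.append(f"blocked: {hit['SqlIn_CS']} matched {hit['matched']!r}")
        else:
            outcomes.append("allowed")
    return outcomes


# Constructed sample traffic: the article's probe, a normal follow-up request
# from the same address, then an innocent search whose value happens to
# contain a blacklisted word, and a normal request from that second address.
SAMPLE = [
    ("10.0.0.5", "/shownews.asp", "news_id=1%20and%201=1"),
    ("10.0.0.5", "/shownews.asp", "news_id=2"),
    ("10.0.0.9", "/search.asp", "keyword=handbook"),
    ("10.0.0.9", "/shownews.asp", "news_id=3"),
]

if __name__ == "__main__":
    for (ip, url, q), out in zip(SAMPLE, simulate(SAMPLE)):
        print(f"{ip} {url}?{q} -> {out}")
```

Two things the run makes visible that the article's description does not: a substring match on "and" also fires on an ordinary value such as "handbook", and because the IP check runs on every page, that one false positive then locks the visitor out of everything that includes the engine. Both are inherent to keyword blacklisting and are worth weighing before deploying such a script in front of a real site.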

Now let's see how POST is handled. First, check the defect by browsing:
http://127.0.0.1/admin.asp
The account and password entered are both:
'or''='
Logging in directly works (this confirms the defect exists). When I started the test, I placed:
<!--#include file="Neeao_SqlIn.Asp"-->
at the end of admin.asp. The result: the alert information is displayed and the blacklist entry is recorded, yet after the injection you can still browse the page directly. What is going on??? Let's look more closely. It is actually related to the script structure. Here is the modified admin.asp:
<!--#include file="config.asp"-->
<!--#include file="conn.asp"-->
<!--#include file="error.asp"-->
<!--#include file="lib/nav.asp"-->
<!--#include file="lib/incjs.asp"-->
<!--#include file="lib/adminmenu.asp"-->
<!--#include file="lib/admin_body.asp"-->
<!--#include file="lib/adminfoot.asp"-->
<title><%=webname%> - Admin logon</title>
<%
Dim founderr, errmsg
founderr = False
errmsg = ""
Call admin_nav()
Call admin_body()
Call adminendpage()
%>
<!--#include file="Neeao_SqlIn.Asp"-->
Let's analyze the login process. The login part of admin.asp is nested in lib/admin_body.asp, and the login form is:
<form name="form1" method="post" action="admin.asp?action=adminlogin">
<tr>
<td height="24" align="center" background="images/bg3.gif" class="diaryhead">
<font color="#333333">Administrator logon (if you are not an administrator, do not log on)</font></td>
</tr>
<tr>
<td bgcolor="#F5F5F5" class="chinese" align="center">User name
<input type="text" name="adminname" class="textarea" size="20">
&nbsp;Password
<input type="password" name="adminpwd" class="textarea" size="20">
&nbsp;
<input type="submit" name="Submit" value="Logon" class="button">
</td>
</tr>
</form>
Once the data is POSTed to admin.asp, admin.asp runs the admin_body() function in lib/admin_body.asp to perform the authentication query. Therefore a standard GET authentication bypass (entering 'or''=') is:
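Since the test above shows the filter firing only after admin_body() has already executed the query, the article's Case A (modifying the code) is what actually closes the two defects introduced at the start. The following Python example, added here and not part of the article, of the E-style program or of Neeao's package, shows the hardened form of rcount (the isInteger check restored, and the value bound instead of concatenated) and of the admin_body() check beside the vulnerable string-concatenated login. It uses an in-memory SQLite database with constructed rows as a stand-in for the Access file; the table and column names news, news_id, news_count, adminname and adminpwd follow the article, while the admin table name, the sample credentials and plain-text password storage are assumptions made to keep the example short.

```python
import sqlite3


def open_db():
    """Constructed in-memory stand-in for the site's Access database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table news (news_id integer primary key, news_count integer)")
    conn.execute("create table admin (adminname text, adminpwd text)")  # assumed table
    conn.executemany("insert into news values (?, ?)", [(1, 0), (2, 0)])
    conn.execute("insert into admin values (?, ?)", ("admin", "constructed-secret"))
    conn.commit()
    return conn


def is_integer(value):
    """Equivalent of the isInteger check the article removed from shownews.asp."""
    return value is not None and value.strip().isdigit()


def rcount(conn, news_id_raw):
    """Hardened rcount: reject a non-integer news_id up front, then bind the
    value so the database sees it as data. Returns the new news_count, or
    None when the parameter is invalid or no such row exists."""
    if not is_integer(news_id_raw):
        return None
    news_id = int(news_id_raw)
    conn.execute("update news set news_count = news_count + 1 where news_id = ?",
                 (news_id,))
    conn.commit()
    row = conn.execute("select news_count from news where news_id = ?",
                       (news_id,)).fetchone()
    return row[0] if row else None


def admin_login_vulnerable(conn, adminname, adminpwd):
    """The defect from step B: trim() only, quotes kept, string concatenated
    into the statement. Kept here purely as the 'before' for comparison."""
    sql = ("select 1 from admin where adminname='" + adminname.strip() +
           "' and adminpwd='" + adminpwd.strip() + "'")
    return conn.execute(sql).fetchone() is not None


def admin_login(conn, adminname, adminpwd):
    """Hardened admin_body() check: bound parameters, so whatever the user
    typed is compared as a literal user name and password."""
    row = conn.execute("select 1 from admin where adminname = ? and adminpwd = ?",
                       (adminname.strip(), adminpwd.strip())).fetchone()
    return row is not None


if __name__ == "__main__":
    db = open_db()
    print("rcount('1')          ->", rcount(db, "1"))
    print("rcount('1 and 1=1')  ->", rcount(db, "1 and 1=1"))
    bypass = "'or''='"   # the article's login probe
    print("vulnerable login     ->", admin_login_vulnerable(db, bypass, bypass))
    print("parameterised login  ->", admin_login(db, bypass, bypass))
    print("real credentials     ->", admin_login(db, "admin", "constructed-secret"))
```

The point of running both login functions with the same input is that the fix is not in filtering the string but in how it reaches the database: with a bound parameter the quote characters never become SQL syntax, so no blacklist, and no include-file ordering, is needed for that query to be safe.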
