The principle of SQL injection attack and its preventive measures

The threshold of attack ASP programming is very low, novice is easy to hit the road. In a short period of time, the novice has been able to produce a seemingly perfect dynamic web site, in the functional, veteran can do, novice can do. So the novice and the veteran is no different? It's a big difference, but it's hard for a layman to see it at a glance. The friendliness of the interface, running performance, and the security of the site are three points of distinction between novice and veteran. In terms of security, the most overlooked problem for beginners is the problem of SQL injection vulnerabilities. Using NBSI 2.0 to scan some of the online ASP sites, it can be found that many ASP Web sites have SQL injection vulnerabilities, education network of colleges and universities in the internal institutions of some sites this loophole is more common, it may be because these sites are mostly some students do it, although all are very clever, but after all, no experience , but also in the study, it is inevitable that loopholes. This article focuses on the precautionary measures of SQL injection, and to understand the usefulness of these precautions, we need to explain in detail the process of exploiting SQL injection vulnerabilities. The beginners see it.

A large part of the programmer in the code, not the user input data to judge the legality of the application has a security risk. If this is a normal URL http://localhost/lawjia/show.asp?ID=444, after submitting this URL to the server, the server will perform a similar select * from table name where field = "& ID of the query (ID is the client submitted parameters, this example is 444), and then return the query results to the client, if the client here intentionally submitted such a URL:

　　http://localhost/lawjia/show.asp?ID=444 and User>0, at which point the server runs a query such as the SELECT * from table name where field =444 and user>0 , of course, this statement is not going to run, certainly error, the error message is as follows:

• Error Type:

Microsoft OLE DB Provider for ODBC Drivers (0X80040E07)
[Microsoft] [ODBC SQL Server Driver] [SQL Server] has a syntax error converting the nvarchar value ' sonybb ' to a column with a data type of int.
/lawjia/show.asp, line 47th.

But an ulterior motive. From this error message, you can get the following information: The station uses MS_SQL database, with ODBC connection, the connection account name is: Sonybb. The so-called SQL injection (SQL injection), is to use the programmer of the user input data to detect the legality of lax or not detection characteristics, intentionally from the client to submit special code, so as to collect procedures and server information, so as to obtain the information. Usually the goal of an ulterior motive is to get the webmaster's account number and password. For example, when someone knows that the webmaster account exists in the table login, the admin account name is admin, he wants to know the administrator password, here he then submits such a URL from the client:
http://localhost/lawjia/show.asp?ID=444 and (Select password from login where user_name= ' admin ') > 0, the error message returned is as follows:

• Error Type:

Microsoft OLE DB Provider for ODBC Drivers (0X80040E07)
[Microsoft] [ODBC SQL Server Driver] [SQL Server] will varchar value '! @#*&admin ' syntax error converting to a column with a data type of int.
/lawjia/show.asp, line 47th.

Do you know? The red section above is the Admin Account Admin password! Although it is very complicated, let a person see several times can not remember, but it is shown in front of you, then you can use this account and password to take over the people's website! At this point you may also say that if he did not know in advance that the Administrator account exists in the table login, and know that the administrator account is admin, then he will not be able to obtain the administrator password. You are wrong, as long as people are willing to spend more time to try, he will be able to access the database to connect the account access to all the information available! For specific procedures, see this article on the Web: Full access to SQL injection vulnerabilities.

Of course, this process is very cumbersome and will take a lot of time, if only this manual way of SQL injection intrusion, then many of the SQL injection vulnerabilities of ASP Web sites will be much more secure, not a loophole does not exist, but the cost of exploiting this vulnerability is too high. But if the use of specialized hacking tools to invade, then the situation is greatly different. Manual SQL injection intrusion requires at least half a day, or even a few days, and the use of special tools to invade just a few minutes of time (depending on the speed of the decision), and then use the access to management accounts and passwords, upload a download from the Internet ASP backdoor procedures, easy access to the entire site Management Authority, Even administrative permissions for the entire server. The most famous SQL injection intrusion tool is NBSI 2.0, now out of the 2.0 version, but the official name is not called SQL injection intrusion tool, but is called Web site Security vulnerability Detection Tool. With this so-called detection tool, so that the intrusion of SQL injection vulnerabilities in the ASP Web site became a pediatric game, those who do not understand the ASP and do not understand SQL, young men are often able to invade more than 10 ASP Web sites in a day, they get the heart of great satisfaction. They also seem to be very professional ethics, often do not damage the site data and systems, the common means of destruction is mostly simply to change the homepage of the site, leaving a "friendly warning", such as: Your site has SQL injection vulnerabilities, please administrator to do precautions! And declare "I did not destroy the data and system", and some also want to publish his advocacy: "The domestic site do not invade, have the ability to invade small Japan!" "And, finally, signing his fame is an essential procedure.

Such a big achievement in most cases only need to move the mouse to do it. Open the latest version of the NBSI 2.0, as shown in Figure 1: Enter the address to a zone, note that the URL must be the type with passing parameters, click on the right detection button, that is out of B area information, showing the current user for SONYBB permissions for public, the current library is Lawjia. A pity, if it is the SA permission, can be injected across the library. However, this permission is sufficient to obtain the webmaster account and password. Point C area under the automatic Guess Solution button, that is out of the current library Lawjia in a variety of tables, wow, login table must be stored Administrator account number and password? Select it, and then click on the D-section of the Automatic Guess solution button, immediately out of the Login table column name, is sure to store the user name and password ah, great! Quickly hit the hook, can't wait to click on the e-section of the Automatic Guess solution button. Exciting moment is coming, only a few swish, the account and password all out. The rest is to identify which account is the administrator.

Figure 1 (the example Web site in the figure is running on the author's local computer)

What do you think of the example of an ASP programmer who didn't notice SQL injection vulnerabilities? Do you think this so-called Web Site Security vulnerability Detection Tool SBSI 2.0 is Ms_sql Enterprise Manager? Just don't need the account number and password to be able to view all the information in your database. If your site is so easily invaded by people, do you want to spit a few liters of blood? Perhaps you have tried for the system security, install patches, Ann Firewall, install antivirus software, cleverly configure IIS and database user rights, but you are not aware of SQL injection vulnerabilities, so "sink, Shan." Firewall and antivirus software for SQL injection is no way to prevent, because the SQL injection intrusion and ordinary Web page access is no different, so often is not very defensive. and a server placed on the site is often there are many, server administrators can not be a site to each page to review whether there is a SQL injection vulnerability. So how should you guard against SQL injection intrusion? What should be done separately as a server administrator or a Web site programmer? The main thing a server administrator does is configure IIS and database user rights, and web programmers are primarily prepared to guard against SQL injection intrusion in program code writing. The following detailed description:

For the server administrator, if you can't check each Web site for SQL injection vulnerabilities, then come up with a trick. This trick can effectively prevent SQL injection intrusion and "worry and effort, the effect is really good!" "SQL injection intrusion is based on the ASP error message given by IIS, and if you set IIS to whatever the ASP error, give only one error message, that is, HTTP 500 error, then there is no way to invade." Please refer to Figure 2 for specific settings. Main 500:100 This error default prompt page C:\WINDOWS\Help\iisHelp\common\500-100.asp change to
C:\WINDOWS\Help\iisHelp\common\500.htm can, at this time, no matter what the ASP run wrong, the server will only prompt HTTP 500 error.

Figure 2, IIS error information settings

But this set a bad place is the programmer wrote code error, the server does not give detailed error message, the programmer will bring great inconvenience. However, the server is not the place to test the code, should insist on security and stability first, so that the setting is understandable, in fact, many of the server error information is so set.

The server administrator should also set the execution permissions for each Web site in IIS, and never give a static web site a "script and execute" permission. In general, it's enough to give a "script-only" permission, for those who pass the website Backstage Management Center uploads the file to store the directory, is more stingy, the execution authority set for "None" good, this is to prevent others upload ASP trojan, executive permission set to "None", others upload ASP Trojan Horse also can not run. In general, the SQL injection vulnerability is only related to a site security, if someone through this vulnerability upload ASP Trojan and run up, the whole server has fallen. So visionary, responsible server administrators should be very stingy to configure IIS to execute permissions.

The same stingy attitude should apply to the database user's permissions configuration, of course, the database here refers to Ms_sql, Access does not have user rights to configure this step. If public permissions are sufficient to use never give high privileges, you should never give the SA level of authority casually to others ah. The so-called Web Site Security vulnerability Detection Tool NBSI 2.0 can have a cross library for SQL injection function Ah, if you give the SA permissions to the existence of SQL injection vulnerabilities of the library, then the other libraries will not protect! Chengmenthe, implicating. People can also get the highest privileges of the system by invoking the xp_cmdshell command. The concrete step is to refer to the article "Full contact of SQL injection Vulnerability" mentioned above.

The next step is to talk about the programmer's precautions. Program mainly to do two things, the most important thing, of course, the client submitted variable parameters are carefully tested. To check the client-submitted variables to prevent SQL injection, there are a variety of ways to search the http://community.csdn.net/ , you can get a lot of useful information. Here to introduce a ready-made method, others have written a test code, to use, do not have their own hard work. That is, "Maple Leaf sql generic Anti-injection V1.0 ASP Version", this is a user submitted through the URL of the variable parameters to check the code, found that the client submitted parameters are "exec, insert, select, Delete, from, update, Count, User, xp_cmdshell, add, net, ASC, etc. used in SQL injection, stop executing ASP and give warning message or turn to error page immediately. You can search the Internet, download this code, save as an ASP page, such as checksql.asp, this page include to each need to query SQL database with parameters of the ASP page, remember, just add one line such <!--#include file= " Checksql.asp "--> code on the line.

The second thing programmers need to do is encrypt the user's password. Like using MD5 encryption. MD5 is not a reverse algorithm, can not decrypt. People even know that after the encryption of the database in the code like garbled, he can not know the original password. However, someone can use the Update method to replace your password with his password, but this operation is still a bit troublesome, people may be afraid of trouble and give up. and the so-called Web Site Security vulnerability Detection Tool NBSI 2.0 is not provided with the update operation function, so with MD5 encryption, people only use NBSI 2.0 and not supplemented by manual operation, it is impossible to get the Webmaster account password, which will block many rookie-level attackers, At least those who do not understand the ASP and do not understand the SQL, young male youth is no way!

Article to write this, has long enough, originally also want to those so-called website security flaw detection tool such as NBSI the hacker tool of the stream to carry on a kind of rational discussion, seem to still give up. In order to enhance the security of the website, it is necessary to understand the attacking means however, exploiting vulnerabilities to exploit specialized hacking tools to make it easy for those who do not have the necessary network technology and network security knowledge (that is, "neither ASP nor SQL, Young male youth") easily invade a Web site, Besides creating trouble for many network administrators, does it also have the effect of enhancing network security awareness and improving the level of network security?