Before I studied penetration testing, I had already used the universal-password SQL injection vulnerability to log in to website back ends, but I only knew how to use it and did not understand the principle.
Today, while learning the database part of C#, I came across this topic and finally understood how it works.
The well-known universal-password SQL injection vulnerability is, I believe, familiar to everyone.
If you do not understand it, here is a simple explanation; experts who already do can skip this post.
*****************************************************************************
When a scanner such as Sword or a similar tool finds a website back end that has this universal-password SQL injection vulnerability,
open the web page and enter the following content; you can log in to the back end without knowing the account or password.
http://www.*******.com/admin/admin_login.asp
Account: DJLFJDSLAJDFJ (arbitrary input)  Password: 1' or '1' = '1
So why?
In fact, the principle is simple:
Let's look at a common database query statement:
1. A normal query statement run directly in the database:
select * from t_users where username='root' and password='root';
2. In web development the query is often built like this, where t_users is the table name, username is a field name in the database, and name and pwd are variables:
"select * from t_users where username='" + name + "' and password='" + pwd + "'"
If the variable name is assigned the value root and the variable pwd is assigned root, there is no problem at all; the result is the same as the statement above.
That is, it is equivalent to "select * from t_users where username='root' and password='root'"
3. However, if name is assigned some random input and pwd is assigned the value 1' or '1'='1,
then the whole statement becomes:
"select * from t_users where username='adsfafsf' and password='1' or '1'='1'"
As you can see, the where condition of the whole query is now always true: and binds more tightly than or, so the condition reads (username='adsfafsf' and password='1') or '1'='1', and '1'='1' holds for every row.
The test database used for the simulation is as follows:
The source code that simulates the universal-password SQL injection vulnerability is as follows:
using System;
using System.Data.SqlClient;

namespace FirstDatabaseProgram
{
    class Program
    {
        static void Main(string[] args)
        {
            // Work around the conflict between the two copies of the .mdf file
            // when data is added: point |DataDirectory| at the project folder.
            string dataDir = AppDomain.CurrentDomain.BaseDirectory;
            if (dataDir.EndsWith(@"\bin\Debug\") || dataDir.EndsWith(@"\bin\Release\"))
            {
                dataDir = System.IO.Directory.GetParent(dataDir).Parent.Parent.FullName;
                AppDomain.CurrentDomain.SetData("DataDirectory", dataDir);
            }

            Console.WriteLine("Please enter user name:");
            string user = Console.ReadLine();
            Console.WriteLine("Please enter your password:");
            string pwd = Console.ReadLine();

            // Establish a connection to the database
            using (SqlConnection conn = new SqlConnection(@"Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Database1.mdf;Integrated Security=True;User Instance=True"))
            {
                conn.Open(); // Open the connection
                // Create the SQL command
                using (SqlCommand cmd = conn.CreateCommand())
                {
                    // SQL query built by string concatenation (this is the vulnerable part)
                    cmd.CommandText = "select * from [t_users] where username='" + user + "'" + " and password='" + pwd + "'";
                    // ExecuteScalar returns the value of the first column of the first row
                    int i = Convert.ToInt32(cmd.ExecuteScalar());
                    if (i > 0)
                    {
                        Console.WriteLine("Login succeeded!");
                    }
                    else
                    {
                        Console.WriteLine("Login failed!");
                    }
                }
            }
            Console.ReadKey();
        }
    }
}
Program run:
With normal input, a wrong password cannot log in:
With the correct password, login succeeds:
With the universal password, login succeeds!
So how do we solve this problem?
The source code of the solution is as follows:
using System;
using System.Data.SqlClient;

namespace FirstDatabaseProgram
{
    class Program
    {
        static void Main(string[] args)
        {
            // Work around the conflict between the two copies of the .mdf file
            // when data is added: point |DataDirectory| at the project folder.
            string dataDir = AppDomain.CurrentDomain.BaseDirectory;
            if (dataDir.EndsWith(@"\bin\Debug\") || dataDir.EndsWith(@"\bin\Release\"))
            {
                dataDir = System.IO.Directory.GetParent(dataDir).Parent.Parent.FullName;
                AppDomain.CurrentDomain.SetData("DataDirectory", dataDir);
            }

            Console.WriteLine("Please enter user name:");
            string user = Console.ReadLine();
            Console.WriteLine("Please enter your password:");
            string pwd = Console.ReadLine();

            // Establish a connection to the database
            using (SqlConnection conn = new SqlConnection(@"Data Source=.\SQLEXPRESS;AttachDbFilename=|DataDirectory|\Database1.mdf;Integrated Security=True;User Instance=True"))
            {
                conn.Open(); // Open the connection
                // Create the SQL command
                using (SqlCommand cmd = conn.CreateCommand())
                {
                    // SQL query with parameter placeholders instead of concatenated input
                    cmd.CommandText = "select * from t_users where username=@NAME and password=@PW";
                    // NAME and PW are parameter names; they can be chosen freely,
                    // but must match the placeholders in the query above.
                    cmd.Parameters.Add(new SqlParameter("NAME", user));
                    cmd.Parameters.Add(new SqlParameter("PW", pwd));
                    // ExecuteScalar returns the value of the first column of the first row
                    int i = Convert.ToInt32(cmd.ExecuteScalar());
                    if (i > 0)
                    {
                        Console.WriteLine("Login succeeded!");
                    }
                    else
                    {
                        Console.WriteLine("Login failed!");
                    }
                }
            }
            Console.ReadKey();
        }
    }
}
With normal input, a wrong password cannot log in:
With the correct password, login succeeds:
With the universal password, login fails!
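
The three runs of both programs, reproduced as an added example that is not the original author's code: it uses Python's built-in sqlite3 in place of SQL Server Express so it runs without a server, and it returns the SQL text that the concatenating version actually sends. The single root/root row, the function names and the "wrong" password are constructed for the illustration.

```python
import sqlite3

def make_db():
    """Constructed test data standing in for the post's t_users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table t_users "
                 "(id integer primary key, username text, password text)")
    conn.execute("insert into t_users (username, password) values ('root', 'root')")
    return conn

def login_concat(conn, user, pwd):
    """Vulnerable: input is pasted into the SQL text, as in the first program."""
    sql = ("select * from t_users where username='" + user + "'"
           + " and password='" + pwd + "'")
    row = conn.execute(sql).fetchone()
    return sql, row is not None   # a returned row plays the role of i > 0

def login_param(conn, user, pwd):
    """Fixed: input is bound as parameter values, as in the second program."""
    sql = "select * from t_users where username=:NAME and password=:PW"
    row = conn.execute(sql, {"NAME": user, "PW": pwd}).fetchone()
    return sql, row is not None

# The three inputs from the post: wrong password, correct password,
# and the universal password with an arbitrary account name.
CASES = [
    ("root", "wrong"),
    ("root", "root"),
    ("DJLFJDSLAJDFJ", "1' or '1' = '1"),
]

def run_cases():
    conn = make_db()
    results = []
    for user, pwd in CASES:
        sql, ok_concat = login_concat(conn, user, pwd)
        _, ok_param = login_param(conn, user, pwd)
        results.append((user, pwd, sql, ok_concat, ok_param))
    conn.close()
    return results

if __name__ == "__main__":
    for user, pwd, sql, ok_concat, ok_param in run_cases():
        print(f"user={user!r} pwd={pwd!r}")
        print(f"  concatenated SQL:   {sql}")
        print(f"  concatenated login: {ok_concat}   parameterized login: {ok_param}")
```

In the parameterized version the quote characters in the password stay inside the bound value and are compared as data, so they never change the structure of the where clause.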