View database security from the instance of security Attack (iii) Analysis of database attack principle

Source: Internet
Author: User
Tags: md5, sql injection, attack

Abstract: This article analyzes the technique of SQL injection attacks and the principle and protective effect of database encryption technology, in order to dispel a common database security misconception, "database encryption can solve SQL injection"; it also gives a protection method for SQL injection.

1. A database security misconception

After the April 2015 leak of social security and other industry user information covering 30 provinces and cities, which was widely reported on the Internet, Anhua Jinhe conducted a centralized analysis of the historical social-security-industry vulnerabilities recorded on the "black cloud" (WooYun) platform. The conclusion: most of the leaked information was caused by hackers exploiting SQL injection vulnerabilities in the software. We can compare SQL injection to the "sharp spear" with which hackers attack databases.

Having looked at the spear of attack, let us look at the shield of defense. Database encryption technology genuinely stores sensitive data in encrypted form, uses mainstream domestic and international encryption algorithms, and ensures that data obtained by abnormal means cannot be exploited illegally within 10 years of being acquired; through independent rights control and application binding it prevents database access that bypasses legitimate applications and controls the operations of internal high-privilege staff. Known as the crown jewel of database security, database encryption can be compared to the "strong shield" among data security measures.

The "Nan Yi" chapter of Han Feizi tells the story of the spear and the shield: "What if one used your spear to pierce your shield?" Although the story is well known, a real-world version of "the spear and the shield" appears in the university textbook "Introduction to Information System Security". We first quote the textbook's original text:

[Image: Gjsl_3_1.jpg, the quoted textbook passage]

Can security administrators prevent SQL injection through database encryption? Before explaining the two kinds of attack and defense technique in detail, we correct a misunderstanding: database encryption technology cannot resist SQL injection. The reason is that database encryption solves the problem of secure storage of credit card information, whereas SQL injection exploits weaknesses in the application to steal data; since the legitimate application must be able to see the plaintext card data, encryption is no defense here.

How, then, should SQL injection be properly guarded against? Let us first look at the principle behind SQL injection attacks.

[Image: Gjsl_3_2.jpg]

This is also necessary for security administrators: it is important not only to know the means of protection, but also to understand the principle of SQL injection, so that protection can be targeted.

2. Analysis of the principle of SQL injection attacks

A SQL injection attack on a database means constructing special input and passing it to the Web application as a parameter, for example by submitting it in a form text box. Such input is mostly some combination of SQL syntax; when the resulting SQL statement is executed, it performs the attacker's action. The root cause is that the program does not carefully filter user input, so illegal data enters the system.

There are two common cases of SQL injection. One is spoofing the login of an application; the other is finding an injection point in a text box of a form submitted later in the application, and then using that injection point to steal data in bulk. See the following two figures:

[Image: Gjsl_3_3.jpg]

[Image: gjsl_3_4.jpg]

Typical SQL injection scenario one: stealing data or spoofing login, primarily through the OR operator.

Stealing data

Assume the back end builds the statement by string splicing:

SELECT * FROM table WHERE column1 = '<text box input value>';

Example 1: If the input value is abc' or '1'='1, the spliced statement becomes SELECT * ... WHERE column1 = 'abc' or '1'='1'; since '1'='1' is always true, all the data in the entire table can be seen.

Spoofing login

A typical system login asks for a user name and a password; the back end splices the statement:

SELECT * FROM T WHERE name = '<username>' AND pwd = MD5('<password>');

Example 2: If the username entered is ABC' or 1=1 or 1='def and the password is ABCD, the spliced statement is:

SELECT ... WHERE name = 'ABC' or 1=1 or 1='def' AND pwd = MD5('ABCD');

Since 1=1 is always true, the WHERE condition is always true and the login succeeds (AND binds tighter than OR, so the password check applies only to the last disjunct, which the or 1=1 has already made irrelevant).
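The two spliced statements above, rebuilt and contrasted with their parameterized form, as an added example that is not code from the original article or from any product it mentions. It assumes an in-memory SQLite database with constructed sample rows, table names cards and T (column names as in the text), and a Python-registered MD5() function standing in for the server-side hash the text uses:

```python
import hashlib
import sqlite3

# Added example, not code from the original article. It rebuilds the two
# spliced statements the text describes on an in-memory SQLite database
# (constructed sample data) and contrasts them with parameterized queries.


def setup_db():
    """Create the two tables the text assumes, with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no MD5() function, so register a Python one so that the
    # article's predicate pwd = MD5('...') runs unchanged. (Unsalted MD5 is
    # kept only to mirror the text; it is not a suitable password hash.)
    conn.create_function("MD5", 1, lambda s: hashlib.md5(s.encode()).hexdigest())
    conn.executescript(
        """
        CREATE TABLE cards (id INTEGER PRIMARY KEY, column1 TEXT, card_no TEXT);
        INSERT INTO cards (column1, card_no) VALUES ('alice', '4111-0000-0000-0001');
        INSERT INTO cards (column1, card_no) VALUES ('bob',   '4111-0000-0000-0002');
        INSERT INTO cards (column1, card_no) VALUES ('carol', '4111-0000-0000-0003');
        CREATE TABLE T (name TEXT, pwd TEXT);
        """
    )
    conn.execute("INSERT INTO T VALUES ('abc', MD5('secret'))")
    conn.commit()
    return conn


# --- Vulnerable: the "background splicing" the article describes -------------

def search_spliced(conn, text):
    """Scenario one, stealing data: user text is glued straight into the SQL."""
    sql = "SELECT * FROM cards WHERE column1 = '" + text + "'"
    return conn.execute(sql).fetchall()


def login_spliced(conn, username, password):
    """Scenario one, spoofing login: both fields are glued into the SQL."""
    sql = ("SELECT * FROM T WHERE name = '" + username
           + "' AND pwd = MD5('" + password + "')")
    return conn.execute(sql).fetchone() is not None


# --- Hardened: the same queries with bound parameters -------------------------

def search_param(conn, text):
    """The driver sends the input as data, so quotes and OR are never parsed."""
    return conn.execute("SELECT * FROM cards WHERE column1 = ?", (text,)).fetchall()


def login_param(conn, username, password):
    """Same predicate as the text, with both values bound as parameters."""
    row = conn.execute(
        "SELECT * FROM T WHERE name = ? AND pwd = MD5(?)", (username, password)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = setup_db()
    payload = "abc' or '1'='1"                       # the article's example 1
    print("spliced search rows:", len(search_spliced(db, payload)))   # 3: whole table
    print("param search rows:  ", len(search_param(db, payload)))     # 0
    user = "ABC' or 1=1 or 1='def"                   # the article's example 2
    print("spliced login:", login_spliced(db, user, "ABCD"))          # True
    print("param login:  ", login_param(db, user, "ABCD"))            # False
    print("real login:   ", login_param(db, "abc", "secret"))         # True
```

The point the article makes about encryption applies equally here: in both the spliced and the parameterized variant the database returns plaintext rows to the application, so what changes the outcome is how the input reaches the parser, not how the rows are stored.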

Typical SQL injection scenario two: probing (through the AND operator).

Probing system variables

... and user>0

We know that user is a built-in value in SQL Server (the USER function) whose value is the user name of the current connection, of type nvarchar. When an nvarchar value is compared with the integer 0, the system first tries to convert the nvarchar value to int; this conversion necessarily fails, and SQL Server reports an error of the form: conversion of the nvarchar value XXXX to data type int failed. The error message itself thus discloses the value.

Probing system object names

First, guess the table name:

... and (SELECT COUNT(*) FROM <table name>) <> 0

Then guess the column name:

... and (SELECT COUNT(<column name>) FROM <table name>) <> 0

3. Analysis of the protective effect of database encryption

Risk: Database files are stored in plaintext.
Strategy: Encrypt the name, ID card number, credit card number and other sensitive fields of the credit card information table, selectively, field by field.

[Image: Gjsl_3_5.jpg]

Risk: Normal database operations and access to sensitive data cannot be separated by permissions.
Strategy: Use an independent rights control system to improve security through separation of duties, and prevent database maintenance staff from directly accessing plaintext data.

[Image: Gjsl_3_6.jpg]

Risk: Access that bypasses the application server.
Strategy: Distinguish legitimate access sources through client permissions; authenticate the source IP address and access time of a connection, and allow data access only from legitimate sources.

[Image: Gjsl_3_7.jpg]

Risk: Access that bypasses the application.
Strategy: Authenticate the application through application-binding technology, so that protected sensitive data can only be accessed through legitimate applications.

[Image: Gjsl_3_8.jpg]

Risk: Database backups stored in plaintext.
Strategy: The database file itself is encrypted, so the contents of an exported backup remain ciphertext, and the backup is still ciphertext after restore.

Summary of database encryption protection:

[Image: Gjsl_3_9.jpg]

4. Conclusion: How to protect against SQL injection

[Image: Gjsl_3_10.jpg]

As can be seen, a SQL injection attack exploits weaknesses of a legitimate application to obtain card data. Even if the credit card information is encrypted in the database and the storage file is ciphertext, for query statements sent by the legitimate application the database still decrypts the data and returns the plaintext to the Web application.

Database security expert Anhua Jinhe recommends combining a WAF with a database firewall for effective protection against SQL injection. The WAF intercepts form content with SQL injection features through a blacklist mechanism; the database firewall effectively intercepts SQL injection by building a behavior model of the legitimate application together with a database of SQL injection signatures, and also intercepts malicious operations from operations and maintenance terminals.
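The two layers recommended above, sketched in code as an added example that is neither the article's own code nor an implementation of Anhua Jinhe's WAF or database firewall. It also serves the probing statements of scenario two. The blacklist signatures, the statement-fingerprinting scheme and all sample inputs are constructed here for illustration; a real database firewall learns its behaviour model from live traffic rather than from the two statements listed:

```python
import re

# Added example, not code from the original article. Two layers from the
# conclusion: a WAF blacklist over form fields, and a database-firewall style
# check that compares each statement against the legitimate application's
# behaviour model. All inputs below are constructed samples.

# --- Layer 1: WAF blacklist on submitted form values --------------------------

# Signatures modelled on the features the text names: an OR/AND tautology
# after a closing quote, a comparison against SQL Server's `user`, and a
# COUNT(...) subquery of the kind used to guess table and column names.
SQLI_SIGNATURES = [
    re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+'?", re.I),  # ' or '1'='1 , ' or 1=1
    re.compile(r"\band\s+user\s*[<>=]", re.I),                  # and user>0
    re.compile(r"\band\s*\(\s*select\s+count\s*\(", re.I),      # and (select count(...) from ...)
]


def waf_flags(value):
    """True if a form value matches any blacklist signature."""
    return any(p.search(value) for p in SQLI_SIGNATURES)


def check_form(values):
    """Return the subset of form values the WAF would reject."""
    return [v for v in values if waf_flags(v)]


# --- Layer 2: database firewall behaviour model -------------------------------

def fingerprint(sql):
    """Reduce a statement to its shape: literals become '?', case and
    whitespace are normalised, so the same query always maps to one key."""
    shape = re.sub(r"'(?:[^']|'')*'", "?", sql)   # string literals ('' escapes too)
    shape = re.sub(r"\b\d+\b", "?", shape)        # bare numeric literals
    return re.sub(r"\s+", " ", shape).strip().lower()


def learn_profile(statements):
    """Learning phase: the set of shapes the legitimate application issues."""
    return {fingerprint(s) for s in statements}


def db_firewall_allows(sql, profile):
    """Enforcement: a statement whose shape was never learned is blocked."""
    return fingerprint(sql) in profile


# Constructed statements a legitimate application would issue (the article's
# two back-end queries with ordinary values).
LEGIT_TRAFFIC = [
    "SELECT * FROM cards WHERE column1 = 'alice'",
    "SELECT * FROM T WHERE name = 'abc' AND pwd = MD5('secret')",
]
PROFILE = learn_profile(LEGIT_TRAFFIC)


if __name__ == "__main__":
    samples = ["alice", "O'Brien", "abc' or '1'='1", "x' and user>0"]
    print("WAF rejects:", check_form(samples))
    for stmt in [
        "SELECT * FROM cards WHERE column1 = 'bob'",
        "SELECT * FROM cards WHERE column1 = 'abc' or '1'='1'",
        "SELECT * FROM T WHERE name = 'x' and (select count(*) from T)<>0",
    ]:
        verdict = "allow" if db_firewall_allows(stmt, PROFILE) else "BLOCK"
        print(verdict, "|", fingerprint(stmt))
```

The two layers fail differently, which is why the text pairs them: the blacklist depends on recognising the payload's wording (note that a legitimate surname with an apostrophe passes only because no operator follows the quote), whereas the fingerprint check does not look at the payload at all and blocks any statement whose shape the application never issued, including the probing statements of scenario two.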

This article is from the Database security blog, so be sure to keep this source http://schina.blog.51cto.com/9734953/1693174

