Web security-SQL Injection

I. SQL Injection

SQL injection is a code injection technology that exploits security vulnerabilities at the application database layer. It is usually prone to some scenarios. For example, escape characters embedded in SQL statements are not properly filtered out or user input is not of a strong type, leading to abnormal execution. SQL injection is a common type of injection-type vulnerability attacks. Injection-type vulnerability attacks may occur at any time when one programming language or script language is embedded into another. SQL injection is one of the common application layer injection technologies.

An example of an SQL injection using the scan tool WebCruiser-Web Vulnerability Plugin:

Ii. Types of SQL Injection

1. The escape characters are not properly filtered.
This injection attack occurs when the escape characters entered by the user are not filtered. User input is passed to an SQL statement, so that malicious users can manipulate statements in the database. The following code demonstrates this vulnerability:

statement = "SELECT * FROM users WHERE name = '" + userName + "';"

This code is used to retrieve a specific user from the user table, but if the user name is forged by a malicious user in a specific way, the operations executed by this statement may not be what the code author expects. For example, set the username variable:

a' or 't'='t

The corresponding original SQL statement is:

SELECT * FROM users WHERE name = 'a' OR 't'='t';

If this code is used in an authentication process, this example forces the system to select a valid user name, because the value 'T' ='t is always correct.
On Some SQL servers, for example, in SQL Server, any SQL command can be injected using this method, including executing multiple statements. Assigning username to the value of the following statement will delete the users table and obtain all data in the userinfo table, resulting in user information leakage.

a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't

The final SQL statement of this input is:

SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';

Most SQL Server implementations allow multiple statements to be called and executed at a time. Some SQL APIs, such as PHP mysql_query (), are not allowed for security reasons. This can prevent attackers from injecting completely independent queries, but cannot prevent them from modifying queries.
2. Incorrect type Processing
If a field provided by a user is not a strong type, or the type constraints are not checked, this type of attack will occur. When a numeric field is used in an SQL statement, an injection occurs if the programmer does not check the validity of user input (whether it is Numeric:

statement := "SELECT * FROM userinfo WHERE id = " + a_variable + ";"

The statement shows that the programmer wants a_variable to be a number related to the "id" field. However, if the input is a string, for example, set a_variable:

 

1;DROP TABLE users

The users table will be deleted, because the statement actually executed is:

SELECT * FROM userinfo WHERE id=1;DROP TABLE users;

3. Database Server Vulnerabilities
Sometimes, database server software also has vulnerabilities, such as the MySQL server's mysql_real_escape_string () function vulnerability. This vulnerability allows attackers to use the wrong Unicode encoding (unified character encoding) to smoothly Execute SQL injection attacks, even though user input has been transcoded. This bug is fixed in version 5.0.22.
4. Blind SQL injection attacks
When a web application is vulnerable to SQL injection attacks and attackers cannot see the injection results, a blind SQL injection attack occurs. Web pages with vulnerabilities may not display data, but different contents are displayed based on the results of logical statements injected into valid statements. This attack is quite time-consuming because a new statement must be carefully constructed for each acquired byte. Once the vulnerability location and target information are determined, you can use some software to automate the attack.

4.1 conditional response

There is an SQL injection that forces the database to calculate the value of a logical statement on a normal application screen:

SELECT booktitle FROM booklist WHERE bookId = 'OOk14cd' AND 1=1;

This will display a normal page, and the statement

SELECT booktitle FROM booklist WHERE bookId = 'OOk14cd' AND 1=2;

When the page is vulnerable to SQL injection attacks, it may give a different result.
Such injection may prompt attackers to inject SQL statements blindly, which may cause attackers to damage the execution of statements that can judge authenticity Based on the Content Design of other columns or tables.
4.2 conditional errors

If the WHERE statement is true, this type of blind SQL injection causes an SQL error by forcing the database to calculate a wrong statement, for example:

SELECT 1/0 FROM users WHERE username='Ralph'

Apparently, if the user Ralph exists, Division by zero will lead to an error.
4.3. Time Delay

Time delay is a blind SQL injection. According to the injection logic, it can cause the SQL engine to execute a long queue or a time delay statement. Attackers can measure the page loading time to determine whether the injection statement is successful.
Ii. Measures for defending against and checking SQL Injection
1. Use parameterized filter statements
To defend against SQL injection, user input cannot be directly embedded into SQL statements. On the contrary, user input must be filtered or parameterized. Parameterized statements use parameters instead of embedding user input into statements. In most cases, SQL statements can be corrected. Then, user input is limited to one parameter.

The following is an example of using Java and JDBC APIs:

　　PreparedStatement prep = conn.prepareStatement("SELECT * FROM USERS WHERE PASSWORD=?");    prep.setString(1, pwd);

 

How to force the use of parameterized statements?

Database-level forcible: currently, only H2 databases support forced parameterized queries.
Code-level force: Use the object link ing library to avoid the need to write SQL code. The ORM library can generate parameterized SQL statements from object-based code. Of course, you can also check whether non-parameterized SQL statements exist in the Code through code review.
2. Transcoding
A direct, but error-prone method to avoid injection is to escape dangerous characters. One of the reasons for its error-prone mechanism is that it is a blacklist with lower robustness than the whitelist. For example, each time a single quotation mark (') appears in a parameter, it must be replaced with two single quotation marks ('') to form a valid SQL string. In PHP, before sending an SQL query, the following parameters are commonly used for transcoding query by the mysql_real_escape_string function:

$query = sprintf("SELECT * FROM Users where UserName='%s' andPassword='%s'",mysql_real_escape_string($Username),mysql_real_escape_string($Password));mysql_query($query);

For query parameters, You need to filter fields that cause damage to the database, such as update, delete, and drop.
3. Prevent SQL injection and avoid detailed error messages because hackers can use these messages. A standard input validation mechanism should be used to verify the length, type, statement, and enterprise rules of all input data.
4. Use Web vulnerability scanning tools