White Hat speaks Web security seventh Chapter injection attack

Tag:ann    No    c++   view   lin     Delete    base    use    jin   

First, SQL injection:  1, the essence of injection attack: the user input data as code execution.       key points of attack: 1, user can control input;                    & nbsp;      2, the original program to execute code,  2, blind (Blind injection): The server does not have error echo when the injection attack completed.  3, Time series attack (Timing Attack): Using the benchmark () function (a function in MySQL to test function performance), you can have the same function execute several times, so that the results return longer than usual, through the change of time, You can determine whether the injected statement succeeds. This is a side channel attack.   Edge channel attack (side channel attack SCA), also known as Side channel attack: The method of attacking a cryptographic device for the time consumption, power consumption or electromagnetic radiation of the encrypted electronic device during operation is called Edge Channel attack. The effectiveness of this new type of attack is much higher than the mathematical method of cryptographic analysis, which poses a serious threat to the cryptographic devices.    database attack Skill  webshell: Is the ASP, PHP, JSP program file that the attacker implanted on the attacked website, the attacker after invading a web system, often in these asp, PHP, The JSP Trojan backdoor file is placed in the Web server's web directory, mixed with normal web site files. Then the attacker can access the ASP, PHP, JSP program Trojan backdoor control Web server through normal Web Access, including creating, modifying, deleting files, uploading and downloading files, viewing the database, executing arbitrary program commands, etc.  UDF (user-defined Functions): User-defined function, this concept appears in MySQL, Interbase, Firebird, fluent, based on the user's actual application needs to develop their own functions. A basic user-defined function is a class of code that expands the functionality of the MySQL server by adding new functions, such as using the local MySQL function abs () or concat (). UDFs are written in C (or C + +). Maybe you can use basic,c# or some other language. http://www.jincon.com/archives/88/http://blog.csdn.net/x728999452/article/details/52413974   Attack stored Procedure:  encoding problem:  

White hat Talk web security seventh injection attack