Write something about SQL Injection Detection

Source: Internet
Author: User

Background: why has this been puzzling me?

The post I published on the csdn forum:

Recently I have been working on a project for my teacher. The whole system is for database access auditing. Specifically, it sits between the server and the database and audits every query request the server submits. Rules and whitelists can be added. One function to implement now is to determine whether an SQL statement submitted by the server is an injection; if it is, it must be detected to keep the database secure.

At present I still don't know how to do it. SQL injection is ever-changing, and solving it completely is obviously impossible. In addition, the system has to be efficient enough to check tens of thousands of statements per second, which makes it harder. I discussed this with a senior student, who believes that SQL injection detection is generally performed at the web front end and rarely between the back-end server and the database. But the teacher said I had to do it, and there was nothing I could do about that. I'm asking people familiar with the matter to give me some tips on how to do it. Thank you.

Thanks again. I hope you can help me.

In the replies below, knowledgeable people on csdn put forward their own views. Some think this is not feasible: anti-injection should be done on the client, so why put it in the back end? Those who think it can be done suggest the following:
First, set the monitoring points, i.e. decide where the check is performed. Obviously, when the server passes an SQL statement, the part to check is what follows the where keyword, in particular any string constant, i.e. the text between single quotes. To achieve this, the SQL statement has to be parsed before any specific anti-injection check can be applied.
Another reply mentions two difficulties:
1. How to efficiently record the SQL statements that are executed. --> It is recommended to use SQL Profiler to record the statements into a data table.
2. How to set the rules for detection and filtering. --> The key is to find the characteristic syntax of injection attacks.

As for the syntax features and common rules, they are hard to pin down, and pattern recognition may be involved. Clearly, nothing will come of it unless something is attempted.

 

Searching csdn, I found that some people proposed the following methods for implementing anti-injection at the front end:

Method 1: use stored procedures. A stored procedure blocks injection for you automatically. Although this method is useful, it has a disadvantage: you can no longer write a simple one-line statement such as "select * from tb_aa where id=" + Request("ID"). Using stored procedures everywhere is too cumbersome.

Method 2: [trying it out]
Add the following to the <system.web> node of the config file:
<httpHandlers><add verb="*" path="*.aspx" type="urlrewriter"/></httpHandlers>
In this way all .aspx requests are mapped to the urlrewriter class for processing, where you can do whatever you like: use string url = context.Request.RawUrl; to get the current request path, then check whether it contains any special characters. Requests that fail the check are blocked; the rest are allowed through. I have not succeeded with this yet, because after release the .aspx page must still be executed once the request has passed through this class.

Method 3: write a class that checks whether a string contains special characters; it takes the string as input. Get the string with string url = Request.RawUrl; and then call its testa(url) method to decide.

Back to the back-end problem, I had to give it a try. I went through the SQL injection topics once and felt that most of them talk about the client side and were of little help. The useful information extracted from those articles is as follows:

First, determine the environment, find the injection point, and determine the database type.

Secondly, according to the type of the injected parameter, reconstruct in your mind what the original SQL statement looks like. There are three kinds of parameters:

(A) id=49: a numeric injection parameter. The SQL statement is roughly:
select * from table where field = 49
The injected parameter is id=49 and [query condition], which produces the statement:
select * from table where field = 49 and [query condition]

(B) class=series: a string injection parameter. The SQL statement is roughly:
select * from table where field = 'series'
The injected parameter is class=series' and [query condition] and ''=', which produces the statement:
select * from table where field = 'series' and [query condition] and ''=''

(C) keyword=keyword in a search whose parameter is not filtered. The original SQL statement is roughly:
select * from table where field like '%keyword%'
The injected parameter is keyword=' and [query condition] and '%25'=' (where %25 is the URL-encoded %), which produces the statement:
select * from table where field like '%' and [query condition] and '%'='%'
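As an added illustration, not from the original post or from the csdn replies, the following Python script builds the three statement shapes above by string concatenation, the way a vulnerable page does, and runs them against a constructed in-memory SQLite table. Beside each it runs the same query with a bound parameter, which gives the same separation of code from data that the stored-procedure advice in method 1 relies on (SQLite has no stored procedures, so a placeholder stands in). The table, column names, rows and payload values are all made up for the example.

```python
import sqlite3

# Constructed sample data for the example; the table and rows are made up.
_ROWS = [
    (49, "book", "sql handbook"),
    (50, "series", "audit series vol 1"),
    (51, "series", "audit series vol 2"),
    (52, "tool", "profiler"),
]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table items (id integer, category text, name text)")
    conn.executemany("insert into items values (?, ?, ?)", _ROWS)
    return conn


def build_concat(kind, value):
    """The three statement shapes from the post, with the request parameter
    pasted straight into the SQL text: this is the vulnerable pattern."""
    if kind == "numeric":   # (A) id=49
        return "select * from items where id = " + value
    if kind == "string":    # (B) class=series
        return "select * from items where category = '" + value + "'"
    if kind == "like":      # (C) keyword=keyword
        return "select * from items where name like '%" + value + "%'"
    raise ValueError(kind)


# The same three shapes with a bound parameter: the driver hands the value
# to the engine as data, so it can never extend the where clause.
_PARAM_SQL = {
    "numeric": "select * from items where id = ?",
    "string": "select * from items where category = ?",
    "like": "select * from items where name like '%' || ? || '%'",
}


def run_concat(kind, value):
    """Row count when the value is concatenated into the statement."""
    return len(_connect().execute(build_concat(kind, value)).fetchall())


def run_param(kind, value):
    """Row count when the value is bound as a parameter."""
    return len(_connect().execute(_PARAM_SQL[kind], (value,)).fetchall())


if __name__ == "__main__":
    # Payloads in the shapes the post describes (with %25 already decoded).
    cases = [
        ("numeric", "49 and 1=1"),
        ("numeric", "49 and 1=2"),
        ("string", "series' and 1=1 and ''='"),
        ("like", "' and 1=1 and '%'='"),
    ]
    for kind, value in cases:
        print(f"{kind:8} concat={run_concat(kind, value)} param={run_param(kind, value)}")
        print("    ", build_concat(kind, value))
```

With concatenation, "49 and 1=1" still returns the row and "49 and 1=2" returns nothing, which is exactly the true/false probe the post describes; with a bound parameter both return nothing, because the whole string is compared against the id column as a value. Note that for the LIKE shape a bound parameter stops the where clause from being extended but does not stop % and _ acting as wildcards inside the pattern; that is a separate escaping question.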

Here is my opinion:

Number-related injection: comparisons between two numbers, such as 1=1, 1=2, 1 in (...), 1<>2, 1<2.
The solution I take for granted: first find the key symbols, such as =, in, <, >, and check whether there are digits on both sides of them. If so, treat it as injection regardless of whether the comparison is true or false; 1=2 and 1=1 do not occur in normal statements.

Character-related injection: mainly an unmatched single quote, and the comment markers --, #, /**/ used to comment out the rest of the statement.
Solution: search for them directly.

Some functions, such as exec and xp_cmdshell; the following list was found on the Internet.

People with basic SQL knowledge have a much higher success rate with SQL injection than those unfamiliar with SQL. We need to improve our own SQL level, especially for some common functions and commands.

Access: ASC(character)    SQL Server: UNICODE(character)
Purpose: return the ASCII code of a character.

Access: CHR(number)    SQL Server: NCHAR(number)
Purpose: the inverse of ASC; return the character for an ASCII code.

Access: Mid(string, n, l)    SQL Server: SUBSTRING(string, n, l)
Purpose: return the substring of length l starting at character n of the string.

Access: ABS(number)    SQL Server: ABS(number)
Purpose: return the absolute value of a number (used when guessing Chinese characters).

Access: A between B and C    SQL Server: A between B and C
Purpose: determine whether A lies between B and C.

Solution: search for these functions and flag them.
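The rule set just described (digits on both sides of =, in, <, >; an unmatched single quote; the comment markers --, # and /**/; and the functions listed above) as a small Python checker. This is an added example, not code from the original post or from the audit project it describes. String literals are stripped first, honouring the '' escape, so that text inside quotes cannot trigger a rule and any quote left over is by definition unmatched. The sample statements are constructed for the self-check.

```python
import re

# Rules as stated in the post, expressed as precompiled regexes so that a
# statement costs a handful of scans (the audit system has to handle tens
# of thousands of statements per second).
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")           # 'abc', 'O''Brien', ''
_NUMERIC_COMPARE = re.compile(r"\b\d+\s*(?:<>|!=|<=|>=|=|<|>)\s*\d+\b")
_NUMERIC_IN = re.compile(r"\b\d+\s+in\s*\(", re.IGNORECASE)
_COMMENT = re.compile(r"--|#|/\*")
# exec / xp_cmdshell from the post plus the Access / SQL Server helper
# functions it lists.  between and abs are ordinary SQL, so in practice this
# rule has to be paired with the whitelist of known-good statements.
_FUNCTIONS = re.compile(
    r"\b(?:exec|xp_cmdshell|asc|chr|unicode|nchar|mid|substring|abs|between)\b",
    re.IGNORECASE,
)


def strip_literals(sql):
    """Replace every well-formed single-quoted literal with <str>.

    Anything the rules look for inside a literal (a -- inside a name, say)
    is data, not SQL, so it must not trigger a rule.  A quote left over
    after this pass has no partner and is therefore unmatched.
    """
    return _STRING_LITERAL.sub("<str>", sql)


def detect(sql):
    """Return the list of rule names the statement triggers (empty = clean)."""
    body = strip_literals(sql)
    reasons = []
    if "'" in body:
        reasons.append("unbalanced_quote")
    if _COMMENT.search(body):
        reasons.append("comment_marker")
    if _NUMERIC_COMPARE.search(body) or _NUMERIC_IN.search(body):
        reasons.append("numeric_tautology")
    if _FUNCTIONS.search(body):
        reasons.append("dangerous_function")
    return reasons


def is_injection(sql):
    return bool(detect(sql))


# Constructed statements for a quick self-check.
SAMPLES = [
    "select * from items where id = 49",
    "select * from items where name = 'O''Brien'",
    "select * from items where id = 49 and 1=1",
    "select * from items where id = 49 and 1 in (1,2)",
    "select * from items where category = 'series' and 1=2 and ''=''",
    "select * from items where name = 'x' or 1=1 --",
    "select * from items where name = 'x'; exec xp_cmdshell 'dir'",
    "select * from items where name = 'x",
    "select * from items where name = 'x' or 'a'='a'",
]

if __name__ == "__main__":
    for stmt in SAMPLES:
        print(f"{', '.join(detect(stmt)) or 'clean':<40} {stmt}")
```

The last sample shows the limit of the digit rule: 'a'='a' is a tautology built from two string literals, so after stripping nothing is left to match and the statement is reported clean. That gap, and the false positives from between and abs, are why a checker like this belongs behind the audit system's whitelist rather than as the only control.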

Being exhaustive is hopeless; all one can do is something as simple as this.