SQL Injection Attack and Defense Study Notes (1) ----What is SQL Injection

How Web Apps Work

MVC Architecture

Presentation layer (browser), logic layer (application code written in a programming language), storage layer (database)

Understanding SQL Injection

SQL injection is an attack that inserts or adds code to an application's input parameters, which are then passed to a back-end SQL server for parsing and execution.

The primary attack method inserts malicious code directly into parameters that are placed into SQL commands and executed.
The indirect attack method inserts malicious code into strings that are first stored in the database (in data tables or as metadata); when those stored strings are later placed into a dynamic SQL command, the malicious code is executed.

Example:

Target: http://www.victim.com/products.php?val=100
Payload: http://www.victim.com/products.php?val=100 'OR'1'='1
Purpose: view all products in the database

Understand the generation process of SQL injection

Construct dynamic string

  1. Improper handling of escape strings: the SQL database parses the single quote character (') as the boundary between code and data. Content outside the single quotes is code to be run; content inside the single quotes is data.

    Escape characters:

    single quote
    space
    double vertical bar
    comma
    dot

    Entering a single quote in a URL parameter or a web page form field is a common way to check whether the website is vulnerable to SQL injection.

  2. Mishandling of types: numeric data is not enclosed in single quotes, so a numeric parameter is placed directly into the statement and the input is interpreted as part of the query.

    Example:

    SELECT * FROM TABLE
    WHERE
    USERID = 1 UNION ALL SELECT LOAD_FILE('etc/passwd') --
  3. Improper assembly of the query statement: at development time the table or field to be queried is not known, so the table and field names are taken from user input.
    http://www.victim.com/user_details.php?table=users&column1=user&column2=password&column3=Super_priv

    Here table, column1, column2 and column3 are all user-controllable.

  4. Mishandling of errors: detailed internal error messages are shown to the attacker, giving important clues about potential flaws in the website.
  5. Improper handling of multiple submissions: when a form spans multiple submissions, only the first submission is validated.

Insecure database configuration

Default system administrator accounts:
SQL Server --> sa
MySQL --> root / anonymous
Oracle --> SYS / SYSTEM / DBSNMP / OUTLN
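Items 1 and 2 above (the single quote as code/data boundary, and unquoted numeric parameters) can be reproduced locally. The following is an added example, not code from the original notes; it uses an in-memory SQLite table with constructed product rows standing in for products.php?val=..., and contrasts string-assembled queries with the hardened form that validates the type and binds the value as a parameter.

```python
import sqlite3

# Constructed sample rows standing in for the products table (not from the page).
PRODUCTS = [(100, "keyboard"), (101, "mouse"), (102, "monitor")]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return conn


def lookup_vulnerable(val: str):
    """Item 1: the value is wrapped in single quotes and concatenated into the
    statement, so input can close the quote and append its own condition."""
    conn = _connect()
    sql = "SELECT id, name FROM products WHERE id = '" + val + "'"
    return conn.execute(sql).fetchall()


def lookup_vulnerable_numeric(val: str):
    """Item 2: a numeric column is interpolated without quotes, so no quote
    character is needed for the input to become part of the WHERE clause."""
    conn = _connect()
    sql = "SELECT id, name FROM products WHERE id = " + val
    return conn.execute(sql).fetchall()


def lookup_safe(val: str):
    """Hardened form: enforce the expected type first, then bind the value as a
    query parameter so the database never parses it as SQL code."""
    try:
        product_id = int(val)
    except ValueError:
        return []  # reject non-numeric input instead of assembling a query
    conn = _connect()
    return conn.execute(
        "SELECT id, name FROM products WHERE id = ?", (product_id,)
    ).fetchall()


if __name__ == "__main__":
    print(lookup_vulnerable("100' OR '1'='1"))    # every row is returned
    print(lookup_vulnerable_numeric("100 OR 1=1"))  # every row is returned
    print(lookup_safe("100' OR '1'='1"))           # []
    print(lookup_safe("100"))                       # [(100, 'keyboard')]
```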
