Principles of SQL injection vulnerabilities

xiaoxiao, 2021-03-06

ASP has a very low barrier to entry, and beginners pick it up easily. Within a short time a novice can often put together a fairly complete dynamic website; in terms of functionality, whatever a veteran can do, a novice can do too. So is there no difference between novices and veterans? The difference is large, but an outsider has trouble seeing it: usability, performance and security are the three areas that separate them. On the security side, the issue beginners most easily overlook is the SQL injection vulnerability. Scan a sample of the ASP websites on the Internet with NBSI 2.0 and a great many of them turn out to be injectable. Such vulnerabilities are especially common on the websites of institutions inside the education network, probably because those sites are mostly written by students: bright, but inexperienced and still studying, so their code inevitably has more holes. This article is mainly about measures to prevent SQL injection, but to understand why those measures are necessary you first need to understand how a SQL injection vulnerability is exploited, so that is explained first.

A considerable number of programmers do not check the legality of user input when writing code, leaving the application with security hazards. Take a normal URL such as http://localhost/lawjia/show.asp?id=444. When it is submitted, the server runs a query along the lines of "select * from tablename where field=" & id (where id is the parameter submitted by the client, 444 in this example) and returns the result to the client. If the client deliberately submits http://localhost/lawjia/show.asp?id=444 and user>0 instead, the server runs "select * from tablename where field=444 and user>0". This statement cannot execute properly; it raises an error, and the error message is as follows:

Error type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'sonybb' to a column of data type int.
/LAWJIA/show.asp, line 47

Don't be discouraged by this error message; it actually tells you the following: the site uses an MS SQL database, it connects through ODBC, and the connection account is sonybb. So-called SQL injection exploits the fact that programmers check user input carelessly or not at all: the client deliberately submits specially crafted code and uses the returned error messages and server information to obtain the information it wants. Usually the goal is the website administrator's account and password. For example, suppose someone knows that administrator accounts are stored in the table login and that the administrator account name is admin, and wants to know the administrator password. He submits this URL from the client: http://localhost/lawjia/show.asp?id=444 and (select password from login where user_name='admin')>0, and the returned information is as follows:

Error type:
Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the varchar value '!@#*&Address' to a column of data type int.
/LAWJIA/show.asp, line 47

See it? The quoted value in the error message, !@#*&Address, is the password of the administrator account admin! It is complicated and hard to remember, but it is sitting right there on the screen, and with this account and password the website can be taken over. You may object that if he did not know that administrator accounts are in the table login, or that the administrator account name is admin, he could not get the administrator password. Wrong: as long as someone is willing to spend enough time trying, he can obtain everything that the database connection account's permissions allow him to see!

Of course, that process is tedious and takes a lot of time. If SQL injection could only be carried out by hand, many ASP sites with this vulnerability would be reasonably safe, not because the vulnerability doesn't exist but because exploiting it costs too much. With a dedicated hacking tool the picture changes completely. Manual injection takes at least half a day, a day, or many days; with a specialized tool it takes only a few minutes (faster or slower depending on the connection). The attacker then uses the obtained administrator account and password to upload an ASP Trojan downloaded from the Internet, and easily gains administrative rights over the entire website, and sometimes over the entire server. The best-known SQL injection tool is NBSI 2.0, which has been public since version 2.0. Officially it is not called a SQL injection tool at all but a "website security vulnerability detection tool". With this so-called detection tool, breaking into an ASP site with an injection vulnerability becomes child's play; kids who understand neither ASP nor SQL often compromise more than ten ASP websites in a single day and are very pleased with themselves. They do seem to have a code of conduct: they usually do not destroy the site's data or system. The most common damage is to replace the homepage with a "friendly warning" such as "Your website has a SQL injection vulnerability, administrator please take preventive measures!", together with a declaration of "I did not damage the data or system". Some also take the opportunity to preach: "Don't attack domestic websites, go after the Japanese ones!" And finally, signing his own big name is a step that is never skipped.

In most cases all it takes is a few mouse clicks. Open the latest version of NBSI 2.0, as shown in Figure 1. Enter the address in area A (paying attention to the type of the passed parameter) and click the Detect button; area B then shows the information: the current user is sonybb with role PUBLIC, and the current database is lawjia. A little unlucky for the attacker, since with sa permission the injection could reach across databases; but this permission is still enough to get the website administrator account and password. Click the Auto Guess button under area C and the tables in the current database lawjia appear. Oh, the login table must be where administrator accounts and passwords are saved? Select it, click the Auto Guess button under area D, and the column names of the login table come out at once, with very telling names. Tick them, click the Auto Guess button under area E, and after a few moments every account and password appears. All that remains is to work out which account is the administrator's.

Figure 1 (the sample website in the figure runs on the author's own computer)

I wonder what ASP programmers who have never paid attention to SQL injection think after seeing the example above. Doesn't this so-called website security vulnerability detection tool NBSI 2.0 look just like MS SQL's Enterprise Manager, except that it can browse everything in your database without your account and password? If your website were broken into this way, wouldn't you be spitting blood? Perhaps you have always been conscious of system security: installing patches, a firewall and anti-virus software, and carefully configuring IIS and database user permissions, yet you never noticed SQL injection, and so "a thousand-mile dike collapses from an ant hole". Firewalls and anti-virus software cannot prevent SQL injection, because an injection request is indistinguishable from ordinary web page access, so it slips straight through the defenses. A server often hosts many websites, and the server administrator cannot possibly review every one of them for injection vulnerabilities. So how should SQL injection be prevented, and what should a server administrator or a website programmer do? The server administrator's job is to configure IIS and database user permissions; the website programmer's job is mainly to prevent injection in the program code. Details follow.

For the server administrator, since you cannot check every site for SQL injection vulnerabilities, here is a trick that prevents injection attacks and is both effortless and effective. SQL injection works from the ASP error messages that IIS returns. If you configure IIS so that, whatever ASP error occurs, only one generic message is returned, namely an HTTP 500 error, attackers have nothing to work with. See Figure 2 for details: the main step is to change the default prompt page for this error from C:\Windows\help\iishelp\common\500-100.asp to C:\Windows\help\iishelp\common\500.htm. After that, whatever goes wrong while ASP runs, the server only reports an HTTP 500 error.

Figure 2: IIS error message setting

The drawback of this setting is that when a programmer's code has an error, the server no longer gives a detailed error message, which is quite inconvenient for programmers. But a production server is not a place for testing code; it should put security and stability first, so the setting is reasonable, and in fact many servers already configure their error messages this way.
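The IIS setting above is a configuration change, but the principle behind it can be shown in code. The following Python example, added here and not part of the original article, plays the role of show.asp with a constructed SQLite table: one handler returns the raw database error text to the client (the 500-100.asp behaviour the article describes), the other logs the full detail server-side and returns only a generic HTTP 500 (the 500.htm behaviour). The query inside is deliberately the article's string-concatenation pattern so that a crafted parameter makes the database raise an error; note that hiding the error text removes the information leak but not the vulnerability itself, and injection techniques that work without error messages still exist, so parameterized queries remain the real fix.

```python
import logging
import sqlite3

log = logging.getLogger("show_asp")

def make_db():
    """Constructed in-memory table standing in for the article's lawjia database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO article VALUES (444, 'second')")
    return conn

def show_page_verbose(conn, id_param):
    """Default behaviour the article's 500-100.asp page represents: the raw
    database error is handed straight back to the client."""
    try:
        rows = conn.execute("SELECT id, title FROM article WHERE id = " + id_param).fetchall()
        return 200, repr(rows)
    except sqlite3.Error as exc:
        return 500, "Error type: " + str(exc)   # leaks column, table or engine detail

def show_page(conn, id_param):
    """Behaviour after switching to 500.htm: full detail goes to the server log
    for the programmer, the client sees only a generic status page."""
    try:
        rows = conn.execute("SELECT id, title FROM article WHERE id = " + id_param).fetchall()
        return 200, repr(rows)
    except sqlite3.Error as exc:
        log.error("query failed for id=%r: %s", id_param, exc)   # server-side only
        return 500, "HTTP 500 - Internal Server Error"

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    db = make_db()
    print(show_page_verbose(db, "444 and user > 0"))   # error text names the missing column
    print(show_page(db, "444 and user > 0"))           # client learns nothing beyond "500"
```

The probe string is the one from the article; in SQLite it fails with "no such column: user", which is exactly the kind of detail the verbose handler reveals and the generic handler withholds.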

Server administrators should also set the permissions of each website in IIS. Don't give a static website "Scripts and Executables" permission; in general "Scripts only" is enough. For the directory where files uploaded through the site's back-end management center are stored, set the execute permission to "None", so that even if someone uploads an ASP Trojan it cannot run. Normally a SQL injection vulnerability only concerns the security of one website, but if someone uses it to upload and run an ASP Trojan, the entire server is lost, so a far-sighted, responsible server administrator configures IIS execute permissions properly. Database user permissions should be configured the same way: if PUBLIC permission is enough for a site, don't hand out sa-level permission casually. The so-called website security vulnerability detection tool NBSI 2.0 has a cross-database injection function; if the database with the injection vulnerability connects with sa authority, none of the other databases is safe either. When the city gate catches fire, the fish in the moat suffer. An attacker can also obtain the highest system privileges by calling xp_cmdshell; for details see the article "SQL Injection Vulnerability Full Contact".

Next, the programmer's preventive measures. There are two main things to do. The most important, of course, is to carefully check the parameters submitted by the client. There are many ways to check client-submitted variables for SQL injection; searching on http://community.9cbs.net/ will turn up plenty of useful material. Here is a ready-made approach: someone else has already written and tested the code, so use it rather than doing it the hard way. It is "Maple Leaf SQL Universal Anti-Injection V1.0, ASP Edition", code that checks the parameters the user submits through the URL. If it finds any of "exec, insert, select, delete, from, update, count, user, xp_cmdshell, add, net, asc" in a client-submitted parameter, it stops executing the ASP immediately and shows a warning message or redirects to an error page; that is how it blocks SQL injection. Search for it online, download the code, save it as an ASP page such as Checksql.asp, and include that page in every ASP page that queries the SQL database. Remember, just adding the line <!--#include file="Checksql.asp"--> is enough.
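To make the mechanism from the show.asp example and the keyword check described here concrete, the following Python example (added here, not part of the original article or of the Maple Leaf script) runs against a constructed SQLite table. It shows the article's string-concatenation query being rewritten by a crafted id, a keyword blacklist built from the article's own word list, and the two defenses a practitioner would actually rely on: a whitelist check that an id is a plain integer, and a parameterized query in which the value can never become part of the statement. The whole-word, case-insensitive matching in the blacklist is an assumption made here; the article does not say how Checksql.asp matches, and a blacklist both misses payloads that use none of the listed words and rejects legitimate input that happens to contain one.

```python
import re
import sqlite3

def make_db():
    """Constructed in-memory table standing in for the article's show.asp?id=... lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO article VALUES (?, ?)",
                     [(443, "first"), (444, "second"), (445, "third")])
    return conn

def show_concatenated(conn, id_param):
    """The pattern the article warns about: the client value is pasted into the
    SQL text, so whatever the client sends becomes part of the WHERE clause."""
    return conn.execute("SELECT id, title FROM article WHERE id = " + id_param).fetchall()

# Keyword list exactly as quoted in the article for the Maple Leaf anti-injection script.
BLOCKED_KEYWORDS = ("exec", "insert", "select", "delete", "from", "update",
                    "count", "user", "xp_cmdshell", "add", "net", "asc")

def keyword_filter(value):
    """Blacklist check in the style of Checksql.asp. Whole-word, case-insensitive
    matching is an assumption; the article does not specify the matching rule."""
    return any(re.search(r"\b" + re.escape(k) + r"\b", value, re.IGNORECASE)
               for k in BLOCKED_KEYWORDS)

def show_parameterized(conn, id_param):
    """The value is bound as a parameter and compared as data; it can never
    extend or alter the statement, whatever characters it contains."""
    return conn.execute("SELECT id, title FROM article WHERE id = ?", (id_param,)).fetchall()

def show_validated(conn, id_param):
    """Whitelist first: an article id must be a plain integer, so anything else
    is rejected before the database is touched. The query stays parameterized."""
    if not id_param.isdigit():
        raise ValueError("id must be a non-negative integer")
    return show_parameterized(conn, int(id_param))

if __name__ == "__main__":
    db = make_db()
    print(show_concatenated(db, "444"))           # one row, as intended
    print(show_concatenated(db, "444 OR 1=1"))    # every row: the WHERE clause was rewritten
    print(keyword_filter("444 and user>0"))       # True: the blacklist catches the article's probe
    print(keyword_filter("444 OR 1=1"))           # False: the blacklist misses this one
    print(show_parameterized(db, "444 OR 1=1"))   # []: no id equals that string
    try:
        show_validated(db, "444 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The same three layers map directly onto classic ASP: validate the Request parameter's type before use, and pass the value through an ADODB.Command parameter rather than concatenating it into the SQL string; the include-file blacklist is then a second line of defense rather than the only one.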

The second thing for programmers to do is to encrypt user passwords, for example with MD5. MD5 has no reverse algorithm and cannot be decrypted, so even if someone obtains the garbled-looking encrypted password, he cannot learn the original one from it. He could still use an UPDATE statement to replace your password with his own, but that is more troublesome and may scare him off. The so-called website security vulnerability detection tool NBSI 2.0 does not provide this function, so once passwords are MD5-encrypted, an attacker using NBSI 2.0 alone, without manual work, cannot obtain the website administrator's password. That alone will block a great many rookie-level attackers, at least those kids who understand neither ASP nor SQL!
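The following Python example, added here and not part of the original article, shows the password storage scheme just described (store MD5 of the password and compare digests at login) next to what a practitioner would use today: a random per-user salt and a slow iterated hash (PBKDF2-HMAC-SHA256 from the standard library). The caveat the article does not mention is that an unsalted MD5 of a common password can be looked up in precomputed tables, so the MD5 scheme only protects passwords that are long and random; the salted, iterated form is the general case of the same idea. The storage format "pbkdf2_sha256$iterations$salt$digest" is a convention chosen here, not anything the article specifies.

```python
import hashlib
import hmac
import os

def md5_password(password):
    """The scheme the article describes: store MD5(password) instead of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def check_md5_password(password, stored_digest):
    """Login check for the MD5 scheme; compare_digest avoids timing differences."""
    return hmac.compare_digest(md5_password(password), stored_digest)

def pbkdf2_password(password, salt=None, iterations=200_000):
    """Salted, iterated hash. The salt is random per user and is stored alongside
    the digest so it can be recovered at login; the format is a choice made here."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def check_pbkdf2_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed.hex(), digest_hex)

if __name__ == "__main__":
    # Constructed sample password; in the login table only the digest would be stored.
    stored_md5 = md5_password("!@#*&Address")
    print(stored_md5, check_md5_password("!@#*&Address", stored_md5))
    stored_pbkdf2 = pbkdf2_password("!@#*&Address")
    print(stored_pbkdf2)
    print(check_pbkdf2_password("!@#*&Address", stored_pbkdf2),
          check_pbkdf2_password("wrong", stored_pbkdf2))
```

Even with hashing in place, the UPDATE attack the article mentions still works if the site builds that statement from unchecked input; hashing protects the stored secret, not the query.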

Please credit the original source when reprinting: https://www.9cbs.com/read-52547.html
