Author: Feng Qingyang Source: E-generation V4
Network attacks since recent times seem more, many sites have been black or even changing to the home page for no reason. Most of the reasons for the attack are mostly due to the vulnerabilities on site programs, and the attacker gets WebShell and then promoting the server host authority. However, the WEBSHELL will also focus on the attack method of SQL Injection. What is SQL injection attack? From the official interpretation: SQL injection attack occurs when the application uses input content to construct a dynamic SQL statement to access the database. If the code uses a stored procedure, these stored procedures are passed as a string that contains unfilled users, and SQL injection attacks will also occur. SQL injection may cause an attacker to enable commands in the database using the application. This problem becomes very serious if the application is connected to the database with an excessive account. In other words: SQL injection attack utilizes an easily attacked data access code and allows an attacker to perform any commands in the database. If the application uses unrestricted accounts in the database, the threat being received is even greater because the attacker can perform queries and commands more freely. It is worth noting that traditional security measures (such as using SSL and IPSec) cannot prevent SQL injection attacks.
Make the data access code is easy to be affected by SQL injection attacks, including: this article reprints the e-generation time E3i5.com
· Weak input verification
· Dynamically constructed SQL statement when not using the type of security
· Login using privileges
To respond to SQL injection attacks, please pay attention to:
· Limit and purify input data
· Data access is performed using the type-safe SQL parameter. These parameters can be used with the stored procedure, or the SQL command string of dynamically constructed. Parameter execution type and length check, and ensure that the code in the injection database is considered text data (rather than executable statements) This article reprints the E-generation Time E3i5.com
· Use accounts with limited permissions in the database. Ideally, you should only grant execution permissions to the selected stored procedure in the database without providing direct table access.
· Verify the type, length, format, and range of the input content. Don't accept them if you don't want to get values. You should consider where the input content comes. If it comes from a trusted source, you know that it has been performed for this source to perform a thorough input verification, you can choose to ignore data verification in the data access code. If the data comes from being untrusted or for deep defense, the data access method and component should verify the input.
In summary.
How to prevent SQL INJECTION attacks have become a focus of safety protection: this article reprints the e-generation time E3i5.com
Due to the easy-learning and universality of ASP, many sites have chosen to build their own web sites using ASP languages. The ASP language is a scripting-level programming language, which is VBScript or JavaScript. More sites chose the VBScript script as the basis for writing. However, unfortunately, VBScript has a lot of declarations for exceptions and data types, and there is no mandatory requirement, which brings a hidden danger that is convenient. (Due to some programmers' habits, the declaration of exceptions and data types are often ignored when using the VBScript to write ASP programs), so aspects of preventing Web injection attacks will appear "Heart, and inadequate." Go back to our topic: Talking about SQL Injection, we first think of looking for an injection point. In many cases, the injection of web methods is dominated by ASP Request objects.
Quote: Example (1):
http: //target/index.asp? id = 10
Ending an end to SQL injection attacks is to monitor user input from ASP Request objects (Request, Request.QueryString, Request.Form, Request.Cookies, and Request.ServerVariables) to ensure the reliability of SQL instructions. . Like other ways of other attack methods entered by other users from the ASP Request object (Reques, Request.QueryString, Request.Form, Request.Cookies, and Request.SerVariables), the input variables that are expected to be expected in scripts are digital variables (ID). On (as Example 1), of course we can't just look at digital variables: this article reprints the e-generation time E3i5.comQuote: Example (2):
http: //target/index.asp? username = wind clear
The variables referenced in Example (2) are transmitted in a string variable.
The way to transfer variables through the URL is probably transmitted in the above two ways. First, a digital variable; second, a string variable. The emergence of SQL INJECTION vulnerabilities is that the programmer's negligence and generality, not taken filtering or filtering is not tightly left to the attacker attack. Let's take a specific introduction to how to prevent:
· Active protection This article reprints the source E-generation E3i5.com
What is active protection? Active protection refers to filtering the illegal string, but actively gives a string input range to prevent the attack of SQL INJECTION. Many sites are in programs in filters from the ASP Request object, and only passive some known attack characters are filtered. For example, the following procedures: block (1)
Quote: Function Htmlencode (STR)
Str = replace (str, ";", ";")
Str = Server.htmlencode (STR)
Str = Replace (STR, "'", "'")
Str = Replace (STR, "-", "-")
Str = Replace (Str, "/", "/")
Str = Replace (Str, VBCRLF, "
")
HTMLENCODE = STR
END FUNCTION
The above program blocks are transferred from a forum program that filters special characters such as semicolons, <,>, single quotes, -, /, &, and converting for soft return. Imagine, if the above filtration is not tight, that is, the remarks are collapsed. Such as "../" strings are not filtered, in some single sheets, there may be some unnecessary trouble and hidden dangers in some single sheets. If we take a proactive way to limit the input character set, a regular expression of higher efficiency, such as [0-9A-ZA-Z]: block (2)
Quote: Regularity of Chinese characters: / [^ / X00- / XFF] / g
Email Regular: / ^ [/ w .-] @ ([0-9A-Z] [/ w -] /.) [A-Z] {2,3} $ / i
String consisting of numbers, 26 English letters or underline: ^ / W $
Correct URL: ^ [A-ZA-Z] : / / (/ W / w ) *) (/. (/ W / W ) *) * (/? / S *)?
Positive integer: ^ [0-9] * [1-9] [0-9] * $
Full digital format: / [^ / d] / g
application:
Function Checkexp (PATRN, STRNG) DIM Regex, Match
SET Regex = New Regexp
Regex.pattern = PATRN
Regex.ignorecase = TRUE
Regex.global = TRUE
Matches = regex.test (strng)
Checkexp = matches
END FUNCTION
example:
If the STR is a string consisting of numbers, 26 English letters or underline, returns to false.
Use the active restrictions to limit the input type of the character to improve the efficiency of the exhaustion of the dangerous characters, and the relative security is also greatly improved. Only filter illegal characters, hu ~ Who knows which characters are illegal characters? So still have to take the initiative, actively do filtering. Address, what we advocate is limited to input character sets, not to let everyone use character limit, under specific conditions, filter characters will be much better than limit input. Everyone must learn to be flexible.
· Database query method This article reprints the E-generation time E3i5.com
It is found that there are many sites to perform database queries, or use RS.eOF or RS.BOF as a judgment of the query results. The EOF and BOF attributes of the RS (Cursor) are represented as a cursor in the data end or data lead, and the meaning is not shown to find the corresponding data. Most sites use the following ways to log in to the user, the user registration, the following methods: block (3)
Quote:
If the block (3) displayed, if the variable username and password are not filtered or filtering due to programmer's negligence or other reasons, it will cause a vulnerability of SQL INJECTION. It is only unsafe to use RS.BOF or RS.EOF as database data traversal. From the security perspective, we should use the following way as the basis for judgment: block (4) This article reprints the e-generation time E3i5.com
Quote:
With IF RS ("Username") = UserName Then's presence (red part), makes verification have to be detected, not only to meet the correctness of SQL query statements, but also make queries and input The correct judgment is given when the data is consistent.
· Database other ways to check
It is necessary to have a lot of sites in this link, in fact, this issue is also the most easily solved. Many programmers have only achieved features without good programming habits, and do not pay attention to the security of their programs, or not not notice the more details, this is also an aspect of the site program being attacked. The specific problem is mainly concentrated in several aspects:
1. Return to the field value for query
Many friends like to use the following statements to work, such as block (5)
Quote: SQL = "Select * from [user] where uid =" & id & "order by uid desc"
Simple seems to say that if there is a restriction on the digital variable (ID), the entire statement may be safe. But using SELECT * to query all fields sometimes bring more security issues. I recommend it, especially in the individual written programs, use SELECT * to query the fields in the data table, which field is required to use which field requirements.
2. Variables in digital format Test this article Reprint E-generation Time E3i5.com
This should be the most used variable type in the ASP program. Many people feel that the use of string type variables are difficult to do when filtering, so many of them are transmitted as variables. And often excessive uses make the programmer easy to forget whether a digital ID has detected the variable type. As mentioned earlier, the VBScript script is strict in other languages for the declaration of the data type. Defining a new variable in Java is first to define the data type of the variable such as quote: 1. String a = "good day";
2. INT A = 3;
3. Public Static String Madethisexample (String PWD, INT SOLD)
{
String key = string.concant (PWD, SOLD);
String Result = loopaddr ("Madethisout", Key);
Return Result;
}
With strict data types, we can do different filtration or abnormal capture according to different data types. However, ASP security is the most advantageous at this point. As of the following ASP program fragment: this article reprints the e-generation time E3i5.com
Quote: DIM STR_A, INT_B
STR_A = Request ("STR_A")
INT_B = Request ("int_b")
In the above sequence we can see the string STR_A, shaping digital INT_B we expect, however, can define data-free data, which makes the program writer to pay attention to the data type of some variables, And do an abnormal capture. For example, plastic variable INT_B as a shaped judgment:
Quote: DIM INT_B
INT_B = CINT (Request ("int_b"))
In this way, int_B is forced to be a shaped variable. When INT_B is non-oily, the program generates an error: "Character type does not match"
We generally use the following functions when judged by the digital variables:
Quote: CINT, CLNG, ISNULL, ISEMPTY, ISNUMERIC, etc.
In our commonly used programs, the above judgment functions are sufficient, and the integrated operation of all REQUEST object data types is integrated. You can even write a universal check function to perform global checks. Regarding the verification function, this will not be mentioned. There are many friends on the Internet to write some filtering functions. You can search as a reference.
3. Verification of string format reprint. Source E-generation Time E3i5.com
Using a string as a variable does not have a function like a shaping variable judgment, is it very difficult to feel like this variable. In the case where it is unable to go, only the illegal character of the dead plate will only be filtered. It feels that there is too much things that should be filtered, and more depressed is to filter the characters and users are in use. What should I do? I blamed myself when I first wrote the program, and there were many characters that were about to be shielded during the discovery of problems. In fact, similar to a string format variable is similar to the methods mentioned earlier.
(1) You can only enter the specified character in a manner. Please check the block block (2) for specific methods (2)
(2) Using a cursor data check, method is similar to the writing of users. For example: block (6)
Quote: DIM SQL, RS
DIM TYPE
TYPE = Request ("stype")
SQL = "SELECT ARTICLEID, Articles, Articles, ARTICLE, ARTICLEWRTER, ADDDATEPES = '" & TY &' "Order by ArticleId Desc" set = conn.execute (SQL)
IF not (rs.eof or rs.bof) THEN
IF RS ("Articles") = TYPE THEN
Article list operation
Else
Variable error operation
END IF
END IF
As shown by the block (6), regardless of the content of the string variable, it is illegal to treat the content of this string variable as long as it cannot pass the IF RS ("Articles") = Type THEN. This will be much better than the illegal characters that are illegally filtered. The ghost knows no new injection method, even if some special characters are masked, other methods can be injected.
4. The length of the variable is detected in this article. Reprinted to E-generation Time E3i5.com
Why do you have to increase the length after you have already detected? (Oh, some friends still don't worry. Laughter DE) This also depends on the procedure needs, the restriction of the front stage level is only limited to a client filter. As an attacker can break through some means to break through the client limit, then Preventing such an attack, we can only start from the server program, plus the length of the single table restriction again, one can prevent data from writing to the database from excessive length of the string failed; More effectively prevent SQL INJECTION attacks. Limit variable length: block (7)
QUOTE: We use the Len () function to determine the length of the string, for more than the length requirements or returns the error message, and terminate the program down. Such as:
5. Prevent remote injection issues
This situation is really easy to forget. This includes the mobile network forums, such as file uploaded data processing files do not check the information and untrusted source information, plus a little bit of small bug on the verification program, a little bit on the server Security configuration issues, the entire website is "black". I believe that many friends are suffering from harm. Not light is a forum program, and the data processing programs in some other sites have neither permission verification, and there is no filtering for untrusted areas. This makes I don't know the password can change you. There is a situation in the situation page. To remind a little thing, many friends are afraid that their site is black, and the backstage of the free procedure will be a lot of money, especially the landing page and the data processing page are not on the same page, and the data processing page does not Filtered for requests for untrusted areas, even if you change the landing port, the attacker can also fake data to log in. Especially in some non-URL injection attacks, such as SQL injection on a single table, only the script level filtration of the page list table, and the attacker is not filtered on the discovery data processing page, generally In the local counterfeit page, the illegal illegal sentence is submitted, that is, it is unable to prevent it. The following will give the code to prevent remote injection: Block (8) This article reprints the E-generation. Light E3i5.com
Quote:
· Description of data security
Still to mention, friends who use SQL database server machine machine pay attention, the opening permissions of the database account should be as close to the ideal case, only to grant execution permission to the selected stored procedure in the database, and do not provide direct Table access, and delete or rename some special commands and files for the server. Users who use Access databases should pay attention to the security of Conn.asp files, and it is best to use exception to capture the error message to connect the database connection. To prevent the leakage of sensitive information. Such as: block (9)
Quote:
In addition, friends using the Access database should pay attention to the database's anti-download protection, steps for:
1. Write OLE data to the database using the ASP program, and write content is <%
2. Files the Database End of the ASA, because the IIS server is higher than the ASA file, so we select the ASA file as an end extension of the Access database file.
3. Add a ## in the changed database name to prevent the operation of "cross-library query" when the SQL INJECTION problem occurs.
Finally don't forget to delete the installation file of the site program, otherwise it is "black" should drop, because this will be long-term.
· Postscript
Seeing recently in the network, I feel that this article is written out to help or remind you of the webmasters. Take a look at the procedure on your station, say that there is more problems on which inconspicuous page. Hu ~ More worry is that there are similar problems in some domestic portals, even some security companies, national institutions. The form seems to be imminent, and the administrators should work, raise their hands. This article reprints the e-generation time E3i5.com
If you have any questions, please ask www.e3i5.com. Thank you!
references:
1.
http://www.securiteam.com/securityreviews/5dp0n1p76e.html
2.
Http://msdn.microsoft.com/msdnmag/issues/04/09/sqlinjection/default.aspx
3.
http://www.4guysfromrolla.com/webtech/061902-1.shtml
