[SQL] SQL Injection: ASP Vulnerability Full Contact - Getting Started

xiaoxiao2021-03-06  41

Introduction

With the spread of B/S (browser/server) application development, more and more programmers write applications in this model. Because the entry threshold for this field is low, the skill and experience of those programmers vary widely. A considerable share of them do not check the legality of user-submitted data when writing code, which leaves the application with security holes. A user can submit database query code and, based on what the program returns, obtain data he wants. This is the so-called SQL injection.

SQL injection is carried out over the normal WWW port and, on the surface, looks no different from ordinary web page access, so the firewalls currently on the market do not raise an alert for it. If the administrator is not in the habit of reviewing the IIS logs, an intrusion may go unnoticed for a long time.

However, SQL injection technique is quite flexible, and many unexpected situations arise during injection. Whether you can analyse the concrete situation and construct a clever SQL statement that successfully obtains the data you want is the fundamental difference between an expert and a "rookie".

Given the situation in this country, domestic websites using ASP + Access or SQL Server account for more than 70%, PHP + MySQL for 20%, and everything else for less than 10%. In this article we introduce ASP injection methods and techniques from beginner through intermediate to advanced level; the PHP injection article is written by another NB Alliance friend, Zwell. I hope this is useful to security workers and programmers alike. Friends who already know ASP injection, please do not skip the beginner part, because some people misunderstand the basic methods of judging an injection point. Are you ready? Let's go ...

Getting Started

If you have never tried SQL injection, the first step is to turn off the IE option Tools => Internet Options => Advanced => "Show friendly HTTP error messages". Otherwise, whatever the server returns, IE only displays an HTTP 500 server error and you cannot get any more useful information.

Section 1: The principle of SQL injection

We start from a website, www.19cn.com (note: the owner of the site approved this article beforehand; most of the data is real).

On the website's home page there is a link titled "IE can't open a new window", whose address is http://www.19cn.com/showdetail.asp?id=49. If we append a single quotation mark (') to this address, the server returns the following error message:

Microsoft JET Database Engine error '80040e14'

Syntax error in string in query expression 'id=49''.

/showdetail.asp, line 8

From this error message we can learn the following:

1. The website uses an Access database and connects to it through the JET engine, not through ODBC.

2. The program does not check whether the data submitted by the client meets its requirements.

3. The SQL statement queries on a field named id.

From the example above we can see that the principle of SQL injection is to submit specially crafted code from the client, collect the responses of the program and the server, and from them obtain the information you want.
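To make the principle concrete, here is an added example (not code from the article or from the 19cn.com site) that models showdetail.asp's query in Python over an in-memory SQLite table standing in for the Access database. The vulnerable function pastes the id parameter straight into the SQL text, so the appended single quote produces the same kind of syntax error the article shows, while the hardened function validates the type and binds the value as a parameter; the table contents and function names are constructed for the demonstration.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the site's article table (sample data only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(48, "Older post"), (49, "IE can't open a new window")])
    return conn

def showdetail_vulnerable(conn, id_param):
    # Mirrors the pattern behind showdetail.asp: the query-string value is
    # concatenated into the SQL text, so anything after the number is executed
    # as SQL.  A trailing quote makes the statement unparsable, which is the
    # "syntax error in query expression" the article observes.
    sql = "SELECT title FROM articles WHERE id=" + id_param
    return [row[0] for row in conn.execute(sql)]

def showdetail_hardened(conn, id_param):
    # The check the article says the program lacks: reject anything that is
    # not a plain integer, then pass it as a bound parameter so the database
    # never interprets the value as SQL.
    if not id_param.strip().isdecimal():
        raise ValueError("id must be a positive integer")
    sql = "SELECT title FROM articles WHERE id=?"
    return [row[0] for row in conn.execute(sql, (int(id_param),))]

def syntax_error_on_quote(conn):
    # Returns True if appending a quote to the id raises a database error,
    # i.e. the vulnerable pattern leaks its SQL structure through errors.
    try:
        showdetail_vulnerable(conn, "49'")
    except sqlite3.OperationalError:
        return True
    return False
```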

Section 2: Determining whether SQL injection is possible

After reading Section 1, some people will think: I also test with a single quote all the time; isn't this very simple? In fact, this is not the best method. Why?

First, not every server's IIS returns the error message to the client. If the program has fault tolerance added, SQL injection will not succeed, but the server still reports an error; the specific message is "An error occurred on the server when processing the URL. Please contact the system administrator."

Second, some programmers with a little understanding of SQL injection think that filtering out the single quote makes the program safe, and this situation is not rare. If you test with a single quote, you will not find the injection point.

So what kind of test is more accurate? The answer is as follows:

1. http://www.19cn.com/showdetail.asp?id=49

2. http://www.19cn.com/showdetail.asp?id=49 ;and 1=1

3. http://www.19cn.com/showdetail.asp?id=49 ;and 1=2

This is the classic 1=1, 1=2 test. How do we judge? Look at what the three URLs above return:

Behaviour when injection is possible:

1. Displays normally (this is inevitable, otherwise something else is wrong)

2. Displays normally, with content basically the same as in 1

3. Prompts BOF or EOF (when the program does no checking at all), or "record not found" (when it checks rs.eof), or displays an empty page (when the program has added On Error Resume Next)

It is easier to judge when injection is not possible: 1 still displays normally, while 2 and 3 generally show a program-defined error message, or an error prompt of the type "an error occurred while processing".

Of course, this is only the judging method for numeric parameters. In practice there are also character-type and search-type parameters, which I will analyse in "General Steps of SQL Injection" in the intermediate part.

Section 3: Judging the database type and the injection method

Different databases have different functions, so the injection method differs; before injecting we must therefore judge the type of database. The databases most commonly paired with ASP are Access and SQL Server, which together account for more than 99% of the websites online.

How do we make the program tell us which database it uses? Take a look:

SQL Server has some system variables. If the server's IIS error prompts are not turned off and SQL Server returns error messages, you can get the answer directly from the error text, as follows:

http://www.19cn.com/showdetail.asp?id=49 ;and user>0

This statement is very simple, but it contains the essence of the SQL Server-specific injection method. I found this efficient approach in an unintentional test. Let's look at its meaning. First, the front part of the statement is normal; the focus is "and user>0". We know that user is a built-in variable of SQL Server whose value is the user name of the current connection, of type nvarchar. Comparing an nvarchar value with the int 0 makes the system try to convert the nvarchar value to int, and this conversion will certainly fail. SQL Server's error message is "Syntax error converting the nvarchar value 'abc' to a column of data type int", and abc is the value of the variable user. In this way the database's user name is obtained without any effort. In the following pages you will see many statements that use this method. By the way, it is well known that SQL Server's user sa is a role with permissions equivalent to Administrators; obtaining sa permissions almost certainly means obtaining the host's Administrator. The method above is a very convenient way to test whether the connection is logged in as sa: if it is, the prompt is an error converting "dbo" to int, not "sa".

If the server's IIS does not return error prompts, how do we judge the database type? We can start from the differences between Access and SQL Server. Each has its own system tables, for example the table that stores all objects in the database: in Access it is the system table [msysobjects], but in a web environment reading that table gives "no permission"; in SQL Server it is the table [sysobjects], which can be read normally in a web environment.

Where injection is possible, use the following statements:

http://www.19cn.com/showdetail.asp?id=49 ;and (select count(*) from sysobjects)>0

http://www.19cn.com/showdetail.asp?id=49 ;and (select count(*) from msysobjects)>0

If the database is SQL Server, the page returned by the first URL is roughly the same as the original page http://www.19cn.com/showdetail.asp?id=49, while the second URL prompts an error because the table msysobjects cannot be found; even if the program has fault tolerance, the page is completely different from the original.

If the database is Access, the situation is different: the page returned by the first URL is completely different from the original page; for the second URL, it depends on whether the database settings allow reading the system table, which is generally not allowed, so it is also completely different from the original page. In most cases the first URL alone tells you which database the system uses; the second URL is only used for confirmation when IIS error prompts are enabled.
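Since the article notes that these probes only go unnoticed when nobody reads the IIS logs, here is an added example (not part of the original article) of detection logic that scans an IIS W3C extended log for the exact probe patterns described in Sections 2 and 3: a quote appended to a numeric id, the "and 1=1"/"and 1=2" pair, "user>0", and references to sysobjects/msysobjects. The log excerpt, IP addresses and function names are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C extended log excerpt (sample data, not a real server's log).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-03-06 10:21:33 198.51.100.7 GET /showdetail.asp id=49 200
2004-03-06 10:21:40 198.51.100.7 GET /showdetail.asp id=49' 500
2004-03-06 10:21:52 198.51.100.7 GET /showdetail.asp id=49%20and%201=1 200
2004-03-06 10:21:58 198.51.100.7 GET /showdetail.asp id=49%20and%201=2 200
2004-03-06 10:22:30 198.51.100.7 GET /showdetail.asp id=49%20and%20user>0 500
2004-03-06 10:23:01 203.0.113.9 GET /showdetail.asp id=50 200
2004-03-06 10:23:05 198.51.100.7 GET /showdetail.asp id=49+and+(select+count(*)+from+sysobjects)>0 200
"""

# One pattern per probe the article describes; matched against the decoded query.
PROBES = [
    ("quote-after-numeric-id", re.compile(r"\bid=\d+\s*'")),
    ("and-1=1/1=2",            re.compile(r"\band\s+1\s*=\s*[12]\b", re.I)),
    ("user>0",                 re.compile(r"\buser\s*>\s*0", re.I)),
    ("system-table",           re.compile(r"\bm?sysobjects\b", re.I)),
]

def parse_iis_log(text):
    # IIS writes a #Fields: header naming the columns; use it instead of
    # hard-coding positions, since the layout is configurable per site.
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_injection_probes(text):
    # Returns (client ip, uri stem, probe name, status) for each matching request.
    # The query is URL-decoded first so %20 / + encoded spaces do not hide a probe.
    hits = []
    for rec in parse_iis_log(text):
        query = unquote_plus(rec.get("cs-uri-query", ""))
        for name, pattern in PROBES:
            if pattern.search(query):
                hits.append((rec["c-ip"], rec["cs-uri-stem"], name, rec["sc-status"]))
                break
    return hits

def probing_ips(text, threshold=2):
    # A single odd request may be a typo; repeated probes from one IP are the signal.
    counts = {}
    for ip, _stem, _name, _status in find_injection_probes(text):
        counts[ip] = counts.get(ip, 0) + 1
    return {ip for ip, n in counts.items() if n >= threshold}
```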

Please credit the original address when reposting: https://www.9cbs.com/read-88578.html
