Pikachu SQL injection module (SQL Inject): primer

Reference: https://baike.baidu.com/item/sql%E6%B3%A8%E5%85%A5/150289

1. What is SQL injection:

SQL injection arises when a web application checks the legality of user input too loosely, or does not filter it at all. An attacker appends extra, prepared SQL to the query the application already builds, so that the database server is deceived into executing statements the attacker is not authorized to run, without the administrator's knowledge, and the attacker can then read or modify the corresponding data.

2. The injection process:
Step 1: locate the SQL injection point. Finding the injection point is the critical step; by analysing the application appropriately, one can determine where injection is possible. As a rule, wherever a dynamic page accepts submitted input and uses it to access the database, a SQL injection vulnerability may exist. If the programmer's security awareness is weak, builds SQL statements dynamically, and performs no validation of user input, the probability of a SQL injection vulnerability is high. The error information returned by the page is usually used to judge whether a SQL injection vulnerability exists.
Step 2: gather information about the backend database. Different databases require different injection techniques and have different functions, so the database type must be determined before injecting. There are many ways to do so. One can enter special characters, such as a single quote, so that the program returns an error message, and judge from the error output. One can also use database-specific functions: for example, if the input `1 and version()>0` makes the page return normally, the `version()` function was executed; since `version()` is specific to MySQL, the backend database can be inferred to be MySQL.
Step 3: guess usernames and passwords. Table and field names in a database usually follow patterns. By constructing special SQL statements, the attacker guesses in turn the table names, the field names, the number of fields, and finally the usernames and passwords.
Step 4: find the web admin portal. The web management backend is usually not open to ordinary users. To find the login URL of the management backend, a web directory scanning tool (e.g. wwwscan, AWVS) can quickly enumerate candidate login addresses, which are then tried one by one until the backend management platform's login URL is found.
Step 5: intrusion and damage. The management backend generally has higher privileges and more functions. After logging in with the previously obtained username and password, the attacker can cause arbitrary damage, such as uploading Trojans, tampering with web pages, and modifying or stealing information, and can further escalate privileges to compromise the web server and the database server.

3. SQL injection is roughly divided into two types, numeric injection and character injection (there is also a search type, e.g. `text LIKE '%{$_GET['search']}%'`).

@1. Numeric injection:
When the input parameter is an integer, such as an ID, an age, or a page number, and an injection vulnerability exists, it is considered numeric injection. Numeric injection appears mostly in weakly typed languages such as ASP and PHP, which infer a variable's type automatically: for the parameter id=8, PHP infers that id is of type int; for id=8 and 1=1, it infers a string. That is the characteristic of a weakly typed language. In strongly typed languages such as Java and C#, attempting to convert such a string to an int raises an exception and execution cannot continue, so numeric injection vulnerabilities are rare in strongly typed languages. [7]
@2. Character injection
When the input parameter is a string, it is called character injection. The biggest difference between numeric and character injection is that numeric injection does not need to close a single quote, while character injection generally has to close the surrounding single quotes.
Attack characteristics:
SQL injection is one of the most common and highest-risk network attacks against web applications, to some extent exceeding buffer overflow vulnerabilities, and firewalls on the market cannot effectively detect or prevent it. To allow normal web applications to reach data on the server side, a firewall must permit forwarded connections from the Internet to the web server, so once a web application has an injection vulnerability, an attacker can obtain the right to access the database and, in some cases, access to the server hosting the database. In such cases the risk of a SQL injection attack is higher than that of any other vulnerability, including buffer overflows. SQL injection attacks are widespread, easy to carry out, and therefore highly destructive.

Comment syntax:

From a `#` character to the end of the line.

From a `-- ` sequence to the end of the line; note that the `--` (double dash) comment style requires at least one space character after the second dash.

From a `/*` sequence to the following `*/` sequence; the closing sequence need not be on the same line, so this syntax allows a comment to span multiple lines.

4. Attack methods:

@1. Boolean-based blind injection
Because the page returns only a true or false state, Boolean-based blind injection obtains database information from the page's return value after injecting.
@2. Time-based blind injection
When the injection yields no Boolean result (the page displays normally either way), it is hard to judge whether the injected code was executed, and ultimately whether an injection point exists at all. Boolean injection cannot play its role here, so time-based blind injection arose: one judges whether the page has a SQL injection point from the difference in the page's response time.
@3. Union-query injection
The premise of union-query injection is that the page being injected must have a display position. Union-query injection uses UNION to merge the result sets of two or more SELECT statements; each SELECT must select the same number of columns, and the data types of the columns must also match. Based on the injection, append `order by 9` (or another number) to the link and determine the number of fields on the site from the result the page returns.
@4. Error-based injection
This method is used when the page has no display position but echoes the output of the mysql_error() error function. Its advantage is a fast injection rate; its disadvantage is that the statements are more complex and values can only be guessed sequentially via LIMIT. In short, error-based injection is the formulation of injection for pages that have no display bit but output mysql_error() error messages.

5. Detection:
SQL injection detection falls into two major categories. The first is dynamic monitoring, a method generally used in the acceptance stage or while the system is running online: the running system is scanned with attacks by a dynamic monitoring system, and the scan results determine whether a SQL injection vulnerability exists. The second is static detection, also known as static code scanning, which analyses the code in depth. [5]
@1. Dynamic detection
Dynamic monitoring comes in two types: manual monitoring and tool-based monitoring. Compared with the high cost and high miss rate of manual monitoring, production practice favours monitoring tools, but the tools have equally serious limitations. A tool judges whether SQL injection took effect from the response message, and it is difficult to judge accurately from the message alone whether SQL injection exists, so the false positive rate is high.
@2. Static detection
Static detection has a relatively low false positive rate, mainly because SQL injection vulnerabilities have obvious characteristics in code:
(1) code that interacts with the database;
(2) dynamic SQL statements constructed by string concatenation;
(3) use of untrusted, unfiltered data.
When troubleshooting SQL injection vulnerabilities in conventional application systems, static code scanning is usually used, because the characteristics are obvious, the false positive rate is low, and reading the relevant code directly reduces the amount of work.
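As an added example (not the article's own tool), a small Python checker that applies the three static characteristics above to constructed PHP source lines: a line is flagged when it builds a SQL string, concatenates or interpolates request data into it, and shows no obvious sanitizer on the same line. The regexes and the sample file are assumptions for illustration.

```python
import re

# Heuristic static scan for the three characteristics above (added here; not the article's tool).
SQL_STRING = re.compile(r"""['"]\s*(SELECT|INSERT|UPDATE|DELETE)\b""", re.I)   # (1) database interaction
CONCAT = re.compile(r"""\.\s*\$|\$\w+\s*\.|\{\$""")                           # (2) concatenation / interpolation
UNTRUSTED = re.compile(r"""\$_(GET|POST|REQUEST|COOKIE)\b""")                 # (3) unfiltered request data
SANITIZER = re.compile(r"""\b(intval|prepare|bind_param|real_escape_string)\b""")


def scan_php(source):
    """Return (line number, stripped line) for every line showing all three characteristics."""
    findings = []
    for number, line in enumerate(source.splitlines(), 1):
        if (SQL_STRING.search(line) and CONCAT.search(line)
                and UNTRUSTED.search(line) and not SANITIZER.search(line)):
            findings.append((number, line.strip()))
    return findings


# Constructed sample: lines 3 and 4 splice request data into SQL; lines 5 and 6 do not.
PHP_SAMPLE = r'''<?php
$id = $_GET['id'];
$sql = "SELECT * FROM users WHERE id = " . $_GET['id'];
$rows = mysql_query("SELECT * FROM news WHERE title LIKE '%{$_GET['search']}%'");
$stmt = $db->prepare("SELECT * FROM users WHERE id = ?");
$safe = "SELECT * FROM users WHERE id = " . intval($_GET['id']);
'''

if __name__ == "__main__":
    for number, line in scan_php(PHP_SAMPLE):
        print(f"line {number}: {line}")
```

The check is line-local, so a SQL string built on one line and executed on another is only reported at the line that performs the concatenation; a real static scanner tracks data flow across lines.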

6. Precautions against injection
SQL injection attacks cause great harm and are difficult for firewalls to intercept. Prevention of SQL injection focuses mainly on the following areas.
1. Hierarchical management
Classify users and strictly control their permissions: ordinary users are denied the right to create, delete, or modify database objects, and only the system administrator has add, delete, change, and query permissions. Take the example above in which `drop table` was added to the query: it must certainly not be allowed to execute, otherwise the database system's security cannot be guaranteed. Privileges are therefore limited by design, so that even if a malicious attacker embeds attack code in the submitted data, the permission settings prevent that code from executing, reducing the threat SQL injection poses to the database.
2. Passing values as parameters
When writing SQL, programmers must not write variables directly into the SQL statement; the relevant variables must be passed through corresponding parameters. This suppresses SQL injection, because input data cannot be embedded directly into the query statement. At the same time, filter the input content to remove unsafe data, or pass the input variables as parameter values. This prevents SQL injection attacks to the greatest extent.
3. Basic filtering and secondary filtering
Before a SQL injection attack, the intruder submits special characters such as `and` by modifying parameters to determine whether a flaw exists, and then injects SQL statements written with characters such as select and update. The precaution is therefore to check user input to ensure the safety of input data: check the submitted input variables for single and double quotes, colons, and other characters, and convert or filter them, thereby effectively preventing SQL injection. Of course there are many dangerous characters, so the submitted parameters should first receive basic filtering and then a second round of filtering based on the program's function and the likely user input, to ensure the security of the system.
4. Use of security parameters
To effectively suppress the impact of SQL injection attacks on the database, the SQL Server database design provides dedicated SQL security parameters. Programs should be written to use these security parameters to prevent injection attacks and ensure the security of the system.
The Parameters collection provided by the SQL Server database performs data type and length validation in the database. When the programmer adds parameters to the Parameters collection, the system automatically prevents the user input from executing as code and treats it as a character value. If the user input contains malicious code, the database check filters it out as well. The Parameters collection can also enforce checks: once a value is out of range, the system raises an error and sends the information to the system administrator, so that the administrator can take appropriate preventive measures.
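The following added example (not code from the article or the Pikachu platform) shows, on an in-memory SQLite table, the two vulnerable forms described under numeric and character injection beside the parameterized form recommended in points 2 and 4. The sample table, the `8 and 1=1` / `8 and 1=2` Boolean check and the `int()` type check are assumptions for illustration.

```python
import sqlite3


def build_db():
    # Constructed sample table; not from the original article.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(8, "alice"), (9, "bob"), (10, "carol")])
    return conn


def vulnerable_by_id(conn, user_id):
    # Numeric injection: the value is spliced in unquoted, so no quote is needed to change the query.
    sql = "SELECT name FROM users WHERE id = " + user_id
    return [row[0] for row in conn.execute(sql)]


def vulnerable_by_name(conn, name):
    # Character injection: the value sits inside single quotes, so a quote must be supplied to close them.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_by_id(conn, user_id):
    # Strongly-typed check first (the behaviour the article attributes to Java/C#),
    # then a bound parameter: the driver sends the value separately from the SQL text.
    uid = int(user_id)  # raises ValueError for "8 and 1=1", so no SQL runs at all
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE id = ?", (uid,))]


def safe_by_name(conn, name):
    # Bound parameter: any quote inside the value is data, never SQL syntax.
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def id_is_rejected(conn, user_id):
    # True when the typed check refuses the input before it reaches the database.
    try:
        safe_by_id(conn, user_id)
        return False
    except ValueError:
        return True
```

With the vulnerable functions, `8 and 1=1` and `8 and 1=2` return different results (the Boolean signal described in section 4), while the parameterized versions either reject the input or treat it as a literal value.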
5. Vulnerability scanning
To prevent SQL injection attacks more effectively, the system administrator should, in addition to configuring effective preventive measures, discover the security vulnerabilities that expose the system to SQL attacks. Administrators can purchase specialized SQL vulnerability scanning tools; a professional scanner can promptly detect the corresponding vulnerabilities in the system. Although a vulnerability scanner can only find SQL injection vulnerabilities and cannot protect against SQL injection attacks, the administrator can, according to the vulnerabilities the scan reveals, take appropriate precautions to close them, shutting the door on SQL injection attacks and ensuring the security of the system.
6. Multi-layered verification
Today's website systems are increasingly large and complex. To ensure system security, data entered by visitors must pass rigorous verification before entering the system; input that fails validation is denied direct access to the database, and an error message is sent to the upper layer. Verification of the visitor's input should also be performed in the client access program, so as to prevent simple SQL injection more effectively. However, if multi-layered verification only validates the underlying data, an attacker who bypasses the client can freely access the system. Therefore, when performing multi-layered verification, every layer must cooperate with the others; only when both the client and the server perform effective verification can the protection better guard against SQL injection attacks.
7. Database encryption
Traditional encryption and decryption methods can be roughly divided into three types:
(1) Symmetric encryption: the encrypting side and the decrypting side use the same algorithm and the same key. Keeping the key safe is critical in this scheme, because the algorithm is public and only the key is secret; once the key is compromised, an attacker can easily decrypt the data. Common symmetric algorithms: AES, DES, etc.
(2) Asymmetric encryption: different keys are used for encryption and decryption, divided into a public key and a private key. Data encrypted with the private key must be decrypted with the public key, and data encrypted with the public key must be decrypted with the corresponding private key. Common asymmetric algorithm: RSA.
(3) Irreversible encryption: data is encrypted with a hash algorithm and cannot be decrypted back to the original. Commonly used hash algorithms include MD5 and SHA-1.


Note: this blog also has a complete summary of the sqli-labs exercises; the fundamentals are the same.


Source: www.cnblogs.com/li2019/p/12633258.html