Reprinted: My understanding of SQL injection

1. What is SQL injection?

SQL injection means inserting SQL commands into a web form submission, into a domain name, or into the query string of a page request, so that the server is tricked into executing malicious SQL commands.

2. The principle of a SQL injection attack

SQL injection is a common attack against databases. The attacker inserts malicious code into a string that is later passed, by one of several routes, to an instance of the SQL Server database for parsing and execution. As long as the malicious code follows the rules of SQL syntax, the system will not detect it when the statement is compiled and executed.

3. The main forms of SQL injection attacks

The first is to insert code directly into user-input variables that are concatenated with SQL commands and executed. Because it is tied directly to the SQL statement, this is also called the direct injection method.

The second is an indirect method: malicious code is injected into strings that are stored in a table or kept as raw data. When the stored string is later concatenated into a dynamic SQL command, the malicious SQL code executes.

The injection works by terminating the text string early and then appending a new command. In the direct form, the user-supplied value first ends the current statement with a semicolon, then a malicious SQL statement is inserted. Because the application may append further text to the string before execution, attackers often end the injected string with the comment marker "--": the system treats whatever follows as a comment, so the appended text is ignored and is neither compiled nor executed.

4. When are you most vulnerable to injection attacks?

SQL injection attacks happen when an application uses its input to build dynamic SQL statements for accessing the database. They can also happen when the code calls stored procedures with strings that contain unfiltered user input. A successful injection lets the attacker run commands in the database under the application's login; this can be tested for with the tool pangolin. The damage is worse when the application connects to the database with an over-privileged account. Forms in which user input is used directly to build dynamic SQL commands, or is passed straight through as stored-procedure parameters, are especially exposed. Many website programs neither check the legitimacy of user input nor handle variables properly, which leaves the application with latent security risks: a user can submit a fragment of database query code and, from what the program returns, obtain sensitive information or even take control of the whole server. That is how SQL injection occurs.

5. How to prevent SQL injection

1. Never trust user input. Validate it with regular expressions or limit its length, and escape (convert) single quotes and double hyphens ("--").

2. Never assemble SQL dynamically; use parameterized SQL, or call stored procedures directly, for data queries and access.

3. Never connect to the database with administrator privileges; give each application its own database connection with limited privileges.

4. Do not store confidential information directly

5. Application exception messages should reveal as little as possible; ideally, wrap the original error message in a custom error message.

6. SQL injection is usually detected with helper software or a website scanning platform. Common software tools include the SQL injection detection tool jsky; website platforms include the Yisi website security platform detection tool, MDCSOFTSCAN and others.
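The following is an added example, not code from the original article. It puts the direct injection form from section 3 (a lookup built by string concatenation, where a quote in the input closes the literal early) beside the parameterized replacement that rule 2 above calls for, and adds the input validation of rule 1 and the error wrapping of rule 5. It runs against an in-memory SQLite database; the users table, its rows and the function names are constructed for the demonstration.

```python
# Added example, not code from the original article: a lookup built by string
# concatenation (the direct injection form of section 3) beside the
# parameterized replacement from section 5, plus the input validation and
# error wrapping the same section recommends. Runs against an in-memory
# SQLite database; the users table and its rows are constructed for the demo.
import re
import sqlite3


def make_db():
    """Create a throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (id, username, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "Everyone", "user")],
    )
    conn.commit()
    return conn


def build_vulnerable_sql(name):
    """Direct injection form: the input is pasted into the SQL text, so a single
    quote inside it closes the literal early and the rest is parsed as SQL."""
    return "SELECT id, username, role FROM users WHERE username = '" + name + "'"


def find_user_vulnerable(conn, name):
    return conn.execute(build_vulnerable_sql(name)).fetchall()


def find_user_parameterized(conn, name):
    """Rule 2 of section 5: the value travels separately from the SQL text, so
    quotes, semicolons and -- inside it stay ordinary characters of the value."""
    sql = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(sql, (name,)).fetchall()


# Rule 1 of section 5: a numeric id must look like one before it reaches SQL.
ID_PATTERN = re.compile(r"^[1-9][0-9]{0,9}$")


def find_user_by_id(conn, raw_id):
    """Reject anything that is not a plain positive integer of bounded length;
    returns None for rejected input instead of querying."""
    if not ID_PATTERN.match(raw_id):
        return None
    return conn.execute(
        "SELECT id, username, role FROM users WHERE id = ?", (int(raw_id),)
    ).fetchall()


def safe_lookup(conn, name):
    """Rule 5 of section 5: the caller never sees the raw database error."""
    try:
        return {"ok": True, "rows": find_user_parameterized(conn, name)}
    except sqlite3.Error:
        # The real error belongs in the server-side log; the client gets a
        # generic message that reveals nothing about tables or syntax.
        return {"ok": False, "error": "lookup failed"}


if __name__ == "__main__":
    conn = make_db()
    # Constructed input in the shape the article shows: the quote closes the
    # literal and the rest is appended as an extra condition.
    crafted = "Everyone' and ''='"
    print(build_vulnerable_sql(crafted))
    print("vulnerable   :", find_user_vulnerable(conn, crafted))    # the row comes back
    print("parameterized:", find_user_parameterized(conn, crafted))  # no such username
    print("validated id :", find_user_by_id(conn, "1 And (Select Count(*) from Admin)>=0"))
    print("wrapped error:", safe_lookup(sqlite3.connect(":memory:"), "alice"))
```

The point of the comparison is the generated SQL text: with concatenation the quote in the value ends the literal and the remainder is parsed as part of the WHERE clause, so the row for "Everyone" is returned; with a placeholder the whole value is compared as one username and no row matches. The same division of labour, SQL text on one side and values on the other, is what a stored procedure called with parameters gives you, as long as the procedure itself does not rebuild a string from its arguments.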


6. General steps for SQL injection

1. Determine the environment, find the injection point, and determine the database type

2. From the type of the injected parameter, reconstruct in your mind what the original SQL statement looks like. There are three main cases:

(A) The injected parameter is numeric, e.g. ID=1, and the original SQL statement looks roughly like:

Select * from [table name] where [field]=1

With the injected parameter ID=1 And [query condition], the generated statement is:

Select * from [table name] where [field]=1 And [query condition]

(B) The injected parameter is a character string, e.g. Class=Everyone, and the original SQL statement looks roughly like:

Select * from [table name] where [field]='Everyone'

With the injected parameter Class=Everyone' and [query condition] and ''=', the generated statement is:

Select * from [table name] where [field]='Everyone' and [query condition] and ''=''

(C) In a search whose parameters are not filtered, e.g. keyword=keyword, the original SQL statement looks roughly like:

Select * from [table name] where [field] like '%keyword%'

With the injected parameter keyword=' and [query condition] and '%25'=', the generated statement is:

Select * from [table name] where [field] like '%' and [query condition] and '%'='%'

3. Replace the query condition with an SQL statement and guess the table name, for example:

ID=1 And (Select Count(*) from Admin)>=0

If the page returned is the same as for ID=1, the extra condition held, so the table Admin exists; otherwise it does not. Continue in this way until the table name is found.

Once the table name is known, replace Count(*) with Count(field name) and guess the field names on the same principle.

4. Once the table and column names have been guessed, use SQL statements to retrieve the field values.
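Seen from the defender's side, the steps above leave a recognisable trail: a numeric parameter that stops being numeric, a quote followed by a boolean operator, a Select ... from inside a value, and the same client repeating such requests against the same page while it guesses table names. The following is an added example, not code from the original article, that parses constructed access-log lines (the log layout, path names and the set of numeric parameters are assumptions) and flags those shapes, including the repeated probing from one client that the guessing loop in step 3 produces.

```python
# Added example, not part of the original article: detection logic for the
# probing pattern section 6 describes, run over constructed web-server log
# lines. The log format, path names and the parameter schema are assumptions.
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines in a common access-log layout. The ID and Class
# values mirror the shapes shown in section 6 of the article.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item.asp?ID=1 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /item.asp?ID=1%20And%20(Select%20Count(*)%20from%20Admin)%3E%3D0 HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /item.asp?ID=1%20And%20(Select%20Count(*)%20from%20Users)%3E%3D0 HTTP/1.1" 200 512
10.0.0.7 - - [10/Oct/2023:13:55:39 +0000] "GET /list.asp?Class=Everyone%27%20and%20%27%27%3D%27 HTTP/1.1" 200 700
10.0.0.6 - - [10/Oct/2023:13:55:40 +0000] "GET /search.asp?keyword=red%20shoes HTTP/1.1" 200 800
"""

LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Parameters the (assumed) application treats as numeric: anything but digits
# there can only be a probe or a bug, so it is flagged without further tests.
NUMERIC_PARAMS = {"ID"}

# Textual signs of a value that is trying to become SQL rather than stay data.
SQL_SHAPES = [
    ("select-from", re.compile(r"(?i)\bselect\b.+\bfrom\b")),
    ("quote-boolean", re.compile(r"(?i)'\s*(and|or)\b")),
    ("quote-equals-quote", re.compile(r"'\s*=\s*'")),
    ("comment-terminator", re.compile(r"--|/\*")),
    ("statement-separator", re.compile(r";")),
]


def parse_line(line):
    """Return (client, method, path, params, status) or None for unparseable lines."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    client, method, target, status = m.groups()
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    return client, method, parts.path, params, int(status)


def inspect_params(params):
    """Return a list of (param, reason) findings for one request."""
    findings = []
    for name, values in params.items():
        for value in values:
            if name in NUMERIC_PARAMS and not value.isdigit():
                findings.append((name, "non-numeric value for numeric parameter"))
            for label, pattern in SQL_SHAPES:
                if pattern.search(value):
                    findings.append((name, label))
    return findings


def scan_log(text, probe_threshold=2):
    """Scan log text; return per-request findings plus clients that repeat
    probes against the same path (the table-name guessing loop of step 3)."""
    per_line = []
    probes = Counter()
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, _method, path, params, _status = parsed
        findings = inspect_params(params)
        if findings:
            per_line.append({"client": client, "path": path, "findings": findings})
            probes[(client, path)] += 1
    enumerating = sorted(key for key, n in probes.items() if n >= probe_threshold)
    return {"suspicious_requests": per_line, "enumerating_clients": enumerating}


if __name__ == "__main__":
    report = scan_log(SAMPLE_LOG)
    for item in report["suspicious_requests"]:
        print(item["client"], item["path"], item["findings"])
    print("repeated probing:", report["enumerating_clients"])
```

The per-parameter checks are deliberately narrow (a quote directly followed by and/or, a Select paired with a from, a quote-equals-quote fragment) so that ordinary text such as "red shoes" is not flagged; the numeric-parameter rule is the strongest signal because it needs no pattern at all. The repeat counter is what turns single hits into the enumeration picture: one client sending several flagged requests to the same page is the loop described in step 3, and is worth alerting on even when the individual responses were 200.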


Having read this far, everyone should be well aware of how serious SQL injection is. Applying these SQL injection precautions when building software saves us these unnecessary troubles. Don't leave others any opening!
