2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article walks through a sample analysis of SQL injection in a .NET application. It is easy to follow and well organized, and I hope it helps answer your questions. Let me lead you through the "sample analysis of SQL injection in .NET applications".

Preparation:
1. Tools: SQL Server, Visual Studio
2. Database script and .NET code (C#)
3. SQL Server Profiler
SQL script code:
```sql
USE MASTER
GO
-- check whether the SQLTMP database already exists
IF EXISTS (SELECT * FROM SYSDATABASES WHERE name = 'SQLTMP')
    -- delete the SQLTMP database
    DROP DATABASE SQLTMP
GO
-- create the database
CREATE DATABASE SQLTMP
GO
-- switch to the SQLTMP database
USE SQLTMP
GO
-- create a table used to verify the SQL injection vulnerability
-- check whether the table already exists
IF EXISTS (SELECT * FROM SYSOBJECTS WHERE Name = 'admin')
    -- delete the table
    DROP TABLE admin
GO
-- create the table
CREATE TABLE admin (
    id   INT PRIMARY KEY IDENTITY(1,1), -- primary key
    name VARCHAR(20) NOT NULL,          -- username
    pass VARCHAR(20) NOT NULL           -- password
)
-- insert one test record
INSERT INTO admin VALUES ('admin', 'admin')
-- query the inserted data
SELECT * FROM admin
```
The following C# code verifies the username and password. The query is built by string concatenation on purpose; that is the defect the rest of the article demonstrates:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Data;
using System.Data.SqlClient;

namespace SQLTmp
{
    class Program
    {
        // database connection string
        public static String strCon = "Data Source=.;Initial Catalog=SQLTMP;Integrated Security=True";
        // database connection object
        static SqlConnection SqlCon = new SqlConnection(strCon);

        static void Main(string[] args)
        {
            Console.WriteLine("Please enter user name:");
            String name = Console.ReadLine();
            Console.WriteLine("Please enter password:");
            String pass = Console.ReadLine();
            Program p = new Program();
            try
            {
                // open the database connection
                p.Open();
                // VULNERABLE: user input is spliced straight into the SQL text
                string sql = "SELECT COUNT(*) FROM admin WHERE name ='" + name + "' AND pass ='" + pass + "'";
                SqlCommand sqlcom = new SqlCommand(sql, SqlCon);
                int i = (int)sqlcom.ExecuteScalar();
                if (i > 0)
                {
                    Console.WriteLine("Login successful!");
                }
                else
                {
                    Console.WriteLine("Login failed!");
                }
                Console.ReadLine();
            }
            catch (Exception)
            {
                throw;
            }
            finally
            {
                // close the database connection
                p.Close();
            }
        }

        // open the database connection
        public void Open()
        {
            if (SqlCon.State == ConnectionState.Closed)
            {
                SqlCon.Open();
            }
            // reopen a broken connection
            if (SqlCon.State == ConnectionState.Broken)
            {
                SqlCon.Close();
                SqlCon.Open();
            }
        }

        // close the database connection
        public void Close()
        {
            if (SqlCon.State == ConnectionState.Open || SqlCon.State == ConnectionState.Broken)
            {
                SqlCon.Close();
            }
        }
    }
}
```
Let's test it.

Enter the correct account and password:
admin / admin
Login successful

Enter a wrong account and password:
test / test
Login failed

Now enter the user name: ' or 1=1--
Password: 123
You will find that the login succeeds!

There is no such account or password in the database, so why does the login succeed?
0x03 Analysis

Let's analyze how the SQL statement actually runs, using the SQL statement tracing tool SQL Server Profiler: connect to the instance and start a trace.

First look at the SQL statement captured when the correct account and password are typed in. Execute it in SQL Server and one matching row is returned.

Next look at the SQL statement captured when the wrong account and password are entered. Execute it in SQL Server and no matching row is returned.

Finally, look at the SQL statement captured for the last account and password entered, and compare it with the first statement:
```sql
SELECT COUNT(*) FROM admin WHERE name = 'admin' AND pass = 'admin'
SELECT COUNT(*) FROM admin WHERE name = '' or 1=1--' AND pass = '123'
```

We can see that the user name we entered has become an empty string, followed by `or 1=1--'`. Why, and what caused it?
We should take a look at this code from here:
```csharp
string sql = "SELECT COUNT(*) FROM admin WHERE name ='" + name + "' AND pass ='" + pass + "'";
```
We can see that name and pass in the SQL are variables holding the account and password entered by the user, concatenated into the statement text.

Look again at the user name entered: ' or 1=1--

The leading single quote closes the literal that the code opened, so name = '' is now a complete condition. The `or 1=1` that follows is always true, so the WHERE clause is satisfied for every row. Finally, `--` is the SQL line comment, so everything after it, including the password check, is ignored.

So the statement that is finally executed is effectively:

```sql
SELECT COUNT(*) FROM admin WHERE name = '' or 1=1
```
0x04 Defense

Where there is a way to attack, there is a way to defend.

As far as I know, there are two commonly used ways:

1. Through SqlParameter

Benefit: the SQL statement is sent with a fixed structure and the input is bound as a value, so user input cannot change the meaning of the statement.

Usage:

```csharp
string sql = "SELECT COUNT(*) FROM admin WHERE name = @name AND pass = @pass";
// create the SqlParameter[]
SqlParameter[] para = {
    new SqlParameter("@name", name),
    new SqlParameter("@pass", pass)
};
SqlCommand sqlcom = new SqlCommand(sql, SqlCon);
// add para[] through the Parameters.AddRange method
sqlcom.Parameters.AddRange(para);
int i = (int)sqlcom.ExecuteScalar();
```

The @ symbol marks a parameter; we replace string splicing with the parameter form.
2. Stored procedure

(1) First create a stored procedure in the database:

```sql
CREATE PROC Login (@name VARCHAR(20), @pass VARCHAR(20))
AS
SELECT COUNT(*) FROM admin WHERE name = @name AND pass = @pass
GO
```

(2) Call the stored procedure:

```csharp
SqlParameter[] para = {
    new SqlParameter("@name", name),
    new SqlParameter("@pass", pass)
};
SqlCommand sqlcom = new SqlCommand();
sqlcom.Connection = SqlCon;
sqlcom.CommandText = "Login";
// specify the command type as stored procedure
sqlcom.CommandType = CommandType.StoredProcedure;
sqlcom.Parameters.AddRange(para);
int i = (int)sqlcom.ExecuteScalar();
```
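As an added example (not the article's own code), here is the login check rewritten so that both defenses above sit behind one method, with explicitly typed parameters and proper connection disposal; the class name, the `IsValid` method and the connection string are assumptions, and it compiles as its own program against the article's SQLTMP database:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: the login check with user input bound only as parameter values.
public static class SafeLogin
{
    // Assumed connection string; same database and table as the article's script.
    private const string ConnectionString =
        "Data Source=.;Initial Catalog=SQLTMP;Integrated Security=True";

    // useStoredProcedure = false -> parameterized text query (defense 1)
    // useStoredProcedure = true  -> the article's Login procedure (defense 2)
    public static bool IsValid(string name, string pass, bool useStoredProcedure)
    {
        // 'using' disposes the connection even when ExecuteScalar throws,
        // replacing the static SqlCon plus manual Open/Close pattern above.
        using (var con = new SqlConnection(ConnectionString))
        using (var cmd = con.CreateCommand())
        {
            if (useStoredProcedure)
            {
                cmd.CommandType = CommandType.StoredProcedure;
                cmd.CommandText = "Login";
            }
            else
            {
                cmd.CommandType = CommandType.Text;
                cmd.CommandText = "SELECT COUNT(*) FROM admin WHERE name = @name AND pass = @pass";
            }

            // Declare type and size to match VARCHAR(20). Letting the driver infer the
            // type from a .NET string yields NVARCHAR, which forces an implicit
            // conversion on the column and defeats any index on it.
            cmd.Parameters.Add("@name", SqlDbType.VarChar, 20).Value = name;
            cmd.Parameters.Add("@pass", SqlDbType.VarChar, 20).Value = pass;

            con.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    static void Main()
    {
        // The article's payload is now compared against the name column as plain data,
        // so no row matches and the login is rejected.
        Console.WriteLine(IsValid("' or 1=1--", "123", useStoredProcedure: false));
        Console.WriteLine(IsValid("admin", "admin", useStoredProcedure: true));
    }
}
```

Running a SQL Server Profiler trace against this version shows the statement arriving as `exec sp_executesql` with the payload carried in a parameter, which is also the quickest way to audit whether existing code is really parameterized.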
That is all the content of the article "sample analysis of SQL injection in .NET applications". Thank you for reading! I hope the material shared here is helpful, and if you want to learn more, you are welcome to follow the industry information channel.