
Understanding SQL injection in security testing

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

1. Preface

While typing special characters into the customer query box of a desktop application, I unexpectedly found a SQL injection vulnerability. That prompted me to get this topic straight.

2. What is SQL injection?

For the concept itself, the Baidu Baike explanation is enough for a first understanding.

Extracted from Baidu Baike:

"The so-called SQL injection attack is to enter SQL commands into an input field or into the query string of a page request, ultimately tricking the server into executing malicious SQL commands. In some forms, the content entered by the user is used directly to construct (or influence) dynamic SQL commands, or is passed as input parameters to stored procedures; such forms are particularly vulnerable to SQL injection attacks."

From this explanation it is easy to see that SQL injection means constructing specific input that, once submitted, deceives the server into executing malicious SQL commands. That is the attacker's point of view. From the defender's point of view, the product needs security testing before release so that possible SQL injection vulnerabilities are found and fixed first.

3. A quick understanding of SQL injection

The definition above may still feel abstract, so let's describe how SQL injection deceives the server with a concise, intuitive example.

First of all, let's take the login interface of 51cto as an example to see a normal login scenario:

To illustrate the concept, let's simplify the processing logic of this login. If we enter the user name pingshan and the password 1111 and click the login button, the backend server executes the following SQL statement:

SELECT count(*) FROM user WHERE user_name='pingshan' AND pass_word = '1111'

If the returned count is greater than zero, the login succeeds.

Now suppose there is a SQL injection vulnerability and we enter pingshan';-- as the user name, as shown in the figure:

When we click the login button, the backend server concatenates the input into the query string and executes the following SQL statement:

SELECT count(*) FROM user WHERE user_name='pingshan';--' AND pass_word = '1111'

Did you notice? The password condition that follows has been commented out (-- is the SQL line-comment marker), so anyone who knows a valid user name can log in without knowing the password. How terrible! One practical caveat: in MySQL a -- comment must be followed by whitespace, so there the payload is typically written as pingshan';-- (with a trailing space) or pingshan';#, while other databases accept -- on its own.

4. How to prevent SQL injection

The main ideas for preventing SQL injection are:

1. Validate user input: restrict it with regular expressions, limit its length, and escape or reject special characters such as single quotes and the double hyphen (--).

2. Use parameterized SQL, or stored procedures, for data queries and access, and avoid assembling SQL dynamically from strings. Note that a stored procedure only helps if it does not itself build dynamic SQL from its arguments.

3. Configure a database account with limited permissions for each application, and never let an application connect with administrator privileges. This limits the damage if an injection is found.

4. Store important or confidential information in encrypted form; passwords in particular should be stored as salted hashes rather than in plaintext or reversible encryption.

5. Give as few hints as possible in error messages: wrap the original database errors in custom error messages so an attacker cannot learn the query structure from them.
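The following is an added example (not code from the article) that puts ideas 1 and 2 next to the vulnerable login above. It uses Python's built-in sqlite3 module with a constructed in-memory user table holding the user pingshan / 1111; the user-name policy in USER_NAME_RE is an assumption chosen for the demo.

```python
import re
import sqlite3

# Assumed input policy for idea 1: user names are letters, digits and underscore, at most 32 long.
USER_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db():
    # Constructed sample data standing in for the site's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (user_name TEXT, pass_word TEXT)")
    conn.execute("INSERT INTO user VALUES ('pingshan', '1111')")
    return conn


def login_vulnerable(conn, user_name, pass_word):
    # The article's pattern, kept deliberately vulnerable: the input is spliced into the SQL
    # text, so a quote and a comment marker inside it become SQL syntax.
    sql = ("SELECT count(*) FROM user WHERE user_name='" + user_name
           + "' AND pass_word = '" + pass_word + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, user_name, pass_word):
    # Idea 2: placeholders are bound by the driver, so the input is only ever treated as data.
    sql = "SELECT count(*) FROM user WHERE user_name=? AND pass_word=?"
    return conn.execute(sql, (user_name, pass_word)).fetchone()[0] > 0


def login_validated(conn, user_name, pass_word):
    # Idea 1 layered on top of idea 2: reject names outside the allowed character set
    # before they reach the database at all.
    if not USER_NAME_RE.match(user_name):
        return False
    return login_parameterized(conn, user_name, pass_word)


def demo():
    conn = make_db()
    payload = "pingshan';--"  # the bypass from the walkthrough above
    return {
        "vulnerable/correct password": login_vulnerable(conn, "pingshan", "1111"),
        "vulnerable/wrong password": login_vulnerable(conn, "pingshan", "0000"),
        "vulnerable/injected": login_vulnerable(conn, payload, "0000"),
        "parameterized/injected": login_parameterized(conn, payload, "0000"),
        "parameterized/correct password": login_parameterized(conn, "pingshan", "1111"),
        "validated/injected": login_validated(conn, payload, "0000"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:32} login {'succeeds' if ok else 'fails'}")
```

Running it shows the injected user name logging in through the concatenated query with a wrong password, while the parameterized query simply looks for a user literally named pingshan';-- and finds none. The validation layer rejects the payload earlier, which is useful defence in depth but is not a substitute for binding parameters.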

5. How to detect SQL injection

SQL injection detection is usually done with automated tools. There are many of them; two are introduced here:

Sqlmap: a very powerful SQL injection detection and exploitation tool

Tool website: http://sqlmap.org/

SQLiv: a batch SQL injection vulnerability scanner

Introduction website: http://www.freebuf.com/column/150588.html
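As a second added example (not code from the article or from either tool), here is the core of the boolean-based check that scanners of this kind automate. The target is a constructed local stand-in: a user lookup that either splices the input into SQL or binds it as a parameter and returns only a yes/no answer, which is all a blind probe can observe. The probe strings and the "error" sentinel are assumptions for the demo.

```python
import sqlite3


def _db():
    # Constructed stand-in for the remote database: one known user.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (user_name TEXT)")
    conn.execute("INSERT INTO user VALUES ('pingshan')")
    return conn


def user_exists_vulnerable(name):
    # Input concatenated into the query (deliberately vulnerable endpoint).
    sql = "SELECT count(*) FROM user WHERE user_name='" + name + "'"
    return _db().execute(sql).fetchone()[0] > 0


def user_exists_safe(name):
    # Same lookup with a bound parameter.
    sql = "SELECT count(*) FROM user WHERE user_name=?"
    return _db().execute(sql, (name,)).fetchone()[0] > 0


def _observe(endpoint, value):
    # A database error is itself a signal, so it is recorded instead of aborting the probe.
    try:
        return endpoint(value)
    except sqlite3.Error:
        return "error"


def boolean_probe(endpoint, known_value):
    """Boolean-based detection.

    Append a condition that is always true and one that is always false to a value the
    endpoint already accepts. If the input is being interpreted as SQL, the true condition
    leaves the response unchanged and the false condition changes it. Only when both hold
    is the parameter reported as injectable, which keeps false positives down.
    """
    baseline = _observe(endpoint, known_value)
    true_probe = _observe(endpoint, known_value + "' AND '1'='1")
    false_probe = _observe(endpoint, known_value + "' AND '1'='2")
    return baseline == true_probe and baseline != false_probe


if __name__ == "__main__":
    print("vulnerable endpoint injectable:", boolean_probe(user_exists_vulnerable, "pingshan"))
    print("parameterized endpoint injectable:", boolean_probe(user_exists_safe, "pingshan"))
```

Against the parameterized endpoint the appended conditions are just part of an unknown user name, so both probes return the same "no such user" answer as each other and differ from the baseline, and the check correctly reports nothing. Real scanners repeat this idea with many payload families and with timing and error signals as well, but the decision rule is the same.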
