2025-01-21 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article introduces the concept of SQL injection in reports. In day-to-day operations many people are unsure what "SQL injection in a report" actually means, so the editor has consulted various sources and put together a simple, practical explanation together with a working procedure. I hope it helps clear up those doubts; please follow along.
The concept of SQL injection
First of all, what is SQL injection?
SQL injection means submitting SQL commands by inserting them into the fields of a web form or into the query string of a page request (URL), so that the server is tricked into executing a malicious statement.
A common case is bypassing login authentication by injecting SQL. In the past many film and video websites leaked the passwords of their VIP members, and many of those leaks came from SQL injected through web forms, which are especially easy targets. Through SQL injection an attacker can not only obtain account information illegally but also tamper with and delete important data.
Why does SQL injection happen?
Having understood what SQL injection is, we should also understand why it occurs and in which part of the system the problem lies.
The figure above shows the simplest three-tier application structure: business presentation layer, data processing layer and data source. You can also think of them as the front end, the back end and the back-end data sources we usually talk about.
Inside the data source there is a database, the most common way to manage and store data; relational databases such as Oracle, DB2 and MySQL are the most common kind.
The application (the data processing layer, i.e. the back end) needs an interface such as JDBC or ODBC to talk to the database and operate on it; technicians and IT salespeople alike are familiar with this.
The SQL language is used for database operations, especially on relational databases. SQL is a high-level, non-procedural language: it describes what to do without telling the database how to do it. The SQL script is passed to the database as a string through the API, and when the database receives it, it simply executes it and returns the result. The database itself cannot tell whether the incoming SQL is legitimate or not, and it is this complete trust that creates the risk of SQL injection.
In the final analysis, SQL injection exploits a vulnerability in the application: if the risk of injection is not fully considered when the data-processing code is written, an attacker can easily plant SQL commands that the back-end database engine will execute. SQL commands that do not run according to the intent of the designer or developer are considered malicious code.
How is the attack carried out?
Now that we understand the basic principle of SQL injection, let's look at how the attacks work. The more common ones include:
1. Special input parameters
2. The special characters "--" and "#" not being processed
3. Exploiting unreasonable database configuration
Case 1. Special input parameters
The common ones are UNION and OR, both of which are SQL keywords: one merges the results of several SELECT statements, the other is commonly used in WHERE conditions.
Take UNION as an example: if an attacker appends "union select … from user" to a normally executable SQL statement, the whole user table is exposed.
And OR? It can be used to make the WHERE condition always true. Take "bypassing login authentication" as an example:
In the program we usually build the SQL like this: strSQL = "SELECT * FROM users WHERE userID ='" + userID + "' and pw ='" + passWord + "';"
If the value 1' OR '1'='1 is passed in for both userID and passWord, the complete strSQL becomes: SELECT * FROM users WHERE userID='1' OR '1'='1' and pw='1' OR '1'='1';
Obviously, once the WHERE condition becomes true, the authentication is bypassed and the attacker is logged in to the system.
Case 2. Special characters are not processed
Take the commonly used comment marker "--" as an example: it introduces a comment in most databases (MySQL requires a space after it). MySQL additionally supports "#" comments.
Next, let's see how a comment marker can be used to fool login authentication.
The program still builds the SQL as: strSQL = "select * from users where userID=" + userID + " and password=" + psw
Now userID is passed in as: '' or 1=1 --
The complete SQL becomes: select * from users where userID='' or 1=1 -- and password=...
Everything after "--" is treated as a comment and is no longer executed, so the effective condition becomes true; the check is bypassed and the attacker is into the system.
For MySQL databases, replacing "--" with "#" achieves the same injection.
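To make Case 1 and Case 2 concrete, here is an added Python example (not code from the original article) that runs the article's concatenated login query and its parameterized equivalent side by side against a small SQLite table held in memory; the users, passwords and table layout are constructed for the example. Python's bundled sqlite3 module is used only so the example runs without a database server; the point is the same for JDBC, ODBC or any other driver.

```python
import sqlite3

# Constructed sample data: an in-memory table standing in for the article's
# "users" table. Names and passwords are made up for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userID TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn

def vulnerable_login(conn, user_id, password):
    """Builds the statement by string concatenation, exactly like the
    strSQL example in the article. Returns True if any row matches."""
    sql = ("SELECT * FROM users WHERE userID='" + user_id +
           "' and pw='" + password + "';")
    rows = conn.execute(sql).fetchall()
    return len(rows) > 0

def safe_login(conn, user_id, password):
    """Same query with bound parameters: the driver sends the values
    separately from the SQL text, so quotes, OR and comment markers in
    the input are compared as data and never parsed as syntax."""
    rows = conn.execute(
        "SELECT * FROM users WHERE userID=? and pw=?",
        (user_id, password)).fetchall()
    return len(rows) > 0

def compare(user_id, password):
    """Run both versions on the same input; returns (vulnerable, safe)."""
    conn = make_db()
    try:
        return (vulnerable_login(conn, user_id, password),
                safe_login(conn, user_id, password))
    finally:
        conn.close()

if __name__ == "__main__":
    # Legitimate credentials succeed on both versions.
    print("alice/s3cret      ->", compare("alice", "s3cret"))
    # Case 1: an OR that makes the WHERE condition always true.
    print("Case 1 (OR)       ->", compare("1' OR '1'='1", "1' OR '1'='1"))
    # Case 2: a comment marker that discards the password check entirely.
    print("Case 2 (comment)  ->", compare("' OR 1=1 --", "anything"))
```

On the concatenated version both injected inputs return rows without a valid password; on the parameterized version only the real credentials do. This is why binding parameters, rather than filtering characters, is the primary defence for any SQL the report or application assembles from user input.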
Case 3. Exploiting unreasonable database configuration
The most common problem is that the database account's permissions are set unreasonably high, which creates the risk of UPDATE and DELETE, or even DROP TABLE.
Therefore, it is recommended that you never connect to the database with administrator privileges; instead, give each application its own database connection with limited permissions.
What does a report have to do with SQL injection?
Most report tools provide parameters so that data can be filtered by the query criteria the user enters, and this is exactly what gives SQL injection its opening.
For example, to query data for a given time period, the period is passed to the report as a parameter. When the report fetches data from the database it splices these parameters into the WHERE condition of the data-fetching SQL, so different parameter values return different data for rendering. This approach requires that the query conditions be fixed in advance, that is, the condition fields are pre-determined. For example, the traditional practice:
SQL: select * from t where date >= ? and date ...
A, basic check
```java
import java.util.ArrayList;
import java.util.List;

// The first part of this listing did not survive extraction; the class name is
// assumed and the body of check() is reconstructed to match the surviving tail
// (reject the value as soon as a keyword is found) and listing B below.
public class ParamCheckImpl {
    private String cause = "";
    private List<String> wordList = new ArrayList<String>();   // keywords to reject, e.g. "select"

    public boolean check(String paramName, String inputValue) {
        if (wordList == null || inputValue == null || inputValue.length() == 0) {
            return true;                   // nothing configured, or nothing to check
        }
        String lower = inputValue.toLowerCase();   // case-insensitive match
        for (int i = 0; i < wordList.size(); i++) {
            if (lower.indexOf(wordList.get(i).toLowerCase()) >= 0) {
                return false;
            }
        }
        return true;
    }

    public String getCause() {             // report the failure reason, then reset it
        String tmp = this.cause;
        this.cause = "";
        return tmp;
    }
}
```
B, check only some parameters
```java
import java.util.ArrayList;
import java.util.List;

public class UserIdParamCheck {            // class name is not given on the page; assumed
    private String cause = "";
    private List<String> wordList = new ArrayList<String>();

    /**
     * @param paramName  name of the parameter being validated
     * @param inputValue value of the parameter being validated
     */
    public boolean check(String paramName, String inputValue) {
        // wordList.add("select")
        if (wordList == null) {            // no keyword list configured: nothing to check
            return true;
        }
        if ("userID".equals(paramName)) {  // only this parameter is checked; compare strings with equals(), not ==
            if (inputValue == null || inputValue.length() == 0) {   // empty value: nothing to check
                return true;
            }
            String lower = inputValue.toLowerCase();   // lower-case once so the match is case-insensitive
            for (int i = 0; i < wordList.size(); i++) {
                String word = wordList.get(i).toLowerCase();
                if (lower.indexOf(word) >= 0) {
                    StringBuffer sb = new StringBuffer();
                    sb.append("verification failed, ").append(paramName)
                      .append(" parameter contains the following word: ").append(wordList.get(i))
                      .append("\nlocation: ").append(lower.indexOf(word));
                    this.cause = sb.toString();
                    return false;
                }
            }
        }
        return true;
    }
}
```
C, custom error message
```java
import java.util.ArrayList;
import java.util.List;

public class ParamCheckWithMessage {       // class name is not given on the page; assumed
    private String cause = "";
    private List<String> wordList = new ArrayList<String>();

    public boolean check(String paramName, String inputValue) {
        // wordList.add("select")
        if (wordList == null) {            // no keyword list configured: nothing to check
            return true;
        }
        if (inputValue == null || inputValue.length() == 0) {   // empty value: nothing to check
            return true;
        }
        String lower = inputValue.toLowerCase();   // case-insensitive match
        for (int i = 0; i < wordList.size(); i++) {
            if (lower.indexOf(wordList.get(i).toLowerCase()) >= 0) {
                StringBuffer sb = new StringBuffer();
                sb.append("parameter: ").append(paramName).append(" failed the check, ")
                  .append("it contains the following sensitive word: ").append(wordList.get(i))
                  .append(".\nRemember:\n")
                  .append("Of all the roads, the rules come first;\n")
                  .append("when data is out of spec, your relatives shed two lines of tears");
                this.cause = sb.toString();
                return false;
            }
        }
        return true;
    }
}
```
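The keyword check above rejects values that contain a word from a blacklist, which catches the UNION/SELECT style payload from Case 1 but, on its own, says nothing about the comment-marker payload from Case 2 or about whether a date parameter is actually a date. The following added Python example (not the report tool's own code, and not a port of its API) shows the same blacklist check with the getCause() semantics, combined with an allow-list check on the report's date and region parameters; the keyword list, the region names and the parameter names begin, end and arg2 are constructed for the example.

```python
import re
from datetime import datetime

class KeywordParamCheck:
    """Keyword blacklist in the spirit of the Java check() class.
    check() returns True when the value passes; after a failure get_cause()
    returns the reason once and then clears it, like getCause()."""

    def __init__(self, words):
        self.words = [w.lower() for w in words]
        self.cause = ""

    def check(self, param_name, value):
        if not self.words or not value:        # nothing configured or nothing to check
            return True
        lower = value.lower()                  # case-insensitive, like the Java version
        for word in self.words:
            pos = lower.find(word)
            if pos >= 0:
                self.cause = ("verification failed, %s parameter contains the word: %s"
                              "\nlocation: %d" % (param_name, word, pos))
                return False
        return True

    def get_cause(self):
        tmp, self.cause = self.cause, ""
        return tmp

# Allow-list validation: a date parameter may only be a real calendar date.
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")

def valid_date(value):
    if not DATE_RE.fullmatch(value):
        return False
    try:
        datetime.strptime(value, "%Y-%m-%d")   # rejects e.g. 2024-02-30
        return True
    except ValueError:
        return False

# Constructed allow-list of region values the report accepts for arg2.
REGIONS = {"North China", "South China", "East China"}

def validate_report_params(params, checker):
    """Validate the parameters of one report request. Returns (ok, cause).
    The blacklist runs first (the article's technique); the allow-list
    then rejects anything that is not a legitimate value for its field."""
    for name, value in params.items():
        if not checker.check(name, value):
            return False, checker.get_cause()
    for name in ("begin", "end"):
        if name in params and not valid_date(params[name]):
            return False, "%s is not a date in YYYY-MM-DD form" % name
    if "arg2" in params and params["arg2"] not in REGIONS:
        return False, "arg2 is not a known region"
    return True, ""

if __name__ == "__main__":
    checker = KeywordParamCheck(["select", "union", "drop"])
    print(validate_report_params(
        {"begin": "2024-01-01", "end": "2024-01-31", "arg2": "North China"}, checker))
    print(validate_report_params(
        {"arg2": "North China union select * from users"}, checker))
    print(validate_report_params(
        {"begin": "2024-01-01' OR 1=1 --"}, checker))
```

The third call passes the blacklist (no listed keyword appears) and is stopped only by the date allow-list, which is the practical lesson: a keyword blacklist is a useful extra signal and gives a readable error message, but the values a report accepts should be validated against what they are supposed to be, and then bound as query parameters rather than spliced into the SQL text.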
(2) Configure the custom class
XML (raqsoftConfig.xml):
ParamCheckClass sets the class path of the class used for parameter value validation.
The effect of the custom error message:
Visit the URL: http://localhost:6868/demo/reportJsp/showReport.jsp?rpx=a.rpx&arg2= North China union select * from users
This concludes the study of "the concept of SQL injection in reports". I hope it has answered your doubts. Combining theory with practice is the best way to learn, so go and try it! If you want to keep learning related topics, please keep following the site; the editor will continue to bring you more practical articles.