Shulou(Shulou.com)05/31 Report--

This article shows you how to carry out SQL injection vulnerability analysis and defense, the content is concise and easy to understand, absolutely can make your eyes bright, through the detailed introduction of this article, I hope you can get something.

What is a SQL injection vulnerability

The query parameters used for input are directly concatenated in the SQL statement, resulting in a SQL injection vulnerability. SQL injection attack refers to the introduction of Web applications by constructing special inputs as parameters, and most of these inputs are combinations of SQL syntax that execute SQL statements to perform the actions desired by the attackers. The main reason is that the program does not carefully filter the data entered by the user, resulting in illegal data intrusion into the system.

According to the related technical principles, SQL injection can be divided into platform layer injection and code layer injection. The former is caused by insecure database configuration or loopholes in the database platform, while the latter is mainly due to the fact that programmers do not carefully filter the input, thus performing illegal data queries. Based on this, the reasons for SQL injection are usually shown in the following aspects:

Improper type handling of ①

② insecure database configuration

Unreasonable query set processing in ③

Improper error handling of ④

Improper handling of ⑤ escape characters

Multiple ⑥ submissions were improperly handled.

II. Harm of SQL injection vulnerabilities

● database information disclosure: disclosure of users' privacy information stored in the database

● web page tampering: tampering with specific web pages by manipulating the database

● website is hung up to spread malware: modify the values of some fields in the database, embed network horse links, and carry out horse attack.

The ● database was maliciously operated: the database server was attacked and the system administrator account of the database was tampered with.

The ● server is remotely controlled and the back door is installed. Operating system support provided by the database server allows hackers to modify or control the operating system

● destroys hard disk data and paralyzes the whole system

Some types of database systems allow SQL instructions to manipulate the file system, which further magnifies the harm of SQL injection.

3. Analysis of classical SQL injection source code

Sun Tzu said in the Art of War, "know yourself and know the enemy, and you will not be defeated in a hundred battles." Only by knowing the opponent can we beat him better!

Use DVWA range low level SQL injection source code to analyze DVWA source code download address: http://www.dvwa.co.uk open: DVWA\ vulnerabilities\ sqli\ source\ low. As shown in the following php code. The first red box uses the transfer parameter of $_ REQUEST. The $_ REQUEST-HTTP Request variable contains an array of $_ GET,$_POST and $_ COOKIE by default. In other words, it doesn't matter whether it's get or post, just use $_ REQUEST to get the value of a key. The main problem is that it appears in the second red box, $query = "SELECT first_name, last_name FROM users WHERE user_id ='$id';"; this code uses the way of $_ GET transmission, directly splicing the parameter $name into the database query statement without doing any processing. It can also be concluded from the code that this may result in a character-type SQL injection, that is, an GET type injection.

Here are two simple examples:

1. $id inputs the conditions to be queried for the user, while the SQL syntax is closed in quotation marks. If you enter a single quotation mark, the syntax error will occur.

2. If you enter 1 or 1, the system determines that the query result will be output as long as a condition is true. Obviously, if 1 is true, the system will query the corresponding information.

4. How to defend 1. PreparedStatement (a simple and effective method)

A set of precompiled statements is used, which has the built-in ability to handle SQL injection, as long as it uses its setXXX method to pass values.

Benefits of use:

(1)。 Readability and maintainability of the code.

(2). PreparedStatement improves performance as much as possible.

(3)。 The most important point is that the security is greatly improved.

Principle:

SQL injection only destroys the preparation (compilation) of SQL statements.

While PreparedStatement is ready, the execution phase only treats the input string as data.

Instead of parsing and preparing SQL statements, the problem of SQL injection is avoided.

2. String filtering

One of the more general methods:

(| | parameters can be added according to the needs of your own program)

The above content is how to analyze and defend against SQL injection vulnerabilities. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.