First sight of SQL injection

Preface

In the article "OWASP-TOP10 Injection", the reason for the injection is described: a malicious input is, and the application is not judged as invalid input or has not been intercepted and filtered. At this time, the injection vulnerability appears. Then the sql injection that this article will talk about is a malicious input to the database.

1. Definition

What is SQL injection? Baidu said: SQL injection refers to the fact that the web application does not judge the validity of the user input data or does not filter strictly. The attacker can add additional SQL statements to the end of the pre-defined query statement in the web application for management Illegal operations are realized without the knowledge of the personnel, so as to deceive the database server to perform unauthorized arbitrary queries, thereby further obtaining corresponding data information . My personal opinion is that the business logic does not perform security filtering on the parameters passed by the user, and directly splices them into the SQL statement, causing the database to be injected with malicious SQL commands. This process is called SQL injection.

2. Principle

The essence of SQL injection is that the database executes the data entered by the user as code. Because the developer himself did not reasonably analyze the data input by the user, the user input was directly transmitted to the database. The database only judges whether the SQL statement passed by the application has syntax errors, but cannot judge whether it is what the application developer expected. Action, so the database executed the SQL statement sent by the user that was not expected by the author, and output data that was not expected by the developer, resulting in data leakage.

3. Harm

1. The data has been tampered with;

2. The attacked person obtains sensitive data;

3. The attacked person performs the operation of the database administrator's authority;

4. When rights are escalated, the attacker can execute system commands, causing greater and immeasurable losses;

...

SQL injection vulnerabilities are currently classified as high-risk vulnerability camps, and the possible harms are countless. Therefore, it is very necessary to take precautions in advance.

Fourth, how to defend

1. Use stored procedures;

2. Use safety functions;

3. Use SQL statements to prepare and bind variables;

4. Strictly check the data type of the parameter input by the user;

5. When constructing SQL statements, use the form of parameters instead of direct splicing;

Five, common SQL injection categories

In this article, I will give a rough introduction to several types of injections, and I will publish articles detailing each type in the follow-up.

1. Classification according to whether the injection result is echoed

On a normal page of a website, the server executes SQL statements to query the data in the database, and the client displays the data on the page. The position where the data is displayed is called the echo position.

1.1 , there is an echo

1.1.1 . Error injection: according to the error data returned by the page, continue to test and inject;

1.1.2 , union joint inquiry injection: According to the results of the test again and again, to determine the table, library, field names, etc. Finally, the characteristics sql statement union operators are implanted.

1.2 . Blind if there is no echo

Without knowing the return value of the database, guess the content of the data and implement SQL injection. Generally, the database is tested based on the question of constructing true or false.

1.2.1. Boolean blind note: under the correct and wrong parameters, the information returned on the page is different. According to this feature, it is judged whether the SQL statement is correct or not, so as to inject;

1.2.2. Time blind note: Judge whether the execution is successful according to time, add sleep class parameters to the constructed statement, if the statement is correct, it will be delayed, if it is wrong, it will not be delayed. According to this feature, judge whether the SQL statement is correct. Here to inject;

2. Classification according to the type of injection point

Enter different parameters to inject;

2.1. Digital injection: when the input parameters are integers, such as age, serial number, ID number, etc.;

2.2. Character injection: When the input parameter is a string type, such as name, school, gender, etc.;

3. Classification according to the location of data submission

3.1. Search injection: the injection location is in the search box;

3.2. GET injection: the injection location is in the URL parameter;

3.3. Cookie injection: the injected location is in the cookie data;

3.4. POST injection: the location of injection is in the data submitted by POST;

3.5. HTTP header injection: the injection location is in the header information of the HTTP packet;