Home > Backend Development > PHP Tutorial > Summary of commonly used SQL injection attack methods_PHP tutorial

Summary of commonly used SQL injection attack methods_PHP tutorial

WBOY
Release: 2016-07-13 17:11:22
Original
1350 people have browsed it

In website development, we may accidentally cause a security problem to people. Below I will introduce a summary of some commonly used SQL injection attack methods. Novice friends can try to refer to it.

1. Escape characters are not filtered correctly

This form of injection or attack occurs when user input is passed to a SQL statement without escape character filtering. This results in end users of the application performing operations on statements on the database. For example, the following line of code demonstrates this vulnerability:

The code is as follows Copy code
 代码如下 复制代码

"SELECT * FROM users WHERE name = ' " + userName + " ' ;"

"SELECT * FROM users WHERE name = ' " + userName + " ' ;"

This code is designed to remove a specific user from its user table. However, if the username is forged in a specific way by a malicious user, the operation performed by this statement may not only be This is exactly what the author of the code expected. For example, if the username variable (i.e. username) is set to: a' or 't' = 't, the original statement changes:
 代码如下 复制代码

SELECT * FROM users WHERE name = 'a' OR 't' = 't';

The code is as follows Copy code

SELECT * FROM users WHERE name = 'a' OR 't' = 't';

If this code was used in an authentication process, then this example would be able to force the selection of a valid username, since the assignment 't' = 't' would always be correct.

 代码如下 复制代码

a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '%

On some SQL servers, such as SQL Server, any SQL command can be injected through this method, including executing multiple statements. The value of username in the following statement will cause the "users" table to be deleted and all data to be selected from the "data" table (actually revealing information about each user).

The code is as follows Copy code
a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '%
 代码如下 复制代码

SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '%';

Makes the final SQL statement look like this:

The code is as follows Copy code

SELECT * FROM users WHERE name = 'a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '%';

Other SQL implementations do not execute multiple commands in the same query as a security measure. This prevents an attacker from injecting a completely independent query, but it does not prevent an attacker from modifying the query.

 代码如下 复制代码

"SELECT * FROM data WHERE id = " + a_variable + ";"

2. Incorrect type handling This form of attack is launched if a user-supplied field is not of a strong type, or if type coercion is not implemented. This attack can occur if the programmer fails to check the validity of the user input (whether it is numeric) when using a numeric field in a SQL statement. For example:
The code is as follows Copy code
"SELECT * FROM data WHERE id = " + a_variable + ";"

As can be seen from this statement, the author hopes that a_variable is a number related to the "id" field. However, if the end user selects a string, the need for escape characters is bypassed. For example, set a_variable to: 1; DROP TABLE users, it will delete the "users" table from the database, and the SQL statement becomes:

The code is as follows Copy code
 代码如下 复制代码

SELECT * FROM data WHERE id = 1; DROP TABLE users;

SELECT * FROM data WHERE id = 1; DROP TABLE users;

3. Vulnerabilities in the database server

Sometimes, there are vulnerabilities in database server software, such as the mysql_real_escape_string() function vulnerability in MYSQL server. This vulnerability allows an attacker to perform a successful SQL injection attack based on incorrect Unicode encoding.

4. Blind SQL injection attack

So-called blind SQL injection attacks occur when a web application is vulnerable to an attack but the results are invisible to the attacker. A vulnerable web page may not display data, but instead display different content based on the results of logical statements injected into legitimate statements. This attack is quite time-consuming because a new statement must be carefully constructed for each byte obtained. But once the location of the vulnerability and the location of the target information are established, a tool called Absinthe can automate the attack.

5. Conditional response

Note that there is a SQL injection that forces the database to evaluate a logical statement on a normal application screen:
 代码如下 复制代码

SELECT booktitle FROM booklist WHERE bookId = 'OOk14cd' AND 1=1

The code is as follows Copy code

SELECT booktitle FROM booklist WHERE bookId = 'OOk14cd' AND 1=1

This results in a standard screen, while the statement

SELECT booktitle FROM booklist WHERE bookId = 'OOk14cd' AND 1=2 It may give a different result when the page is vulnerable to SQL injection attacks. Such an injection will prove that blind SQL injection is possible, which will allow the attacker to design a statement that can judge the authenticity based on the content of a certain field in another table.

6. Conditional errors

 代码如下 复制代码
SELECT 1/0 FROM users WHERE username='Ralph'。
If the WHERE statement is true, this type of blind SQL injection forces the database to evaluate an error-causing statement, resulting in an SQL error. For example:

Obviously, division by zero will cause an error if user Ralph exists.

7. Time delay

Time delay is a kind of blind SQL injection. Depending on the injected logic, it can cause the SQL engine to execute a long queue or iyige time delay statement. An attacker can measure the time it takes for a page to load to determine whether the injected statement is true.

The above is only a rough classification of SQL attacks. But technically speaking, today's SQL injection attackers are smarter and more comprehensive in how to find vulnerable websites. Some new SQL attack methods have emerged. Hackers can use a variety of tools to speed up the vulnerability exploitation process. We might as well take a look at the Asprox Trojan, which is mainly spread through a botnet that publishes emails. Its entire working process can be described as follows: First, the Trojan is installed on the computer through spam emails sent by the controlled host. A computer infected by this Trojan then downloads a piece of binary code that, when launched, uses the seo/seo.html" target="_blank">search engine to search for vulnerable websites that use Microsoft ASP technology to create forms. The search results become a target list for SQL injection attacks. Then, the Trojan will launch SQL injection attacks on these sites, causing some websites to be controlled and damaged. Users who visit these controlled and damaged websites will be deceived. A piece of malicious JavaScript code is downloaded from another site. Finally, this code directs the user to a third site, which contains more malware, such as a password-stealing Trojan

.

In the past, we often warned or recommended web application programmers to test and patch their code, although the probability of SQL injection vulnerabilities being discovered and exploited was not very high. But recently, attackers are increasingly discovering and maliciously exploiting these vulnerabilities. Therefore, developers should be more proactive in testing their code before deploying their software and patching the code as soon as new vulnerabilities emerge.


For example, some people may use this method to bypass the login window. If your query username and password look like this:

The code is as follows Copy code
[code='sql']
 代码如下 复制代码
[code='sql']
SELECT * FROM users WHERE username = {username} AND
password = {password }
[/code]
那么用户可以使用任意的用户名,使用这个密码:
[code='sql']' OR ''=''[/code]
从而使得你的验证用户名密码的MySQL查询变成:
[code='sql']
SELECT * FROM users WHERE username = 'anyuser' AND
password = '' OR ''=''
[/code]
SELECT * FROM users WHERE username = {username} AND password = {password} [/code] Then the user can use any username and use this password: [code='sql']' OR ''=''[/code] This makes your MySQL query to verify username and password become: [code='sql'] SELECT * FROM users WHERE username = 'anyuser' AND password = '' OR ''='' [/code]

Since the empty string is always equal to the empty string, the query condition is always true. Therefore, it can be seen that the risk of MySQL injection is still very high, because the attacker can see the data that should be accessed through logging in. It is very important to protect your website from injection attacks. Fortunately, PHP can help us prevent injection attacks.
MySQL will return all rows in the table. Depending on your program logic, all users may be logged in because they are all matched. Now, in most cases, people will turn on the magic_quotes_gpc option (which is also the default in PHP). Such a configuration will automatically add backslashes and escape all '(single quotes), "(double quotes), (backslashes ) and null characters. But things are not that simple to solve, because not all characters that cause risks are escaped. PHP has a function that can escape all MySQL characters that may cause redundant SQL clauses. This function is mysql_real_escape_string(). Be careful when using this function, because you may have turned on the magic_quotes_gpc option, and using mysql_real_escape_string() will cause a second escape. The following function avoids this problem by first judging
Whether the magic_quotes_gpc option is turned on, and then decide whether to execute mysql_real_escape_string().
[code='php']

if(get_magic_quotes_gpc()) {
The code is as follows Copy code
 代码如下 复制代码
//给变量加引号以保证安全
function quote_smart($value)
{
$link=mysql_connect('mysql_host','mysql_user','mysql_password');
//去转义
if(get_magic_quotes_gpc())
{
$value=stripslashes($value);
}
//给所有非数字加引号
if(!is_numeric($value))
{
$value="'".mysql_real_escape_string($value,$link)."'";
}
return $value;
}
?>

//Add quotes to variables to ensure safety
function quote_smart($value)
{
$link=mysql_connect('mysql_host','mysql_user','mysql_password'); //De-escape
$value=stripslashes($value); }

//Quote all non-digits

if(!is_numeric($value)) $value="'".mysql_real_escape_string($value,$link)."'"; } return $value; } ?> [/code] It should be noted that the quote_smart() function will automatically add quotes to the string, so you do not need to add them yourself.
In addition, it should be noted that because different MySQL versions have different filtering requirements, mysql_real_escape_string() requires a MySQL connection to work, so a MySQL connection must be passed in as the second parameter. If MySQL is installed on the local machine, it can be omitted. However, if MySQL is not installed on the local machine or is connected to MySQL remotely, this parameter is essential, otherwise mysql_real_escape_string() will return an empty string.
http://www.bkjia.com/PHPjc/629608.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/629608.htmlTechArticleIn website development, we may accidentally cause a security problem to people. Let me introduce some commonly used ones. Summary of SQL injection attack methods, novice friends can try to refer to it. 1. No...
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template