Testing for SQL Injection Vulnerabilities

SQL Injection attacks pose a serious risk to web applications that rely on a database backend to generate dynamic content. In this type of attack, attackers manipulate a web application so that it injects their own SQL commands into the statements the application issues to the database. For an example, see the article SQL Injection Attacks on Databases. In this section, we look at several ways you can test your web applications to determine whether they are vulnerable to SQL Injection attacks.

Automated SQL Injection Scanning

One option is to use an automated web application vulnerability scanner, such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for potential SQL injection vulnerabilities. However, they are quite expensive, running up to $25,000 per seat.

Manual SQL Injection Tests

What if you can't afford an automated scanner? You can perform some basic tests to evaluate your web applications for SQL Injection vulnerabilities using nothing more than a web browser. First, a word of caution: the tests I describe here only look for basic SQL Injection flaws. They won't detect advanced techniques, and they are somewhat tedious to perform. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a good first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with a harmless injection test that won't actually damage your database if it succeeds, but will give you the evidence you need to justify fixing the problem. For example, suppose you had a simple web application that looks up an individual in a database and returns their contact information as the result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page retrieves the database record using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike'

Let's explore this a little. Based on our assumption above, we can make a small change to the URL that tests for a SQL injection vulnerability:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application hasn't been properly protected against SQL injection, it simply plugs that fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike' AND (select count(*) from fake) > 0 OR '1' = '1'

You'll notice that the syntax above differs slightly from that in the original URL. I've taken the liberty of converting the URL-encoded variables to their ASCII equivalents so that the example is easier to follow. For example, %3d is the URL-encoding of '='. I've also added some line breaks for the same purpose.

Evaluating the Results

The real test comes when you try to load the web page with the URL listed above. If the web application is well-behaved, it will strip the single quotes from the input before passing the query to the database. This simply results in an odd lookup for someone whose first name happens to include a chunk of SQL! You'll see an error message from the application similar to the one below:

Error: No user found with the name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple!

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which you shouldn't!), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37' [Microsoft][ODBC SQL Server Driver][SQL Server] Invalid object name 'fake'. /directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error, such as:

Internal Server Error. The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.
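To make the three outcomes above concrete, here is an added example (not code from the original article) that reproduces the directory lookup in Python against an in-memory SQLite database. It decodes the test URL from the article the way a web server would, builds the query both by string concatenation (the pattern the vulnerable directory.asp is assumed to use) and with bound parameters, and classifies the result the way the "Evaluating the Results" section does: a database error means the input reached the SQL parser, while an empty result means the input was treated as plain data. The directory rows, the table layout and the function names are constructed for this example.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# The test URL from the article (the only part of the input that is not
# constructed here).
TEST_URL = ("http://myfakewebsite.com/directory.asp?lastname=chapple"
            "&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1")


def build_directory():
    """Constructed sample data: a small 'directory' table like the one the
    article's lookup page is assumed to query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)", [
        ("chapple", "mike", "555-0100"),
        ("doe", "jane", "555-0101"),
    ])
    return conn


def params_from_url(url):
    """Decode the query string the way the web server hands it to the page:
    '+' becomes a space, %3e becomes '>', %3d becomes '='."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs["lastname"][0], qs["firstname"][0]


def lookup_vulnerable(conn, lastname, firstname):
    """String concatenation: the user input becomes part of the SQL text, so a
    single quote in it terminates the literal and the rest is parsed as SQL."""
    sql = ("SELECT phone FROM directory WHERE lastname = '" + lastname
           + "' AND firstname = '" + firstname + "'")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, lastname, firstname):
    """Bound parameters: the input is delivered to the engine as data, so a
    quote inside it can never break out of the string value."""
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]


def probe(lookup, conn, url=TEST_URL):
    """Run the article's test URL through a lookup function and classify the
    outcome: 'db_error' (the injected SQL reached the database, SQLite's
    equivalent of "Invalid object name 'fake'"), 'no_match' (the input was
    treated as an ordinary, unmatched first name) or 'unexpected_rows'."""
    lastname, firstname = params_from_url(url)
    try:
        rows = lookup(conn, lastname, firstname)
    except sqlite3.OperationalError as exc:
        return ("db_error", str(exc))
    if not rows:
        return ("no_match", rows)
    return ("unexpected_rows", rows)


if __name__ == "__main__":
    conn = build_directory()
    # A normal lookup works the same way with both implementations.
    print(lookup_vulnerable(conn, "chapple", "mike"))
    print(lookup_parameterized(conn, "chapple", "mike"))
    # The article's test URL exposes the difference.
    print(probe(lookup_vulnerable, conn))      # db_error: no such table: fake
    print(probe(lookup_parameterized, conn))   # no_match: []
```

The concatenated version fails with "no such table: fake", which is the SQLite counterpart of the detailed ODBC error shown above; in production that message should never reach the browser, but its presence (or the generic Internal Server Error that hides it) is exactly the signal the manual test looks for. The parameterized version simply finds nobody with that first name, which is the well-behaved response.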

If you receive either of the two errors above, your application is vulnerable to SQL injection attack! Some steps you can take to protect your applications against SQL Injection attacks include: