Testing for SQL Injection Vulnerabilities

SQL injection attacks pose a serious risk to web applications that rely on a database backend to generate dynamic content. In this type of attack, hackers manipulate a web application in an attempt to inject their own SQL commands into the commands the application issues to the database. For an example, see the article SQL Injection Attacks on Databases. In this article, we look at several ways that you can test your web applications to determine whether they are vulnerable to SQL injection attacks.

Automated SQL Injection Scanning

One possibility is to use an automated web application vulnerability scanner, such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for SQL injection vulnerabilities. However, they are quite expensive, running up to $25,000 per seat.

Manual SQL Injection Tests

What is an application developer to do? You can actually run some basic tests to evaluate your web applications for SQL injection vulnerabilities using nothing more than a web browser. First, a word of caution: the tests I describe only look for basic SQL injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a good first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attempts that won't actually harm your database if they succeed but will give you evidence that you need to fix the problem. For example, suppose you have a simple web application that looks up an individual in a database and returns their contact information. That page might use a URL like the following:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs a database lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike'

Let's experiment with this a bit. Given our assumption above, we can make a simple change to the URL that tests for SQL injection:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application has not been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' AND firstname = 'mike' AND (select count(*) from fake) > 0 OR '1' = '1'

You'll notice that the syntax above differs slightly from that in the original URL. I took the liberty of converting the URL-encoded characters to their ASCII equivalents to make the example easier to follow. For example, %3d is the URL encoding of the '=' character. I also added some line breaks for the same reason.
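As an added example (my code, not part of the original article), the following Python script models the directory lookup above with a constructed in-memory SQLite table, builds the query both by string concatenation and as a parameterised query, and runs the article's test URL through each to show the "invalid object" failure on the vulnerable path. The names make_db, params_from_url, lookup_vulnerable, lookup_safe and probe are mine, and the fix shown is parameterisation rather than the quote-stripping the article mentions.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# The article's test URL, verbatim.
TEST_URL = ("http://myfakewebsite.com/directory.asp?lastname=chapple"
            "&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1")

def make_db():
    """Constructed in-memory stand-in for the article's 'directory' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.execute("INSERT INTO directory VALUES ('chapple', 'mike', '555-0100')")
    conn.execute("INSERT INTO directory VALUES ('doe', 'jane', '555-0199')")
    return conn

def params_from_url(url):
    """Decode the query string as the web server would ('+' -> space, %3e -> '>')."""
    qs = parse_qs(urlsplit(url).query)
    return qs["lastname"][0], qs["firstname"][0]

def lookup_vulnerable(conn, lastname, firstname):
    """The flawed pattern the article describes: input spliced into the SQL text."""
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' AND firstname = '%s'"
           % (lastname, firstname))
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, lastname, firstname):
    """Parameterised query: values travel separately from the SQL, so the quote
    and the trailing SQL are compared literally against the firstname column."""
    sql = "SELECT phone FROM directory WHERE lastname = ? AND firstname = ?"
    return [row[0] for row in conn.execute(sql, (lastname, firstname))]

def probe(lookup, url=TEST_URL):
    """Feed the test URL to a lookup function and classify the outcome:
    'db_error' (the database parsed the injected SQL, the analogue of the
    article's 'Invalid object name' message), 'leak' (rows came back), or 'ok'."""
    conn = make_db()
    try:
        rows = lookup(conn, *params_from_url(url))
    except sqlite3.OperationalError:   # SQLite: "no such table: fake"
        return "db_error"
    return "leak" if rows else "ok"

if __name__ == "__main__":
    for name, fn in (("concatenated", lookup_vulnerable), ("parameterised", lookup_safe)):
        print("%s query: %s" % (name, probe(fn)))
```

A real SQL Server backend would report the same condition as the '80040e37' ODBC error quoted later in the article; the classification logic is what matters, not the exact driver message.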

Evaluating the Results

The test comes when you try to load the web page with the URL listed above. If the web application is well-behaved, it will strip the single quotes from the input before passing the query to the database. This will simply result in an odd lookup for someone whose first name includes a bunch of SQL! You'll see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple!

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which it shouldn't!), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37' [Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'. /directory.asp, line 13

On the other hand, if your web server does not display detailed error messages, you'll get a more generic error, such as:

Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and anything you might have done that may have caused the error. More information about this error may be available in the server error log.

If you receive either of the two errors above, your application is vulnerable to SQL injection! Some steps that you can take to protect your applications against SQL injection attacks include: