SQL INJECTION ATTACKS - DAMAGE AND PREVENTION

Lê Đình Duy
Faculty of Information Technology, University of Natural Sciences, Ho Chi Minh City.
Email: ldduy@fit.hcmuns.edu.vn

1. What is SQL Injection?
When deploying web applications on the Internet, many people still think that security, in the sense of minimising the chance of being attacked by hackers, is simply a matter of choosing the operating system, the database management system, the web server that will run the application, and so on, and forget that the application itself running on that platform can also hide a very serious security hole. One of these holes is SQL injection. In Vietnam, website administrators have moved past the stage of worrying only about virus scanning and applying patches to system software, yet flaws in the applications themselves still receive very little attention. That is why, in the recent past, quite a few websites in Vietnam have been attacked, and most of those attacks were SQL injection [1]. So what is SQL injection?
SQL injection is a technique that lets attackers exploit weaknesses in the input validation of web applications, together with the error messages returned by the database management system, to "inject" and execute illegitimate SQL statements (statements the application developer never anticipated). Its consequences are very damaging, because it lets attackers delete or modify data, and so on, since they effectively gain full control over the application's database, and even over the server the application runs on. This flaw typically occurs in web applications whose data is managed by database management systems such as SQL Server, MySQL, Oracle, DB2, or Sybase.
2. Forms of SQL Injection attacks
There are four common forms: bypassing the login check (authorization bypass), using the SELECT statement, using the INSERT statement, and using stored procedures [2], [3].
2.1. Attacks that bypass the login check
With this form of attack, a hacker can easily get past login pages by exploiting flaws in the SQL statements used to operate on the web application's database.
Consider a typical example. To grant users access to protected pages, a system usually provides a login page that asks the user for a user name and a password. After the user enters this information, the system checks whether the user name and password are valid and decides whether to allow or refuse further access.
In this case, two pages can be used: an HTML page that displays the input form, and an ASP page that processes the information entered by the user. For example:
login.htm
login.htm
<form action="ExecLogin.asp" method="post">
Username: <input type="text" name="fUSRNAME"><br>
Password: <input type="password" name="fPASSWORD"><br>
<input type="submit">
</form>


execlogin.asp
<%
' Read the two fields posted by login.htm
Dim vUsrName, vPassword, objRS, strSQL
vUsrName = Request.Form("fUSRNAME")
vPassword = Request.Form("fPASSWORD")

' The raw input is concatenated straight into the SQL text: this is the injection flaw
strSQL = "SELECT * FROM T_USERS " & _
         "WHERE USR_NAME='" & vUsrName & _
         "' and USR_PASSWORD='" & vPassword & "'"

Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."

' Any row returned is taken as a successful login
If (objRS.EOF) Then
    Response.Write "Invalid login."
Else
    Response.Write "You are logged in as " & objRS("USR_NAME")
End If

objRS.Close
Set objRS = Nothing
%>
At first glance, the code in execlogin.asp does not seem to contain any security hole. A user cannot log in without a valid user name and password. However, this code is in fact not safe and is the starting point for a SQL injection flaw. Specifically, the weak spot is that user input is used directly to build the SQL statement. This is exactly what lets attackers control the query that will be executed. For example, if the user enters the following string into both the username and password fields of login.htm:
' OR ''='
the query that is sent for execution becomes:
SELECT * FROM T_USERS WHERE USR_NAME ='' OR ''='' and USR_PASSWORD= '' OR ''=''
This query is valid and returns every record in T_USERS, and the code that follows treats this illegitimate login as a valid one.
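The bypass just described, reproduced as an added example (this is not code from the paper) in Python against an in-memory SQLite table that stands in for T_USERS, with constructed sample users: login_concat builds the query by concatenation exactly as execlogin.asp does, while login_param binds the input as a query parameter, a fix the paper does not cover, so the same input matches no row. The function names, table contents and the parameterised variant are assumptions of the example.

```python
import sqlite3

def make_db():
    """Constructed sample data standing in for the paper's T_USERS table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE T_USERS (USR_NAME TEXT, USR_PASSWORD TEXT)")
    con.executemany("INSERT INTO T_USERS VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con

def login_concat(con, user, password):
    """Builds the query by string concatenation, as execlogin.asp does.
    Returns the matched user names; a non-empty list means 'logged in'."""
    sql = ("SELECT USR_NAME FROM T_USERS WHERE USR_NAME='" + user +
           "' and USR_PASSWORD='" + password + "'")
    return [row[0] for row in con.execute(sql)]

def login_param(con, user, password):
    """Same check with a parameterised query: the input is bound as data,
    so quote characters inside it cannot alter the WHERE clause."""
    sql = "SELECT USR_NAME FROM T_USERS WHERE USR_NAME=? and USR_PASSWORD=?"
    return [row[0] for row in con.execute(sql, (user, password))]

BYPASS = "' OR ''='"   # the input from the paper, typed into both fields

if __name__ == "__main__":
    con = make_db()
    print(login_concat(con, "alice", "s3cret"))   # ['alice']
    print(login_concat(con, BYPASS, BYPASS))       # every user: ['alice', 'bob']
    print(login_param(con, BYPASS, BYPASS))        # []
```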
2.2. Attacks using the SELECT statement
This form of attack is more complex. To carry it out, the attacker must be able to understand and exploit the weaknesses in the system's error messages in order to probe for the weak points from which to start the attack.
Consider an example that is very common on news websites. Usually there is a page that receives the ID of the article to display and then queries the content of the article with that ID, for example http://www.myhost.com/shownews.asp?ID=123. The source code for this function is often written quite simply, along the lines of:

<%
' Read the article ID from the query string, for example shownews.asp?ID=123
Dim vNewsID, objRS, strSQL
vNewsID = Request("ID")

' The ID is pasted into the SQL text without checking that it is a number
strSQL = "SELECT * FROM T_NEWS WHERE NEWS_ID=" & vNewsID

Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."

' (code that displays the article is omitted)

objRS.Close
Set objRS = Nothing
%>
Under normal conditions, this code displays the content of the article whose ID matches the one specified, and there is hardly any sign of a flaw. However, just like the login example before, this code exposes another SQL injection hole. The attacker can replace a valid ID by assigning ID a different value and, from there, start an illegitimate attack, for example: 0 OR 1=1 (that is, http://www.myhost.com/shownews.asp?ID=0 or 1=1).
The SQL query now returns every article in the table, because the statement that gets executed is:
SELECT * FROM T_NEWS WHERE NEWS_ID=0 or 1=1
Another case is a search page. Such a page lets the user enter search criteria such as surname, given name, and so on. The code commonly seen is:
<%
' Read the author name entered in the search form
Dim vAuthorName, objRS, strSQL
vAuthorName = Request("fAUTHOR_NAME")

' The name is placed inside a quoted literal without escaping its quotes
strSQL = "SELECT * FROM T_AUTHORS WHERE AUTHOR_NAME='" & _
         vAuthorName & "'"

Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."

' (code that displays the search results is omitted)

objRS.Close
Set objRS = Nothing
%>
Similarly to the above, a hacker can exploit the weakness in the SQL query by entering the following string into the author-name field:
' UNION SELECT ALL SELECT OtherField FROM OtherTable WHERE ''=' (*)
Now, besides the first query, which fails, the program also executes the statement that follows the UNION keyword.
Of course the examples above do not seem dangerous in themselves, but imagine that the attacker could wipe out the whole database by inserting dangerous statements such as DROP TABLE, for example: ' DROP TABLE T_AUTHORS --
You may wonder how one can tell whether a web application suffers from this kind of flaw. It is very simple: enter the string (*) above; if the system reports a syntax error of the form Invalid object name 'OtherTable', you can be sure that the system executed the SELECT after the UNION keyword, since only then could it return the error deliberately provoked in that SELECT statement.
One may also wonder how the names of the tables can be discovered in order to carry out destructive operations once a web application has a SQL injection flaw. This is also very simple: in SQL Server, two objects, sysobjects and syscolumns, list all the table and column names present in the system. One only has to adjust the SELECT statement, for example:
' UNION SELECT name FROM sysobjects WHERE xtype = 'U'
which lists the names of all data tables.
2.3. Attacks using the INSERT statement
Web applications usually allow users to register an account in order to participate. An indispensable feature is that, after registering successfully, users can view and edit their own information. SQL injection can be used when the system does not check the validity of the information entered.
For example, an INSERT statement may have the form: INSERT INTO TableName VALUES('Value One', 'Value Two', 'Value Three'). If the code that builds the SQL statement looks like this:
<%
' strValueOne, strValueTwo and strValueThree hold the three values
' submitted by the user on the registration form; they are inserted unescaped
Dim objRS, strSQL
strSQL = "INSERT INTO TableName VALUES('" & strValueOne & "', '" _
         & strValueTwo & "', '" & strValueThree & "')"

Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."

Set objRS = Nothing
%>
then it is certainly vulnerable to SQL injection, because if we enter into the first field, for example: ' + (SELECT TOP 1 FieldName FROM TableName) + ', the query becomes: INSERT INTO TableName VALUES('' + (SELECT TOP 1 FieldName FROM TableName) + '', 'abc', 'def'). Then, when the command to view the information is executed, it is as if you had asked for one more statement to be executed: SELECT TOP 1 FieldName FROM TableName
2.4. Attacks using stored procedures
Attacks through stored procedures cause very great damage if the application runs with the 'sa' system-administrator privilege. For example, if we change the injected string to the form: '; EXEC xp_cmdshell 'cmd.exe dir C:', the system will list the directories on the C:\ drive where the server is installed. What kind of damage is done depends on the command placed after cmd.exe.
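A defender-side counterpart, added here and not part of the paper: a Python scanner that flags the request shapes of sections 2.1 to 2.4 (the quote tautology, 0 or 1=1, UNION SELECT, DROP TABLE, the -- comment, xp_cmdshell and the sysobjects/syscolumns probe) in web-server access-log lines. The signature names, the log lines and their hosts, paths and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the injection inputs the paper describes, matched on the decoded request
SIGNATURES = {
    "tautology": re.compile(r"'\s*or\s*''\s*=\s*'|\bor\s+1\s*=\s*1\b", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "drop_table": re.compile(r"\bdrop\s+table\b", re.I),
    "stored_proc": re.compile(r"\bxp_cmdshell\b", re.I),
    "schema_probe": re.compile(r"\bsys(objects|columns)\b", re.I),
    "comment": re.compile(r"--"),
}

def scan_request(request_target):
    """Return the names of every signature found in one URL-decoded request target."""
    decoded = unquote_plus(request_target)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

# Pulls the request target out of a common-log-format line
LOG_LINE = re.compile(r'"(?:GET|POST) (\S+)')

def scan_log(lines):
    """Return (line_no, request_target, hits) for each log line that matches a signature."""
    results = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.search(line)
        if not m:
            continue
        hits = scan_request(m.group(1))
        if hits:
            results.append((n, m.group(1), hits))
    return results

# Constructed sample access-log lines (not real traffic); line 1 is a normal request
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2003:13:55:36] "GET /shownews.asp?ID=123 HTTP/1.0" 200 512',
    '10.0.0.9 - - [10/Oct/2003:13:56:01] "GET /shownews.asp?ID=0+or+1%3D1 HTTP/1.0" 200 90210',
    '10.0.0.9 - - [10/Oct/2003:13:57:12] "GET /search.asp?fAUTHOR_NAME=%27+UNION+SELECT+name+FROM+sysobjects+WHERE+xtype%3D%27U HTTP/1.0" 500 311',
    '10.0.0.9 - - [10/Oct/2003:13:58:40] "GET /search.asp?fAUTHOR_NAME=%27%3B+EXEC+xp_cmdshell+%27cmd.exe+dir+C%3A%27 HTTP/1.0" 500 311',
]

if __name__ == "__main__":
    for line_no, target, hits in scan_log(SAMPLE_LOG):
        print(line_no, hits, target)
```

Only what appears in the request line is visible this way; the fields of login.htm travel in a POST body, which a standard access log does not record, so that case needs the application itself to log the submitted values.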
3. Prevention
It can thus be seen that SQL injection exploits the carelessness of web application developers when handling input data to build SQL statements. The damage from a SQL injection flaw depends on the environment and on how the system is configured. If the application uses the dbo privilege (the privilege of the database owner) when manipulating data, it can delete all tables, create new tables, and so on. If the application uses the sa privilege (the system-administrator privilege), it can control the whole database management system, and with such broad privileges it can create illegitimate user accounts to take control of your system. Prevention can be carried out at two levels:
3.1. Strict control of input data
To prevent the risks that can arise, protect the SQL statements by strictly controlling all input data received from the Request object (Request, Request.QueryString, Request.Form, Request.Cookies, and Request.ServerVariables). For example, the length of input strings can be limited, or an EscapeQuotes function can be built that replaces each single quote with two single quotes, as follows:
<%
' Double every single quote so the value cannot close the SQL string literal it is placed in
Function EscapeQuotes(sInput)
    sInput = Replace(sInput, "'", "''")
    EscapeQuotes = sInput
End Function
%>
When the input is numeric, the flaw arises from replacing a value expected to be a number with a string containing an illegitimate SQL statement. To avoid this, simply check that the data has the right type with the IsNumeric() function.
In addition, a function can be built that removes certain dangerous characters and keywords, such as ;, --, select, insert, xp_, and so on, from the user-supplied string to limit this kind of attack:
<%
' Strip dangerous keywords and characters out of a user-supplied string
Function KillChars(sInput)
    Dim badChars
    Dim newChars
    Dim i

    badChars = Array("select", "drop", ";", "--", "insert", "delete", "xp_")
    newChars = sInput

    ' Text (case-insensitive) comparison, so "SELECT" is removed as well as "select"
    For i = 0 To UBound(badChars)
        newChars = Replace(newChars, badChars(i), "", 1, -1, vbTextCompare)
    Next

    KillChars = newChars
End Function
%>
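The two input controls of this section carried into Python as an added example (not the paper's code): escape_quotes mirrors EscapeQuotes for values that sit inside a quoted literal, and check_news_id plays the role of the IsNumeric() check for the ID of shownews.asp, where quoting cannot help because the value is not inside quotes. MAX_LEN, the function names and the SQLite tables that stand in for T_AUTHORS and T_NEWS are assumptions of the example.

```python
import sqlite3

MAX_LEN = 40  # assumed length limit; the paper suggests bounding input length

def escape_quotes(s):
    """Python form of the paper's EscapeQuotes: double every single quote so the
    value can no longer close the string literal it is embedded in."""
    return s.replace("'", "''")

def check_author_name(raw):
    """Free-text search field: enforce the length limit, then escape quotes."""
    if len(raw) > MAX_LEN:
        raise ValueError("input too long")
    return escape_quotes(raw)

def check_news_id(raw):
    """Numeric ID of shownews.asp, checked as the paper's IsNumeric() call intends:
    a value that is not a plain integer is rejected before it reaches the SQL text,
    because quoting cannot protect a value that sits outside quotes."""
    if not raw.strip().isdigit():
        raise ValueError("ID is not numeric")
    return int(raw)

def build_author_query(raw):
    return "SELECT * FROM T_AUTHORS WHERE AUTHOR_NAME='" + check_author_name(raw) + "'"

def build_news_query(raw):
    return "SELECT * FROM T_NEWS WHERE NEWS_ID=" + str(check_news_id(raw))

def make_db():
    """Constructed sample tables standing in for the paper's T_AUTHORS and T_NEWS."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE T_AUTHORS (AUTHOR_NAME TEXT)")
    con.executemany("INSERT INTO T_AUTHORS VALUES (?)", [("Duy",), ("O'Brien",)])
    con.execute("CREATE TABLE T_NEWS (NEWS_ID INTEGER, TITLE TEXT)")
    con.executemany("INSERT INTO T_NEWS VALUES (?, ?)", [(123, "first"), (124, "second")])
    return con

def row_count(con, sql):
    return len(con.execute(sql).fetchall())

if __name__ == "__main__":
    con = make_db()
    print(row_count(con, build_author_query("O'Brien")))    # 1: a genuine apostrophe still matches
    print(row_count(con, build_author_query("' OR ''='")))  # 0: the bypass string is now just a name
    print(build_news_query("123"))
    try:
        build_news_query("0 or 1=1")  # the paper's numeric payload is refused
    except ValueError as e:
        print("rejected:", e)
```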
3.2. Setting up a secure configuration for the database management system
There must be a strict control mechanism that limits the data-handling privileges granted to the user account the web application uses. Ordinary applications should avoid using privileges such as dbo or sa. The more restricted the privileges, the smaller the damage.
Also, to avoid the risks of a SQL injection attack, take care to remove any technical information from the messages sent to the user when the application encounters an error. Ordinary error messages reveal technical details that can let an attacker learn the weak points of the system.
References
[1] List of websites with SQL injection flaws: http://www.security.com.vn/
[2] SQL Injection FAQ: http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=2&tabid=3
[3] Advanced SQL Injection: http://www.nextgenss.com/papers/advanced_sql_injection.pdf
[4] Preventing SQL Injection: http://www.owasp.org/asac/input_validation/sql.shtml
[5] SQL Injection Attacks - Are You Safe?: http://www.sitepoint.com/article/794
