这是否code prevent SQL注入? [英] Does this code prevent SQL injection?
问题描述
背景
我一直在承包来分析现有数据提供,我知道下面的code出现故障;但为了指出这是多么糟糕,我需要证明它是容易受到SQL注入。
问题
什么关键参数可能会折断 prepareString 功能,并允许我执行 DROP 语句?
$ C $
公共共享功能GetRecord(BYVAL键作为字符串)作为记录
昏暗SQL作为新的StringBuilder()
用sql
.Append(SELECT * FROM表名)
如果String.IsNullOrEmpty(局)然后
.Append(ORDER BY DateAdded)
其他
.Append(其中key =)
.Append(prepareString(密钥))
。附加(')
结束如果
结束与
返回的executeQuery(Sql.ToString())
端功能
公共共享功能prepareString(BYVAL值作为字符串)作为字符串
返回Value.Replace('',')_
。更换(', '') _
.Replace(','')_
。更换, '') _
。更换( - , )
端功能
在回答你的直接的问题:这是否code prevent SQL注入:否
下面是证明 - 通过prepareString方法,按下此字符串:
暗淡输入='&放大器;字符(8)及;删除表表名; - &放大器;字符(8)及 -
昏暗的输出= prepareString(输入)
Console.WriteLine(输入)
Console.WriteLine(输出)
我修改了GetRecord方法,你贴返回全prepared SQL字符串,而不是从数据库中的记录:
Console.WriteLine(GetRecord(输出))
这是输出
输入=; DROP TABLE表名; -
输出='; DROP TABLE表名; -
查询= SELECT * FROM表名其中key =''; DROP TABLE表名; -
添加了code 1多余的:
My.Computer.Clipboard.SetText(输入)
和你有你需要正确的复制到剪贴板粘贴到你的输入字段在网站上完成您的SQL注入字符串:
'; DROP TABLE表名; - -
[注意到控制字符被从后输出的StackOverflow忽略,所以你必须遵循code例子创建你的输出]
在运行prepareString方法后,就会有相同的输出 - CHR(8)ASCII code是退格,将删除多余的'你要追加到我的这将关闭您的字符串,然后我可以自由添加任何我想要的结束。您的prepareString没有看到我 - 因为我实际使用 - - 与退格字符删除空格
产生的SQL code,你正在构建将执行我的DROP TABLE语句不受阻碍和及时忽略你查询的其余部分。
在好玩的事有关是,你可以使用非打印字符基本上绕过任何字符检查,你可以发明。因此,它是最安全的使用参数化查询(这是不是你问什么,而是要避免这种情况的最佳路径)。
Background
I've been contracted to analyze an existing Data Provider and I know the following code is faulty; but in order to point out how bad it is, I need to prove that it's susceptible to SQL injection.
Question
What "Key" parameter could break the PrepareString function and allow me to execute a DROP statement?
Code Snippet
Public Shared Function GetRecord(ByVal Key As String) As Record
Dim Sql As New StringBuilder()
With Sql
.Append("SELECT * FROM TableName")
If String.IsNullOrEmpty(Agency) Then
.Append(" ORDER BY DateAdded")
Else
.Append(" WHERE Key = '")
.Append(PrepareString(Key))
.Append("'")
End If
End With
Return ExecuteQuery(Sql.ToString())
End Function
Public Shared Function PrepareString(ByVal Value As String) As String
Return Value.Replace("''", "'") _
.Replace("'", "''") _
.Replace("`", "''") _
.Replace("´", "''") _
.Replace("--", "")
End Function
In answer to your direct question: Does this code prevent SQL injection: No
Here's the proof - push this string through the PrepareString method:
Dim input = "'" & Chr(8) & "; Drop Table TableName; - " & Chr(8) & "-"
Dim output = PrepareString(input)
Console.WriteLine(input)
Console.WriteLine(output)
I modified the GetRecord method you posted to return the fully prepared SQL string rather than get the record from the database:
Console.WriteLine(GetRecord(output))
And this is the output
Input = ; Drop Table TableName; --
Output = '; Drop Table TableName; --
Query = SELECT * FROM TableName WHERE Key = ''; Drop Table TableName; --'
Add 1 extra line of code:
My.Computer.Clipboard.SetText(input)
And you've got the string you need copied right to your clipboard to paste into your input field on the website to complete your SQL injection:
'; Drop Table TableName; - -
[Noting that the control characters have been omitted from the post output by StackOverflow, so you'll have to follow the code example to create your output]
After the PrepareString method is run, it will have the exact same output - the Chr(8) ASCII code is the backspace which will remove the extra "'" that you're appending to mine which will close your string and then I'm free to add whatever I want on the end. Your PrepareString doesn't see my -- because I'm actually using - - with a backspace character to remove the space.
The resulting SQL code that you're building will then execute my Drop Table statement unhindered and promptly ignore the rest of your query.
The fun thing about this is that you can use non-printable characters to basically bypass any character check you can invent. So it's safest to use parameterized queries (which isn't what you asked, but is the best path to avoid this).
这篇关于这是否code prevent SQL注入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
