证明SQL注入 [英] Proving SQL Injection
问题描述
我想在这里简单地证明这个简单的功能不足以阻止世界上的每一次sql注入:
I'm trying to simply prove here that this simple function isn't good enough to prevent every sql injection in the world:
Function CleanForSQL(ByVal input As String) As String
Return input.Replace("'", "''")
End Function
这是我们其中一个应用程序的典型插入语句:
Here is a typical insert statement from one of our apps:
Database.DBUpdate("UPDATE tblFilledForms SET Text1 = '" + CleanForSQL(txtNote.Text) + "' WHERE FilledFormID = " + DGVNotes.SelectedRows(0).Cells("FilledFormID").Value.ToString)
我知道它不安全,因为在Google StackOverflow.com上进行了谷歌搜索和查找其他问题。 这里是我发现的一个问题,其中所有此类功能
I know its not secure, because of googling and looking up other questions on StackOverflow.com. Here is one question that I found in which all functions such as the one I presented above are irrelevant and pointless.
因此,根据我链接到的帖子,只需键入
So based on the post I linked to, simply typing
'Chr(8);更新tblMaint SET Value1 = 2 WHERE ValueID = 2-
'Chr(8); update tblMaint SET Value1 = 2 WHERE ValueID = 2--
进入txt注意应足以清除整个tblFilledForms中text1中的每个值表,然后将tblmaint表的第二行更新为2正确吗?
into txtNote should be enough to clear every value in text1 in the entire tblFilledForms table, and then update the tblmaint table's second row to be 2 correct?
这里应该发生的是VB将其解释为
What SHOULD happen here is that VB will interpret this as
UPDATE tblFilledForms SET Text1 ='''Chr(8);更新tblMaint SET Value1 = 2 WHERE ValueID = 2--'WHERE FilledFormID = 5120327
UPDATE tblFilledForms SET Text1 = '''Chr(8); update tblMaint SET Value1 = 2 WHERE ValueID = 2--' WHERE FilledFormID = 5120327
并将其发送到SQL,该SQL将进行内部执行Chr(8)删除将产生的第三个'
and send it to SQL which will intern execute the Chr(8) to erase the third ' which would produce
UPDATE tblFilledForms SET Text1 =''; update tblMaint SET Value1 = 2 WHERE ValueID = 2--'WHERE FilledFormID = 5120327
UPDATE tblFilledForms SET Text1 = ''; update tblMaint SET Value1 = 2 WHERE ValueID = 2--' WHERE FilledFormID = 5120327
要在数据库上正确执行吗?
to be actually executed on the database correct?
然后我从剪贴板复制了一个Chr(8),并用剪贴板中的内容替换了文本框中的Chr(8),但还是不行。它将整个字符串直接放入没有问题的字段中。
I then coppied a Chr(8) from the clipboard and replaced the Chr(8) in the textbox with the clipboard contents and still a no-go. It puts the whole string directly into the field w/o problems.
那我在做什么错了?还是可以做些什么来打破它?
技术和背景:
我正在使用MS SQL Server 2005和VB .NET 2005。
数据库中的Text1字段是Varchar(600)字段(不要问我为什么它不是MAX,它毫无意义,我知道)
表中有某些触发器会阻止大规模的更新,例如这样,如果注入实际上工作正常,则会引发一些错误。
Technologies and background: I'm using MS SQL Server 2005, and VB .NET 2005. the Text1 field in the database is a Varchar(600) field (don't ask my why its not MAX, its pointless, i know) There are certain triggers on the table that would prevent a mass update such as this and throw some errors if the injection actually worked right.
PS。我知道参数化查询是解决问题的办法,而我并不是在寻找诸如好吧,我不知道为什么它不起作用,但是参数化查询才是解决之道之类的答案。我正在寻找能够证明我们的软件已损坏并且需要使用更好的原理对其进行重写的功能。
PS. I know parametrized queries are the way to go here and I'm not looking for answers like "well i dunno why it doesn't work, but parametrized queries are the way to go". I'm looking for the ability to prove that our software is broken and that we need to rewrite it using better principles.
对于阅读此问题的人来说,如何更好地过滤您的文本字段,答案是不要!使用参数!
To anyone reading this question to figure out how to better filter your text fields, the answer is DON'T! Use the parameters! they are much better, safer, and easier!
推荐答案
Chr(8)是引用的文字字符串的一部分,就像这样更新语句,因此SQL Server不会将其解释为函数调用。在此示例中,Text1将设置为文字值:
The Chr(8) is part of the quoted literal string, as is the update statement, so SQL Server is not going to interpret it as a function call. With this example, Text1 will be set to the literal value:
'Chr(8); update tblMaint SET Value1 = 2 WHERE ValueID = 2--
(是,包括单引号)
因此,在此示例中,您的代码是是安全的。对SQL注入的大多数困扰是偶然地失败来验证和引用值,在正确引用的SQL语句中没有天生的不安全之处。
So, with this example, your code is secure. Most hang-wringing over SQL injection is about accidentally failing to validate and quote values, there is nothing inherently unsafe in a properly-quoted SQL statement.
这篇关于证明SQL注入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
