向老板演示SQL注入攻击 [英] Demonstrating SQL injection attacks to my boss

问题描述

因此，我有一个正在进行的项目，试图教我的老板开始使用准备好的SQL语句，但是他可以不在乎，并说这没什么大不了的。我想知道如何向他证明这很重要，但我只是想不通如何在我们已经建立的开发测试服务器上注入一个drop table命令。我为一家处于测试阶段的公司开发了一个应用程序，由于我正在使用他的SQL代码，因此我希望将其删除（备份）以向他提出问题。我试图让公司养成使用准备好的语句的习惯，但是我似乎是唯一想要更改的人，而他们却没有。有人可以通过SQL注入帮助我破解此数据库吗？谢谢!!

So I have a project with work to try and teach my boss to start using prepared SQL statements, but he could care less and says it's not a big deal. I want to know how to prove to him it is a big deal, but I just can't figure out how to inject a drop table command on the development test server we have set up. I developed an application for a company that is in its testing phase and I want to take it down (have back up) to present to him the issue, as I am using his SQL code. I am trying to get the company to get in habit of using prepared statements, but I seem to be the only one wanting change and they don't. Can someone help me "crack" this database with SQL injection? Thanks!!

要提交的表单上有一个注释框，当它看到撇号时会引发错误：

There is a comment box on the form to be submitted and when it sees an apostrophe it throws the error:

无法进行查询：您的SQL语法有错误；请查看与您的MySQL服务器版本相对应的手册，以在第78行附近使用正确的语法在's;'，'100'，'100'）'处

Unable to Make Query:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's";', '100', '100')' at line 78

我已经尝试过

foo'); DROP TABLE cabletypes;--

但给出相同的错误，在提交表单之前在textarea中键入内容时如何使其成功注入？textarea提交至评论列和值。

but gives same error. How can I make it inject successfully when I am typing in the textarea prior to form submission? The textarea submits to the 'comments' column and value.

SQL

$sql="INSERT INTO cabletypes
        (cable_type,
        sample_no,
        sample_date,
        section_lg,
        wet_dry,
        avgofppf,
        sheath_type,
        plastic_wt,
        inner_sheath,
        inner_al_wt,
        inner_steel_wt,
        cable_guard,
        guard_al_wt,
        guard_steel_wt,
        guard_other_wt,
        total_pairs_a,
        pair_count_gauge_a,
        copper_wt_a,
        total_pairs_b,
        pair_count_gauge_b,
        copper_wt_b,
        total_pairs_c,
        pair_count_gauge_c,
        copper_wt_c,
        total_pairs_d,
        pair_count_gauge_d,
        copper_wt_d,
        sum_pairs,
        copper_wt,
        copper_percent,
        lead_wt,
        lead_percent,
        contains_lead,
        waste_wt,
        sampler,
        supervisor,
        comments,
        cable_no,
        section_no)
        VALUES (
        '$cable_type',
        '$sample_no',
        '$sample_date',
        '$section_lg',
        '$wet_dry',
        '$avgofppf',
        '$sheath_type',
        '$plastic_wt',
        '$inner_sheath',
        '$inner_al_wt',
        '$inner_steel_wt',
        '$cable_guard',
        '$guard_al_wt',
        '$guard_steel_wt',
        '$guard_other_wt',
        '$total_pairs_a',
        '$pair_count_gauge_a',
        '$copper_wt_a',
        '$total_pairs_b',
        '$pair_count_gauge_b',
        '$copper_wt_b',
        '$total_pairs_c',
        '$pair_count_gauge_c',
        '$copper_wt_c',
        '$total_pairs_d',
        '$pair_count_gauge_d',
        '$copper_wt_d',
        '$sum_pairs',
        '$copper_wt',
        '$copper_percent',
        '$lead_wt',
        '$lead_percent',
         0,
        '$waste_wt',
        '$sampler',
        '$supervisor',
        '$comments',
        '$cable_no',
        '$section_no')";
    }

mysql_query($sql) or die ("Unable to Make Query:" . mysql_error());

print("Sample Sheet Submitted Successfully!");

推荐答案

您无法在PHP的数据库中发布多查询SQL ext / mysql 接口。所以你不能做;删除表学生的绝招。这是支持不推荐使用的mysql扩展的几个要点之一。

You can't issue multi-query SQL in PHP's ext/mysql interface. So you can't do the ; DROP TABLE Students trick at all. This one of the few points in favor of the deprecated mysql extension.

具有讽刺意味的是，默认情况下，PDO支持所有查询的多查询。而且，只有在您明确调用 mysqli :: multi_query（）时，Mysqli才支持它。

Ironically, PDO supports multi-query by default for all queries. And Mysqli supports it only if you explicitly call mysqli::multi_query().

但是，DROP TABLE并不是攻击者尝试使用SQL注入进行处理的唯一非法行为。实际上，执行DROP TABLE的攻击是恶意的，但没有给攻击者任何价值。大多数SQL注入攻击都是更有条理的。

But DROP TABLE is not the only illicit thing an attacker may try to do with SQL injection. In fact, an attack that does DROP TABLE is malicious, but gains the attacker nothing of value. Most SQL injection attacks are more methodical.

我可以想到您的示例INSERT语句的利用：

I can think of an exploit for your example INSERT statement:

http://yourapp.example.com/cable_types.php?supervisor=jflay',(SELECT GROUP_CONCAT(CONCAT(table_name,'.',column_name)) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_schema=DATABASE()), NULL, NULL) --

Voilà！我刚刚创建了一种电缆类型，其注释可以告诉我数据库中的所有表和列。然后，我可以在以后尝试利用您站点中的其他页面时使用这些知识。

Voilà! I have just created a cable type whose comment tells me all the tables and columns in your database. I can then use this knowledge in subsequent attempts to exploit other pages in your site.

（实际上，这可能不是一个确定的示例，因为GROUP_CONCAT的长度限制为默认情况下为1024个字符，并且您的完整列集可能更长。您可以使用此漏洞获取相同的信息，但可能需要执行多个INSERT查询。）

(Actually, this may not be a sure example, because GROUP_CONCAT has a length limit of 1024 characters by default, and your full set of columns is probably longer than that. You can use this exploit to get the same information but perhaps it'll take several INSERT queries.)

无论如何，您的老板确实出于安全性考虑，也应使用参数化查询，也为了支持包含撇号的字符串，还应简化编码并提高性能。告诉他编写的语句比非语句快14％准备好的语句。

Anyway, your boss really should use parameterized queries for the sake of security, and also for the sake of supporting strings containing apostrophes, but also ease of coding and for performance. Tell him that prepared statements perform 14% faster than non-prepared statements.

这篇关于向老板演示SQL注入攻击的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！