How to expose the weakness of bad code


Question

Hi, I've been repeatedly told not to use concatenation in my SQL code for fear of an SQL injection attack. However, I've tried to crack my own code with no success. Is it even possible to SQL-inject through a Windows form? Please find the relevant piece of code below:

using System.Data.SqlClient;

SqlConnection con = new SqlConnection(
  "Data Source=PV10\\LOCALSERVER;Initial Catalog=dbtest;Integrated Security=True");

con.Open();

// The two text boxes are concatenated straight into the SQL text
SqlCommand cmd = new SqlCommand(
  "select * from Creds where Username= '" + 
   textBox1.Text + 
  "' and Password='" + 
   textBox2.Text + 
  "'", 
  con);

SqlDataReader dr;
dr = cmd.ExecuteReader();
while(dr.Read())
{
   ...
}

Recommended answer

Many a great thing can be performed:

Destruction: put *' or 1 = 1; drop table Creds -- into textBox1.Text and the query will be

 select * from Creds where Username= '*' or 1 = 1;
 drop table Creds -- and Password=''

you have two queries; the second one drops the Creds table

Deletion: put *' or 1 = 1; delete from Creds -- into textBox1.Text and the query will be

 select * from Creds where Username= '*' or 1 = 1;
 delete from Creds -- and Password=''

you have two queries; the second one clears the Creds table

Espionage: put ' /* into textBox1.Text and */ or '*' = '* into textBox2.Text and the query will be

 select * from Creds where Username= ' ' /*  and Password= '*/ or '*' = '*'

this query returns all the users with their passwords. Start a monitor/sniffer and read the values returned. Do you want some data from another table? Just put ' union all select SecretField, TopSecretField from Secrets -- into textBox2.Text and you'll get

select * from Creds where Username= '' and password = ''
union all
select SecretField, TopSecretField from Secrets --'  

Hack: can you see a record "Big boss", "Top secret password"? It's time to log in with this username/password and put *' or 1 = 1; update Creds set salary = 1000000 /*be modest*/ where userName = 'PoorLittleMe' -- into textBox1.Text and the query will be

  select * from Creds where Username= '*' or 1 = 1;
  update Creds set salary = 1000000 /*be modest*/ where userName = 'PoorLittleMe' -- and Password=''

again, you have two queries, and it's quite easy to guess what the second query does; you may want to buy a ticket to Argentina then.

Trick: register yourself as d'Artagnan; such a name, being perfectly legitimate, when put into the query

select * from Creds where Username= 'd'Artagnan' and Password='mypassword'

will cause a syntax error (and most probably a resource leak: you haven't wrapped the IDisposable objects, Connection, Command and Reader, into using)

Finally, how it should be done:

   // wrap IDisposable into using
   // do not hardcode the connection string
   using (SqlConnection con = new SqlConnection(/*read the connection string here*/)) {
     con.Open();

     // Make the SQL readable
     // You don't need the Username field returned (you already have it in textBox1.Text)
     string sql = 
       @"select Permissions, --TODO: put the right fields here
                Status
           from Creds
          where PasswordHash = @prm_PasswordHash and -- do not store passwords as plain text
                Username = @prm_UserName"; 

     // wrap IDisposable into using
     using (SqlCommand cmd = new SqlCommand(sql, con)) {
       // do not store the password as plain text, but as a hash
       //TODO: AddWithValue is not the best choice; put the actual parameter types here 
       cmd.Parameters.AddWithValue("@prm_PasswordHash", ComputeHash(textBox2.Text));
       cmd.Parameters.AddWithValue("@prm_UserName", textBox1.Text);

       // the reader is IDisposable too: declare it inside the using
       using (SqlDataReader dr = cmd.ExecuteReader()) {
         while (dr.Read()) {
           ...
         }
       } 
     }
   }
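As an added example, not part of the question or the answer above, the same contrast can be run offline in Python against an in-memory SQLite database: the concatenated query from the question beside a parameterized one, fed the legitimate name d'Artagnan and the "espionage" input pair the answer quotes. The `Creds` rows, the `CredsHashed` table and the `hash_password`/`verify_password` helpers are constructed for this demo (the answer's `ComputeHash` is only a placeholder name); SQLite stands in for SQL Server, and the principle is the same.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample users standing in for the asker's Creds table (plain-text
# passwords, as in the question). Names and passwords are invented.
SAMPLE_USERS = [
    ("alice", "hunter2"),
    ("d'Artagnan", "mypassword"),   # a legitimate name containing a quote
]

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: what a ComputeHash for stored passwords should look like."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def make_db() -> sqlite3.Connection:
    """Build the demo database: the plain-text Creds table and a hashed variant."""
    con = sqlite3.connect(":memory:")
    con.execute("create table Creds (Username text, Password text)")
    con.executemany("insert into Creds values (?, ?)", SAMPLE_USERS)
    con.execute("create table CredsHashed (Username text, Salt blob, PasswordHash blob)")
    for name, pw in SAMPLE_USERS:
        salt = os.urandom(16)
        con.execute("insert into CredsHashed values (?, ?, ?)", (name, salt, hash_password(pw, salt)))
    return con


def login_concatenated(con: sqlite3.Connection, textbox1: str, textbox2: str) -> list:
    """The question's query, built by string concatenation (vulnerable)."""
    sql = ("select * from Creds where Username= '" + textbox1 +
           "' and Password='" + textbox2 + "'")
    return con.execute(sql).fetchall()


def login_parameterized(con: sqlite3.Connection, textbox1: str, textbox2: str) -> list:
    """The answer's fix: placeholders in the SQL text, values passed separately."""
    sql = "select * from Creds where Username = ? and Password = ?"
    return con.execute(sql, (textbox1, textbox2)).fetchall()


def login_hashed(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup by username, then hash verification in application code."""
    row = con.execute(
        "select Salt, PasswordHash from CredsHashed where Username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    return verify_password(password, salt, stored_hash)


def demo() -> dict:
    """Run both query styles on the inputs discussed in the answer and collect the outcomes."""
    con = make_db()
    results = {}
    # 1. A legitimate quote in a name: concatenation is a syntax error, parameters work.
    try:
        login_concatenated(con, "d'Artagnan", "mypassword")
        results["concat_quote_ok"] = True
    except sqlite3.OperationalError:
        results["concat_quote_ok"] = False
    results["param_quote_rows"] = len(login_parameterized(con, "d'Artagnan", "mypassword"))
    # 2. The answer's "espionage" pair: the comment swallows the password check.
    box1, box2 = "' /*", "*/ or '*' = '*"
    results["concat_espionage_rows"] = len(login_concatenated(con, box1, box2))   # every row
    results["param_espionage_rows"] = len(login_parameterized(con, box1, box2))   # no row
    return results


if __name__ == "__main__":
    print(demo())
```

With parameters the quote in d'Artagnan is just data, so the row is found, and the comment characters in the espionage pair never reach the SQL parser, so nothing matches. `login_hashed` separates the lookup from the password check so that a per-user salt can be used, which a single `PasswordHash = @prm_PasswordHash` comparison cannot do.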
