Testing for SQL Injection Vulnerabilities

SQL injection attacks pose serious security risks to web applications that rely on a backend database to generate dynamic content. In this type of attack, attackers exploit a web application in an attempt to inject their own SQL commands into those issued by the database. For background, see SQL Injection Attacks on Databases. In this article, we look at several ways you can test your web applications to determine whether they are vulnerable to SQL injection attacks.

Scanning for SQL Injection

One option is to use an automated web application scanner, such as HP's WebInspect, IBM's AppScan, or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyze your web applications for SQL injection vulnerabilities. However, they are quite expensive, running up to $25,000 per seat.

SQL Injection Tests

What is the poor application developer to do? You can run some basic tests to evaluate your web applications for SQL injection vulnerabilities using nothing more than a web browser. First, a word of caution: the tests I describe look only for basic SQL injection flaws. They won't detect advanced techniques and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you can't handle that price tag, manual testing is a great first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that won't actually harm your database if they succeed, but will give you evidence that you need to fix the problem. For example, suppose you have a simple web application that looks up a person in a database and provides contact information as the result. That page might use the following URL format:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page performs the lookup using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. Based on the assumption above, we can make a simple change to the URL that tests for SQL injection:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application hasn't been properly protected against SQL injection, it simply drops this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR '1' = '1'

You'll notice that the syntax above differs a bit from the original URL. I took the liberty of converting the URL-encoded variables to their ASCII equivalents to make the example easier to follow. For example, %3d is the URL encoding of the '=' character. I also adjusted some of the formatting for the same reason.

Evaluating the Results

The moment of truth comes when you try to load the web page with the URL above. If the web application is well-behaved, it will strip the single quotes from the input before passing the query to the database. This will simply result in a strange lookup of someone with a first name that includes a bunch of SQL! You'll see an error message from the application like the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple!

On the other hand, if the application is vulnerable to SQL injection, it will pass the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which it shouldn't!), you'll see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37' [Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'. /directory.asp, line 13

On the other hand, if your web server doesn't display detailed error messages, you'll get a more generic error, like this:

Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.
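To see the two behaviours described above side by side, here is an added example (not code from the article) that decodes the test URL the way a web server would, runs the lookup once with string concatenation and once with a parameterized query, and shows that only the concatenated version lets the probe reach the database. It uses an in-memory SQLite table with constructed sample rows in place of the article's SQL Server.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory stand-in for the article's directory database.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    db.executemany("INSERT INTO directory VALUES (?, ?, ?)",
                   [("chapple", "mike", "555-0100"), ("smith", "ann", "555-0101")])
    return db

def params_from_url(url):
    # Same decoding the web server performs: '+' -> space, %3e -> '>', %3d -> '='
    qs = parse_qs(urlsplit(url).query)
    return qs["lastname"][0], qs["firstname"][0]

def lookup_unsafe(db, lastname, firstname):
    # Vulnerable pattern: the input is pasted into the statement, so the quote in
    # the probe closes the literal and the rest becomes SQL that the database runs.
    sql = ("SELECT phone FROM directory WHERE lastname = '%s' and firstname = '%s'"
           % (lastname, firstname))
    try:
        return "ok", [row[0] for row in db.execute(sql)]
    except sqlite3.OperationalError as exc:
        # The reference to the non-existent table 'fake' surfaces as a database error,
        # the tell-tale sign the article describes.
        return "error", str(exc)

def lookup_safe(db, lastname, firstname):
    # Parameterized query: the whole probe is matched as a literal first name.
    sql = "SELECT phone FROM directory WHERE lastname = ? and firstname = ?"
    return "ok", [row[0] for row in db.execute(sql, (lastname, firstname))]

NORMAL_URL = "http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike"
PROBE_URL = ("http://myfakewebsite.com/directory.asp?lastname=chapple&firstname="
             "mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1")

if __name__ == "__main__":
    db = make_db()
    for url in (NORMAL_URL, PROBE_URL):
        ln, fn = params_from_url(url)
        print("unsafe:", lookup_unsafe(db, ln, fn))
        print("safe:  ", lookup_safe(db, ln, fn))
```

With the probe URL the concatenated lookup reports "no such table: fake", while the parameterized lookup simply finds nobody with that first name.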

If you receive either of the errors above, your application is vulnerable to SQL injection attack! Some steps you can take to protect your applications against SQL injection attacks include: