Ukuvivinya Ukuhlukunyezwa Kwe-SQL Injection

Ukuhlaselwa kwe-SQL Injecting kubangela izingozi ezinkulu kwizinhlelo zokusebenza zewebhu ezixhomeke kwi-backend database ukuze zenze okuqukethwe okunamandla. Kulolu hlobo lokuhlaselwa, abaduni benza uhlelo lokusebenza lwewebhu ngomzamo wokufaka imiyalo yabo ye-SQL kulabo abakhishwe yi-database. Isibonelo, bheka i-athikili ye-SQL Injecting Attacks ku-yolwazi. Kulesi sihloko, sibheka ngezindlela eziningana ongahlola ngazo izinhlelo zakho zokusebenza zewebhu ukuthola ukuthi ngabe zisengozini ekuhlaselweni kwe-SQL Injection.

I-Automatic SQL Injection Scanning

Enye kungenzeka ukusebenzisa isithwebuli se-web application esenzakalelayo, njenge-HP's WebInspect, i-IBM's AppScan noma isichotho se-Cenzic. Lawa mathuluzi wonke anikela ngezindlela ezilula, ezenziwe ngezindlela ezizenzakalelayo zokuhlaziya izicelo zakho zewebhu zokukhubazeka okungenzeka kwe-SQL Injection. Noma kunjalo, zibiza kakhulu, zigijima zifika ku-$ 25,000 ngesihlalo ngasinye.

Ukuhlola kwe-Manual SQL Injection

Yini umthuthukisi wesicelo ompofu okumelwe akwenze? Ngempela ungasebenzisa izivivinyo ezithile eziyisisekelo ukuhlola izinhlelo zakho zewebhu ze-SQL Injection vulnerabilities besebenzisa okungaphezu kwesiphequluli sewebhu. Okokuqala, izwi lokuqapha: ukuhlolwa engikuchazayo kubheka kuphela amaphutha okuyisisekelo we-SQL Injection. Ngeke athole amasu athuthukile futhi ayenzima ukuwasebenzisa. Uma ungakwazi ukukukhokhela, hamba ngesithwebuli esenzakalelayo. Kodwa-ke, uma ungakwazi ukusingatha leyo tag tag, ukuhlolwa manual kuyisinyathelo sokuqala esikhulu.

Indlela elula yokuhlola ukuthi ngabe uhlelo lusizi yini ukuhlola ukuhlaselwa okungahlanzekile komjovo okungayikulimaza ngempela idatha yakho uma uphumelela kodwa kuzokunikeza ubufakazi bokuthi udinga ukulungisa inkinga. Isibonelo, ake sithi unesicelo sewebhu esilula esibheka umuntu ku-database futhi unikeza ulwazi lokuxhumana njengomphumela. Leli khasi lingasebenzisa ifomethi ye-URL elandelayo:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

Singacabanga ukuthi leli khasi lenza i-database yokubuka, usebenzisa umbuzo ofana nalokhu okulandelayo:

Hlunga ifoni kusuka ku-directory lapho ukhona khona igama = 'chapple' kanye firstname = 'mike'

Ake sizame ngalokhu kancane. Ngokucabanga kwethu ngenhla, singenza ushintsho olulula ku-URL ehlola ukuhlasela kwe-SQL injection:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(ukhethe +count(*)+from +fake)+%3e0+OR+'1'%3d'1

Uma ngabe uhlelo lwewebhu aluvikelekile ngokumelene nomjovo we-SQL, ivele ixhumane leli gama lokufaka inkokhelo esitatimendeni se-SQL esisebenza ngaphandle kwedatha, okuholela eku:

Hlunga ifoni kusuka ku-directory lapho ukhona khona igama = 'chapple' kanye firstname = 'mike' NOMA (khetha ubala (*) kusuka ekukhohliseni)> 0 OR '1' = '1'

Uzoqaphela ukuthi i-syntax ngenhla ihlukile kancane kuneyakho ku-URL yangempela. Ngathatha inkululeko yokuguqula ukuguquguquka kwe-URL-encoded nge-ASCII yabo equals ukuze kube lula ukulandela isibonelo. Isibonelo, i-% 3d yi-URL-encoding yehlamvu '='. Ngiphinde nganezela ezinye izinhlu zezinhloso ngezinjongo ezifanayo.

Ukuhlola Imiphumela

Isivivinyo siza uma uzama ukulayisha ikhasi lewebhu nge-URL echazwe ngenhla. Uma uhlelo lokusebenza lwewebhu luziphatha ngendlela efanele, luzoqeda izingcaphuno ezilodwa kusuka kokufakwayo ngaphambi kokudlulisela umbuzo ku-database. Lokhu kuzokwenza ukuthi kube nomuntu ophethe igama lokuqala elihlanganisa iqembu le-SQL! Uzobona umlayezo wephutha kusuka kwesicelo esifana nesezansi:

Iphutha: Akekho umsebenzisi otholwe ngegama elithi mike + AND + (khetha + isibalo (*) + kusuka ku-fake) +% 3e0 + OR + 1% 3d1 Chapple!

Ngakolunye uhlangothi, uma isicelo sisengozini yejola le-SQL, lizodlula isitatimende ngqo ku-database, okuholela eminye yezindlela ezimbili. Okokuqala, uma iseva yakho inemiyalezo enemininingwane enikwe amandla (okungafanelekile!), Uzobona into enjengale:

Umhlinzeki we-Microsoft OLE DB we-ODBC Abashayeli bephutha '80040e37' [I-Microsoft] [ODBC SQL Server Driver] [SQL Server] Igama elingavumelekile igama elithi 'inkohliso'. /directory.asp, umugqa 13

Ngakolunye uhlangothi, uma isiphakeli sakho sewebhu singabonisi imilayezo yephutha eningiliziwe, uzothola iphutha lobukhulu ngokwengeziwe, njenge:

Iphutha leseva langaphakathi Iseva ihlangabezane nephutha langaphakathi noma ukuguqulwa okungalungile futhi ayikwazanga ukuqedela isicelo sakho. Sicela uxhumane nomlawuli wesiphakeli ukwazisa ngesikhathi kwenzeka iphutha futhi kwanoma yini okungenzeka ukwenzile okungenzeka yabangela iphutha. Ulwazi oluthe xaxa ngaleli phutha lungatholakala kugijimi lephutha leseva.

Uma uthola enye yeziphambeko ezimbili ezingenhla, uhlelo lwakho lokusebenza lusengozini ye-SQL injection attack! Ezinye izinyathelo ongazithatha ukuvikela izinhlelo zakho zokusebenza ngokulwa nokuhlasela kwe-SQL Injection zihlanganisa:

• Qalisa ukuhlola i-parameter kuzo zonke izinhlelo zokusebenza. Isibonelo, uma ucela othile ukuthi angene kwinamba yekhasimende, qinisekisa ukuthi okokufaka kuyinamba ngaphambi kokukhipha umbuzo .
• Nciphisa izimvume ze-akhawunti ezenza imibuzo ye-SQL . Ukubusa okungenani ilungelo kusebenza. Uma i-akhawunti esetshenziselwa ukwenza umbuzo ingenayo imvume yokuyikhipha, ngeke iphumelele!
• Sebenzisa izinqubo ezigcinwe (noma amasu afanayo) ukuvimbela abasebenzisi ukuba bahlanganyele ngokuqondile nekhodi ye-SQL.