网站数据库注入威胁研究.pdfVIP

Manipulating Microsoft SQL Server Using SQL Injection Author: Cesar Cerrudo (sqlsec@) APPLICATION SECURITY, INC. WEB: WWW .APPSECINC.COM E-MAIL: INFO@APPSECINC.COM TEL: 1-866-9APPSEC • 1-212-490-6022 INTRODUCTION This paper will not cover basic SQL syntax or SQL Injection. It is assumed that the reader has a strong understanding of these topics already. This paper will focus on advanced techniques that can be used in an attack on a (web) application utilizing Microsoft SQL Server as a backend. These techniques demonstrate how an attacker could use a SQL Injection vulnerability to retrieve the database content from behind a firewall and penetrate the internal network. This paper is meant to educate security professionals of the potential devastating effects SQL Injection could have on an organization. Web applications are becoming more secure because of the growing awareness of attacks such as SQL Injection. However, in large and complex applications, a single oversight can result in the compromise of the entire system. Specifically, many developers and administrators of (web) applications may have a false sense of security because they use stored procedures or mask an error messages returned to the browser. This may lead them to believe that they can not be compromised by this vulnerability. While we discuss Microsoft SQL Server in this paper, this is no way indicative that Microsoft SQL Server is any less secure than other database platforms such as Oracle or IBM DB2. SQL injection is not a defect of Microsoft SQL Server – it is also a problem for every other database vendor as well. Perhaps the biggest issue with Microsoft SQL Server is the flexibility of the system. This flexibility is what allows it to be subverted so far by SQL injection. This paper is meant to show that any time