资安产学个案研讨.ppt

 資安產學個案研討 許 富 皓 資 訊 工 程 學 系 國 立 中 央 大 學 SQL Injection [SK] SQL Injection Version of Hello World Let’s surf the Internet for fun. What is SQL Injection? Many web pages take parameters from web users, and make SQL query to the database. Take for instance when a user login a web page, the web page accepts that user name and password and makes SQL query to the database to check if the user has valid name and password. With SQL Injection, it is possible for us to send crafted user name and/or password field that will change the SQL query and thus grant us something else. SQL Injection Attack Channels SQL injection is one type of web hacking that require nothing but port 80 and it might just work even if the admin is patch-happy. It attacks on the web application (like ASP, JSP, PHP, CGI, etc) itself rather than on the web server or services running in the OS. What You Should Look for? Try to look for pages that allow you to submit data, i.e: login page, search page, feedback, etc. Sometimes, HTML pages use POST command to send parameters to another ASP page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML, and look for FORM tag in the HTML code. You may find something like this in some HTML codes: FORM action=Search/search.asp method=postinput type=hidden name=A value=C/FORMEverything between the FORM and /FORM have potential parameters that might be useful (exploit wise). What If You Cant Find Any Page That Takes Input? You should look for pages like ASP, JSP, CGI, or PHP web pages. Try to look especially for URL that takes parameters, like:http://duck/index.asp?id=10 How Do You Test If It Is Vulnerable? Start with a single quote trick. Input something like:hi or 1=1-- into login, or password, or even in the URL. Example:? - Login: hi or 1=1-- - Pass: hi or 1=1--?- http://duck/index.asp?id=hi or 1=1— If luck is on your side, you will get login without any login name or pass