
SQL Injection.

Presentation on theme: "SQL Injection."— Presentation transcript:

1 SQL Injection

2 Database operations are everywhere in web pages

3 Query parameters carried in the URL

4 SELECT * FROM users WHERE name='abc123'
What does the server-side code that produces a statement like this look like?

5 Server:
…
$name = $_GET['name'];
$sql = "SELECT * FROM users WHERE name='" . $name . "'";
mysql_do_query($sql);
…
String concatenation, quotes

6 SELECT * FROM users WHERE name='abc123' and passwd='123456'
The statement that corresponds to a login

7 SELECT * FROM users WHERE name='' and passwd=''
Input for name: abc' or '1=1
SELECT * FROM users WHERE name='abc' or '1=1' and passwd='XXXXXX'
CONDITION COMPROMISED
In a web application, many user actions are in reality interactions with the database. The user can type arbitrary characters, and if they are not filtered properly, the user can make the database perform operations the site maintainer never intended.

8 SELECT * FROM users WHERE name='' and passwd=''
Input for name: abc' or '1=1' or '1=1
SELECT * FROM users WHERE name='abc' or '1=1' or '1=1' and passwd='XXXXXX'
CONDITION ALWAYS TRUE
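Added example (not code from the deck): the slide 5 concatenation beside a parameterized query, run against a constructed in-memory SQLite users table, with the slide 8 input as the name and a wrong password.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the deck's users table (two sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, passwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("abc123", "123456"), ("admin", "s3cret")])
    return conn


def login_concat(conn, name, passwd):
    """Slide 5 style: the SQL text is built by concatenation, so a quote
    inside the input ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT * FROM users WHERE name='" + name +
           "' and passwd='" + passwd + "'")
    return sql, conn.execute(sql).fetchall()


def login_param(conn, name, passwd):
    """Hardened form: placeholders. The values travel separately from the
    statement, so the same input is compared as a plain string."""
    sql = "SELECT * FROM users WHERE name=? and passwd=?"
    return sql, conn.execute(sql, (name, passwd)).fetchall()


def demo():
    """Run both forms with valid credentials and with the slide 8 input."""
    conn = make_db()
    payload = "abc' or '1=1' or '1=1"   # the name input shown on slide 8
    return {
        "valid_concat": login_concat(conn, "abc123", "123456")[1],
        "valid_param": login_param(conn, "abc123", "123456")[1],
        "inject_concat": login_concat(conn, payload, "XXXXXX"),
        "inject_param": login_param(conn, payload, "XXXXXX")[1],
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

With concatenation the injected input returns every row (the condition is always true); with placeholders it matches no user at all.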

9 Client: Filter(request_data) -> Send(data)
Server: data = Receive() -> Filter(received_data) -> do_SQL_query(data) -> Handle(returned_data)

12 Bypass account authentication. Dump whole database.

