How to determine the numeric values of a row? The values of the columns being output

This work is a translation of part of Chris Anley's paper Advanced SQL Injection In SQL Server Applications.
In upcoming articles the translation will, in all likelihood, be completed.

P.S. The translation will be useful both for present-day and for historical purposes.

Original title of the article: Advanced SQL injection in applications that use the SQL language.

Abstract

This article examines the common "SQL injection" technique as it applies to the popular Microsoft Internet Information Server/Active Server Pages/SQL Server platform. It discusses the various ways in which SQL can be injected into an application and explains methods of validating data, as well as protecting databases that may receive incorrect input.

Introduction

Structured Query Language (SQL) is a structured language used to interact with databases. There are many "dialects" of SQL, but today almost all of them are based on the SQL-92 standard, one of the earlier ANSI standards. The basic unit of SQL is the query, a set of statements that returns a set of results (a result set). SQL statements can change the structure of a database (using the data definition language, DDL) and its contents (using the data manipulation language, DML). Here we will look at Transact-SQL, which is used in Microsoft SQL Server.

SQL injection becomes possible when an attacker can insert their own SQL into a query through the data that is sent to the application.

A typical SQL query looks like this:

select id, forename, surname from authors

This query takes the "id", "forename" and "surname" columns from the "authors" table and returns all rows in the table. The selection can be restricted to a particular "author", for example:

select id, forename, surname from authors where forename = 'john' and surname = 'smith'

Note that string literals are delimited by single quotes. It is important to remember that "forename" and "surname" are data supplied by the user. In that case an attacker can inject their own SQL into the query simply by supplying their own values to the application. For example:

Forename: jo'hn Surname: smith

The query then looks like this:

select id, forename, surname from authors where forename = 'jo'hn' and surname = 'smith'

When the database tries to process this query, it returns an error like the following:

Server: Msg 170, Level 15, State 1, Line 1
Line 1: Incorrect syntax near 'hn'.

The reason for the error is that the injected single quote breaks the delimiter structure of the query. The database then tries to interpret "hn" as a command, which results in an error. Now suppose the attacker enters the following into the form:

Forename: jo'; drop table authors-- Surname:

The "authors" table will be deleted; we will look at why later.

You might think that stripping single quotes from the input form, or "escaping" them, would solve the problem. And you would be partly right; however, this method has a number of problems. First of all, not all data entered by the client is a "string". A user form may also pass the author's "id", which is a number. For example, our query might look like this:

select id, forename, surname from authors where id=1234

In this case an attacker can simply append arbitrary SQL after the numeric data. Other SQL dialects have further differences; in the Microsoft Jet DBMS, for example, the "#" character is also used as a delimiter. In other words, "escaping" single quotes is by no means the complete solution it might appear to be. We will discuss this in more detail later.
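The following Python program is an added example and is not part of Anley's paper or of this translation. It rebuilds the "authors" query from the text on an in-memory SQLite database (standing in for SQL Server; the single-quote rules for string literals are the same, only the error text differs) and shows three things the preceding paragraphs describe: concatenating user input into the query makes the jo'hn input a syntax error, doubling single quotes fixes the string case but does nothing for the unquoted numeric "id" field, and bound parameters with type validation handle both. The table and column names come from the text; the sample rows, function names and the "1234 + 1" input are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: the 'authors' table from the text with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table authors (id integer primary key, forename text, surname text)"
    )
    conn.executemany(
        "insert into authors values (?, ?, ?)",
        [(1234, "john", "smith"), (1235, "jane", "doe")],
    )
    conn.commit()
    return conn


def find_by_name_concat(conn, forename, surname):
    """Vulnerable: the text's query built by string concatenation.
    Input containing a single quote becomes part of the SQL syntax."""
    sql = (
        "select id, forename, surname from authors "
        "where forename = '" + forename + "' and surname = '" + surname + "'"
    )
    return conn.execute(sql).fetchall()


def find_by_name_escaped(conn, forename, surname):
    """Partial fix: doubling single quotes, the 'escaping' the text discusses.
    Adequate for quoted string literals only."""
    f = forename.replace("'", "''")
    s = surname.replace("'", "''")
    sql = (
        "select id, forename, surname from authors "
        "where forename = '" + f + "' and surname = '" + s + "'"
    )
    return conn.execute(sql).fetchall()


def find_by_id_escaped(conn, raw_id):
    """Still vulnerable: the numeric field is not quoted, so quote escaping
    leaves whatever follows the number to be parsed as SQL."""
    sql = "select id, forename, surname from authors where id=" + raw_id.replace("'", "''")
    return conn.execute(sql).fetchall()


def find_by_name_param(conn, forename, surname):
    """Correct fix: bound parameters; the driver never parses input as SQL."""
    sql = "select id, forename, surname from authors where forename = ? and surname = ?"
    return conn.execute(sql, (forename, surname)).fetchall()


def find_by_id_param(conn, raw_id):
    """Correct fix for the numeric case: validate the type, then bind.
    Returns None when the input is not an integer."""
    try:
        author_id = int(raw_id)
    except ValueError:
        return None  # reject rather than build SQL from unvalidated text
    sql = "select id, forename, surname from authors where id = ?"
    return conn.execute(sql, (author_id,)).fetchall()


def classify(fn, *args):
    """Run a lookup and report 'error' if the database rejects the query."""
    try:
        return fn(*args)
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    db = make_db()
    print("concat, jo'hn:   ", classify(find_by_name_concat, db, "jo'hn", "smith"))
    print("escaped, jo'hn:  ", find_by_name_escaped(db, "jo'hn", "smith"))
    print("param, jo'hn:    ", find_by_name_param(db, "jo'hn", "smith"))
    print("escaped id, text:", find_by_id_escaped(db, "1234 + 1"))
    print("param id, text:  ", find_by_id_param(db, "1234 + 1"))
```

The "1234 + 1" input is deliberately harmless: it shows that the escaped numeric query evaluates arithmetic supplied by the client and returns a different author's row, which is exactly the "append anything after the number" problem the text raises, while the validated, parameterised version refuses the input outright.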

Let us look at a login page based on Active Server Pages (ASP) that uses SQL to query the database in order to authenticate a user to an application.

Here is the code for the page that displays the login form, where the user enters an account name and password.

The login form as rendered (only its visible text survives in this copy):

Login Page
Login
Username:
Password:

Below is the code (process_login.asp) that handles the submitted login data.