SQL Injection Attack (SQLi)

Learn what SQLi attacks are, who they target, and how they differ from other types of cyberattacks.


What is a SQL injection attack?

Structured Query Language (SQL) is a language designed to manipulate and manage data in a database. Since its inception, SQL has steadily found its way into many commercial and open source databases. SQL injection (SQLi) is a type of cybersecurity attack that targets these databases using specially crafted SQL statements to trick the systems into doing unexpected and undesired things.


Actions a successful attacker may take against the compromised target include:

  • Bypassing authentication
  • Exfiltrating/stealing data
  • Modifying or corrupting data
  • Deleting data
  • Running arbitrary code
  • Gaining root access to the system itself

How dangerous is SQL injection?

If carried out successfully, SQL injections have the potential to be incredibly detrimental to any business or individual. Once sensitive data is compromised in an attack, it can be difficult to ever fully recover.

Databases are commonly targeted for injection through an application (such as a website, which requests user input and then does a lookup in a database based on that input), but they can also be targeted directly. SQL injection attacks are listed in the OWASP Top 10 application security risks that companies need to address.

Types of SQL injection attacks

SQL injection attacks can be carried out in a number of ways. Attackers may observe a system's behavior before selecting a particular attack vector/method.

Unsanitized input

Unsanitized input is a common type of SQLi attack in which the attacker provides user input that isn't properly sanitized for characters that should be escaped, and/or the input isn't validated to be the correct/expected type.

For example, a website used to pay bills online might request the user's account number in a web form and then send that to the database to pull up the associated account information. If the web application is building a SQL query string dynamically with the account number the user provided, it might look something like this:

            "SELECT * FROM customers WHERE account = '" + userProvidedAccountNumber + "';"

While this works for users who are properly entering their account number, it leaves the door open for attackers. For example, if someone decided to provide an account number of "' or '1' = '1", that would result in a query string of:

            "SELECT * FROM customers WHERE account = '' or '1' = '1';"

Since '1' = '1' always evaluates to TRUE, sending this statement to the database will result in data for all customers being returned instead of just a single customer.
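The two query strings above, run against a small constructed customers table so the difference in behaviour is visible. This is an added example using Python's sqlite3 module, not code from the original article; the table contents, the account numbers and the function names are constructed for the demonstration. The hardened variant passes the account number as a bound parameter instead of splicing it into the SQL text.

```python
import sqlite3

# Constructed sample data: a small in-memory "customers" table so the example runs offline.
CUSTOMERS = [
    (1, "10001", "Alice Example"),
    (2, "10002", "Bob Example"),
    (3, "10003", "Carol Example"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, account TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_dynamic(conn: sqlite3.Connection, user_provided_account_number: str) -> list:
    """Vulnerable: builds the query by string concatenation, exactly like the article's example.
    Whatever the user typed becomes part of the SQL statement itself."""
    query = "SELECT * FROM customers WHERE account = '" + user_provided_account_number + "';"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_provided_account_number: str) -> list:
    """Hardened: the account number travels as a bound parameter and is only ever
    compared as a value, so quotes inside it cannot change the statement."""
    query = "SELECT * FROM customers WHERE account = ?;"
    return conn.execute(query, (user_provided_account_number,)).fetchall()


def demo() -> dict:
    """Run both lookups with a legitimate account number and with the article's payload;
    returns how many customer rows each variant hands back."""
    conn = make_db()
    payload = "' or '1' = '1"  # the "account number" from the article's example
    return {
        "legit_dynamic": len(lookup_dynamic(conn, "10002")),
        "legit_parameterized": len(lookup_parameterized(conn, "10002")),
        "payload_dynamic": len(lookup_dynamic(conn, payload)),
        "payload_parameterized": len(lookup_parameterized(conn, payload)),
    }


if __name__ == "__main__":
    print(demo())
```

With a real account number both variants return exactly one row. With the payload, the concatenated query collapses to `account = '' or '1' = '1'` and returns every customer, while the parameterized query looks for a customer whose account is literally the string `' or '1' = '1` and returns nothing.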

Blind SQL injection

Also known as inferential SQL injection, a blind SQL injection attack doesn't reveal data directly from the database being targeted. Instead, the attacker closely examines indirect clues in behavior. Details within HTTP responses, blank web pages for certain user input, and how long it takes the database to respond to certain user input are all things that can be clues depending on the goal of the attacker. They could also point to another SQLi attack avenue for the attacker to try.

Out-of-band injection

This attack is a bit more complex and may be used by an attacker when they cannot achieve their goal in a single, direct query-response attack. Generally, the attacker will craft SQL statements which, when presented to the database, will trigger the database system to create a connection to an external server the attacker controls. In this fashion, the attacker can harvest data or potentially control the behavior of the database.

A second-order injection is a type of out-of-band injection attack. In this case, the attacker provides a SQL injection that gets stored and later executed by a separate behavior of the database system. When the secondary system behavior occurs (it could be something like a time-based job or something triggered by other typical admin or user use of the database) and the attacker's SQL injection is executed, that is when the attacker "reaches out" to control the system.

SQL injection example

For this SQL injection example, let's use two database tables, Users and Contacts. The Users table may be as simple as having just three fields: ID, username, and password. The Contacts table has more information about the users, such as UserID, FirstName, LastName, Address1, Email, CreditCardNumber, and SecurityCode.

The Users table contains login information such as:

  1. jsmith, P@$$w0rd
  2. sbrown, WinterIsComing!
  3. kcharles, Sup3rSecur3Password$

Note: Passwords should always be hashed and salted when stored in a database and never in cleartext.

When someone wants to log in, they'll go to the login page and enter their username and password. This information is then sent to the web server, which will construct a SQL query and send that query to the database server. An example of this query might be:

SELECT ID FROM Users WHERE username = 'jsmith' AND password = 'P@$$w0rd'

The way SQL works is that it will then perform a true or false comparison for each row that the query requests. In our case, the query says to check the Users table and give back the ID value for every row where the username is jsmith and the password is P@$$w0rd. Often, the web server will then check what is returned by the database server and whether it is a number. In our case, the web server would receive back a 1 and let the user past the login page.

But what if we wanted to use this maliciously? Because the database server performs a true/false check, we can trick it into believing we have successfully authenticated. We can do this by adding an OR to the password. If we log in with x' or 1=1 as our password, that will create a new SQL query that looks like:

SELECT ID FROM Users WHERE username = 'jsmith' AND password = 'x' or 1=1

This works for us because x is not jsmith's password, so the database server then checks the second condition. If x is not jsmith's password, then does 1 equal 1? It does! The ID will be sent back to the application and the user will be successfully authenticated.

It doesn't have to be a 1=1 condition. Any two equal values will work: 2=2, 4726=4726, or even a=a.

If a web page is able to display data, it can also be used to print additional data to the screen. To access the data, we can try chaining two SQL requests together. In addition to ' or 1=1, we can add a second statement, such as UNION SELECT LastName, CreditCardNumber, SecurityCode FROM Contacts. Additional clauses like this may take extra work, but getting access to data is the ultimate goal of a SQL injection attack.

Another technique that can be used for blind SQL injection, the kind where no data is sent back to the screen, is to inject other hints. Similar to the ' or 1=1 condition, we can tell the server to sleep. We could add ' or sleep(10), which tells the database server to take a 10-second nap, so all responses are delayed.

How to prevent SQL injection attacks

The following suggestions can help prevent an SQL injection attack from succeeding:

Don't use dynamic SQL

Sanitize user-provided input

  • Properly escape those characters that should be escaped.
  • Validate that the type of data submitted matches the expected type.

Don't leave sensitive data in plaintext

  • Encrypt private/confidential data stored in the database.
  • Salt the encrypted hashes.
  • This also provides another level of protection in case an attacker successfully exfiltrates sensitive data.

Limit database permissions and privileges

  • Set the capabilities of the database user to the bare minimum required.
  • This will limit what an attacker can do if they manage to gain access.

Avoid displaying database errors directly to the user. Attackers can use these error messages to gain information about the database.

Use a web application firewall (WAF) for web applications that access databases

  • This provides protection for web-facing applications.
  • It can help identify SQL injection attempts.
  • Depending on the setup, it can also help prevent SQL injection attempts from reaching the application (and, therefore, the database).

Use web application security testing to regularly test web applications that interact with databases. Doing so can help catch new bugs or regressions that could allow SQL injection.

Keep databases updated to the latest available patches. This prevents attackers from exploiting known weaknesses/bugs present in older versions.
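A login routine for the Users table from the example earlier in the article that applies several of the suggestions above at once: input validation before any query, a parameterized query instead of dynamic SQL, salted password hashes instead of cleartext, a read-only database connection as a stand-in for a least-privilege database account, and a generic error result so raw database errors never reach the user. This is an added example in Python with sqlite3, not code from the article; the username policy, the PBKDF2 parameters, the status strings and the sample accounts are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Constructed sample accounts mirroring the article's Users table. Only a per-user
# salt and a PBKDF2 hash are stored; the cleartext password never reaches the table.
SAMPLE_USERS = [
    (1, "jsmith", "P@$$w0rd"),
    (2, "sbrown", "WinterIsComing!"),
    (3, "kcharles", "Sup3rSecur3Password$"),
]
# Assumed username policy for this example: lowercase letters, digits, underscore.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")
PBKDF2_ROUNDS = 100_000  # assumed work factor for the demonstration


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    """Build the in-memory Users table, then make the connection read-only
    (PRAGMA query_only) to mimic a database account that can only SELECT."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (ID INTEGER PRIMARY KEY, username TEXT UNIQUE, salt BLOB, pwhash BLOB)"
    )
    for uid, name, password in SAMPLE_USERS:
        salt = os.urandom(16)
        conn.execute(
            "INSERT INTO Users VALUES (?, ?, ?, ?)", (uid, name, salt, hash_password(password, salt))
        )
    conn.commit()
    conn.execute("PRAGMA query_only = 1")
    return conn


def login(conn: sqlite3.Connection, username: str, password: str):
    """Return (status, user_id); status is 'ok', 'invalid_input', 'denied' or 'error'.
    The caller never receives raw database error text."""
    if not USERNAME_RE.match(username):
        return ("invalid_input", None)  # reject before the input gets near the database
    try:
        row = conn.execute(
            "SELECT ID, salt, pwhash FROM Users WHERE username = ?", (username,)
        ).fetchone()
    except sqlite3.Error as exc:
        # Record the detail server-side (print stands in for a logger); the user sees only 'error'.
        print("database error during login:", type(exc).__name__)
        return ("error", None)
    if row is None:
        return ("denied", None)
    user_id, salt, stored = row
    # Constant-time comparison of the recomputed hash; the password is never part of any SQL.
    if hmac.compare_digest(hash_password(password, salt), stored):
        return ("ok", user_id)
    return ("denied", None)


def can_write(conn: sqlite3.Connection) -> bool:
    """True if the login connection could modify data; with least privilege it should not."""
    try:
        conn.execute("DELETE FROM Users WHERE ID = 1")
        return True
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    db = make_db()
    print(login(db, "jsmith", "P@$$w0rd"))     # ('ok', 1)
    print(login(db, "jsmith", "x' or 1=1"))     # ('denied', None)
    print(login(db, "jsmith' --", "anything"))  # ('invalid_input', None)
    print(can_write(db))                        # False
```

The article's bypass password x' or 1=1 is simply hashed and compared, so it fails like any other wrong password; a username that violates the format policy is refused before a query is built; and because the connection is read-only, even a successful injection through some other path could not delete or alter rows.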

SQL injection is a popular attack method for adversaries, but by taking the proper precautions, such as ensuring that data is encrypted, that you protect and test your web applications, and that your patches are up to date, you can take meaningful steps toward keeping your data secure.