Testing for SQL Injection Vulnerabilities

SQL injection attacks pose tremendous risks to web applications that depend on a database backend to generate dynamic content. In this type of attack, an attacker manipulates a web application in an attempt to inject their own SQL commands into the statements the application issues to the database. For an example, see the article SQL Injection Attacks on Databases. In this article, we look at several ways you can test your web applications to determine whether they are vulnerable to SQL injection.

Automated SQL Injection Scanning

One option is to use an automated web application vulnerability scanner, such as HP's WebInspect, IBM's AppScan or Cenzic's Hailstorm. These tools all offer easy, automated ways to analyse your web applications for potential SQL injection vulnerabilities. However, they are quite expensive, running up to $25,000 per seat.

Manual SQL Injection Tests

What is a developer on a small budget to do? You can actually run some basic tests to evaluate your web applications for SQL injection vulnerabilities using nothing more than a web browser. First, a word of caution: the tests described here only look for basic SQL injection flaws. They will not detect advanced techniques (blind injection, for example) and are somewhat tedious to use. If you can afford it, go with an automated scanner. However, if you cannot handle that price tag, manual testing is a good first step.

The easiest way to evaluate whether an application is vulnerable is to experiment with innocuous injection attacks that will not actually harm your database if they succeed, but will give you evidence that you need to fix the problem. For example, suppose you have a simple web application that looks up a person in a database and returns their contact information. The page might use a URL of the following form:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike

We can assume that this page retrieves the information from the database using a query similar to the following:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike'

Let's experiment with this a bit. Given our assumption above, we can make a simple change to the URL that tests for SQL injection:

http://myfakewebsite.com/directory.asp?lastname=chapple&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1

If the web application has not been properly protected against SQL injection, it simply plugs this fake first name into the SQL statement it executes against the database, resulting in:

SELECT phone FROM directory WHERE lastname = 'chapple' and firstname = 'mike' AND (select count(*) from fake) > 0 OR '1' = '1'

You will notice that the syntax above is a little different from that in the URL. I took the liberty of converting the URL-encoded characters to their ASCII equivalents to make the example easier to follow. For example, %3d is the URL encoding of '=' and %3e of '>', and each '+' stands for a space. The reference to a table named fake, which does not exist, is deliberate: the probe reveals itself by producing a database error rather than by reading or changing any data, which is what makes it safe to run. The trailing OR '1'='1 simply balances the closing quote that the application appends to the value.
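The steps above carried out in code, as an added example that is not part of the original article. It decodes the probe URL the way the server would, builds the query by string concatenation as directory.asp is assumed to do, and runs it against a small constructed SQLite table standing in for the SQL Server database, alongside a quote-stripping version and a parameterized version. The table contents and the use of SQLite are assumptions for this example; SQLite reports the missing table as "no such table: fake" rather than with the ODBC message shown later in the article.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# The probe URL from the article, exactly as a browser would send it.
# '+' encodes a space, %3e is '>' and %3d is '='.
PROBE_URL = ("http://myfakewebsite.com/directory.asp?lastname=chapple"
             "&firstname=mike'+AND+(select+count(*)+from+fake)+%3e0+OR+'1'%3d'1")


def query_params(url):
    """Decode the query string the way the web server hands it to the page."""
    return {name: values[0] for name, values in parse_qs(urlsplit(url).query).items()}


def build_vulnerable_sql(lastname, firstname):
    """Build the statement by string concatenation, as the article assumes directory.asp does."""
    return ("SELECT phone FROM directory WHERE lastname = '%s' and firstname = '%s'"
            % (lastname, firstname))


def lookup_vulnerable(conn, lastname, firstname):
    """Execute the concatenated statement. Returns ('ok', rows) or ('error', message)."""
    try:
        return ("ok", conn.execute(build_vulnerable_sql(lastname, firstname)).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))


def lookup_quote_stripping(conn, lastname, firstname):
    """The 'well-behaved' application from the article: single quotes are removed first.

    This defeats the probe but is not a robust defence (a numeric field, for
    instance, is compared without any quotes, so there is nothing to strip)."""
    return lookup_vulnerable(conn, lastname.replace("'", ""), firstname.replace("'", ""))


def lookup_parameterized(conn, lastname, firstname):
    """The proper fix: bound parameters, so the input is only ever compared as data."""
    rows = conn.execute(
        "SELECT phone FROM directory WHERE lastname = ? and firstname = ?",
        (lastname, firstname),
    ).fetchall()
    return ("ok", rows)


def make_db():
    """Constructed in-memory table standing in for the directory database (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (lastname TEXT, firstname TEXT, phone TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?, ?)",
                     [("chapple", "mike", "555-0100"), ("smith", "jane", "555-0199")])
    return conn


if __name__ == "__main__":
    params = query_params(PROBE_URL)
    conn = make_db()
    print(build_vulnerable_sql(params["lastname"], params["firstname"]))
    for lookup in (lookup_vulnerable, lookup_quote_stripping, lookup_parameterized):
        print(lookup.__name__, lookup(conn, params["lastname"], params["firstname"]))
    # The same injection point with a real table name reads every row instead of erroring.
    print(lookup_vulnerable(conn, "chapple", "mike' OR '1'='1"))
```

Running it prints the injected statement, then an error from the concatenating version, an empty result from the quote-stripping version (the odd first name simply matches nobody, as the article's "No user found" message shows) and an empty result from the parameterized version. The last line shows why the same flaw matters: with a table that exists, the OR clause returns every phone number in the directory.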

Evaluating the Results

The test comes when you try to load the page with the URL listed above. If the web application is well-behaved, it strips the single quotes out of the input before passing the query to the database. (Stripping or escaping quotes is a brittle defence; parameterized queries, in which the database never parses user input as SQL, are the proper fix. An application that filters quotes will, however, at least not fail this particular probe.) The request then simply becomes an odd lookup for someone whose first name contains a pile of SQL, and you will see an error message from the application similar to the one below:

Error: No user found with name mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple!

On the other hand, if the application is vulnerable to SQL injection, it passes the statement directly to the database, resulting in one of two possibilities. First, if your server has detailed error messages enabled (which it should not!), you will see something like this:

Microsoft OLE DB Provider for ODBC Drivers error '80040e37' [Microsoft][ODBC SQL Server Driver][SQL Server]Invalid object name 'fake'. /directory.asp, line 13

Alternatively, if your web server does not display detailed error messages, you will get a more generic error, such as:

Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator to inform them of the time the error occurred and of anything you might have done that may have caused the error. More information about this error may be available in the server error log.
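The decision procedure of this section as code, added here and not taken from the original article. The three probe responses are constructed from the messages quoted above; the baseline comparison (fetch the unmodified URL just before the probe and treat a 500 as meaningful only if the baseline succeeded) and the error signatures for engines other than SQL Server are additions for this example, since a generic Internal Server Error has many possible causes.

```python
import re

# Constructed responses (status code, body) modelled on the outcomes described
# in the article. They are sample data for this example only.
BASELINE_OK = (200, "mike chapple: 555-0100")  # the unmodified URL returning a record
SAFE_RESPONSE = (200, "Error: No user found with name "
                      "mike+AND+(select+count(*)+from+fake)+%3e0+OR+1%3d1 Chapple!")
VERBOSE_ERROR = (500, "Microsoft OLE DB Provider for ODBC Drivers error '80040e37' "
                      "[Microsoft][ODBC SQL Server Driver][SQL Server]"
                      "Invalid object name 'fake'. /directory.asp, line 13")
GENERIC_ERROR = (500, "Internal Server Error The server encountered an internal error "
                      "or misconfiguration and was unable to complete your request.")

# Signatures of a database error leaking through the page. The first two come
# from the article's SQL Server example; the rest are the equivalent messages
# of other common engines, added as an extension.
DB_ERROR_PATTERNS = [
    re.compile(r"OLE DB Provider for ODBC Drivers error '[0-9a-fA-F]{8}'"),
    re.compile(r"Invalid object name '"),
    re.compile(r"You have an error in your SQL syntax"),       # MySQL
    re.compile(r"ERROR:\s+relation \".*\" does not exist"),    # PostgreSQL
    re.compile(r"ORA-\d{5}"),                                   # Oracle
]


def classify(baseline, probe):
    """Return a verdict for one injected request.

    baseline: (status, body) for the unmodified URL, fetched just before the probe.
    probe:    (status, body) for the URL carrying the injected first name.
    """
    base_status, _ = baseline
    probe_status, probe_body = probe
    if base_status >= 500:
        # The page is already failing; a 500 on the probe proves nothing.
        return "inconclusive"
    for pattern in DB_ERROR_PATTERNS:
        if pattern.search(probe_body):
            return "vulnerable (database error disclosed)"
    if probe_status >= 500:
        return "vulnerable (request failed only with SQL injected)"
    return "not vulnerable to this probe"


if __name__ == "__main__":
    for name, probe in (("safe", SAFE_RESPONSE), ("verbose", VERBOSE_ERROR),
                        ("generic", GENERIC_ERROR)):
        print(name, "->", classify(BASELINE_OK, probe))
    print("broken baseline ->", classify(GENERIC_ERROR, GENERIC_ERROR))
```

A verdict of "not vulnerable to this probe" means exactly that: the application survived one basic string-context injection, not that it is free of SQL injection elsewhere.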

If you receive either of the two errors above, your application is vulnerable to SQL injection! Because a generic Internal Server Error can have many causes, confirm the finding by loading the unmodified URL immediately before and after the probe: if the normal lookup works and only the injected request fails, the failure is the injection. Some steps that you can take to protect your applications against SQL injection attacks include: