unixwiz.net — Check out this article if you've ever wondered how SQL injection attacks can make your site vulnerable, or if you're just curious.
Jun 6, 2006
mailbox125, Jun 7, 2006
how is this news? if you do not validate user input bad things will happen. the example in this article covers the most basic form of sql injection there is. it is often the example people use just so people will understand the concept. quite frankly any dynamic sql that does not check for single quotes is amateur hour crap. there is nothing discussed here that has not been known and covered for years.
Closed Account, Jun 7, 2006
If you want to see one in action, just install PHPNuke and wait...
philoushka, Jun 7, 2006
Developers: Parameters, Parameters, Parameters! I LOVE THIS DB ENGINE! Whoooo! Honestly, if your DBA allows you to execute pass-thru SQL statements, they need to find a new *hobby*. All Stored Procs, All The Time.
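To make the "parameters" point concrete, here is an added example (not from the unixwiz.net article or from any commenter) using Python's sqlite3 module and a constructed two-row users table. It shows the same login query built by string concatenation and with bound parameters, driven by two hypothetical attacker inputs: a tautology in the password field and a `--` comment in the username field.

```python
import sqlite3


def make_db():
    """Constructed in-memory database for the demonstration (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: pass-through SQL built by string formatting.

    A single quote in the input ends the string literal, so whatever follows is
    parsed as SQL. Returns the usernames the database considers authenticated.
    """
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, username, password):
    """The fix: bound parameters. The statement text is fixed and the driver
    passes the values separately, so a quote in the input stays inside the value."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


# Hypothetical attacker inputs (constructed for this example).
TAUTOLOGY = "' OR '1'='1"   # password field: WHERE ... AND password = '' OR '1'='1'
COMMENT_OUT = "alice'--"    # username field: '--' comments out the password check


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:     ", login_vulnerable(db, "alice", TAUTOLOGY))
    print("vulnerable, comment-out:   ", login_vulnerable(db, COMMENT_OUT, "wrong"))
    print("parameterized, tautology:  ", login_parameterized(db, "alice", TAUTOLOGY))
    print("parameterized, comment-out:", login_parameterized(db, COMMENT_OUT, "wrong"))
```

The vulnerable version returns both users for the tautology and logs in as alice with a bogus password for the comment payload; the parameterized version returns nothing for either, because the quote and the `--` are compared against the stored values rather than parsed. Whether the fixed statement lives in application code or in a stored procedure, the property that matters is the same: user input never becomes statement text.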
xoligy, Jun 7, 2006
It happens because you choose to trust a 12 year old developer because they charge peanuts. Do research before buying services. Cheaper isn't better.
xoligy, Jun 7, 2006
Why are you digging him down? He asked a valid question.
andynet, Feb 21, 2010
The process of detecting and reverting SQL injection attacks with Sax2

Some IDS software can effectively detect SQL injection attacks, whereas a firewall cannot. Now we go through the process of detecting and reverting SQL injection attacks with the IDS software Sax2.

The steps of a SQL injection attack are:
a) Determine the environment to find the injection point.
b) Determine the type of database.
c) Guess the table.
d) Guess the field.
e) Guess the content.

The steps "Guess the table", "Guess the field" and "Guess the content" are the most important ones in the whole process of a SQL injection attack. Let's analyze these three steps.

Sax2 detects the attacks on the network and raises alarms in real time. When there is a SQL injection attack, it is shown in the Event table, see Figure 1.

Figure 1: Sax2 alarms on the MS SQL injection attack in real time

The selected event in Figure 1 shows the attacker's IP 192.168.21.103 and the victim's IP 125.65.112.10. In the Original Communication view, the original message is "select * from [dirs]", which means a query as to whether there is a table named "dirs" in the current database. The attacker will repeat the operation to find the expected table. If he finds the corresponding table in the database, he will try to guess the fields in the table.

Figure 2: Sax2 analysis showing the attacker guessing the field in the admin database

The code in the red circle in Figure 2 shows the attacker guessing the "paths" field in the admin database. Again, the attacker will repeat the operation until he finds the corresponding field. After finding the corresponding field, the attacker will determine the length of the field and guess its content. The SQL injection attack is complete once the attacker has successfully guessed the content of the field.

Sometimes the attacker has to decrypt the content if it is MD5 encrypted. The above is the whole process of a SQL injection attack and how we detect it with Sax2. As we can see, Sax2 can effectively detect and alarm on SQL injection attacks when they occur. The IDS software Sax2 is a useful tool against SQL injection attacks and, combined with firewall software, improves your network security.
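The enumeration sequence described in the comment above (find the injection point, guess the table, guess the field, then determine the length and guess the content) leaves a recognizable trail in ordinary web-server logs, not only on the wire. The following added example, which is not part of the post and has nothing to do with Sax2, classifies constructed access-log lines into those phases. The source address and the names `dirs`, `admin` and `paths` follow the post; the request payloads are hypothetical MS SQL-style probes, since the post does not show the actual requests, and an `and 1=1` / `and 1=2` pair stands in for step a). Step b), fingerprinting the database type, is not modelled.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (hypothetical; the post shows no raw requests).
# One benign client, 10.0.0.7, is included, with a search query that contains
# the word "select" so that a keyword-only detector would flag it by mistake.
SAMPLE_LOG = """\
192.168.21.103 - - [21/Feb/2010:10:01:02 +0000] "GET /show.asp?id=12 HTTP/1.1" 200 5120
192.168.21.103 - - [21/Feb/2010:10:01:09 +0000] "GET /show.asp?id=12%20and%201=1 HTTP/1.1" 200 5120
192.168.21.103 - - [21/Feb/2010:10:01:11 +0000] "GET /show.asp?id=12%20and%201=2 HTTP/1.1" 200 1830
192.168.21.103 - - [21/Feb/2010:10:01:20 +0000] "GET /show.asp?id=12%20and%20exists(select%20*%20from%20[dirs]) HTTP/1.1" 200 5120
192.168.21.103 - - [21/Feb/2010:10:01:25 +0000] "GET /show.asp?id=12%20and%20exists(select%20*%20from%20[admin]) HTTP/1.1" 200 5120
192.168.21.103 - - [21/Feb/2010:10:01:31 +0000] "GET /show.asp?id=12%20and%20exists(select%20paths%20from%20admin) HTTP/1.1" 200 5120
192.168.21.103 - - [21/Feb/2010:10:01:40 +0000] "GET /show.asp?id=12%20and%20(select%20top%201%20len(paths)%20from%20admin)>5 HTTP/1.1" 200 5120
192.168.21.103 - - [21/Feb/2010:10:01:44 +0000] "GET /show.asp?id=12%20and%20(select%20top%201%20ascii(substring(paths,1,1))%20from%20admin)>96 HTTP/1.1" 200 5120
10.0.0.7 - - [21/Feb/2010:10:02:00 +0000] "GET /show.asp?id=7 HTTP/1.1" 200 4010
10.0.0.7 - - [21/Feb/2010:10:02:05 +0000] "GET /search.asp?q=select+committee+minutes HTTP/1.1" 200 2200
"""

# Common log format prefix: client address, two ignored fields, timestamp, request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')

# One SQL identifier, with or without the [brackets] MS SQL allows.
IDENT = r"\[?([a-z_][a-z0-9_]*)\]?"

# Attack phases from the post, most specific first. Each regex is applied to the
# URL-decoded, lower-cased query string. Patterns key on SQL structure
# (exists(select ... from ...), select top 1 fn(...) from ...), not bare keywords.
PHASES = [
    ("guess content", re.compile(
        r"select\s+top\s+1\s+(?:len|ascii|substring|asc|mid)\s*\(\s*"
        r"(?:(?:substring|mid)\s*\(\s*)?" + IDENT + r".*?\s+from\s+" + IDENT)),
    ("guess field", re.compile(r"exists\s*\(\s*select\s+" + IDENT + r"\s+from\s+" + IDENT)),
    ("guess table", re.compile(r"exists\s*\(\s*select\s+\*\s+from\s+" + IDENT)),
    ("find injection point", re.compile(r"\band\s+1\s*=\s*[12]\b")),
]


def classify(query):
    """Return (phase, table, column) when the query string looks like one of the
    enumeration probes, or None for anything else."""
    q = unquote_plus(query).lower()
    for phase, rx in PHASES:
        m = rx.search(q)
        if not m:
            continue
        groups = m.groups()
        if len(groups) == 2:          # regex captured (column, table)
            return phase, groups[1], groups[0]
        if len(groups) == 1:          # regex captured (table,)
            return phase, groups[0], None
        return phase, None, None      # no identifiers in this phase
    return None


def summarize(log_text):
    """Group probes by source address: number of probes, phases in order of first
    appearance, and the table and column names the attacker tried."""
    report = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify(m.group("path").partition("?")[2])
        if hit is None:
            continue
        phase, table, column = hit
        entry = report.setdefault(m.group("ip"),
                                  {"probes": 0, "phases": [], "tables": set(), "columns": set()})
        entry["probes"] += 1
        if phase not in entry["phases"]:
            entry["phases"].append(phase)
        if table:
            entry["tables"].add(table)
        if column:
            entry["columns"].add(column)
    return report


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {entry['probes']} probes, phases {entry['phases']}, "
              f"tables {sorted(entry['tables'])}, columns {sorted(entry['columns'])}")
```

Run against the constructed log, the report names 192.168.21.103 only, with the four phases in the order the comment lists them, the tables `dirs` and `admin`, and the column `paths`; the benign client's `select committee minutes` search is not flagged because the patterns require the surrounding SQL structure. The `1=1` / `1=2` pair is also visible in the differing response sizes (5120 versus 1830 bytes), which is the signal a blind attacker is reading. The patterns cover the MS SQL syntax of the post's example (with Access-style `asc`/`mid` thrown in); other engines, such as MySQL with `LIMIT`, would need their own entries.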