SQL INJECTION ATTACKS: DAMAGE AND PREVENTION
Lê Đình Duy, Faculty of Information Technology, University of Natural Sciences, Ho Chi Minh City. Email: [email protected]

1. What is SQL injection?

When deploying web applications on the Internet, many people still think that securing them against attackers is simply a matter of choosing the operating system, the database management system and the web server the application will run on, and forget that the application itself can carry a very serious security hole. One of these holes is SQL injection. In Vietnam, website administrators have moved past the period of worrying only about scanning for viruses and applying patches to system software, yet the bugs in the applications themselves still receive very little attention. That is why, in recent times, quite a number of Vietnamese websites have been attacked, and most of those attacks exploited SQL injection [1]. So what is SQL injection?

SQL injection is a technique that lets attackers exploit weaknesses in how a web application validates its input, together with the error messages returned by the database management system, to "inject" and execute illegitimate SQL statements that the application's developer never anticipated. The consequences are severe: the attacker can delete or modify data and effectively gains full control over the application's database, and sometimes over the server the application runs on. The flaw typically occurs in web applications whose data is managed by a DBMS such as SQL Server, MySQL, Oracle, DB2 or Sybase.

2. Forms of SQL injection attack

There are four common forms: bypassing the login check (authorization bypass), using the SELECT statement, using the INSERT statement, and using stored procedures [2], [3].

2.1. Bypassing the login check

In this form of attack, an attacker can easily get past a login page thanks to a flaw in the SQL statements the application uses to operate on its database.

Consider a typical example. To let users access protected pages, a system usually builds a login page that asks the user for a username and a password.
After the user submits this information, the system checks whether the username and password are valid in order to decide whether to allow or refuse further access. In this case one can use two pages: an HTML page that displays the input form and an ASP page that processes the user's input. For example, login.htm:

    Username:
    Password:

and execlogin.asp.

At first glance the code in execlogin.asp appears to contain no security hole at all: a user cannot log in without a valid username and password. Yet this code is genuinely unsafe and sets the stage for a SQL injection flaw. Specifically, the weak point is that the data entered by the user is used directly to build the SQL statement, and that is exactly what lets an attacker control the query that gets executed. For example, if the user types the following string into both the username and the password fields of login.htm:

' OR ''='

then the query submitted for execution is:

SELECT * FROM T_USERS WHERE USR_NAME = '' OR ''='' and USR_PASSWORD = '' OR ''=''

This query is valid and returns every record in T_USERS, and the code that follows treats this illegitimate login as though it were a legitimate one.

2.2. Attacks using the SELECT statement

This form of attack is more complex. To carry it out, the attacker must be able to understand and exploit the weaknesses in the system's error messages in order to locate the points at which an attack can be mounted.

Consider a very common example from news websites. There is usually a page that receives the ID of the news item to be displayed and then queries for the content of the item with that ID, for example http://www.myhost.com/shownews.asp?ID=123. The source code for this function is usually written quite simply. Under normal conditions this code displays the content of the item whose ID matches the one supplied, and no flaw is apparent. However, just like the login example, this code is an opening for another SQL injection flaw. The attacker can replace the valid ID with a different value and from there launch an illegitimate attack, for example 0 OR 1=1 (that is, http://www.myhost.com/shownews.asp?ID=0 or 1=1). The SQL query then returns every article from the table, because the statement executed is:

SELECT * FROM T_NEWS WHERE NEWS_ID=0 or 1=1

Another case is a search page.
This page lets the user enter search criteria such as first and last name, and the code commonly used for it follows the same pattern. As above, an attacker can exploit the weakness in the SQL query by entering the following string into the author's name field:

' UNION SELECT ALL SELECT OtherField FROM OtherTable WHERE ''=' (*)

Now, besides the first query, which fails, the program also executes the statement that follows the UNION keyword.

Of course the examples above look harmless enough, but imagine an attacker deleting the entire database by injecting dangerous statements such as DROP TABLE, for instance:

' DROP TABLE T_AUTHORS --

You may be wondering how to tell whether a web application is vulnerable to this flaw. It is very simple: enter the string (*) above, and if the system reports a syntax error of the form Invalid object name 'OtherTable', you know for certain that the system executed the SELECT after the UNION keyword, which is the only way it could return the error deliberately provoked in that SELECT statement.

You may also wonder how the names of the tables can be discovered in order to carry out destructive operations once a web application is found to have a SQL injection flaw. This too is very simple: in SQL Server, the two objects sysobjects and syscolumns list the names of every table and column in the system. It is enough to adjust the SELECT statement, for example:

' UNION SELECT name FROM sysobjects WHERE xtype = 'U'

which lists the names of all the tables in the database.

2.3. Attacks using the INSERT statement

Web applications usually let users register an account in order to participate. An indispensable feature is that, once registered, the user can view and edit their own information. SQL injection can be used when the system does not validate the information entered. For example, an INSERT statement may take the form INSERT INTO TableName VALUES('Value One', 'Value Two', 'Value Three'). If the code that builds this SQL statement concatenates the user's values directly, it is certainly vulnerable to SQL injection, because entering the following into the first field, for example:

' + (SELECT TOP 1 FieldName FROM TableName) + '

turns the query into:

INSERT INTO TableName VALUES('' + (SELECT TOP 1 FieldName FROM TableName) + '', 'abc', 'def')

When the information is later displayed, it is as if you had asked for one more statement to be executed:

SELECT TOP 1 FieldName FROM TableName
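The query construction described in sections 2.1 and 2.2, reproduced as an added example (not code from the article) in Python with an in-memory SQLite database standing in for SQL Server; the T_USERS and T_NEWS rows are constructed sample data.

```python
import sqlite3

def _db():
    """Constructed sample tables standing in for the article's T_USERS and T_NEWS."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE T_USERS (USR_NAME TEXT, USR_PASSWORD TEXT)")
    con.execute("CREATE TABLE T_NEWS (NEWS_ID INTEGER, TITLE TEXT)")
    con.executemany("INSERT INTO T_USERS VALUES (?, ?)", [("alice", "s3cret"), ("bob", "hunter2")])
    con.executemany("INSERT INTO T_NEWS VALUES (?, ?)", [(123, "first"), (124, "second"), (125, "third")])
    return con

def build_login_query(username, password):
    """The construction the article describes for execlogin.asp: raw input spliced into the SQL text."""
    return ("SELECT * FROM T_USERS WHERE USR_NAME = '" + username
            + "' AND USR_PASSWORD = '" + password + "'")

def build_news_query(news_id):
    """The construction described for shownews.asp: a numeric ID sits in the query without quotes."""
    return "SELECT * FROM T_NEWS WHERE NEWS_ID = " + news_id

def rows_returned(query):
    """Execute the assembled query and return the number of rows the application would see."""
    return len(_db().execute(query).fetchall())

if __name__ == "__main__":
    tautology = "' OR ''='"   # the string from section 2.1, typed into both fields
    print(build_login_query(tautology, tautology))
    print("login rows:", rows_returned(build_login_query(tautology, tautology)))  # every user
    print("news rows:", rows_returned(build_news_query("0 OR 1=1")))              # every article
```

Because the input becomes part of the statement text, the WHERE clause in both cases ends in a condition that is true for every row, which is exactly what the application then treats as a successful match.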
2.4. Attacks using stored procedures

Attacks through stored procedures cause very great damage if the application runs with the sa (system administrator) privilege. For example, if the injected fragment is changed to:

'; EXEC xp_cmdshell 'cmd.exe dir C:'

the system then lists the directories on the server's C: drive. What kind of damage is done depends entirely on the command that follows cmd.exe.

3. How to prevent it

As we have seen, a SQL injection flaw exploits carelessness on the part of web application developers when they handle input data to build SQL statements. The damage done depends on the environment and on how the system is configured. If the application uses the dbo privilege (the database owner's privilege) for its data operations, it can delete all the tables, create new tables, and so on. If the application uses the sa privilege (the system administrator's), it can control the entire DBMS, and with such broad rights it can create illegitimate user accounts to take control of your system. Prevention can be carried out at two levels:

3.1. Strictly control the input data

To prevent the risks described, protect the SQL statements by strictly controlling all input received from the Request object (Request, Request.QueryString, Request.Form, Request.Cookies and Request.ServerVariables). For example, one can limit the length of the input string, or build an EscapeQuotes function that replaces each single quote with two single quotes.

Where the input is numeric, the flaw comes from replacing a value that was expected to be numeric with a string containing an illegitimate SQL statement. To avoid this, simply check that the data is of the right type with the IsNumeric() function.

One can also build a function that strips certain dangerous characters and keywords, such as ;, --, select, insert, xp_ and so on, out of the user's input to limit attacks of this kind.

3.2. Configure the DBMS securely

There needs to be a strict control mechanism that limits the data-processing rights of the user account the web application uses. Ordinary applications should avoid using privileges such as dbo or sa; the more restricted the privilege, the less the damage.

In addition, to avoid the risks of a SQL injection attack, one should proactively remove any technical information from the messages sent to the user when the application encounters an error.
Error messages usually reveal technical details that can let an attacker learn the system's weak points.

References
[1] List of websites with SQL injection flaws: http://www.security.com.vn/
[2] SQL Injection FAQ: http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=2&tabid=3
[3] Advanced SQL Injection: http://www.nextgenss.com/papers/advanced_sql_injection.pdf
[4] Preventing SQL Injection: http://www.owasp.org/asac/input_validation/sql.shtml
[5] SQL Injection Attacks - Are You Safe? http://www.sitepoint.com/article/794
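The input controls of section 3.1 (quote escaping, a numeric type check and the keyword filter) implemented as an added example in Python with SQLite standing in for SQL Server; this is not the article's ASP code, the sample rows are constructed, and the bound-parameter login is an addition beyond the article's own advice.

```python
import re
import sqlite3

def _db():
    """Constructed sample table standing in for the article's T_USERS."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE T_USERS (USR_NAME TEXT, USR_PASSWORD TEXT)")
    con.executemany("INSERT INTO T_USERS VALUES (?, ?)", [("alice", "s3cret"), ("bob", "hunter2")])
    return con

def escape_quotes(s):
    """The article's EscapeQuotes idea: double every single quote so it stays inside the literal."""
    return s.replace("'", "''")

def is_numeric(s):
    """Stand-in for ASP's IsNumeric(): accept only an optionally signed string of digits."""
    return re.fullmatch(r"[+-]?\d+", s.strip()) is not None

def news_id_or_none(raw_id):
    """Type-check a numeric parameter before it is ever placed into a query."""
    return int(raw_id) if is_numeric(raw_id) else None

DANGEROUS = (";", "--", "select", "insert", "xp_")   # the article's list of tokens to strip

def kill_chars(s):
    """The article's keyword filter: remove each listed token, case-insensitively."""
    for tok in DANGEROUS:
        s = re.sub(re.escape(tok), "", s, flags=re.IGNORECASE)
    return s

def login_escaped(username, password):
    """execlogin.asp's query with EscapeQuotes applied; True when a row matches."""
    q = ("SELECT * FROM T_USERS WHERE USR_NAME = '" + escape_quotes(username)
         + "' AND USR_PASSWORD = '" + escape_quotes(password) + "'")
    return _db().execute(q).fetchone() is not None

def login_parameterized(username, password):
    """Added beyond the article: a bound parameter is always data, whatever it contains."""
    q = "SELECT * FROM T_USERS WHERE USR_NAME = ? AND USR_PASSWORD = ?"
    return _db().execute(q, (username, password)).fetchone() is not None
```

Note that DROP is not on the article's token list, so kill_chars leaves a DROP TABLE fragment largely intact; a deny-list only narrows the problem, whereas the bound-parameter form removes it.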