Did I find a SQL injection bug in SQL Server?
So I was playing with my MS SQL Server 2008 app to see how well it is protected against SQL injections. The app lets users create views in the database.
Now consider the following:
create view dbo.[]]; drop database foo--] as select 1 as [hi!]
This creates a view with the name
]; drop database foo--
It is valid and you can select from it (returns the number 1, obviously).
Strange thing #1:
In SQL Management Studio, the query SELECT [hi!] FROM [dbo].[]]; drop database foo--]
is red-underlined as incorrect, claiming that the object name is not valid. Nevertheless, it executes and returns 1.
Strange thing #2:
A call to OBJECT_ID(']; drop database foo--')
yields NULL (which means the object does not exist), but the following query returns information about the view properly:
select * from sys.objects where name = ']; drop database foo--';
Are those bugs or am I missing a point?
You're missing the point. SQL Server can't protect itself against SQL injection - if somebody has direct access to your database then you've already been pwned. It's your application that needs to protect against SQL injection by parameterizing queries, and preventing these kinds of statements from ever making it to the database.
1: that only means the intellisense parser is not up to par with the finer details of SQL syntax. While it may be an intellisense bug, it is not an injection vector.
2: object_id() accepts multipart names, so it needs the name in quotes if ambiguous:
select object_id('[]]; drop database foo--]')
That's like using your key to get into your car and then saying "hey there's a security hole, I'm allowed to steal the radio"
It seems the problem is that you are yourself causing SQL injection by accepting user input and using it as SQL statement text.
The fact that you "properly escaped" the ] (by substituting with ]]) really doesn't matter - you allowing the user input to be used as anything but a value by definition means you allow SQL injection.
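The two answers above make the same point from different angles: the bracket doubling the asker applied is exactly what T-SQL QUOTENAME() does (which is why the view is valid and why object_id() wants the bracketed form), but quoting alone does not stop a user-chosen name from shaping a DDL statement. The example below is added here and is not from the question or any answer; it is a Python sketch, with hypothetical function names, of the pattern a defender would use in the application layer: an allowlist check on identifiers before they are quoted, and a parameterized lookup (pyodbc-style ? placeholders) wherever the name can travel as a plain value. It only builds the SQL text; it does not connect to a server.

```python
import re

# Constructed sample input: the view name from the question, as the user typed it
# before the application doubled the closing bracket.
USER_SUPPLIED_NAME = "]; drop database foo--"

# Conservative allowlist for identifiers the application is willing to create:
# letters, digits and underscores, starting with a letter or underscore,
# within SQL Server's 128-character identifier limit. This is an assumption about
# what the application needs, not a SQL Server rule.
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,127}")


def is_safe_identifier(name: str) -> bool:
    """Return True only for names that match the allowlist."""
    return IDENTIFIER_RE.fullmatch(name) is not None


def quote_name(name: str) -> str:
    """Bracket-quote an identifier the way T-SQL QUOTENAME() does:
    wrap it in [] and double every closing bracket."""
    if len(name) > 128:
        raise ValueError("identifier exceeds 128 characters")
    return "[" + name.replace("]", "]]") + "]"


def build_create_view(schema: str, view_name: str, select_sql: str) -> str:
    """Build a CREATE VIEW statement, refusing any identifier outside the allowlist.
    select_sql is assumed to be application-controlled, never user input."""
    for ident in (schema, view_name):
        if not is_safe_identifier(ident):
            raise ValueError(f"rejected identifier: {ident!r}")
    return f"CREATE VIEW {quote_name(schema)}.{quote_name(view_name)} AS {select_sql}"


def is_rejected(schema: str, view_name: str) -> bool:
    """True when build_create_view refuses the pair (used by the demo and tests)."""
    try:
        build_create_view(schema, view_name, "SELECT 1 AS one")
    except ValueError:
        return True
    return False


def build_object_lookup(schema: str, view_name: str):
    """Parameterized existence check against sys.objects / sys.schemas.
    The name is passed as a value, so no quoting rules apply to it at all;
    this mirrors the asker's sys.objects query, which found the view while
    OBJECT_ID() given the unbracketed name did not."""
    sql = (
        "SELECT o.object_id FROM sys.objects AS o "
        "JOIN sys.schemas AS s ON s.schema_id = o.schema_id "
        "WHERE s.name = ? AND o.name = ?"
    )
    return sql, (schema, view_name)


if __name__ == "__main__":
    # What the asker's escaping produced: a valid, bracket-quoted identifier.
    print(quote_name(USER_SUPPLIED_NAME))        # [ ]]; drop database foo-- ]
    # The allowlist refuses it before any SQL text is built.
    print(is_rejected("dbo", USER_SUPPLIED_NAME))  # True
    # A benign name goes through, quoted.
    print(build_create_view("dbo", "sales_summary", "SELECT 1 AS hi"))
    # Looking the odd name up as a value needs no quoting at all.
    print(build_object_lookup("dbo", USER_SUPPLIED_NAME))
```

The allowlist is deliberately stricter than what SQL Server itself accepts as an identifier: the asker's view shows that almost any string can be a legal name once bracketed, so the restriction has to come from the application's own idea of what a user-created view should be called, with QUOTENAME-style quoting kept as a second layer rather than the only one.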