18-5 資??碼(SQL Injection?

AǷ|FƮwP ASP XA@wܰAӥBۧҦƳƮwAHKinƺ޲zCbUoӽdҤAڭ̱NϥΪ̪KXsbƮwAHϥΪ̪bMKXi榳Ī޲zAƮwepU]password.mdb^G
userid passwd
CS3431 CS3431 
LF gavins 
 jtchen 
μz beball 

ھڦƮwAڭ̴NiHg@ ASP ӶibMKX{ҡG

Example]database/password01.asp^G

lXCXpUAHṲ̄G

lɡ]database/password01.asp^G]ǦϰUYi^
<%@ language="jscript" %>
<% title="HƮwƶiKX{ҡG򥻽g" %>
<!--#include file="../head.inc"-->
<hr>

<% // password01.asp: login check against password.mdb, written WITHOUT any
   // input handling so the SQL injection discussed on this page can be reproduced.
   // Read "user" and "passwd" from the request; the "+ ''" turns a missing
   // field into the string "undefined", which the next line tests for.
x=Request("user")+"";
y=Request("passwd")+"";
if ((x=="undefined") && (y=="undefined")){ %>
	<% // No credentials posted yet: render the login form and stop. %>
	<form method="post">
	пJbαKXG
	<ul>
	<li>bG<Input name="user" value="CS3431"><br>
	<li>KXG<Input type="password" name="passwd"><font color=white>KXOGCS3431</font>
		<p><input type=submit><input type=reset>
	</ul>
	</form>
	]ܡG ctrl-a iHݨKXI^
	<hr>
	<!--#include file="../foot.inc"-->
	<% Response.End();	 // nothing after this point runs for the form request %>
<%}%>

<% // Credentials were posted: look them up in the database.
//====== Create an ADO Connection and open the Access file through the ODBC driver
Conn = Server.CreateObject("ADODB.Connection");
database = "password.mdb";
Conn.ConnectionString = "DBQ=" + Server.MapPath(database) + ";Driver={Microsoft Access Driver (*.mdb)};Driverld=25;FIL=MS Access;";
Conn.Open();
//====== The statement is built by concatenating the RAW request values into
//       the SQL text. A single quote in either value closes the string literal
//       early, so whoever submits the form controls the rest of the WHERE
//       clause -- this is the SQL injection the page demonstrates (see the
//       "' or 'a'='a" example in the text). Binding the values as parameters
//       (ADODB.Command + CreateParameter) avoids it; this listing deliberately
//       leaves the flaw in place.
SQL = "select * from password where userid='" + Request("user") + "' and passwd='" + Request("passwd") + "'";
//====== Run the statement and keep the result in a Recordset
RS=Conn.Execute(SQL);
//====== No matching row -> EOF. Note that both branches echo the statement,
//       including the unmodified request values, back to the browser without
//       HTML encoding.
if (RS.EOF) {%>
	<p align=center>bαKX~I<br>SQLO = <u><font color=green><%=SQL%></font></u>
<%} else {%>
	<p align=center>bαKXTI<br>SQLO = <u><font color=green><%=SQL%></font></u>
<%}
//====== Release the Recordset and the connection
RS.Close();
Conn.Close();
%>

<hr>
<!--#include file="../foot.inc"-->

ݰ_Ӥ@SDAOpGAQubv]Hack!^ oӺAƹWunJUCƴNiHFG

]лָոլݡI^oOOHƹWoNOcWLuXv]SQL Injection^A²aANONubvMuKXvJ㦳޸SrAyAݦbXoƮɡA|N~aͦX檺 SQL OAyKX{Ҫ\CnSO`NOASQL Injection DuoͦbدSwxλyAunOϥ SQL OsƮwơAiಣͳoӰDC

ڭ̦AӥJӬݬݤWoӽdҡA䤤 SQL OԭzpUG

SQL = "select * from password where userid='" + Request("user") + "' and passwd='" + Request("passwd") + "'"; ݰ_޿觹TAҦpJbMKXOOuLFvMugavinsvɡAұo쪺 SQL OOG
SQL = "select * from password where userid='LF' and passwd='gavins'";
ҥHiHqƮwd@ơANbMKXTCOڭ̱bMKXOOuxyzvMu' or 'a'='avɡAұo쪺 SQL OO
SQL = "select * from password where userid='xyz' and passwd='' or 'a'='a'";
ܤAҲͪ SQL O]|榨\]] 'a'='a' O@wߪ^A]ӱqƮwXhơAoذűkϩOb SQL Ou`v@ǴcNrAҥH٬uSQL InjectionvC

Hint
b SQL yk󦡤A| andAA orC

pקK SQL Injection OH²檺@kANObΫȤݰeiӪƫeARҦiyDSrAoǦr]A޸]'^B޸]"^Bݸ]?^BP]*^Bu]_^Bʤ]%^BAmpersand]&^AoǯSrӥX{bϥΪ̿JƤCt~ARSrʧ@ȥnbAݶiA]Τݪ JavaScript ҪˬdOuਾglAਾpHAOHun@ӦۦP쪺AN@˥iHIsA ASP {XӨθƮwAi׶}ҥ\C

YnRoǦMIrAiHϥ JavaScript rꪺ replace() kAάOϥ VBScript Replace ơAҦpG

Example]database/sqlInjection01.asp^G

lXCXpUG

lɡ]database/sqlInjection01.asp^G]ǦϰUYi^
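<%@ language="jscript" %>
<% title="HƮwƶiKX{ҡGpקK SQL Injection" %>
<!--#include file="../head.inc"-->
<hr>

<% // sqlInjection01.asp: the same login check as password01.asp, but the
   // request values are cleaned before they reach the SQL statement and
   // HTML-encoded before they are echoed back to the browser.
   // The "+ ''" turns a missing field into the string "undefined", which is
   // how a first visit is told apart from a posted form.
x=Request("user")+"";
y=Request("passwd")+"";
if ((x=="undefined") && (y=="undefined")){ %>
	<% // No credentials posted yet: render the form (F7 fills in the demo values) and stop. %>
	<form method="post">
	пJbαKXG
	<ul>
	<li>bG<Input name="user" value="LF"><br>
	<li>KXG<Input type="password" name="passwd" value="gavins">
		<p><input type=submit><input type=reset>
	</ul>
	</form>
	]ܡG F7 iHJ SQL Injection ҥΤbMKXI^
	<script>
	// Demo helper: F7 (keyCode 118) fills the form with the same injection
	// payload the text discusses, so the reader can see it no longer works here.
	function fillForm() {
		if (event.keyCode==118) {
			document.forms[0].user.value="oONr"
			document.forms[0].passwd.value="' or 'a'='a"
		}
	}
	</script>
	<script>document.onkeydown=fillForm;</script>
	<hr>
	<!--#include file="../foot.inc"-->
	<% Response.End();	 // nothing after this point runs for the form request %>
<%}%>

<% // Credentials were posted: look them up in the database.
//======= Reuse the values already read above (x, y) and strip single quotes.
//        This is the page's minimal mitigation: without a quote the input
//        cannot close the string literal in the statement below. It is a
//        narrow filter (it does nothing for numeric columns or other quoting
//        rules), so the robust fix is to stop building SQL from strings and
//        bind the values as parameters (ADODB.Command + CreateParameter).
user = x.replace(/'/g, "");
passwd = y.replace(/'/g, "");
//======= Create an ADO Connection and open the Access file through the ODBC
//        driver. The connection-string key is "DriverId" (the original read
//        "Driverld" -- a lowercase l where an uppercase I belongs).
Conn = Server.CreateObject("ADODB.Connection");
database = "password.mdb";
Conn.ConnectionString = "DBQ=" + Server.MapPath(database) + ";Driver={Microsoft Access Driver (*.mdb)};DriverId=25;FIL=MS Access;";
Conn.Open();
//======= Look for a row whose userid and passwd both match the cleaned values
SQL = "select * from password where userid='" + user + "' and passwd='" + passwd + "'";
RS=Conn.Execute(SQL);
//======= The statement is shown to the reader as a teaching aid, but it still
//        contains the request values, and removing quotes does not remove
//        "<" or ">". Encode it once here so the echo on either branch cannot
//        inject markup into the page (reflected cross-site scripting).
shownSQL = Server.HTMLEncode(SQL);
if (RS.EOF) {%>
	<p align=center>bαKX~I<br>SQLO = "<u><font color=green><%=shownSQL%></font></u>"
<%} else {%>
	<p align=center>bαKXTI<br>SQLO = "<u><font color=green><%=shownSQL%></font></u>"
<%}
//====== Release the Recordset and the connection
RS.Close();
Conn.Close();
%>

<hr>
<!--#include file="../foot.inc"-->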

bWzlXA] Request("userid") M Request("passwd") ƬOLkק諸AҥHbNenst@ӭܼơCѦdҥiHDAunRϥΪ̿JrꤤҦ޸ANiHקK SQL Injection DC

ƹWAiHΦ SQL Injection cNr٤֡AjOwLn SQL Server ƮwӶi}aCYAŪ̥iۦѦҤUCѦҸơG

pGA Google JunJvAAݭnnJi SQL Injection աANӥiH@Ǥ]CФdUn@cAYoǤ]ANUCrH@̡]]iNƥHڡ^G

qҪ̡G

ڭ̬߱iPѮvuJavaScript{]pPΡvAWi SQL Injection աAoıznJ]}O http://xxx.xxx.xxx^õLk SQL Injection JIAunbN]wBKX]wu' or 'a'='avAYinJC

oO@ʵNHAڭ̶ȴլO_iHnJAåƶiקAЬdӡA¡C

]мgXAW^

±zVOAoǺ޲z̷|P§A̪ߡI
JScript {]pPΡGΩAݪ ASP