
SQL INJECTION ATTACKS: DAMAGE AND PREVENTION

Lê Đình Duy, Faculty of Information Technology, University of Natural Sciences, Ho Chi Minh City. Email: ldduy@fit.hcmuns.edu.vn

1. What is SQL injection?

When deploying web applications on the Internet, many people still think that securing them, so as to minimize the chance of attack by hackers, is purely a matter of choosing the operating system, the database management system, the web server that will run the application, and so on. They forget that the application itself, running on top of all that, can harbour a very large security hole. One such hole is SQL injection. In Vietnam, website administrators have long been busy scanning for viruses and applying patches for system software, while the flaws in the applications themselves have received very little attention. That is why, in the recent past, quite a few websites in Vietnam have been attacked, and the majority of those attacks exploited SQL injection flaws [1]. So what is SQL injection? SQL injection is a technique that lets an attacker exploit weaknesses in how a web application validates its input, together with the error messages of the database management system, to "inject" and execute illegitimate SQL statements, that is, statements the application developer never anticipated. Its consequences are severe: the attacker can delete or modify data, because they effectively gain full control over the application's database, and in some cases over the server the application runs on. This flaw commonly occurs in web applications whose data is managed by a database management system such as SQL Server, MySQL, Oracle, DB2 or Sybase.
2. Types of SQL injection attack

There are four common types: bypassing the login check (authorization bypass), using the SELECT statement, using the INSERT statement, and using stored procedures [2], [3].
2.1. Attacks that bypass the login check

With this type of attack, a hacker can easily get past a login page thanks to flaws in how the application builds the SQL statements that operate on its database. Consider a typical example. To let users reach protected pages, a system usually provides a login page asking for a username and a password. After the user submits them, the system checks whether the username and password are valid and decides whether to let the user continue. This can be implemented with two pages: an HTML page that displays the input form, and an ASP page that processes what the user entered. For example:
login.htm
<form action="ExecLogin.asp" method="post">
Username: <input type="text" name="fUSRNAME"><br>
Password: <input type="password" name="fPASSWORD"><br>
<input type="submit">
</form>

execlogin.asp
<%
Dim vUsrName, vPassword, objRS, strSQL
vUsrName = Request.Form("fUSRNAME")
vPassword = Request.Form("fPASSWORD")
' User input is concatenated straight into the SQL text; this is the flaw discussed below
strSQL = "SELECT * FROM T_USERS " & _
         "WHERE USR_NAME='" & vUsrName & _
         "' and USR_PASSWORD='" & vPassword & "'"
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."
If (objRS.EOF) Then
    Response.Write "Invalid login."
Else
    Response.Write "You are logged in as " & objRS("USR_NAME")
End If
Set objRS = Nothing
%>

At first glance the code in execlogin.asp does not seem to contain any security hole: a user cannot log in without a valid username and password. Yet this code is not safe at all and sets the stage for a SQL injection flaw. Specifically, the weak point is that data entered by the user is used directly to build the SQL statement, which lets an attacker control the query that will be executed. For example, if the user enters the string ' OR ''=' into both the username and password fields of login.htm, the query sent for execution becomes:
SELECT * FROM T_USERS WHERE USR_NAME ='' OR ''='' and USR_PASSWORD= '' OR ''=''

This query is syntactically valid and returns every record of T_USERS, so the code that follows treats this illegitimate user as a properly logged-in user.
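To make the mechanism concrete, here is an added example (not part of the original article) that reproduces execlogin.asp's string concatenation in Python over an in-memory SQLite table with two constructed user rows, and shows how many rows the query matches for a valid login, a wrong password, and the article's ' OR ''=' input. The table and user names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for the article's T_USERS table
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database with the two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE T_USERS (USR_NAME TEXT, USR_PASSWORD TEXT)")
    conn.executemany("INSERT INTO T_USERS VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_login_sql(username, password):
    """Build the query exactly the way execlogin.asp concatenates it."""
    return ("SELECT * FROM T_USERS WHERE USR_NAME='" + username +
            "' and USR_PASSWORD='" + password + "'")


def vulnerable_login(conn, username, password):
    """Number of rows the concatenated query matches; 0 means 'Invalid login'."""
    return len(conn.execute(build_login_sql(username, password)).fetchall())


if __name__ == "__main__":
    conn = make_db()
    print(vulnerable_login(conn, "alice", "s3cret"))  # 1: the legitimate case
    print(vulnerable_login(conn, "alice", "wrong"))   # 0: rejected
    payload = "' OR ''='"                              # the article's input
    print(build_login_sql(payload, payload))           # the query shown in the article
    print(vulnerable_login(conn, payload, payload))    # 2: every row matches
```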
2.2. Attacks using the SELECT statement

This type of attack is more complex. To carry it out, the attacker must be able to understand and exploit the weaknesses exposed by the system's error messages in order to find a starting point. Consider a very common example from news websites. There is usually a page that receives the ID of the news item to display and then queries the content of the item with that ID, for example http://www.myhost.com/shownews.asp?ID=123. The source code for this function is usually written quite simply, along these lines:

<%
Dim vNewsID, objRS, strSQL
vNewsID = Request("ID")
' The ID is used unquoted and unchecked, so no quote is needed to alter the query
strSQL = "SELECT * FROM T_NEWS WHERE NEWS_ID=" & vNewsID
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."
Set objRS = Nothing
%>

Under normal use this code displays the news item whose ID matches the one requested, and no flaw is apparent. However, just like the login example, this code opens the door to another SQL injection flaw. The attacker can replace a valid ID with a different value and use it as the starting point of an attack, for example 0 OR 1=1 (that is, http://www.myhost.com/shownews.asp?ID=0 or 1=1). The SQL query then returns every article in the table, because the statement executed is:
SELECT * FROM T_NEWS WHERE NEWS_ID=0 or 1=1

Another case is a search page. Such a page lets the user enter search criteria such as a surname and given name, and the code commonly looks like this:
<%
Dim vAuthorName, objRS, strSQL
vAuthorName = Request("fAUTHOR_NAME")
strSQL = "SELECT * FROM T_AUTHORS WHERE AUTHOR_NAME='" & _
         vAuthorName & "'"
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."
Set objRS = Nothing
%>

As above, a hacker can exploit the flaw in the SQL query by entering the following string into the author name field:
' UNION SELECT ALL OtherField FROM OtherTable WHERE ''=' (*)

Now, besides the first query, which matches nothing, the program also executes the statement that follows the UNION keyword. The examples above may not look dangerous, but imagine that the attacker deletes the entire database by inserting a destructive statement such as DROP TABLE, for example: ' DROP TABLE T_AUTHORS --. Readers will surely ask how one can tell whether a web application has this flaw. It is very simple: enter the string (*) above. If the system reports a syntax error of the form "Invalid object name OtherTable", we can be sure that it executed the SELECT after the UNION keyword, since that is the only way it could return the error we deliberately provoked in that SELECT. One may also ask how the names of the tables can be learned in order to carry out destructive operations once a web application has a SQL injection flaw. This too is simple, because in SQL Server the two system objects sysobjects and syscolumns list all the table and column names in the system. One need only adjust the SELECT statement, for example:
' UNION SELECT name FROM sysobjects WHERE xtype = 'U'

which lists the names of all the tables.

2.3. Attacks using the INSERT statement

Web applications usually let users register an account in order to participate, and an indispensable feature is that after registering, the user can view and edit their own information. SQL injection becomes possible when the system does not validate the information entered. For example, an INSERT statement has the syntax INSERT INTO TableName VALUES('Value One', 'Value Two', 'Value Three'). If the code that builds the SQL statement has the form:
<%
strSQL = "INSERT INTO TableName VALUES('" & strValueOne & "', '" _
         & strValueTwo & "', '" & strValueThree & "')"
Set objRS = Server.CreateObject("ADODB.Recordset")
objRS.Open strSQL, "DSN=..."
Set objRS = Nothing
%>

then it is certain to have a SQL injection flaw, because if we enter into the first field, for example, ' + (SELECT TOP 1 FieldName FROM TableName) + ', the statement becomes: INSERT INTO TableName VALUES('' + (SELECT TOP 1 FieldName FROM TableName) + '', 'abc', 'def'). Later, when the view-information page runs, it is as though you had asked it to execute one more statement: SELECT TOP 1 FieldName FROM TableName.

2.4. Attacks using stored procedures

Attacks through stored procedures cause very serious damage if the application runs under the system administrator account 'sa'. For example, if the injected string is changed to ' ; EXEC xp_cmdshell cmd.exe dir C: ', the system executes a command that lists the directory of the server's C:\ drive. What kind of damage results depends entirely on the command placed after cmd.exe.
3. Prevention

As we have seen, SQL injection exploits the carelessness of web developers when they process input data to build SQL statements. The damage it causes depends on the environment and the system configuration. If the application operates on data with the dbo role (the database owner's rights), the attacker can delete all tables, create new tables, and so on. If the application uses the sa role (system administrator rights), the attacker can control the entire database management system and, with such broad rights, can create illegitimate user accounts to take over your system. Prevention can be applied at two levels:
3.1. Strictly control input data

To prevent these risks, protect the SQL statements by strictly controlling all input data received from the Request object (Request, Request.QueryString, Request.Form, Request.Cookies, and Request.ServerVariables). For example, the length of the input string can be limited, or an EscapeQuotes function can be built that replaces each single quote with two single quotes, like this:
<%
Function EscapeQuotes(sInput)
    ' Doubling a single quote makes it a literal character inside the SQL string
    sInput = Replace(sInput, "'", "''")
    EscapeQuotes = sInput
End Function
%>

When the input is supposed to be a number, the flaw comes from a value expected to be numeric being replaced by a string that contains an illegitimate SQL statement. To avoid this, simply check that the data has the right type with the IsNumeric() function. In addition, a function can be built that strips dangerous characters and keywords such as ;, --, select, insert, xp_ and the like from user input, to limit attacks of this kind:
<%
Function KillChars(sInput)
    Dim badChars, newChars, i
    badChars = Array("select", "drop", ";", "--", "insert", "delete", "xp_")
    newChars = sInput
    For i = 0 To UBound(badChars)
        ' vbTextCompare makes the match case-insensitive, so SELECT is caught as well as select
        newChars = Replace(newChars, badChars(i), "", 1, -1, vbTextCompare)
    Next
    KillChars = newChars
End Function
%>
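The following added example (not from the original article) ports EscapeQuotes and the IsNumeric() check to Python and applies them to the article's login and shownews.asp cases over an in-memory SQLite table with constructed rows. It also shows that quote doubling does nothing for the unquoted numeric ID, which is why the numeric check is needed, and adds a bound-parameter query as a stronger alternative that the article does not cover; the table and user rows are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the article's T_USERS table
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE T_USERS (USR_NAME TEXT, USR_PASSWORD TEXT)")
    conn.executemany("INSERT INTO T_USERS VALUES (?, ?)", SAMPLE_USERS)
    return conn


def escape_quotes(s):
    """Port of the article's EscapeQuotes: double every single quote."""
    return s.replace("'", "''")


def escaped_login(conn, username, password):
    """execlogin.asp's concatenation with EscapeQuotes applied to both inputs."""
    sql = ("SELECT * FROM T_USERS WHERE USR_NAME='" + escape_quotes(username) +
           "' and USR_PASSWORD='" + escape_quotes(password) + "'")
    return len(conn.execute(sql).fetchall())


def parameterized_login(conn, username, password):
    """Beyond the article: bound parameters, so input is never part of the SQL text."""
    sql = "SELECT * FROM T_USERS WHERE USR_NAME=? and USR_PASSWORD=?"
    return len(conn.execute(sql, (username, password)).fetchall())


def is_numeric_id(value):
    """Stand-in for the IsNumeric() check on shownews.asp's ID parameter."""
    return value.strip().isdigit()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR ''='"                                   # the article's login input
    print(escaped_login(conn, payload, payload))            # 0: treated as a literal name
    print(parameterized_login(conn, payload, payload))      # 0
    print(escaped_login(conn, "alice", "s3cret"))           # 1: real users still log in
    print(escape_quotes("0 or 1=1"))                        # unchanged: no quote to double
    print(is_numeric_id("123"), is_numeric_id("0 or 1=1"))  # True False
```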

3.2. Configure the database management system securely

There must be a mechanism to strictly control and limit the data-handling rights of the account the web application uses. Ordinary applications should avoid roles such as dbo or sa: the more restricted the rights, the smaller the damage. In addition, to reduce the risk from SQL injection attacks, remove any technical information from the messages shown to the user when the application encounters an error. Error messages usually reveal technical details that let an attacker learn the system's weak points.
References
[1]. List of websites with SQL injection flaws: http://www.security.com.vn/
[2]. SQL Injection FAQ: http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=2&tabid=3
[3]. Advanced SQL Injection: http://www.nextgenss.com/papers/advanced_sql_injection.pdf
[4]. Preventing SQL Injection: http://www.owasp.org/asac/input_validation/sql.shtml
[5]. SQL Injection Attacks - Are You Safe? http://www.sitepoint.com/article/794
