原文出自:http://webdeveloper.com/

這篇文章是介紹SQL INJECTION攻擊方式。並以PHP開發網站時,要如何預防的文章。我將它翻成中文,若翻的不好請見諒囉。

PHP Programs to Prevent MySQL Injection or HTML Form Abuse

It has been known for a while that if a form is unsecured, malicious code in the form of a MySQL injection will be initiated to attack the site. HTML forms such as drop down menus, search boxes and check boxes are all susceptible entry points for this type of abuse. This article will explain what happens in this kind of attack, and how to prevent it.

大部份的人都知道網頁表單是不安全的,MySQL Injection這種惡意的程式常常被使用在這方面進行攻擊網站。例如像下拉式選單、搜索方塊、確認方塊都是易被當做攻擊的目標。這文章將討論這種攻擊類型是如何發生,且如何去防範它。


Known Security Issues and Background
The intent of MySQL injection is to take over the website database and administration to steal information. A common open source database like MySQL has been used by many website developers to store important information such as passwords, credit cards, usernames, personal information and administrative information.

MySQL Injection 這種攻擊的目的是為了奪取網站資料庫和管理者的權限及偷取資料。像MySQL這類型的開放資料庫系統常被使用在網站開發當做儲存重要資訊的工具,例如,密碼、身份証字號、姓名、個人資料和行政資料

This is a serious form of hacking that affects a lot of websites nowadays. You can easily spot it in Google search results with a warning sign: “This site may harm your computer” or when you are visiting the site “Malware detected” in browsers such as Google Chrome or Mozilla Firefox.

在現今,很多網站被利用表單攻擊方式遭駭入侵,你可以很輕易的在Google搜索結果頁看到上面被註記” This site may harm your computer”,或當你瀏覽這網站時,你的瀏覽器例如像Google ChromeMozilla Firefox碰到間碟攻擊。


MySQL is popular because it is used in conjunction with PHP , the most popular server side scripting language. We also know that PHP is the primary language of Linux-Apache based servers that dominate the Internet. So this means that PHP can be easily exploited by hackers just as spyware is in Windows.

MySQL因為常被與PHP(許多熱門伺服器站的程式語言)結合使用而很受歡迎。我們都知道,PHP這種Linux-Apache的主要語言,在網路世界中是佔很大的地位。這代表PHP可以很輕易的被駭客侵入。就是間碟軟體在Windows一樣。


The hacking starts with inputting malicious code into an unsecured website form (via drop menu forms, search boxes, contact forms, inquiry forms and check boxes). Other advanced forms can be injected via session–related URLs, but this topic is beyond the scope of this article. (For details of this process, please refer to the flowchart on the next page).

駭客利用在不安全的網站表單中輸入惡意的程式碼(經由下拉式選單,搜索方塊、聯絡表單、問題提問表單、確認方塊)。其他較進階的表單可以經由session–related URLs進行攻擊,但這個議題已經超出本文章的範圍(不做討論,請尋找下一篇)


The malicious code will then be transported to the MySQL database and hence “injected.” To see how this works, first consider the following basic and normal MySQL SELECT statement query:

這種惡意程式當被送到
MySQL
資料庫且
從此處開始攻擊。看下面的例子,首先想想這基本且正規的MySQL SELECT程序語言:

SELECT * FROM xmen WHERE username = 'wolverine'

This query will ask the database with the "xmen" table to return a certain piece of data in the MySQL for the username "wolverine."

這程序語言將讓要求資料庫的"xmen"資料表回傳某些在MySQL裡的有關叫"wolverine."資料出來。


In the web forms, a user will enter wolverine  , and then this data will be passed to the MySQL query, resulting in the above statement.

在網站表單中,使用者若輸入
wolverine
,而這時這筆資料將通過

MySQL
程序語言,導致在這個區塊之上。


If the input is not validated, a hacker can craft the input in such a way as to gain control of the database, for example setting the username to:

假如這輸入字串是無效的,駭客可以製作像取得資料庫控制權的方法,以下是設定使用者姓名的方法


' OR ''=''
You may think having the normal PHP and MySQL syntax to process inputs is safe because every time they may enter malicious codes they will get an “Invalid query” message, but it is not.

也許你會想說有正規PHPMySQL語法可以處理確保輸入值是安全的,因為當他們可能輸入惡意的程式時,系統會給他們一個” Invalid query”訊息,但是,事實並不如此..

In reality there are a lot of smart hackers, and they can easily work on this. Once there is a security breach, correcting this will become difficult. It involves cleaning the database and revamping the administrative access.

事實上,有很多聰明的駭客,他們可以輕易的做到這些。自從有一個安全漏洞修正,這將變的困難。它專門改善資料庫和修補管理者存取。


PHP Programs to Prevent MySQL Injection or HTML Form Abuse - The Flow of User Input (Without Validation)




If you are a beginner in MySQL and PHP, it would be useful to illustrate the flow of user information. Please check the screen shot of what will happen if the user input is not validated:

假如你是個在
MySQL
PHP領域上是個初學者,可以利用使用者資訊流程圖來說明。請看這圖,若使用者輸入的值不是有效的:









You can observe that even after the database or malware clean up, as long as the website form input is not validated, we will see re-infection of the website. Two common misconceptions of MySQL injection attacks are as follows:

你可以觀察到只要網站表單是不正當的,在這個事件產生清除資料庫或惡意程式後,我們將發現網站一直會被侵略。以下例出兩個MySQL injection 攻擊常常被誤導的關念:

1.
The webmaster thinks that malware injection can be cleaned up using anti-virus or anti-spyware software. It cannot be cleaned up in this way because this type of infection exploits the weaknesses of MySQL databases. It cannot simply be removed by any spyware or anti-virus program.

網站管理者常想說惡意的程式攻擊可以使用防毒、防間諜軟體所清除。因為這種類型的攻擊點是針對MySQL資料庫的弱點,所以它是不理被防毒軟體所清除的。它不會被認識的防毒程式所輕易移除。


2.
MySQL injection is a virus infection as a result of having copied infected files from another server or outside sources. It is not. This type of infection is a result of having someone type malicious codes into any unprotected forms in the website, and then gaining access to the database. Virus infection as a result of a MySQL injection can be cleaned by removing the malicious scripts and not by using anti-virus programs.

由於能夠從其他的伺服器或外部程式造成攻擊危害,所以MySQL injection算是一種病毒攻擊。可是這關念是錯的。這種攻擊類型是由於使用者輸入惡意程式進入未保護的網站,且進一步獲取讀取資料庫的存取權限。MySQL injection攻擊是可以以移除惡意的程式清除,可是不是用病毒程式進行處理。


Flow of User Input (With Validation)


It is highly important to back up a clean database and put it outside the server. It is very easy to export a set of MySQL tables and save it to your desktop, for example. Double check to make sure the database contains the exact and clean entries that you expect.

備份一個乾淨的資料庫且把它放在伺服器以外的地方是很重要的。它可以很容易的將MySQL資料表的設定匯出,且儲存它放在你的桌面。例如,仔細檢查確定資料庫包含你認為無誤且乾淨的輸入值。


Then go to your server and temporarily shut the forms input first. This means the form cannot accept data to be processed; this will also mean that your website will be shut down, too.

然後將你的伺服器暫時關掉表單輸入的功能。這意思是說表單無法對資料進行存取處理;這也是說,你的網站也將必須關閉。


Then start the clean up process. First, on your server, clean up any mess left by the MySQL injection. Change all database, FTP and website passwords.

然後開始清理檢查相關處理程序。首先在你的伺服器上,清理掉所有被MySQL injection所造成的攻擊傷害。改變所有資料庫、ftp、網站的密碼。


In t
創作者介紹

佳佳的窩

天秤女~佳佳 發表在 痞客邦 PIXNET 留言(0) 人氣()