"SQL Injection Attacks and Defense, First Edition" won the Best Book Bejtlich Read Award. "SQL injection is probably the number one problem for any server-side application, and this book is unequaled in its coverage." (Richard Bejtlich, TaoSecurity blog)

SQL injection represents one of the most dangerous and well-known, yet misunderstood, security vulnerabilities on the Internet, largely because there is no central repository of information available for penetration testers, IT security consultants and practitioners, and web/software developers to turn to for help. "SQL Injection Attacks and Defense, Second Edition" is the only book devoted exclusively to this long-established but recently growing threat. It is the definitive resource for understanding, finding, exploiting, and defending against this increasingly popular and particularly destructive type of Internet-based attack.

"SQL Injection Attacks and Defense, Second Edition" includes all the currently known information about these attacks and significant insight from its team of SQL injection experts, who cover: understanding SQL injection (what it is and how it works); finding, confirming, and automating SQL injection discovery; tips and tricks for finding SQL injection within code; creating exploits using SQL injection; designing applications to avoid the dangers of these attacks; SQL injection on different databases; SQL injection on different technologies; SQL injection testing techniques; and case studies.

"Securing SQL Server, Second Edition" is the only book to provide a complete understanding of SQL injection, from the basics of vulnerability to discovery, exploitation, prevention, and mitigation measures. It covers unique, publicly unavailable information from technical experts in such areas as Oracle, Microsoft SQL Server, and MySQL, including new developments for Microsoft SQL Server 2012 (Denali). It is written by an established expert, author, and speaker in the field, with contributions from a team of equally renowned creators of SQL injection tools, applications, and educational materials.
Acknowledgements v
Dedication vii
Contributing Authors ix
Lead Author and Technical Editor xiii
Introduction xxvii
Chapter 1 What Is SQL Injection? 1 (26)
Introduction 1 (1)
Understanding How Web Applications Work 2 (4)
A Simple Application Architecture 3 (1)
A More Complex Architecture 4 (2)
Understanding SQL Injection 6 (7)
High-Profile Examples 9 (4)
Understanding How It Happens 13 (8)
Dynamic String Building 13 (1)
Incorrectly Handled Escape Characters 14 (1)
Incorrectly Handled Types 15 (2)
Incorrectly Handled Query Assembly 17 (1)
Incorrectly Handled Errors 18 (1)
Incorrectly Handled Multiple Submissions 19 (2)
Insecure Database Configuration 21 (2)
Summary 23 (1)
Solutions Fast Track 24 (1)
Frequently Asked Questions 25 (2)
Chapter 2 Testing for SQL Injection 27 (62)
Introduction 27 (1)
Finding SQL Injection 27 (31)
Testing by Inference 28 (1)
Identifying Data Entry 28 (4)
Manipulating Parameters 32 (3)
Information Workflow 35 (1)
Database Errors 36 (1)
Commonly Displayed SQL Errors 37 (12)
Application Response 49 (1)
Generic Errors 49 (3)
HTTP Code Errors 52 (1)
Different Response Sizes 53 (1)
Blind Injection Detection 54 (4)
Confirming SQL Injection 58 (18)
Differentiating Numbers and Strings 58 (1)
Inline SQL Injection 59 (1)
Injecting Strings Inline 59 (4)
Injecting Numeric Values Inline 63 (2)
Terminating SQL Injection 65 (1)
Database Comment Syntax 65 (2)
Using Comments 67 (3)
Executing Multiple Statements 70 (4)
Time Delays 74 (2)
Automating SQL Injection Discovery 76 (9)
Tools for Automatically Finding SQL Injection 77 (1)
HP WebInspect 77 (2)
IBM Rational AppScan 79 (1)
HP Scrawlr 80 (2)
SQLiX 82 (1)
Paros Proxy/Zed Attack Proxy 83 (2)
Summary 85 (1)
Solutions Fast Track 85 (2)
Frequently Asked Questions 87 (2)
Chapter 3 Reviewing Code for SQL Injection 89 (50)
Introduction 89 (1)
Reviewing Source Code for SQL Injection 89 (37)
Dangerous Coding Behaviors 92 (7)
Dangerous Functions 99 (5)
Following the Data 104 (1)
Following Data in PHP 104 (5)
Following Data in Java 109 (1)
Following Data in C# 110 (1)
Reviewing Android Application Code 111 (7)
Reviewing PL/SQL and T-SQL Code 118 (8)
Automated Source Code Review 126 (10)
Graudit 128 (1)
Yet Another Source Code Analyzer (YASCA) 129 (1)
Pixy 129 (1)
AppCodeScan 130 (1)
OWASP LAPSE+ Project 130 (1)
Microsoft Source Code Analyzer for SQL Injection 131 (1)
Microsoft Code Analysis Tool .NET (CAT.NET) 131 (1)
RIPS---A Static Source Code Analyzer for Vulnerabilities in PHP Scripts 132 (1)
CodePro AnalytiX 132 (1)
Teachable Static Analysis Workbench 132 (1)
Commercial Source Code Review Tools 133 (1)
Fortify Source Code Analyzer 134 (1)
Rational AppScan Source Edition 135 (1)
CodeSecure 135 (1)
Klocwork Solo 135 (1)
Summary 136 (1)
Solutions Fast Track 136 (1)
Frequently Asked Questions 137 (2)
Chapter 4 Exploiting SQL Injection 139 (94)
Introduction 139 (1)
Understanding Common Exploit Techniques 140 (3)
Using Stacked Queries 142 (1)
Exploiting Oracle from Web Applications 142 (1)
Identifying the Database 143 (7)
Non-Blind Fingerprint 144 (2)
Banner Grabbing 146 (3)
Blind Fingerprint 149 (1)
Extracting Data Through UNION Statements 150 (8)
Matching Columns 151 (2)
Matching Data Types 153 (5)
Using Conditional Statements 158 (16)
Approach 1 Time-Based 159 (4)
Approach 2 Error-Based 163 (2)
Approach 3 Content-Based 165 (1)
Working with Strings 165 (2)
Extending the Attack 167 (1)
Using Errors for SQL Injection 168 (2)
Error Messages in Oracle 170 (4)
Enumerating the Database Schema 174 (14)
SQL Server 175 (3)
MySQL 178 (5)
PostgreSQL 183 (1)
Oracle 184 (4)
Injecting into "INSERT" Queries 188 (6)
First Scenario: Inserting User Determined Data 188 (3)
Second Scenario: Generating INSERT Errors 191 (2)
Other Scenarios 193 (1)
Escalating Privileges 194 (10)
SQL Server 194 (5)
Privilege Escalation on Unpatched Servers 199 (1)
Oracle 200 (1)
SYS.LT 201 (1)
SYS.DBMS_CDC_PUBLISH 202 (1)
Getting Past the Create Procedure Privilege 202 (1)
Cursor Injection 202 (1)
SYS.KUPP$PROC 203 (1)
Weak Permissions 203 (1)
Stealing the Password Hashes 204 (7)
SQL Server 204 (2)
MySQL 206 (1)
PostgreSQL 206 (1)
Oracle 207 (2)
Oracle Components 209 (2)
Out-of-Band Communication 211 (8)
E-mail 211 (1)
Microsoft SQL Server 211 (3)
Oracle 214 (1)
HTTP/DNS 215 (1)
File System 215 (1)
SQL Server 216 (2)
MySQL 218 (1)
Oracle 219 (1)
SQL Injection on Mobile Devices 219 (4)
Automating SQL Injection Exploitation 223 (5)
sqlmap 224 (1)
Bobcat 225 (1)
BSQL 226 (1)
Other Tools 227 (1)
Summary 228 (1)
Solutions Fast Track 229 (2)
Frequently Asked Questions 231 (2)
Chapter 5 Blind SQL Injection Exploitation 233 (56)
Introduction 233 (1)
Finding and Confirming Blind SQL Injection 234 (15)
Forcing Generic Errors 235 (1)
Injecting Queries with Side Effects 235 (1)
Splitting and Balancing 235 (2)
Common Blind SQL Injection Scenarios 237 (2)
Blind SQL Injection Techniques 239 (1)
Inference Techniques 239 (4)
Increasing the Complexity of Inference Techniques 243 (6)
Alternative Channel Techniques 249 (1)
Using Time-Based Techniques 249 (9)
Delaying Database Queries 249 (1)
MySQL Delays 250 (2)
PostgreSQL Delays 252 (2)
SQL Server Delays 254 (3)
Oracle Delays 257 (1)
Time-Based Inference Considerations 257 (1)
Using Response-Based Techniques 258 (9)
MySQL Response Techniques 259 (1)
PostgreSQL Response Techniques 260 (1)
SQL Server Response Techniques 261 (2)
Oracle Response Techniques 263 (1)
Returning More Than 1 bit of Information 264 (3)
Using Alternative Channels 267 (9)
Database Connections 267 (2)
DNS Exfiltration 269 (4)
Email Exfiltration 273 (1)
HTTP Exfiltration 273 (3)
ICMP Exfiltration 276 (1)
Automating Blind SQL Injection Exploitation 276 (10)
Absinthe 276 (2)
BSQL Hacker 278 (2)
SQLBrute 280 (2)
Sqlmap 282 (1)
Sqlninja 283 (1)
Squeeza 284 (2)
Summary 286 (1)
Solutions Fast Track 286 (2)
Frequently Asked Questions 288 (1)
Chapter 6 Exploiting the Operating System 289 (50)
Introduction 289 (1)
Accessing the File System 290 (16)
Reading Files 290 (1)
MySQL 291 (5)
Microsoft SQL Server 296 (8)
Oracle 304 (2)
PostgreSQL 306 (1)
Writing Files 306 (11)
MySQL 307 (3)
Microsoft SQL Server 310 (5)
Oracle 315 (1)
PostgreSQL 316 (1)
Executing Operating System Commands 317 (16)
MySQL 318 (1)
WAMP Environments 318 (1)
Microsoft SQL Server 318 (4)
Oracle 322 (1)
Privilege Escalation 322 (3)
Code Execution Via Direct Access 325 (5)
Executing Code as SYSDBA 330 (1)
PostgreSQL 330 (3)
Consolidating Access 333 (2)
Summary 335 (1)
Solutions Fast Track 335 (2)
Frequently Asked Questions 337 (2)
Chapter 7 Advanced Topics 339 (26)
Introduction 339 (1)
Evading Input Filters 339 (11)
Using Case Variation 340 (1)
Using SQL Comments 340 (1)
Using URL Encoding 341 (1)
Using Dynamic Query Execution 342 (3)
Using Null Bytes 345 (1)
Nesting Stripped Expressions 345 (1)
Exploiting Truncation 346 (1)
Bypassing Custom Filters 347 (1)
Using Non-Standard Entry Points 348 (2)
Exploiting Second-Order SQL Injection 350 (5)
Finding Second-Order Vulnerabilities 352 (3)
Exploiting Client-Side SQL Injection 355 (3)
Accessing Local Databases 355 (1)
Attacking Client-Side Databases 356 (2)
Using Hybrid Attacks 358 (3)
Leveraging Captured Data 358 (1)
Creating Cross-Site Scripting 358 (1)
Running Operating System Commands on Oracle 359 (1)
Exploiting Authenticated Vulnerabilities 360 (1)
Summary 361 (1)
Solutions Fast Track 362 (1)
Frequently Asked Questions 363 (2)
Chapter 8 Code-Level Defenses 365 (44)
Introduction 365 (1)
Domain Driven Security 366 (5)
Using Parameterized Statements 371 (8)
Parameterized Statements in Java 372 (1)
Parameterized Statements in .NET (C#) 373 (3)
Parameterized Statements in PHP 376 (1)
Parameterized Statements in PL/SQL 377 (1)
Parameterized Statements in mobile apps 377 (1)
Parameterized Statements in iOS Applications 377 (1)
Parameterized Statements in Android Applications 378 (1)
Parameterized Statements in HTML5 Browser Storage 378 (1)
Validating Input 379 (8)
Whitelisting 379 (1)
Known Value Validation 380 (3)
Blacklisting 383 (1)
Validating Input in Java 384 (2)
Validating Input in .NET 386 (1)
Validating Input in PHP 386 (1)
Validating Input in Mobile Applications 387 (1)
Validating Input in HTML5 387 (1)
Encoding Output 387 (9)
Encoding to the Database 388 (1)
Encoding for Oracle 388 (2)
Encoding for Microsoft SQL Server 390 (3)
Encoding for MySQL 393 (1)
Encoding for PostgreSQL 394 (1)
Avoiding NoSQL injection 395 (1)
Canonicalization 396 (3)
Canonicalization Approaches 397 (1)
Working with Unicode 397 (2)
Design Techniques to Avoid the Dangers of SQL Injection 399 (6)
Using Stored Procedures 399 (1)
Using Abstraction Layers 400 (1)
Handling Sensitive Data 401 (2)
Avoiding Obvious Object Names 403 (1)
Setting up Database Honeypots 404 (1)
Additional Secure Development Resources 404 (1)
Summary 405 (1)
Solutions Fast Track 406 (1)
Frequently Asked Questions 407 (2)
Chapter 9 Platform Level Defenses 409 (34)
Introduction 409 (1)
Using Runtime Protection 410 (15)
Web Application Firewalls 411 (1)
Using ModSecurity 411 (6)
Intercepting Filters 417 (1)
Web Server Filters 417 (3)
Application Filters 420 (1)
Implementing the Filter Pattern in Scripted Languages 421 (1)
Filtering Web Service Messages 422 (1)
Non-Editable Versus Editable Input Protection 422 (1)
URL/Page-Level Strategies 422 (1)
Page Overriding 423 (1)
URL Rewriting 423 (1)
Resource Proxying/Wrapping 424 (1)
Aspect-Oriented Programming (AOP) 424 (1)
Application Intrusion Detection Systems (IDSs) 424 (1)
Database Firewall 425 (1)
Securing the Database 425 (6)
Locking Down the Application Data 426 (1)
Use the Least-Privileged Database Login 426 (1)
Segregated Database Logins 426 (1)
Revoke PUBLIC Permissions 427 (1)
Use Stored Procedures 427 (1)
Use Strong Cryptography to Protect Stored Sensitive Data 427 (1)
Maintaining an Audit Trail 428 (3)
Locking Down the Database Server 431 (1)
Additional Lockdown of System Objects 431 (8)
Restrict Ad Hoc Querying 432 (1)
Strengthen Controls Surrounding Authentication 432 (1)
Run in the Context of a Least-Privileged Operating System Account 433 (1)
Ensure That the Database Server Software is Patched 433 (1)
Additional Deployment Considerations 434 (1)
Minimize Unnecessary Information Leakage 434 (1)
Suppress Error Messages 434 (2)
Use an Empty Default Web Site 436 (1)
Use Dummy Host Names for Reverse DNS Lookups 436 (1)
Use Wildcard SSL Certificates 437 (1)
Limit Discovery Via Search Engine Hacking 437 (1)
Disable Web Services Description Language (WSDL) Information 438 (1)
Increase the Verbosity of Web Server Logs 438 (1)
Deploy the Web and Database Servers on Separate Hosts 439 (1)
Configure Network Access Control 439 (1)
Summary 439 (1)
Solutions Fast Track 440 (1)
Frequently Asked Questions 441 (2)
Chapter 10 Confirming and Recovering from SQL Injection Attacks 443 (42)
Introduction 443 (1)
Investigating a Suspected SQL Injection Attack 443 (29)
Following Forensically Sound Practices 444 (2)
Analyzing Digital Artifacts 446 (1)
Web Server Log Files 446 (6)
Database Execution Plans 452 (10)
Transaction Log 462 (6)
Database Object Time Stamps 468 (4)
So, You're a Victim---Now What? 472 (9)
Containing the Incident 472 (1)
Assessing the Data Involved 473 (1)
Notifying the Appropriate Individuals 474 (1)
Determining What Actions the Attacker Performed on the System 474 (1)
Recovering from a SQL Injection Attack 475 (1)
Determining the Payload of an Attack 476 (1)
Recovering from Attacks Carrying Static Payloads 477 (2)
Recovering from Attacks Carrying Dynamic Payloads 479 (2)
Summary 481 (1)
Solutions Fast Track 481 (2)
Frequently Asked Questions 483 (2)
Chapter 11 References 485 (50)
Introduction 485 (1)
Structured Query Language (SQL) Primer 486 (6)
SQL Queries 486 (1)
Select Statement 486 (1)
Union Operator 487 (1)
Insert Statement 487 (1)
Update Statement 488 (1)
Delete Statement 488 (1)
Drop Statement 488 (1)
Create Table Statement 488 (2)
Alter Table Statement 490 (1)
Group By Statement 490 (1)
Order By Clause 490 (1)
Limiting the Result Set 491 (1)
SQL Injection Quick Reference 492 (28)
Identifying SQL Injection Vulnerabilities 492 (3)
Identifying the Database Platform 495 (1)
Identifying the Database Platform Via Time Delay Inference 496 (1)
Identifying the Database Platform Via SQL Dialect Inference 497 (1)
Combining Multiple Rows into a Single Row 498 (1)
Microsoft SQL Server Cheat Sheet 498 (2)
Enumerating Database Configuration Information and Schema 500 (1)
Blind SQL Injection Functions: Microsoft SQL Server 500 (1)
Microsoft SQL Server Privilege Escalation 500 (6)
Attacking the Database Server: Microsoft SQL Server 506 (2)
MySQL Cheat Sheet 508 (1)
Enumerating Database Configuration Information and Schema 508 (1)
Blind SQL Injection Functions: MySQL 509 (1)
Attacking the Database Server: MySQL 509 (2)
Oracle Cheat Sheet 511 (1)
Enumerating Database Configuration Information and Schema 511 (1)
Blind SQL Injection Functions: Oracle 511 (1)
Attacking the Database Server: Oracle 511 (6)
PostgreSQL Cheat Sheet 517 (1)
Enumerating Database Configuration Information and Schema 517 (1)
Blind SQL Injection Functions: PostgreSQL 518 (1)
Attacking the Database Server: PostgreSQL 518 (2)
Bypassing Input Validation Filters 520 (1)
Quote Filters 520 (1)
HTTP Encoding 521 (1)
Troubleshooting SQL Injection Attacks 521 (4)
SQL Injection on Other Platforms 525 (6)
DB2 Cheat Sheet 526 (1)
Enumerating Database Configuration Information and Schema 526 (1)
Blind SQL Injection Functions: DB2 526 (1)
Informix Cheat Sheet 526 (1)
Enumerating Database Configuration Information and Schema 527 (1)
Blind SQL Injection Functions: Informix 527 (1)
Ingres Cheat Sheet 528 (1)
Enumerating Database Configuration Information and Schema 528 (1)
Blind SQL Injection Functions: Ingres 528 (1)
Sybase Cheat Sheet 529 (1)
Enumerating Database Configuration Information and Schema 529 (1)
Blind SQL Injection Functions: Sybase 530 (1)
Microsoft Access 530 (1)
Resources 531 (1)
SQL Injection White Papers 531 (1)
SQL Injection Cheat Sheets 531 (1)
SQL Injection Exploit Tools 531 (1)
Password Cracking Tools 532 (1)
Solutions Fast Track 532 (3)
Index 535