cwe:cn:definition:89

Differences

This shows you the differences between the selected revision and the current version of the page.

Link to this comparison view

cwe:cn:definition:89 [2013/06/03 15:05]
evan [Example - 2]
cwe:cn:definition:89 [2014/09/04 15:00] (current)
行 1: 行 1:
 ====== CWE-89:​SQL命令中使用的特殊元素转义处理不恰当(SQL注入) ====== ====== CWE-89:​SQL命令中使用的特殊元素转义处理不恰当(SQL注入) ======
 ^ID|89| ^ID|89|
-^类型|弱点|+^Type|Weakness|
 ^Abstraction|Base| ^Abstraction|Base|
-^状态|草稿|+^Status|Draft|
 ^MITRE|http://​cwe.mitre.org/​data/​definitions/​89.html| ^MITRE|http://​cwe.mitre.org/​data/​definitions/​89.html|
-^英文|http://​wiki.scap.org.cn/​cwe/​en/​definition/​89| +^English|http://​wiki.scap.org.cn/​cwe/​en/​definition/​89| 
-^中文|http://​wiki.scap.org.cn/​cwe/​cn/​definition/​89|+^Chinese|http://​wiki.scap.org.cn/​cwe/​cn/​definition/​89|
  
-===== 概要描述 ​=====+===== Description Summary ​===== 
 +The software constructs all or part of an SQL command using 
 +externally-influenced input from an upstream component, but it does not 
 +neutralize or incorrectly neutralizes special elements that could modify the 
 +intended SQL command when it is sent to a downstream 
 +component.
  
-软件使用来自一个上游组件的外部输入数据构造全部或部分的SQL命令,但它在将SQL命令发送到下游组件时,没有处理或没有正确地处理输入数据中可能会改变预期的SQL的特殊元素。 +===== Extended Description ​===== 
-===== 扩展描述 ​=====+Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands. ​
  
-在没有充分地去除或引述用户可控的输入中的SQL语法的情况下,生成的SQL查询可能导致这些用户输入被解释为SQL语句而并非普通的用户数据。这能够被用于改变查询逻辑以绕过安全检查或者插入额外的语句修改后台数据库,甚至包括执行系统命令。+SQL injection has become a common issue with database-driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind. This flaw depends on the fact that SQL makes no real distinction between the control and data planes. ​
  
-SQL注入已经成为数据驱动网站的一个普遍问题。这种缺陷容易被发现,容易被利用,正因如此,任何网站或软件包——哪怕只有很小的用户群体都有可能成为这种类型攻击的主体。这种缺陷依赖于一个事实,即SQL没有将控制层和数据层真正地区别开。 
-===== 引入方式 ===== 
  
-这种弱点通常出现在使用数据库保存用户输入的富数据(data-rick)应用程序中。 
-===== 利用要点 ===== 
  
-应用程序动态地生成包含用户输入的查询。+===== Modes of Introduction ===== 
 +This weakness typically appears in data-rich applications that save user 
 +inputs in a database.
  
  
-===== 利用可能性 ===== 
  
-非常高+===== Enabling Factors for Exploitation ===== 
 +The application dynamically generates queries that contain user input. ​
  
-===== 常见的影响 ​===== + 
-^范围 ​^技术影响 ​备注 ​+ 
-|机密性|读取应用程序数据|因为SQL数据库通常保存有敏感数据,机密性被破坏是SQL注入漏洞带来的常见问题。+===== Likelihood of Exploit ===== 
-|访问控制|绕过防御机制|如果检查用户名和口令的SQL命令设计失误,可能会导致在不知悉口令的情况下使用另外用户的身份登录到系统。+Very High 
-|访问控制|绕过防御机制|如果身份认证信息保存在SQL数据库中,那么成功利用SQL注入漏洞可能能够更改这些认证信息。+ 
-|完整性|篡改应用程序数据|同读取敏感信息一样,SQL注入攻击还能够篡改甚至删除这些信息。 ​+===== Common Consequences ​===== 
-===== 检测方法 ​===== +^Scope ^Technical Impace ​Note 
-==== 检测方法 ​- 1 ====+|Confidentiality|Read application data|Since SQL databases generally hold sensitive dataloss of confidentiality is a frequent problem with SQL injection vulnerabilities. ​
 +|Access_Control|Bypass protection mechanism|If poor SQL commands are used to check user names and passwords, it may be possible to connect to a system as another user with no previous knowledge of the password. ​
 +|Access_Control|Bypass protection mechanism|If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL injection vulnerability. ​
 +|Integrity|Modify application data|Just as it may be possible to read sensitive information,​ it is also possible to make changes or even delete this information with a SQL injection attack. ​
 +===== Detection Methods ​===== 
 +==== Detection Method ​- 1 ====
 {{page>​cwe:​cn:​detection:​1&​noheader}} {{page>​cwe:​cn:​detection:​1&​noheader}}
  
-==== 检测方法 ​- 2 ====+==== Detection Method ​- 2 ====
 {{page>​cwe:​cn:​detection:​2&​noheader}} {{page>​cwe:​cn:​detection:​2&​noheader}}
  
-==== 检测方法 ​- 3 ====+==== Detection Method ​- 3 ====
 {{page>​cwe:​cn:​detection:​9&​noheader}} {{page>​cwe:​cn:​detection:​9&​noheader}}
  
-===== 缓解方案 ​===== +==== Detection Method - 4 ==== 
-==== 缓解方案 ​- 1 ====+=== Automated Static Analysis - Binary / Bytecode === 
 +According to SOAR, the following detection techniques may be 
 +useful:==== Detection Method - 5 ==== 
 +=== Dynamic Analysis with automated results 
 +interpretation === 
 +According to SOAR, the following detection techniques may be 
 +useful:==== Detection Method - 6 ==== 
 +=== Dynamic Analysis with manual results interpretation === 
 +According to SOAR, the following detection techniques may be 
 +useful:==== Detection Method - 7 ==== 
 +=== Manual Static Analysis - Source Code === 
 +According to SOAR, the following detection techniques may be 
 +useful:==== Detection Method - 8 ==== 
 +=== Automated Static Analysis - Source Code === 
 +According to SOAR, the following detection techniques may be 
 +useful:==== Detection Method - 9 ==== 
 +=== Architecture / Design Review === 
 +According to SOAR, the following detection techniques may be 
 +useful:​===== Potential Mitigations ​===== 
 +==== Mitigation ​- 1 ====
 {{page>​cwe:​cn:​mitigation:​4&​noheader}} {{page>​cwe:​cn:​mitigation:​4&​noheader}}
  
-==== 缓解方案 ​- 2 ====+==== Mitigation ​- 2 ====
 {{page>​cwe:​cn:​mitigation:​27&​noheader}} {{page>​cwe:​cn:​mitigation:​27&​noheader}}
  
-==== 缓解方案 ​- 3 ====+==== Mitigation ​- 3 ====
 {{page>​cwe:​cn:​mitigation:​17&​noheader}} {{page>​cwe:​cn:​mitigation:​17&​noheader}}
  
-==== 缓解方案 ​- 4 ====+==== Mitigation ​- 4 ====
 {{page>​cwe:​cn:​mitigation:​15&​noheader}} {{page>​cwe:​cn:​mitigation:​15&​noheader}}
  
-==== 缓解方案 ​- 5 ====+==== Mitigation ​- 5 ====
 {{page>​cwe:​cn:​mitigation:​28&​noheader}} {{page>​cwe:​cn:​mitigation:​28&​noheader}}
  
-==== 缓解方案 ​- 6 ====+==== Mitigation ​- 6 ====
 {{page>​cwe:​cn:​mitigation:​5&​noheader}} {{page>​cwe:​cn:​mitigation:​5&​noheader}}
  
-==== 缓解方案 ​- 7 ====+==== Mitigation ​- 7 ====
 {{page>​cwe:​cn:​mitigation:​21&​noheader}} {{page>​cwe:​cn:​mitigation:​21&​noheader}}
  
-==== 缓解方案 ​- 8 ====+==== Mitigation ​- 8 ====
 {{page>​cwe:​cn:​mitigation:​39&​noheader}} {{page>​cwe:​cn:​mitigation:​39&​noheader}}
  
-==== 缓解方案 ​- 9 ====+==== Mitigation ​- 9 ====
 {{page>​cwe:​cn:​mitigation:​29&​noheader}} {{page>​cwe:​cn:​mitigation:​29&​noheader}}
  
-==== 缓解方案 ​- 10 ====+==== Mitigation ​- 10 ====
 {{page>​cwe:​cn:​mitigation:​16&​noheader}} {{page>​cwe:​cn:​mitigation:​16&​noheader}}
  
-===== 示例 ​===== +===== Demonstrative Examples ​===== 
-==== 示例 ​- 1 ====+==== Example ​- 1 ==== 
 +In 2008, a large number of web servers were compromised using the 
 +same SQL injection attack string. This single string worked against many 
 +different programs. The SQL injection was then used to modify the web sites 
 +to serve malicious code. [1]
  
-在2008年,大量的Web服务器被同一条SQL注入攻击字符串攻陷。这一条字符串能够应用于大量不同的程序。后来这些SQL注入攻击被用于将web网站篡改为恶意代码的载体。[1] + 
-==== 示例 ​- 2 ==== + 
-下面的代码动态地创建并执行一个用来搜索符合某个特定名称条目的SQL查询。查询限定为仅显示当前已登录用户所属的条目。+==== Example ​- 2 ==== 
 +The following code dynamically constructs and executes a SQL query 
 +that searches for items matching a specified name. The query restricts the 
 +items displayed to those where owner matches the user name of the 
 +currently-authenticated user.
  
 <code csharp > <code csharp >
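Review bot: the Common Consequences header row `^Scope ^Technical Impace Note` has a typo ("Impace" for "Impact") and lacks the cell separators DokuWiki needs for a header row; it should read `^Scope ^Technical Impact ^Note ^` so it renders with three header cells like the `^Reference ^Description ^` row of the Observed Examples table further down. In the Confidentiality row, "sensitive dataloss of confidentiality" should be "sensitive data, loss of confidentiality". Detection Methods 4 through 9 each stop at "According to SOAR, the following detection techniques may be useful:" with no technique list after the colon, and the next `==== Detection Method - N ====` heading is glued onto the same line, so none of those headings (nor the `===== Potential Mitigations =====` heading fused after Detection Method 9) will render as headings; each "useful:" line needs its technique list, or at minimum a line break, before the following heading.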
行 92: 行 127:
 </​code>​ </​code>​
  
-这条查询期望执行下面的SQL语句:+The query that this code intends to execute follows: ​
  
-<​code ​sql>+<​code>​
 SELECT * FROM items WHERE owner = <​userName>​ AND itemname = <​itemName>; ​ SELECT * FROM items WHERE owner = <​userName>​ AND itemname = <​itemName>; ​
 </​code>​ </​code>​
  
-但是,由于查询是由一段固化的查询语句和用户的输入组合而成的,所以查询仅在itemName不包含单引号的情况下是正确的。如果一名用户名称为wiley的攻击者输入下面的字符串:+However, because the query is constructed dynamically by concatenating a constant base query string and a user input string, the query only behaves correctly if itemName ​does not contain a single-quote character. If an attacker with the user name wiley enters the string: ​
  
 <​code>​ <​code>​
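Review bot: changing `<code sql>` to `<code>` on the intended-query block drops the SQL syntax highlighting the previous revision had, with no gain; keep `<code sql>` here, and the same regression appears on the two later SELECT blocks in this comparison (the injected query and the `SELECT * FROM items;` block).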
行 104: 行 139:
 </​code>​ </​code>​
  
-作为itemName,那么查询变成了下面这样:+for itemName, then the query becomes the following: ​
  
-<​code ​sql>+<​code>​
 SELECT * FROM items WHERE owner = '​wiley'​ AND itemname = '​name'​ OR '​a'​='​a'; ​ SELECT * FROM items WHERE owner = '​wiley'​ AND itemname = '​name'​ OR '​a'​='​a'; ​
 </​code>​ </​code>​
  
-添加了下面代码后+The addition of the
  
 <​code>​ <​code>​
行 116: 行 151:
 </​code>​ </​code>​
  
-用户输入的条件导致WHERE语句的计算结果永远为true,这样这条查询逻辑上等于下面这条简单的多的查询:+condition causes the WHERE clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query: ​
  
-<​code ​sql>+<​code>​
 SELECT * FROM items; ​ SELECT * FROM items; ​
 </​code>​ </​code>​
  
-这种简单的技巧允许攻击者绕过原始查询仅返回认证用户所拥有条目的限制;修改后的查询会返回存储在数据表中的全部条目,不论这些条目的拥有者是哪个用户。+This simplification of the query allows the attacker to bypass the requirement that the query only return items owned by the authenticated user; the query now returns all entries stored in the items table, regardless of their specified owner.  
 + 
  
-==== 示例 ​- 3 ====+==== Example ​- 3 ====
 This example examines the effects of a different malicious value This example examines the effects of a different malicious value
 passed to the query constructed and executed in the previous passed to the query constructed and executed in the previous
行 181: 行 218:
  
  
-==== 示例 ​- 4 ====+==== Example ​- 4 ====
 MS SQL has a built in function that enables shell command execution. MS SQL has a built in function that enables shell command execution.
 An SQL injection in such a context could be disastrous. For example, a query An SQL injection in such a context could be disastrous. For example, a query
行 213: 行 250:
  
  
-==== 示例 ​- 5 ====+==== Example ​- 5 ====
 This code intends to print a message summary given the message This code intends to print a message summary given the message
 ID. ID.
行 249: 行 286:
  
  
-==== 示例 ​- 6 ====+==== Example ​- 6 ====
 This example attempts to take a last name provided by a user and This example attempts to take a last name provided by a user and
 enter it into a database. enter it into a database.
行 265: 行 302:
  
  
-===== 验证实例 ​=====+===== Observed Examples ​=====
 ^Reference ^Description ^ ^Reference ^Description ^
 |[[http://​cve.scap.org.cn/​CVE-2004-0366.html|CVE-2004-0366]]|chain:​ SQL injection in library intended for database authentication allows SQL injection and authentication bypass. | |[[http://​cve.scap.org.cn/​CVE-2004-0366.html|CVE-2004-0366]]|chain:​ SQL injection in library intended for database authentication allows SQL injection and authentication bypass. |
行 274: 行 311:
 |[[http://​cve.scap.org.cn/​CVE-2003-0377.html|CVE-2003-0377]]|SQL injection in security product, using a crafted group name. | |[[http://​cve.scap.org.cn/​CVE-2003-0377.html|CVE-2003-0377]]|SQL injection in security product, using a crafted group name. |
 |[[http://​cve.scap.org.cn/​CVE-2008-2380.html|CVE-2008-2380]]|SQL injection in authentication library. | |[[http://​cve.scap.org.cn/​CVE-2008-2380.html|CVE-2008-2380]]|SQL injection in authentication library. |
 +
cwe/cn/definition/89.1370243138.txt.gz · Last modified: 2013/06/03 15:05 by evan