SQL注入攻击与防御研究

二〇一三年五月包头师范学院本科毕业论文题目：SQL注入攻击研究学号：0914490044学生姓名：何洋学院：信息科学与技术学院专业：计算机科学与技术班级：09本指导教师：史胜利包头师范学院本科毕业论文摘要SQL注入攻击是黑客对数据库进行攻击的常用手段之一。随着B/S模式应用开发的发展，使用这种模式编写应用程序的程序员也越来越多。但是由于程序员的水平及经验也参差不齐，相当大一部分程序员在编写代码的时候，没有对用户输入数据的合法性进行判断，使应用程序存在安全隐患。用户可以提交一段数据库查询代码，根据程序返回的结果，获得某些他想得知的数据，这就是所谓的SQLInjection，即SQL注入。SQL注入是从正常的端口访问，而且表面看起来跟一般的Web页面访问没什么区别，所以市面的防火墙都不会对SQL注入发出警报，如果管理员没查看ⅡS日志的习惯，可能被入侵很长时间都不会发觉。但是，SQL注入的手法相当灵活，在注入的时候会碰到很多意外的情况，需要构造巧妙的SQL语句，从而成功获取想要的数据。目前有近70%的攻击行为是基于WEB应用，而据CVE的2006年度统计数据显示，SQL注入攻击漏洞呈逐年上升的状态，2006年更是达到了惊人的1078个，而这些还仅限于通用应用程序的漏洞，不包括更为庞大的专业web应用程序所存在的漏洞。.关键词：SQL注入攻击；数据库；SQL语句包头师范学院本科毕业论文AbstractSQLinjectionattackisoneofthecommonlyusedmeansofhackingattacksagainstthedatabase.WiththedevelopmentoftheB/Smodeapplicationdevelopment,usethismodetowritetheapplicationprogrammerisalsomoreandmore.Butbecausetheprogrammer'slevelandexperiencealsoisuneven,aconsiderablepartoftheprogrammerinwritingcode,nottojudgethelegitimacyoftheuserinputdata,maketheapplicationexistencesafehiddentrouble.Usercansubmitadatabasequerycode,onthebasisoftheresultoftheprogramtoreturntoobtaincertainhewantstoknow,thisistheSQLInjection,namely,SQLInjection.SQLinjectionfromnormalⅡShabitoflog,invasionmaybealongtimenotfound.However,SQLinjectiontechniqueisquiteflexible,atthetimeofinjectionwillencounteralotofunexpectedsituation,constructingtheSQLstatementsforclever,therebysuccessfullyobtaindesireddata.Therearenearly70%oftheapplicationsisaweb-basedattackbehavior,andaccordingtothestatisticsshowthat2006CVESQLinjectionvulnerabilityisrisingyearbyyear,hasrisenanastonishing1078,2006,whichislimitedtogeneralapplicationvulnerabilities,notincludinglargerprofessionalexistingWEBapplicationvulnerabilities.Keywords：SQLinjectionattacks;Database;TheSQLstatement包头师范学院本科毕业论文1引言................................................................................................................................................51.1课题背景............................................................................................................................51.2课题研究意义......................................................................................................................51.3国内外研究现状...................................................................................................................51.4课题研究内容......................................................................................................................72SQL语言及SQL注入环境分析.......................................................................................................82.1SQL语言简介.......................................................................................................................82.2SQL注入攻击网络背景.......................................................................................................83SQL注入攻击的实现.....................................................................................................................103.3SQL注入原理..................................................................................................................113.4SQL攻击流程..................................................................................................................123.4.1SQL注入常用函数................................................................................................153.5SQL注入实践.....................................................................................................................163.5.1ASP网页简介.........................................................................................................163.5.2注入环境搭建........................................................................................................173.5.3手工注入示例........................................................................................................183.5.4工具注入示例........................................................................................................224SQL注入攻击分类........................................................................................................................265SQL注入攻击防御........................................................................................................................305.1编程过程的防范..............................................................................................................305.1.1SQL注入攻击检测/防御/跟踪模型....................................................................325.2数据库配置防范................................................................................................................355.2.1使用安全的账号和密码策略.................................................................................355.2.2使用Windows身份验证模式................................................................................365.2.3管理扩展存储过程.................................................................................................365.3SQL注入攻击的防治.....................................................