
Scientific Journal of Information Engineering

April 2013, Volume 3, Issue 2, PP.40-45

Attack and Defense of Computer Network Database


Zixin Wang
Computer Science and Technology CUMT, Xuzhou 221008, China
Email: 105564738@qq.com

Abstract
With the rapid development of computer technology, computer networks have become an important part of human society and have had a huge effect on social development. Networked systems use a variety of database technologies, and these give hackers one avenue of attack. This paper therefore analyses the threats to computer network databases and how to prevent them.
Keywords: Database; SQL; Database Explosion


1.1 SQL injection

WebCohort's vulnerability testing of Web applications [1] reported figures of 92% ... and 60% ... for SQL injection; a 2009 Sophos report ... SQL injection ...

- 40 http://www.sjie.org/

1.1.1


1.1.2

1. SQL
2.
3.

1.1.3

1. Building the statement by string concatenation:

SQLstatement := "SELECT * FROM data WHERE id=" + variable + ";"

Here variable is the id supplied by the user and is spliced into the SQL text unchanged, so whatever it contains becomes part of the statement.
2. Taking the column and table names directly from GET parameters (PHP, legacy mysql extension):

// Column and table identifiers come straight from the request; they cannot be bound as parameters
$SQL = "SELECT $_GET[column1], $_GET[column2], $_GET[column3] FROM $_GET[table]";
$result = mysql_query($SQL);
$rowcount = mysql_num_rows($result);
$row = 1;
while ($db_field = mysql_fetch_assoc($result)) {
    if ($row <= $rowcount) {
        // mysql_fetch_assoc() keys the row by column name, so print every field of the row
        print implode(', ', $db_field) . "<BR>";
        $row++;
    }
}
3. Passing a URL parameter of a Web page straight into the WHERE clause (PHP, legacy mysql extension):

// The request value is interpolated into the SQL text without quoting or validation
$SQL = "SELECT * FROM table WHERE field=$_GET[input]";
$result = mysql_query($SQL);
$rowcount = mysql_num_rows($result);
$row = 1;
while ($db_field = mysql_fetch_assoc($result)) {
    if ($row <= $rowcount) {
        print implode(', ', $db_field) . "<BR>";
        $row++;
    }
}
4. URL parameters [2].
5. Selecting a record by the value chosen in a list control, with the ID concatenated into the SQL text (C#, ADO.NET OleDb; connectionString, UserList and lblResults are page members):

using System;
using System.Data.OleDb;

private void UserList_SelectedIndexChanged(object sender, System.EventArgs e)
{
    string SQL;
    SQL = "SELECT * FROM table ";
    // The selected value is appended verbatim, so a crafted value rewrites the statement
    SQL += "WHERE ID=" + UserList.SelectedItem.Value + ";";
    OleDbConnection con = new OleDbConnection(connectionString);
    OleDbCommand cmd = new OleDbCommand(SQL, con);
    OleDbDataReader reader;
    try
    {
        con.Open();
        reader = cmd.ExecuteReader();
        reader.Read();
        lblResults.Text = "<b>" + reader["LastName"];
        lblResults.Text += ", " + reader["FirstName"] + "</b><br>";
        lblResults.Text += "ID: " + reader["ID"] + "<br>";
        reader.Close();
    }
    catch (Exception err)
    {
        // The raw driver message is shown to the user and can reveal schema details
        lblResults.Text = "Error getting data. ";
        lblResults.Text += err.Message;
    }
    finally
    {
        con.Close();
    }
}
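The concatenation patterns of items 1, 2 and 5 above (a user-supplied id spliced into WHERE id=..., and column and table names taken straight from the request), reproduced as an added Python example beside hardened versions; this is not code from the paper. It runs against an in-memory SQLite database: the table data, its three columns and its rows are constructed sample data, and the allow-lists used by the hardened identifier lookup are this example's own assumption.

```python
"""Added example: the concatenation patterns of section 1.1.3 beside hardened versions.

Not from the paper.  Runs against an in-memory SQLite database; the table
`data`, its columns and its rows are constructed sample data.
"""
import sqlite3

# Constructed sample rows (id, FirstName, LastName).
SAMPLE_ROWS = [
    (1, "Alice", "Smith"),
    (2, "Bob", "Jones"),
    (3, "Carol", "White"),
]

# Allow-lists for the hardened identifier lookup (an assumption of this example).
ALLOWED_TABLES = {"data"}
ALLOWED_COLUMNS = {"id", "FirstName", "LastName"}


def setup_db() -> sqlite3.Connection:
    """Create the constructed table the examples query."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE data (id INTEGER, FirstName TEXT, LastName TEXT)")
    con.executemany("INSERT INTO data VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def select_by_id_vulnerable(con: sqlite3.Connection, variable: str) -> list:
    """Items 1 and 5: the raw request value is spliced into the SQL text."""
    sql = "SELECT * FROM data WHERE id=" + variable + ";"
    return con.execute(sql).fetchall()


def select_by_id_safe(con: sqlite3.Connection, variable: str) -> list:
    """Hardened: reject anything that is not an integer, then bind the value.

    A bound value reaches the engine as data, so it can never become part of
    the statement's structure.  Raises ValueError on non-numeric input.
    """
    record_id = int(variable)  # "1 OR 1=1" fails here with ValueError
    return con.execute("SELECT * FROM data WHERE id=?", (record_id,)).fetchall()


def select_columns_vulnerable(con: sqlite3.Connection, columns: list, table: str) -> list:
    """Item 2: column and table names come straight from the request."""
    sql = "SELECT " + ", ".join(columns) + " FROM " + table
    return con.execute(sql).fetchall()


def select_columns_safe(con: sqlite3.Connection, columns: list, table: str) -> list:
    """Hardened: identifiers cannot be bound as parameters, so they are
    checked against an allow-list before being placed in the statement."""
    if table not in ALLOWED_TABLES or not set(columns) <= ALLOWED_COLUMNS:
        raise ValueError("identifier not allowed: %r / %r" % (columns, table))
    sql = "SELECT " + ", ".join(columns) + " FROM " + table
    return con.execute(sql).fetchall()


if __name__ == "__main__":
    con = setup_db()
    # "1 OR 1=1" turns WHERE id=1 into WHERE id=1 OR 1=1 and returns every row.
    print(select_by_id_vulnerable(con, "1 OR 1=1"))
    print(select_by_id_safe(con, "1"))
    # Attacker-chosen identifiers read the schema catalogue instead of `data`.
    print(select_columns_vulnerable(con, ["name", "sql"], "sqlite_master"))
    try:
        select_columns_safe(con, ["name", "sql"], "sqlite_master")
    except ValueError as exc:
        print("rejected:", exc)
```

Binding fixes the value case completely; for identifiers there is no binding mechanism in any driver, which is why the second hardened function validates against a fixed set of names rather than trying to escape the input.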

1.2

1.2.1

1.2.2

The two forms of the attack: %5c and conn.asp.

1. The %5c method. %5c is the URL encoding of the backslash (\). Given a page requested as ...asp?id=..., the attacker either appends /%5c after the query string or replaces the last / in the path before the script name with %5c; the attack depends on how IIS resolves a path that contains the backslash. With the example site used in the paper, the two forms are:

http://hxhack.com/soft/view.asp?id=58/%5c
http://hxhack.com/soft%5cview.asp?id=58

2. The conn.asp method. conn.asp is the file that holds the database connection code; this form of the attack targets conn.asp, again using %5c.

1.3

Database products in common use include Oracle, MySQL and SQL Server, each of which ships with default accounts: SQL Server has sa; MySQL has root and the anonymous account; Oracle has SYS, SYSTEM, DBSNMP and OUTLN. Each also offers extended functionality that an attacker can abuse (xp_cmdshell, OPENROWSET, LOAD_FILE, ActiveX and Java components).
Defences against SQL injection:

1. Check URL parameters before they reach a SQL statement.

2. Put a # in the database file name. IE treats # in a URL as the start of a fragment, so a file named #data.mdb cannot be fetched by that name; the encoded form %23data.mdb, however, still reaches the file in IE, so this only deters casual attempts.

3. Change the extension of the Access .mdb file to .asp or .asa so that IIS does not serve it for download.

4. Store passwords as MD5 hashes rather than in plaintext, and at login compare MD5(submitted password) with the stored MD5 value. (Unsalted MD5 is fast to brute-force; a salted, deliberately slow password hash is current practice.)

5. Do not leave the administration pages under predictable names such as manage, admin or login.asp.

6. Filter URL parameters for injection keywords and characters: and, or, ', ", :, ;, exec, select, from, insert, delete, update, count, user, xp_cmdshell, add, net, drop, table, truncate, mid and %. A check of this kind, in C#:

using System.Text.RegularExpressions;

public bool inputCheck(string str)
{
    // SQL keywords and commands commonly seen in injection attempts, matched case-insensitively
    string str1 = @"select|insert|delete|from|count\(|drop table|update|truncate|asc\(|mid\(|char\(|xp_cmdshell|exec master|net localgroup administrators|net user|or|and";
    // Characters that should not appear in a plain parameter value
    string str2 = @"'|;|,|\/|\(|\)|\[|\]|\}|\{|%|@|\*|!|\'";
    bool result = Regex.IsMatch(str, str1, RegexOptions.IgnoreCase) || Regex.IsMatch(str, str2);
    return result;
}
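The keyword and character filter of item 6, as an added Python example (not the paper's code) run over constructed sample inputs. The word and character lists are the ones the paper's inputCheck matches, joined with | as in the original; the sample strings and the labels saying which of them are attacks are this example's own.

```python
"""Added example: the blacklist filter of section 1.3 item 6 in Python.

Not from the paper.  KEYWORDS and SPECIALS are the lists the paper's inputCheck
matches; the sample inputs below are constructed for this example.
"""
import re

# Keywords matched case-insensitively (the paper's str1).
KEYWORDS = (
    r"select|insert|delete|from|count\(|drop table|update|truncate|asc\(|mid\(|"
    r"char\(|xp_cmdshell|exec master|net localgroup administrators|net user|or|and"
)
# Characters matched as they are (the paper's str2).
SPECIALS = r"'|;|,|\/|\(|\)|\[|\]|\}|\{|%|@|\*|!|\'"

_KEYWORD_RE = re.compile(KEYWORDS, re.IGNORECASE)
_SPECIAL_RE = re.compile(SPECIALS)


def input_check(value: str) -> bool:
    """Return True when the value trips the blacklist (same logic as inputCheck)."""
    return bool(_KEYWORD_RE.search(value) or _SPECIAL_RE.search(value))


def matched_terms(value: str) -> list:
    """Which blacklist entries fired; useful when tuning the list."""
    hits = [m.group(0).lower() for m in _KEYWORD_RE.finditer(value)]
    hits += [m.group(0) for m in _SPECIAL_RE.finditer(value)]
    return hits


# Constructed sample inputs: (value, is_attack) as a person would label them.
SAMPLES = [
    ("' OR 1=1--", True),
    ("1; DROP TABLE users", True),
    ("0 UNION SELECT name, sql FROM sqlite_master", True),
    ("12345", False),
    ("Zixin Wang", False),
    ("Brandon", False),           # legitimate, but contains "and"
    ("O'Brien", False),           # legitimate, but contains an apostrophe
    ("Northampton Road", False),  # legitimate, but contains "or"
]


def evaluate(samples=SAMPLES) -> dict:
    """Run the filter over the samples and count hits and misses by category."""
    counts = {"true_positive": 0, "false_positive": 0,
              "true_negative": 0, "false_negative": 0}
    for value, is_attack in samples:
        flagged = input_check(value)
        if flagged and is_attack:
            counts["true_positive"] += 1
        elif flagged and not is_attack:
            counts["false_positive"] += 1
        elif not flagged and not is_attack:
            counts["true_negative"] += 1
        else:
            counts["false_negative"] += 1
    return counts


if __name__ == "__main__":
    for value, _ in SAMPLES:
        print("%-45r flagged=%-5s terms=%s" % (value, input_check(value), matched_terms(value)))
    print(evaluate())
```

On this sample set the filter catches all three attack strings but also rejects three legitimate values, because it is plain substring matching: Brandon and Northampton contain and and or, and O'Brien contains an apostrophe. A blacklist of this kind can at best supplement binding values as query parameters; it cannot replace it.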

7. Use the privilege controls of the RDBMS itself (Oracle is the example given).

8.
SQL

REFERENCES
[1] WebCohort. WebCohort`s application defense center reports results of vulnerability testing on Web applications [EB/OL]. 2004,
3(25). http://www.imperva.com/company/news/2004feb02.html
[2] SQL. 2010
[3] [J]. 2004
[4] SQL [J]. 2008
[5] SQL SERVER 2005 [M]. 2008

Zixin Wang (1986- ), ... 2010. Email: 105564738@qq.com
