网佳创业天使社区

天使投资唐 发表于 2015-4-10 12:31:09 | 显示全部楼层 |阅读模式
网站慢?电商被黑?APP泄密?最下解析图片里SQL注入的漫画
北上广深 业天使免费沙龙 网站安全 LAMP架构 APP 服务器加速
时间:2015-4-12、18、19、25日 下午
费用:免费参与!2015年第二季度唯一一次

活动程序:早到、中场休息、会后:大家互相交流!
开场:每一位嘉宾练习【电梯推介】自己的项目或介绍自己
主讲:@天使投资唐 和各位嘉宾

上半场沙龙:探讨 云计算、建站、网络安全、技术、LAMP架构、加速
LAMP= Linux  Apache MySQL PHP 架构。在嘉宾面前建云Linux服务器、LAMP架构、和用 CMS(WordPress 或 Discuz)建简单网站,演示如何加速微型服务器=省钱,深入讲解 Apache架构,Mod_Rewrite、Mod_Security 和 GeoIP 模块与Apache沟通的流程,用GDB调试以上所有的C语言源代码 ,建议如何防黑客和竞争对手攻击,解析在B/S和App与云服务器沟通时,被黑和防黑客的实际案例。用PHP、Python 和Apache MySQL 实际编程和源代码,探讨如何在做电商、手机支付、用户信息等网站或APP,如何避险。

创业=《天使投资》自己,本身在于避险!网络安全不容忽视。

唐滔Victor自从中学就开始编程,大学也做了很多编程,1994年就开始做网站和电商,这12个月深入源代码,制作一些网站,找到了很多奥妙,想与大家分享。。因为最近很多黑客事件,或泄密,导致国内基本上除非一级网站,初创网站、支付或服务很难获得用户和合作方的亲睐和信任。如果初创失去用户的信任,还没有机会与竞争对手PK前就挂了。。

道高一尺魔高一丈。可否防范,这要看对手是谁了。刚曝光俄罗斯黑客去年底看了美国白宫的信息,斯诺登曝光美国NSA入侵华为,尝试注木马入芯片里。可是,网络创业者日常的对手并不是这些暗能量,而是很多可防范的bots spammer等>>@地球分析师:呵呵,好天真,真以为能防得住吗>>@xiao鐸鐸:拥有技术创业,真好
这次沙龙上半场面对技术群体,与过往非技术创业者的听众不同。所以webplus+微信只有几位报名,但合作方支付沙龙有16位报名,而且都是大网络公司的技术大牛。那么我肯定不可以让来宾失望。因为时间有限,我这次只会用微软的Azure云演示如何用每月20美元的Ubuntu做一个大网站,感谢微软给我免费云服务!

上半场欢迎参与者:
1)工程师——以上领域的软件工程师,有产品开发经验
2)技术准创业者——有成熟想法、有具体创业计划的程序猿
3)创业者——支付、移动支付、电商、移动互联网、互联网、O2O等
4)技术投资者、分析师、网络 服务器 和 安防行业专家。



下半场沙龙 欢迎任何参与者:
自由互动,创业、投融资案例分享、探讨。来宾的创业或投融资的问题。

其他话题:重温 由创业 成长 投融资 到上市,包括团队 产品 营销 财务 法律 商业计划 和 阿里巴巴招股书 和 上市 等。天使投资唐 分享 多年上市路演经历! http://bbs.webplus.com/forum.php?mod=viewthread&tid=9968
投资意向书或投资协议等投融资问题,创业者、投资者与合伙人的博弈,创新点子,商业化,盈利模式,市场营销,上市,破产,退出,法律,审计,等。大家互相问答,相互学习!如有您想展示项目,请大家拍砖。优秀项目在Webplus.com免费推介!
请建议其他话题。

恳请创业大侠和无名英雄, 投资界江湖大佬,还有内部创业精英,经理人,专业人士,融资顾问,资深律师,审计师,媒体,学生,各地政府园区和投资机构等出席。来宾有很强的互动和发言,与各路豪杰角逐!




解析图片里SQL注入的漫画
http://www.explainxkcd.com/wiki/index.php/327:_Exploits_of_a_Mom
Transcript  谈话全文
[罗伯茨太太 收到儿子学校的电话。]
      [Mrs. Roberts receives a call from her son's school.]
来电:你好,这是你儿子的学校。我们有一些电脑的麻烦。
      Caller: Hi, This is your son's school. We're having some computer trouble.
罗伯茨夫人:哦,亲 - 他打烂了什么东西?
      Mrs. Roberts: Oh, dear - did he break something?
来电:在某种程度上 -
      Caller: In a way -
来电:难道你真的命名你的儿子:Robert'); DROP TABLE Students;--?
      Caller: Did you really name your son:Robert'); DROP TABLE Students;--   ?
罗伯茨夫人:哦,是的。我们叫他小Bobby Tables。
      Mrs. Roberts: Oh, yes. Little Bobby Tables, we call him.
来电:嗯,我们已经失去了今年的学生记录。我希望你高兴。
      Caller: Well, we've lost this year's student records. I hope you're happy.
罗伯茨夫人:我也希望你已经学会了净化你的数据库的输入。
      Mrs. Roberts: And I hope you've learned to sanitize your database inputs.

Mrs. Roberts receives a call from her son's school. The caller, likely one of the school's administrators, asks if the she really named her son Robert'); DROP TABLE Students;--, a rather unusual name. Perhaps surprisingly, Mrs. Roberts responds in the affirmative, claiming that she uses the nickname "Little Bobby Tables". As the full name is read into the school's system's databases without data sanitization, it causes the student table in the database to be deleted.
The title of this comic is a pun—exploit can mean an accomplishment or heroic deed, but in computer science the term refers to a program or technique that takes advantage of a vulnerability in other software. In fact, one could say that her exploit is to exploit an exploit (her achievement is to make use of a vulnerability). The title can also refer to her choice of name for her son, which is rather extraordinary.
In SQL, a database programming language, commands are separated by semicolons ; and strings of text are often delimited using single quotes '. Parts of commands may also be enclosed in parentheses ( and ). Data entries are stored as "rows" within named "tables" of similar items (e.g. Students). The command to delete an entire table (and every row of data in that table) is DROP, as in DROP TABLE Students;).
The exploited vulnerability here is that the single quote in the name input was not correctly "escaped" by the software. That is, if a student's name did indeed contain a quote mark, it should have been parsed as one of the characters making up the text string and not as the marker to close the string, which it erroneously was. Lack of such escaping is a common SQL vulnerability; this type of exploit is referred to as SQL injection. Mrs. Roberts thus reminds the school to make sure they have added data filtering code to prevent code injection exploits in the future.
For example, if the site was running PHP, the code might store the student's name in a variable called $name, and generate an SQL statement to search the database and check that the name is valid, like this:
    $sql = "SELECT * FROM Students WHERE (first_name='$name');";
For a student named "Annie", this would give the following SQL command:
    SELECT * FROM Students WHERE (first_name='Annie');
which is a valid command where the 5-character string "Annie" has been substituted for "$name" in the PHP code above. However, with Mrs. Roberts' exploit, the SQL command becomes:
    SELECT * FROM Students WHERE (first_name='Robert'); DROP TABLE Students;--');
As semicolons separate statements, this will be read by the interpreter as three commands:
    SELECT * FROM Students WHERE (first_name='Robert');
    DROP TABLE Students;
    --');
  • The first line runs as normal, caused by the '); punctuation in part of Little Bobby Tables' name properly closing the current command.
  • The second injected command then does the damage, deleting the student records from the school's database.
  • The third line begins with two hyphens -- which are used to mark a comment in SQL, meaning that the interpreter ignores it as well as the partial fragment of code originally after $name in the PHP statement.

For this to work, it helps to know a little about the structure of the database. But it's quite a good guess that a school's student management database might have a table named Students. Mrs. Roberts' exploit also assumes that the person who wrote the code used exactly one set of parentheses around (first_name='$name') in the PHP example, so that the single close parenthesis in the name could match it, which apparently was a successful guess. Of course, in real life most exploits of this kind would be performed not by socially engineering a person's name such that it would eventually be entered into a database query, but rather by accessing some kind of input system (such as a website's login screen or search interface) and guessing various combinations by trial and error until something works, perhaps by first trying to inject the SHOW TABLES command to see how the database is structured.
The title text references that her daughter is named "Help I'm trapped in a driver's license factory". This is a play on how if someone is stuck and forced to work in a manufacturing factory/plant then they will write on the product "Help I am trapped in a ____ factory" in order to tell people on the outside. Having this name would cause any police officer that pulls her over to show some concern, as well as getting the license in the first place would be difficult.
This xkcd comic has become rather famous, spawning at least one site about preventing SQL injection named http://bobby-tables.com.



本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?立即注册

x
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

QQ|小黑屋|Archiver|手机版|网佳创业天使社区 ( 12036313号-2 )

GMT+8, 2024-12-26 23:40 , Processed in 0.018902 second(s), 20 queries .

Powered by Discuz X3.4 Licensed

© 2001-2013 WEBPLUS

快速回复 返回顶部 返回列表