In web applications, many operations build dynamic SQL statements from user-supplied data. For example, the statement "SELECT * FROM Products" simply returns every product from the database to the web application. Any meta-character slipped into such a statement while it is being built can lead to SQL Injection.
Let's start with a script that contains a SQL Injection vulnerability, to serve as the example.
The script's job is to look up a member by id and print that member's information.
I created a database named sqli containing a table named uye. The table has four columns: id, username, password, email.
Finally, I inserted a few sample rows:
The code of uye.php, the file that makes up our script, is as follows (the connection is deliberately left as the original post wrote it; note that the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0, so this only runs on PHP 5.x):

```php
<?php
$baglan = mysql_pconnect("localhost", "root", "123456");   // connect to the database server
mysql_select_db("sqli", $baglan);                          // select the database we created

$id = $_GET["id"];                                 // raw, unfiltered user input
$sorgu = "SELECT * FROM uye WHERE id=" . $id;      // VULNERABLE: the input is concatenated straight into the SQL
$cek = mysql_fetch_object(mysql_query($sorgu));

echo 'Olusan Sorgu: ' . $sorgu . "<br>";           // prints the query that was actually built
echo $cek->username . "<br>" . $cek->email;
?>
```
The two lines that make this script injectable are $id = $_GET["id"]; and the line that builds $sorgu (the original post highlighted them in red).
Code written like this openly invites SQL Injection: the cause of the vulnerability is that the value of the id query-string parameter is concatenated into the dynamic SQL query without any filtering or type check.
This is also how SQL Injection is found manually in PHP scripts in general: concentrate on dynamically built query strings and on how each query is executed, that is, which function receives the string and whether user input reaches it unchanged.
When uye.php is run, the record with id 1 (my own details) is printed, as shown:
But since we used a weak coding style, let's now subject it to a SQL Injection attack. How? By appending the ' (single quote) meta-character after id=1:
The page responded with a Warning: mysql_fetch_object()... error! The unbalanced quote broke the SQL syntax, so mysql_query() returned false and mysql_fetch_object() complained about it. Now it's time to exploit this :) We extract sensitive data from the database:
As you can see, the data appeared on screen:
username: ismailsaygili
password: iso123
Let's perform the same exploitation with the automated tool SQLMap:
We discovered the SQL Injection vulnerability in the script manually; now let's search PHP scripts for vulnerabilities automatically with RIPS. RIPS is a static analysis tool that finds vulnerabilities in PHP source code.

RIPS Installation and Usage
RIPS requires no installation at all! Plug and play :)
First, download RIPS from here (the original post links to the download). Copy the rips folder into your local web root and open the corresponding URL in your browser:
Step 1: Enter the directory path of the PHP script you want to scan. I entered the path of the script from the example above, since that is what we are going to scan.
Step 2: Choose the vulnerability type. I chose SQL Injection.
Step 3: If you tick subdirs, the subdirectories of the given path are scanned as well.
Step 4: Finally, press the scan button to start the scan.
I ran the scan and this is the result:
As shown, RIPS flagged a SQL Injection vulnerability on line 7. Remember that we found the same thing during the manual review above? :)
Sir, you shared the weak code, so how is a secure version of it written?
Secure Code 1:

```php
<?php
$baglan = mysql_pconnect("localhost", "root", "123456");
mysql_select_db("sqli", $baglan);

$id = intval($_GET["id"]);                         // cast to integer: anything that is not a number becomes 0
$sorgu = "SELECT * FROM uye WHERE id=" . $id;      // only an integer can now reach the query
$cek = mysql_fetch_object(mysql_query($sorgu));

echo 'Olusan Sorgu: ' . $sorgu . "<br>";
echo $cek->username . "<br>" . $cek->email;
?>
```
By fixing the type of the id variable to integer we obtain integer protection. When an attacker appends a single quote to http://localhost/sqli/uye.php?id=1 they get nowhere, because after id= only an integer value is accepted: intval("1'") yields 1, so no string (character sequence) can ever be smuggled into the query.
As you can see, we can no longer pull the username and password out of the database :(
Protection against SQL Injection is of course not limited to this. For example, passing the id variable through the mysql_real_escape_string function prepends a backslash (\) to characters that are dangerous inside SQL string literals (quotes, backslashes, NUL). Keep in mind, though, that escaping only helps when the value is placed between quotes in the query: in uye.php the id is unquoted, so a payload such as 1 OR 1=1 contains nothing to escape and still changes the query. The general remedy is a parameterized (prepared) query, in which the value is bound separately from the SQL text.
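The following is an added example written for this page; it is not code from the original post, from uye.php or from RIPS. It rebuilds the post's uye table in an in-memory SQLite database so that it runs offline with the php CLI (assumed: PHP 7 or later with the pdo_sqlite extension). SQLite via PDO stands in for the post's MySQL server, the two rows are constructed, and the payloads are illustrative. The same attacker inputs are run through four versions of the lookup: the raw concatenation of uye.php (the exploitation shown above), the intval() cast of Secure Code 1, an escape-only variant standing in for the mysql_real_escape_string suggestion, and a PDO prepared statement, printing how many rows each one returns.

```php
<?php
// Added example, not from the original post. Assumes php-cli with pdo_sqlite.
// SQLite in memory stands in for the post's MySQL server; rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE uye (id INTEGER, username TEXT, password TEXT, email TEXT)");
$db->exec("INSERT INTO uye VALUES (1, 'ismailsaygili', 'iso123', 'ismail@example.invalid'),
                                  (2, 'ayse',          'gizli',  'ayse@example.invalid')");

// 1. Vulnerable: builds the query exactly the way uye.php does (raw concatenation).
function vulnerable(PDO $db, string $id): array {
    $sorgu = "SELECT * FROM uye WHERE id=" . $id;
    return $db->query($sorgu)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Integer cast: the post's Secure Code 1. Anything that is not a leading integer becomes 0.
function with_intval(PDO $db, string $id): array {
    $sorgu = "SELECT * FROM uye WHERE id=" . intval($id);
    return $db->query($sorgu)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Escape-only: stands in for mysql_real_escape_string(). SQLite has no such function,
//    so PDO::quote() with its surrounding quotes stripped is used as an approximation.
//    The value is still NOT quoted in the SQL, which is the whole problem.
function with_escape_only(PDO $db, string $id): array {
    $escaped = substr($db->quote($id), 1, -1);
    $sorgu = "SELECT * FROM uye WHERE id=" . $escaped;
    return $db->query($sorgu)->fetchAll(PDO::FETCH_ASSOC);
}

// 4. Prepared statement: the value is bound as data and never spliced into the SQL text,
//    so it cannot change the structure of the query.
function with_prepared(PDO $db, string $id): array {
    $st = $db->prepare("SELECT * FROM uye WHERE id = :id");
    $st->execute([':id' => $id]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

$payloads = [
    "1",                                                   // legitimate request
    "1'",                                                  // the single quote from the post: syntax error
    "1 OR 1=1",                                            // no quote needed, because id is never quoted
    "0 UNION SELECT id,username,password,email FROM uye",  // same column count: dumps every row
];

foreach (['vulnerable', 'with_intval', 'with_escape_only', 'with_prepared'] as $fn) {
    foreach ($payloads as $p) {
        try {
            $rows = $fn($db, $p);
            printf("%-17s id=%-52s -> %d row(s): %s\n", $fn, $p, count($rows),
                   implode(',', array_column($rows, 'username')));
        } catch (PDOException $e) {
            printf("%-17s id=%-52s -> SQL error (%s)\n", $fn, $p, $e->getMessage());
        }
    }
}
```

Run it with php followed by the file name. The vulnerable and escape-only variants return both rows for the OR and UNION payloads, which is how the username and password leaked in the post; the cast variant returns at most the single legitimate row, and the prepared statement returns nothing for any of the malformed inputs because the whole string is compared as a value rather than parsed as SQL. One caveat for MySQL: its lenient string-to-number coercion compares '1 OR 1=1' as the number 1 when the column is numeric, so a prepared statement on its own would return row 1 rather than nothing. The query structure is still safe, but keeping the intval() cast in front of the prepared statement is the sound combination.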