{"id":477603,"date":"2023-08-09T09:17:42","date_gmt":"2023-08-09T09:17:42","guid":{"rendered":""},"modified":"2023-09-05T11:15:02","modified_gmt":"2023-09-05T11:15:02","slug":"injection-attacks","status":"publish","type":"wiki","link":"https:\/\/oneproxy.pro\/vn\/wiki\/injection-attacks\/","title":{"rendered":"T\u1ea5n c\u00f4ng ti\u00eam ch\u00edch"},"content":{"rendered":"

T\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m l\u00e0 m\u1ed9t lo\u1ea1i khai th\u00e1c b\u1ea3o m\u1eadt nh\u1eafm v\u00e0o c\u00e1c \u1ee9ng d\u1ee5ng d\u1ec5 b\u1ecb t\u1ed5n th\u01b0\u01a1ng b\u1eb1ng c\u00e1ch thao t\u00fang d\u1eef li\u1ec7u \u0111\u1ea7u v\u00e0o. C\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng n\u00e0y khai th\u00e1c vi\u1ec7c thi\u1ebfu x\u00e1c th\u1ef1c v\u00e0 v\u1ec7 sinh th\u00edch h\u1ee3p d\u1eef li\u1ec7u do ng\u01b0\u1eddi d\u00f9ng cung c\u1ea5p, cho ph\u00e9p c\u00e1c t\u00e1c nh\u00e2n \u0111\u1ed9c h\u1ea1i ch\u00e8n v\u00e0 th\u1ef1c thi m\u00e3 t\u00f9y \u00fd ho\u1eb7c c\u00e1c truy v\u1ea5n SQL ngo\u00e0i \u00fd mu\u1ed1n. H\u1eadu qu\u1ea3 c\u1ee7a c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m th\u00e0nh c\u00f4ng c\u00f3 th\u1ec3 r\u1ea5t nghi\u00eam tr\u1ecdng, bao g\u1ed3m truy c\u1eadp d\u1eef li\u1ec7u tr\u00e1i ph\u00e9p, thao t\u00e1c d\u1eef li\u1ec7u, leo thang \u0111\u1eb7c quy\u1ec1n v\u00e0 th\u1eadm ch\u00ed l\u00e0 x\u00e2m ph\u1ea1m ho\u00e0n to\u00e0n \u1ee9ng d\u1ee5ng ho\u1eb7c h\u1ec7 th\u1ed1ng. \u0110\u1ed1i v\u1edbi nh\u00e0 cung c\u1ea5p m\u00e1y ch\u1ee7 proxy OneProxy (oneproxy.pro), vi\u1ec7c hi\u1ec3u r\u00f5 c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m l\u00e0 r\u1ea5t quan tr\u1ecdng \u0111\u1ec3 c\u1ee7ng c\u1ed1 d\u1ecbch v\u1ee5 c\u1ee7a h\u1ecd tr\u01b0\u1edbc c\u00e1c m\u1ed1i \u0111e d\u1ecda ti\u1ec1m \u1ea9n.<\/p>\n

L\u1ecbch s\u1eed ngu\u1ed3n g\u1ed1c c\u1ee7a c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m<\/h2>\n

C\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m xu\u1ea5t hi\u1ec7n s\u1edbm nh\u1ea5t l\u00e0 v\u00e0o nh\u1eefng n\u0103m 1990 khi Internet b\u1eaft \u0111\u1ea7u tr\u1edf n\u00ean ph\u1ed5 bi\u1ebfn r\u1ed9ng r\u00e3i. S\u1ef1 \u0111\u1ec1 c\u1eadp n\u1ed5i b\u1eadt \u0111\u1ea7u ti\u00ean v\u1ec1 c\u00e1c l\u1ed7 h\u1ed5ng ti\u00eam nhi\u1ec5m l\u00e0 v\u00e0o gi\u1eefa nh\u1eefng n\u0103m 1990 v\u1edbi vi\u1ec7c ph\u00e1t hi\u1ec7n ra c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m SQL. Nh\u1eefng tr\u01b0\u1eddng h\u1ee3p ban \u0111\u1ea7u n\u00e0y \u0111\u00e3 m\u1edf \u0111\u01b0\u1eddng cho nghi\u00ean c\u1ee9u s\u00e2u h\u01a1n v\u00e0 ph\u00e1t hi\u1ec7n ra c\u00e1c lo\u1ea1i t\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m kh\u00e1c, ch\u1eb3ng h\u1ea1n nh\u01b0 Ch\u00e8n l\u1ec7nh, T\u1eadp l\u1ec7nh ch\u00e9o trang (XSS) v\u00e0 Th\u1ef1c thi m\u00e3 t\u1eeb xa (RCE).<\/p>\n

Th\u00f4ng tin chi ti\u1ebft v\u1ec1 c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ti\u00eam ch\u00edch<\/h2>\n

C\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m th\u01b0\u1eddng khai th\u00e1c c\u00e1c c\u01a1 ch\u1ebf x\u00e1c th\u1ef1c \u0111\u1ea7u v\u00e0o y\u1ebfu ho\u1eb7c kh\u00f4ng t\u1ed3n t\u1ea1i trong c\u00e1c \u1ee9ng d\u1ee5ng web v\u00e0 c\u00e1c h\u1ec7 th\u1ed1ng ph\u1ea7n m\u1ec1m kh\u00e1c. Khi m\u1ed9t \u1ee9ng d\u1ee5ng kh\u00f4ng v\u1ec7 sinh \u0111\u00fang c\u00e1ch th\u00f4ng tin \u0111\u1ea7u v\u00e0o c\u1ee7a ng\u01b0\u1eddi d\u00f9ng, k\u1ebb t\u1ea5n c\u00f4ng c\u00f3 th\u1ec3 ch\u00e8n d\u1eef li\u1ec7u \u0111\u1ed9c h\u1ea1i m\u00e0 \u1ee9ng d\u1ee5ng hi\u1ec3u nh\u1ea7m l\u00e0 c\u00e1c l\u1ec7nh ho\u1eb7c truy v\u1ea5n h\u1ee3p ph\u00e1p. T\u00f9y thu\u1ed9c v\u00e0o ki\u1ec3u ch\u00e8n, \u0111i\u1ec1u n\u00e0y c\u00f3 th\u1ec3 d\u1eabn \u0111\u1ebfn c\u00e1c ki\u1ec3u khai th\u00e1c v\u00e0 l\u1ed7 h\u1ed5ng kh\u00e1c nhau.<\/p>\n

C\u1ea5u tr\u00fac b\u00ean trong c\u1ee7a c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m<\/h2>\n

Nguy\u00ean t\u1eafc ho\u1ea1t \u0111\u1ed9ng c\u1ee7a c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m c\u00f3 th\u1ec3 kh\u00e1c nhau t\u00f9y thu\u1ed9c v\u00e0o lo\u1ea1i l\u1ed7 h\u1ed5ng \u0111\u01b0\u1ee3c nh\u1eafm t\u1edbi. D\u01b0\u1edbi \u0111\u00e2y l\u00e0 t\u00f3m t\u1eaft chung v\u1ec1 c\u00e1ch th\u1ee9c ho\u1ea1t \u0111\u1ed9ng c\u1ee7a c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m:<\/p>\n

    \n
  1. \n

    X\u00e1c \u0111\u1ecbnh c\u00e1c \u0111i\u1ec3m \u0111\u1ea7u v\u00e0o d\u1ec5 b\u1ecb t\u1ed5n th\u01b0\u01a1ng<\/strong>: K\u1ebb t\u1ea5n c\u00f4ng x\u00e1c \u0111\u1ecbnh c\u00e1c khu v\u1ef1c trong \u1ee9ng d\u1ee5ng m\u00e0 d\u1eef li\u1ec7u do ng\u01b0\u1eddi d\u00f9ng cung c\u1ea5p kh\u00f4ng \u0111\u01b0\u1ee3c x\u00e1c th\u1ef1c ho\u1eb7c v\u1ec7 sinh \u0111\u1ea7y \u0111\u1ee7.<\/p>\n<\/li>\n

  2. \n

    T\u1ea1o \u0111\u1ea7u v\u00e0o \u0111\u1ed9c h\u1ea1i<\/strong>: Sau \u0111\u00f3, h\u1ecd t\u1ea1o \u0111\u1ea7u v\u00e0o \u0111\u01b0\u1ee3c ch\u1ebf t\u1ea1o c\u1ea9n th\u1eadn c\u00f3 ch\u1ee9a m\u00e3 \u0111\u1ed9c ho\u1eb7c h\u01b0\u1edbng d\u1eabn b\u1ed5 sung.<\/p>\n<\/li>\n

  3. \n

    Ti\u00eam m\u00e3 \u0111\u1ed9c h\u1ea1i<\/strong>: \u0110\u1ea7u v\u00e0o \u0111\u1ed9c h\u1ea1i \u0111\u01b0\u1ee3c g\u1eedi t\u1edbi \u1ee9ng d\u1ee5ng, t\u1ea1i \u0111\u00f3 n\u00f3 \u0111\u01b0\u1ee3c th\u1ef1c thi nh\u1ea7m ho\u1eb7c \u0111\u01b0\u1ee3c hi\u1ec3u l\u00e0 c\u00e1c l\u1ec7nh h\u1ee3p l\u1ec7.<\/p>\n<\/li>\n

  4. \n

    Khai th\u00e1c v\u00e0 gi\u00e0nh quy\u1ec1n ki\u1ec3m so\u00e1t<\/strong>: Vi\u1ec7c th\u1ef1c thi th\u00e0nh c\u00f4ng m\u00e3 \u0111\u1ed9c cho ph\u00e9p k\u1ebb t\u1ea5n c\u00f4ng truy c\u1eadp tr\u00e1i ph\u00e9p, tr\u00edch xu\u1ea5t d\u1eef li\u1ec7u nh\u1ea1y c\u1ea3m ho\u1eb7c thao t\u00fang h\u00e0nh vi c\u1ee7a \u1ee9ng d\u1ee5ng \u0111\u1ec3 c\u00f3 l\u1ee3i cho ch\u00fang.<\/p>\n<\/li>\n<\/ol>\n

    Ph\u00e2n t\u00edch c\u00e1c t\u00ednh n\u0103ng ch\u00ednh c\u1ee7a t\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m<\/h2>\n

    C\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m c\u00f3 m\u1ed9t s\u1ed1 \u0111\u1eb7c \u0111i\u1ec3m chung khi\u1ebfn ch\u00fang tr\u1edf n\u00ean nguy hi\u1ec3m v\u00e0 ph\u1ed5 bi\u1ebfn:<\/p>\n

      \n
    1. \n

      Thao t\u00e1c \u0111\u1ea7u v\u00e0o<\/strong>: T\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m khai th\u00e1c \u0111i\u1ec3m y\u1ebfu trong x\u00e1c th\u1ef1c \u0111\u1ea7u v\u00e0o, cho ph\u00e9p k\u1ebb t\u1ea5n c\u00f4ng b\u1ecf qua c\u00e1c bi\u1ec7n ph\u00e1p b\u1ea3o m\u1eadt.<\/p>\n<\/li>\n

    2. \n

      Kh\u00f4ng c\u1ea7n x\u00e1c th\u1ef1c<\/strong>: Trong nhi\u1ec1u tr\u01b0\u1eddng h\u1ee3p, k\u1ebb t\u1ea5n c\u00f4ng kh\u00f4ng c\u1ea7n ph\u1ea3i l\u00e0 ng\u01b0\u1eddi d\u00f9ng \u0111\u01b0\u1ee3c x\u00e1c th\u1ef1c \u0111\u1ec3 th\u1ef1c hi\u1ec7n c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m, khi\u1ebfn b\u1ea5t k\u1ef3 ai c\u00f3 quy\u1ec1n truy c\u1eadp internet \u0111\u1ec1u c\u00f3 th\u1ec3 truy c\u1eadp ch\u00fang.<\/p>\n<\/li>\n

    3. \n

      \u1ee8ng d\u1ee5ng-b\u1ea5t kh\u1ea3 tri<\/strong>: C\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m kh\u00f4ng g\u1eafn li\u1ec1n v\u1edbi c\u00e1c c\u00f4ng ngh\u1ec7 ho\u1eb7c n\u1ec1n t\u1ea3ng c\u1ee5 th\u1ec3 v\u00e0 c\u00f3 th\u1ec3 \u0111\u01b0\u1ee3c \u00e1p d\u1ee5ng tr\u00ean nhi\u1ec1u h\u1ec7 th\u1ed1ng kh\u00e1c nhau, bao g\u1ed3m c\u1ea3 \u1ee9ng d\u1ee5ng web v\u00e0 c\u01a1 s\u1edf d\u1eef li\u1ec7u.<\/p>\n<\/li>\n

    4. \n

      B\u1ea3n ch\u1ea5t l\u00e9n l\u00fat<\/strong>: C\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m th\u00e0nh c\u00f4ng c\u00f3 th\u1ec3 kh\u00f3 ph\u00e1t hi\u1ec7n v\u00ec ch\u00fang th\u01b0\u1eddng kh\u00f4ng \u0111\u1ec3 l\u1ea1i d\u1ea5u v\u1ebft trong nh\u1eadt k\u00fd m\u00e1y ch\u1ee7 ho\u1eb7c c\u00e1c h\u1ec7 th\u1ed1ng gi\u00e1m s\u00e1t kh\u00e1c.<\/p>\n<\/li>\n<\/ol>\n

      C\u00e1c ki\u1ec3u t\u1ea5n c\u00f4ng ti\u00eam ch\u00edch<\/h2>\n

      C\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m c\u00f3 nhi\u1ec1u h\u00ecnh th\u1ee9c kh\u00e1c nhau, nh\u1eafm v\u00e0o c\u00e1c c\u00f4ng ngh\u1ec7 v\u00e0 ngu\u1ed3n d\u1eef li\u1ec7u kh\u00e1c nhau. D\u01b0\u1edbi \u0111\u00e2y l\u00e0 m\u1ed9t s\u1ed1 lo\u1ea1i ph\u1ed5 bi\u1ebfn:<\/p>\n\n\n\n\n\n\n\n\n\n\n
      Ki\u1ec3u<\/th>\nS\u1ef1 mi\u00eau t\u1ea3<\/th>\n<\/tr>\n<\/thead>\n
      Ti\u00eam SQL<\/td>\nKhai th\u00e1c l\u1ed7 h\u1ed5ng trong truy v\u1ea5n SQL.<\/td>\n<\/tr>\n
      L\u1ec7nh ti\u00eam<\/td>\nTh\u1ef1c thi c\u00e1c l\u1ec7nh h\u1ec7 th\u1ed1ng ngo\u00e0i \u00fd mu\u1ed1n.<\/td>\n<\/tr>\n
      T\u1eadp l\u1ec7nh ch\u00e9o trang<\/td>\nTi\u00eam c\u00e1c t\u1eadp l\u1ec7nh \u0111\u1ed9c h\u1ea1i v\u00e0o c\u00e1c trang web.<\/td>\n<\/tr>\n
      Ti\u00eam LDAP<\/td>\nNh\u1eafm m\u1ee5c ti\u00eau Giao th\u1ee9c truy c\u1eadp th\u01b0 m\u1ee5c nh\u1eb9.<\/td>\n<\/tr>\n
      Th\u1ef1c th\u1ec3 b\u00ean ngo\u00e0i XML<\/td>\nKhai th\u00e1c l\u1ed7 h\u1ed5ng ph\u00e2n t\u00edch c\u00fa ph\u00e1p XML.<\/td>\n<\/tr>\n
      Ti\u00eam NoSQL<\/td>\nNh\u1eafm m\u1ee5c ti\u00eau c\u01a1 s\u1edf d\u1eef li\u1ec7u NoSQL nh\u01b0 MongoDB.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

      C\u00e1ch s\u1eed d\u1ee5ng c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m, v\u1ea5n \u0111\u1ec1 v\u00e0 gi\u1ea3i ph\u00e1p<\/h2>\n

      C\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m g\u00e2y ra r\u1ee7i ro \u0111\u00e1ng k\u1ec3 cho c\u00e1c \u1ee9ng d\u1ee5ng v\u00e0 h\u1ec7 th\u1ed1ng web. M\u1ed9t s\u1ed1 v\u1ea5n \u0111\u1ec1 li\u00ean quan \u0111\u1ebfn t\u1ea5n c\u00f4ng ti\u00eam ch\u00edch bao g\u1ed3m:<\/p>\n

        \n
      1. \n

        R\u00f2 r\u1ec9 d\u1eef li\u1ec7u<\/strong>: D\u1eef li\u1ec7u nh\u1ea1y c\u1ea3m c\u00f3 th\u1ec3 b\u1ecb l\u1ed9 ho\u1eb7c r\u00f2 r\u1ec9 cho nh\u1eefng c\u00e1 nh\u00e2n kh\u00f4ng \u0111\u01b0\u1ee3c ph\u00e9p.<\/p>\n<\/li>\n

      2. \n

        Thao t\u00e1c d\u1eef li\u1ec7u<\/strong>: K\u1ebb t\u1ea5n c\u00f4ng c\u00f3 th\u1ec3 s\u1eeda \u0111\u1ed5i ho\u1eb7c x\u00f3a d\u1eef li\u1ec7u, d\u1eabn \u0111\u1ebfn c\u00e1c v\u1ea5n \u0111\u1ec1 v\u1ec1 t\u00ednh to\u00e0n v\u1eb9n d\u1eef li\u1ec7u.<\/p>\n<\/li>\n

      3. \n

        N\u00e2ng cao \u0111\u1eb7c quy\u1ec1n<\/strong>: C\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m c\u00f3 th\u1ec3 n\u00e2ng cao \u0111\u1eb7c quy\u1ec1n c\u1ee7a k\u1ebb t\u1ea5n c\u00f4ng, c\u1ea5p cho ch\u00fang quy\u1ec1n truy c\u1eadp tr\u00e1i ph\u00e9p.<\/p>\n<\/li>\n<\/ol>\n

        \u0110\u1ec3 gi\u1ea3m thi\u1ec3u c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng ti\u00eam nhi\u1ec5m, c\u00e1c nh\u00e0 ph\u00e1t tri\u1ec3n v\u00e0 nh\u00e0 cung c\u1ea5p m\u00e1y ch\u1ee7 proxy nh\u01b0 OneProxy n\u00ean tri\u1ec3n khai c\u00e1c bi\u1ec7n ph\u00e1p m\u00e3 h\u00f3a an to\u00e0n, ch\u1eb3ng h\u1ea1n nh\u01b0:<\/p>\n