| Rule General Information | |
|---|---|
| Release Date: | 2021-12-20 |
| Rule Name: | SQL Injection Detection - Oracle Delayed Injection |
| Severity: | |
| CVE ID: | |

| Rule Protection Details | |
|---|---|
| Description: | SQL injection vulnerabilities arise when a web application does not strictly filter user input. An attacker submits SQL statements that change the execution logic of the back-end SQL query, and thereby obtains sensitive information or uploads a webshell. This rule detects delayed (time-based) injection in HTTP requests. |
| Impact: | Through SQL injection attacks, an attacker can inject arbitrary SQL commands to view or modify the database of the target system. |
| Affected OS: | Windows, Linux, Others |
| Reference: | |

| Solutions |
|---|
| 1. Filter and escape user-supplied data so that the input cannot carry malicious SQL code. |
| 2. Use parameterized queries or prepared (precompiled) statements instead of concatenating user input directly into SQL statements. |
| 3. Connect the application to the database with a least-privilege account; do not use an over-privileged database account to perform operations it does not need. |
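
As an added example (not part of this rule page or the vendor's signature set), the following Python checks HTTP request parameters for Oracle time-delay primitives, the kind of pattern a rule like the one described above matches. The signature list, the decoding depth and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Oracle built-ins commonly used to add a measurable delay in time-based
# (blind) SQL injection. This is an assumed, illustrative signature set,
# not the rule's real signatures.
DELAY_RE = re.compile(
    r"DBMS_LOCK\s*\.\s*SLEEP\s*\("
    r"|DBMS_SESSION\s*\.\s*SLEEP\s*\("
    r"|DBMS_PIPE\s*\.\s*RECEIVE_MESSAGE\s*\(",
    re.IGNORECASE,
)

def normalize(value: str, rounds: int = 3) -> str:
    """Undo repeated URL encoding and strip /**/ comment padding so that
    lightly obfuscated payloads still reach the signature check."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"/\*.*?\*/", "", value, flags=re.DOTALL)

def inspect_request(target: str, body: str = "") -> list:
    """Return (parameter, matched text) for every query-string or form-body
    parameter that contains an Oracle delay primitive; [] if clean."""
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    hits = []
    for name, raw in params:
        match = DELAY_RE.search(normalize(raw))
        if match:
            hits.append((name, match.group(0)))
    return hits

# Constructed sample requests (target, body); not real traffic.
SAMPLE_REQUESTS = [
    ("/item?id=42", ""),
    ("/item?id=42%27%20AND%20DBMS_LOCK.SLEEP(5)--", ""),
    ("/login", "user=bob&pw=x%27||DBMS_PIPE.RECEIVE_MESSAGE(%27a%27,10)||%27"),
    ("/search?q=1%2527%2520AND%2520DBMS_LOCK%252ESLEEP%25283%2529--", ""),  # double-encoded
    ("/search?q=1'%20AND%20DBMS_LOCK/**/.SLEEP(3)--", ""),  # comment padding
]

def flagged_requests(requests=SAMPLE_REQUESTS) -> list:
    """Targets whose request (query string or body) triggered the signature."""
    return [target for target, body in requests if inspect_request(target, body)]

if __name__ == "__main__":
    for target, body in SAMPLE_REQUESTS:
        print(target, "->", inspect_request(target, body) or "clean")
```

A production rule would also need to look at headers, JSON bodies and multipart forms, and to pair signature hits with response-time anomalies to cut false positives.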