Preventing SQLi from being used to create a shell/backdoor.

2012.02.11

Thanks to this nice post by Arvind Doraiswamy, here are a few tips on how to prevent someone from creating a shell or backdoor script on your system/website through an SQLi vulnerability.

Trivial, but well explained with pictures; IMHO a must-read for those not yet familiar with it.

Here they are, extended by me :)

1. Properly sanitize every piece of input that ends up in an SQL query. See the manuals; there are plenty of them on the Internet.

2. Don't leave world-writeable directories on your webserver. If some are needed (log directories, etc.), know where they are, try to move them outside the web-accessible tree, or restrict web access to them (via an .htaccess file or some other way).

3. Query the database with a restricted user that does not have the FILE privilege. Run the SQL server itself under a restricted OS account as well (on Windows machines, for example).

4. Disable default DB accounts; use passwords and password policies.

5. Securely manage not only the publicly accessible parts of your website or webapp, but also the restricted directories and functions. A webshell can be placed in your admin directory and then linked to, or included via LFI, from a publicly accessible script.
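As an added example (my own code, not from the original post or from Arvind's article), two small audit helpers in Python for tips 2 and 3: one walks a web root looking for world-writable directories, the other parses `SHOW GRANTS` output and flags accounts holding MySQL's FILE privilege, directly or via ALL PRIVILEGES. The web root layout, the grant lines and the account names are constructed sample data.

```python
"""Audit helpers for two of the tips above (example code, not the original post's):
world-writable directories under a web root, and DB accounts that hold FILE."""
import os
import re
import stat
import tempfile


def world_writable_dirs(webroot):
    """Return directories under webroot (relative paths) that any local user can write into."""
    found = []
    for dirpath, dirnames, _ in os.walk(webroot):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            mode = os.lstat(full).st_mode
            # lstat + S_ISDIR skips symlinks; S_IWOTH is the "others can write" bit.
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
                found.append(os.path.relpath(full, webroot))
    return sorted(found)


# One line of `SHOW GRANTS FOR user@host` output, e.g.
#   GRANT SELECT, INSERT, FILE ON *.* TO 'app'@'localhost'
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<who>.+?)(\s+WITH\b.*)?$", re.I)


def grants_with_file(grant_lines):
    """Return accounts that hold FILE, explicitly or through ALL PRIVILEGES.
    FILE is a global privilege, so it can only appear in an ON *.* grant."""
    flagged = set()
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if "FILE" in privs or "ALL PRIVILEGES" in privs:
            flagged.add(m.group("who"))
    return sorted(flagged)


# Constructed sample SHOW GRANTS output for three hypothetical accounts.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, FILE ON *.* TO 'app'@'localhost'",
    "GRANT USAGE ON *.* TO 'web'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'web'@'localhost'",
]


def demo_webroot():
    """Build a throwaway constructed web root with a world-writable 'uploads'
    directory and a locked-down 'logs' directory, then scan it."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "uploads"))
    os.makedirs(os.path.join(root, "logs"))
    os.chmod(os.path.join(root, "uploads"), 0o777)  # the mistake tip 2 warns about
    os.chmod(os.path.join(root, "logs"), 0o750)
    return world_writable_dirs(root)


if __name__ == "__main__":
    print("world-writable under web root:", demo_webroot())
    print("accounts holding FILE:", grants_with_file(SAMPLE_GRANTS))
```

On MySQL, also confirm that `secure_file_priv` is set, since it limits where an account that does hold FILE can write at all.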
