CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
常见后果
影响范围: Confidentiality Integrity Availability
技术影响: Execute Unauthorized Code or Commands
说明: Adversaries could execute system commands, typically by changing the SQL statement to redirect output to a file that can then be executed.
影响范围: Confidentiality
技术影响: Read Application Data
说明: Since SQL databases generally hold sensitive data, loss of confidentiality is a frequent problem with SQL injection vulnerabilities.
影响范围: Authentication
技术影响: Gain Privileges or Assume Identity Bypass Protection Mechanism
说明: If poor SQL commands are used to check user names and passwords or perform other kinds of authentication, it may be possible to connect to the product as another user with no previous knowledge of the password.
影响范围: Access Control
技术影响: Bypass Protection Mechanism
说明: If authorization information is held in a SQL database, it may be possible to change this information through the successful exploitation of a SQL injection vulnerability.
影响范围: Integrity
技术影响: Modify Application Data
说明: Just as it may be possible to read sensitive information, it is also possible to modify or even delete this information with a SQL injection attack.
潜在缓解措施
阶段: Architecture and Design
策略: Libraries or Frameworks
阶段: Architecture and Design
策略: Parameterization
阶段: Architecture and Design Operation
策略: Environment Hardening
阶段: Architecture and Design
描述: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
阶段: Implementation
策略: Output Encoding
阶段: Implementation
策略: Input Validation
阶段: Architecture and Design
策略: Enforcement by Conversion
描述: When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
阶段: Implementation
阶段: Operation
策略: Firewall
描述: Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481.
有效性: Moderate
阶段: Operation Implementation
策略: Environment Hardening
描述: When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, but be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-621, and similar issues.
检测方法
方法: Automated Static Analysis
方法: Automated Dynamic Analysis
This weakness can be detected using dynamic tools and techniques that interact with the software using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The software's operation may slow down, but it should not become unstable, crash, or generate incorrect results.
有效性: Moderate
方法: Manual Analysis
Manual analysis can be useful for finding this weakness, but it might not achieve desired code coverage within limited time constraints. This becomes difficult for weaknesses that must be considered for all inputs, since the attack surface can be too large.
方法: Automated Static Analysis - Binary or Bytecode
有效性: High
方法: Dynamic Analysis with Automated Results Interpretation
有效性: High
方法: Dynamic Analysis with Manual Results Interpretation
有效性: SOAR Partial
方法: Manual Static Analysis - Source Code
有效性: High
方法: Automated Static Analysis - Source Code
有效性: High
方法: Architecture or Design Review
有效性: High
观察示例
参考: CVE-2023-32530
SQL injection in security product dashboard using crafted certificate fields
参考: CVE-2021-42258
SQL injection in time and billing software, as exploited in the wild per CISA KEV.
参考: CVE-2021-27101
SQL injection in file-transfer system via a crafted Host header, as exploited in the wild per CISA KEV.
参考: CVE-2020-12271
SQL injection in firewall product's admin interface or user portal, as exploited in the wild per CISA KEV.
参考: CVE-2019-3792
An automation system written in Go contains an API that is vulnerable to SQL injection allowing the attacker to read privileged data.
参考: CVE-2004-0366
chain: SQL injection in library intended for database authentication allows SQL injection and authentication bypass.
参考: CVE-2008-2790
SQL injection through an ID that was supposed to be numeric.
参考: CVE-2008-2223
SQL injection through an ID that was supposed to be numeric.
参考: CVE-2007-6602
SQL injection via user name.
参考: CVE-2008-5817
SQL injection via user name or password fields.
参考: CVE-2003-0377
SQL injection in security product, using a crafted group name.
参考: CVE-2008-2380
SQL injection in authentication library.
参考: CVE-2017-11508
SQL injection in vulnerability management and reporting tool, using a crafted password.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | REALIZATION: This weakness is caused during implementation of an architectural security tactic. |
| Implementation | This weakness typically appears in data-rich applications that save user inputs in a database. |
适用平台
编程语言
技术
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | SQL injection | - |
| 7 Pernicious Kingdoms | - | SQL Injection | - |
| CLASP | - | SQL injection | - |
| OWASP Top Ten 2007 | A2 | Injection Flaws | CWE More Specific |
| OWASP Top Ten 2004 | A1 | Unvalidated Input | CWE More Specific |
| OWASP Top Ten 2004 | A6 | Injection Flaws | CWE More Specific |
| WASC | 19 | SQL Injection | - |
| Software Fault Patterns | SFP24 | Tainted input to command | - |
| OMG ASCSM | ASCSM-CWE-89 | - | |
| SEI CERT Oracle Coding Standard for Java | IDS00-J | Prevent SQL injection | Exact |
关键信息
CWE ID: CWE-89
抽象级别: Base
结构: Simple
状态: Stable
利用可能性: High