28,409
社区成员
发帖
与我相关
我的任务
分享50分求mssql除了以下不安全字符还有那些不安全的字符是需要替换的,暂时多分,到时补
(and|or|insert|exec|select|delete|update|count|chr|mid|master|truncate|char|declare|database|backup|\=)([\'| ])
以上用正则替换掉,请高手解答还有那些需要过滤的
以上用正则替换掉,请高手解答还有那些需要过滤的
...全文
请发表友善的回复…
发表回复
yonghanyang 2009-08-25
- 打赏
- 举报
继续顶
y34ml 2009-08-22
- 打赏
- 举报
运用注释语句绕过
用/**/代替空格,如:UNION /**/ Select/**/user,pwd,from tbluser
用/**/分割敏感词,如:U/**/ NION /**/ SE/**/ LECT /**/user,pwd from tbluser
0x730079007300610064006D0069006E00 =hex(sysadmin)
0x640062005F006F0077006E0065007200 =hex(db_owner)
用/**/代替空格,如:UNION /**/ Select/**/user,pwd,from tbluser
用/**/分割敏感词,如:U/**/ NION /**/ SE/**/ LECT /**/user,pwd from tbluser
0x730079007300610064006D0069006E00 =hex(sysadmin)
0x640062005F006F0077006E0065007200 =hex(db_owner)
yonghanyang 2009-08-22
- 打赏
- 举报
再次顶起
yonghanyang 2009-08-21
- 打赏
- 举报
期待高手
xzx99 2009-08-18
- 打赏
- 举报
学习...
y34ml 2009-08-18
- 打赏
- 举报
[Quote=引用 7 楼 jiewenxu 的回复:]
VBScript codePublicFunction Checkstr(Str)IfIsnull(Str)Then
CheckStr=""ExitFunctionEndIf
Str=Replace(Str,Chr(0),"")
CheckStr=Replace(Str,"'","''")End Function
我一直使用的过滤函数,只要过滤一个chr(0),其他只要单引号配对,随便你怎么怎么弄,他都无法注入
[/Quote]
VBScript codePublicFunction Checkstr(Str)IfIsnull(Str)Then
CheckStr=""ExitFunctionEndIf
Str=Replace(Str,Chr(0),"")
CheckStr=Replace(Str,"'","''")End Function
我一直使用的过滤函数,只要过滤一个chr(0),其他只要单引号配对,随便你怎么怎么弄,他都无法注入
[/Quote]
<%
--QueryString = ?id=1or%201=1
--输出的sql语句为SELECT * FROM users where uid =1or 1=1在mssql中正常运行
dim sql : sql = "SELECT * FROM users where uid ="
Response.Write(sql & CheckStr(Request.QueryString("id")))
Public Function Checkstr(Str)
If Isnull(Str) Then
CheckStr = ""
Exit Function
End If
Str = Replace(Str,Chr(0),"")
CheckStr = Replace(Str,"'","''")
End Function
%>
y34ml 2009-08-18
- 打赏
- 举报
[Quote=引用 7 楼 jiewenxu 的回复:]
VBScript codePublicFunction Checkstr(Str)IfIsnull(Str)Then
CheckStr=""ExitFunctionEndIf
Str=Replace(Str,Chr(0),"")
CheckStr=Replace(Str,"'","''")End Function
我一直使用的过滤函数,只要过滤一个chr(0),其他只要单引号配对,随便你怎么怎么弄,他都无法注入
[/Quote]
哈哈,代码要严谨才行,一般的人只对Request.form和Request.QueryString而往往忽略了对cookie进行过滤已经判断,只要仿造cookie你就玩完了
VBScript codePublicFunction Checkstr(Str)IfIsnull(Str)Then
CheckStr=""ExitFunctionEndIf
Str=Replace(Str,Chr(0),"")
CheckStr=Replace(Str,"'","''")End Function
我一直使用的过滤函数,只要过滤一个chr(0),其他只要单引号配对,随便你怎么怎么弄,他都无法注入
[/Quote]
哈哈,代码要严谨才行,一般的人只对Request.form和Request.QueryString而往往忽略了对cookie进行过滤已经判断,只要仿造cookie你就玩完了
jiewenxu 2009-08-18
- 打赏
- 举报
Public Function Checkstr(Str)
If Isnull(Str) Then
CheckStr = ""
Exit Function
End If
Str = Replace(Str,Chr(0),"")
CheckStr = Replace(Str,"'","''")
End Function我一直使用的过滤函数,只要过滤一个chr(0),其他只要单引号配对,随便你怎么怎么弄,他都无法注入
yonghanyang 2009-08-18
- 打赏
- 举报
[Quote=引用 4 楼 joking520 的回复:]
只要过滤 ' 单引号 以及对应的ASCII 编码就好了,
另外,MSSQL 2000 小心二进制注入漏洞。
[/Quote]
过滤'肯定不行,只要or 1=1就完蛋了,小心二进制注入漏洞,不懂,给一些例子
只要过滤 ' 单引号 以及对应的ASCII 编码就好了,
另外,MSSQL 2000 小心二进制注入漏洞。
[/Quote]
过滤'肯定不行,只要or 1=1就完蛋了,小心二进制注入漏洞,不懂,给一些例子
chenjianyong94 2009-08-17
- 打赏
- 举报
给你写个过滤函数,在添加到数据库的时候,先将字符串过滤,调用一下该函数即可。
/// <summary>
/// 去除HTML标记
/// </summary>
/// <param name="NoHTML">包括HTML的源码 </param>
/// <returns>已经去除后的文字</returns>
public static string NoHTML(string Htmlstring)
{
if (Htmlstring == null)
{
return "";
}
else
{
//删除脚本
Htmlstring = Regex.Replace(Htmlstring, @"<script[^>]*?>.*?</script>", "", RegexOptions.IgnoreCase);
//删除HTML
Htmlstring = Regex.Replace(Htmlstring, @"<(.[^>]*)>", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"([\r\n])[\s]+", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"-->", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"<!--.*", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"&(quot|#34);", "\"", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"&(amp|#38);", "&", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"&(lt|#60);", "<", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"&(gt|#62);", ">", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"&(nbsp|#160);", " ", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"&(iexcl|#161);", "\xa1", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"&(cent|#162);", "\xa2", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"&(pound|#163);", "\xa3", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"&(copy|#169);", "\xa9", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, @"&#(\d+);", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell", "", RegexOptions.IgnoreCase);
//删除与数据库相关的词
Htmlstring = Regex.Replace(Htmlstring, "select ", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, "insert ", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, "delete from ", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, "count''", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, "drop table ", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, "truncate ", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, "asc", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, "mid", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, "char", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, "exec master", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, "net localgroup administrators", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " and ", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, "net user", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " or ", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, " net ", "", RegexOptions.IgnoreCase);
//Htmlstring = Regex.Replace(Htmlstring,"*", "", RegexOptions.IgnoreCase);
//Htmlstring = Regex.Replace(Htmlstring,"-", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, "delete ", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, "drop ", "", RegexOptions.IgnoreCase);
Htmlstring = Regex.Replace(Htmlstring, "script", "", RegexOptions.IgnoreCase);
//特殊的字符
Htmlstring = Htmlstring.Replace("<", "");
Htmlstring = Htmlstring.Replace(">", "");
Htmlstring = Htmlstring.Replace("*", "");
Htmlstring = Htmlstring.Replace("--", "");
Htmlstring = Htmlstring.Replace("?", "");
Htmlstring = Htmlstring.Replace(",", "");
Htmlstring = Htmlstring.Replace("/", "");
Htmlstring = Htmlstring.Replace(";", "");
Htmlstring = Htmlstring.Replace("*/", "");
Htmlstring = Htmlstring.Replace("\r\n", "");
Htmlstring = HttpContext.Current.Server.HtmlEncode(Htmlstring).Trim();
return Htmlstring;
}
} mailbao 2009-08-16
- 打赏
- 举报
Chr(0
""
<
>
script
SCRIPT
Script
script
object
OBJECT
Object
object
applet
APPLET
Applet
applet
[
]
""
=
’
select
execute
exec
join
union
where
insert
delete
update
like
drop
create
rename
count
chr
mid
truncate
nchar
char
alter
cast
exists
Chr(13)
""
<
>
script
SCRIPT
Script
script
object
OBJECT
Object
object
applet
APPLET
Applet
applet
[
]
""
=
’
select
execute
exec
join
union
where
insert
delete
update
like
drop
create
rename
count
chr
mid
truncate
nchar
char
alter
cast
exists
Chr(13)
joking520 2009-08-16
- 打赏
- 举报
只要过滤 ' 单引号 以及对应的ASCII 编码就好了,
另外,MSSQL 2000 小心二进制注入漏洞。
另外,MSSQL 2000 小心二进制注入漏洞。
cngothic 2009-08-16
- 打赏
- 举报
注入就是在SQL语句中加上一些条件。
你只要把'过滤吊就没有任何问题。
你只要把'过滤吊就没有任何问题。
三楼の郎 2009-08-16
- 打赏
- 举报
这些都替换掉了,你英文还能输入吗!
