50分求mssql除了以下不安全字符还有那些不安全的字符是需要替换的,暂时多分,到时补

yonghanyang 2009-08-16 12:03:13

...全文

137 14 打赏收藏转发到动态举报

写回复

用AI写文章

14 条回复

切换为时间正序

请发表友善的回复…

发表回复

yonghanyang 2009-08-25

打赏
举报

继续顶

y34ml 2009-08-22

打赏
举报

运用注释语句绕过
用/**/代替空格，如：UNION /**/ Select/**/user，pwd，from tbluser
用/**/分割敏感词，如：U/**/ NION /**/ SE/**/ LECT /**/user，pwd from tbluser
0x730079007300610064006D0069006E00 =hex(sysadmin)
0x640062005F006F0077006E0065007200 =hex(db_owner)

yonghanyang 2009-08-22

打赏
举报

再次顶起

yonghanyang 2009-08-21

打赏
举报

期待高手

xzx99 2009-08-18

打赏
举报

学习...

y34ml 2009-08-18

打赏
举报



<%

--QueryString = ?id=1or%201=1

--输出的sql语句为SELECT * FROM users where uid =1or 1=1在mssql中正常运行

dim sql : sql = "SELECT * FROM users where uid ="

Response.Write(sql & CheckStr(Request.QueryString("id")))

    Public Function Checkstr(Str)

        If Isnull(Str) Then

            CheckStr = ""

            Exit Function 

        End If

        Str = Replace(Str,Chr(0),"")

        CheckStr = Replace(Str,"'","''")

    End Function

%>

y34ml 2009-08-18

打赏
举报

[Quote=引用 7 楼 jiewenxu 的回复:]
VBScript codePublicFunction Checkstr(Str)IfIsnull(Str)Then
CheckStr=""ExitFunctionEndIf
Str=Replace(Str,Chr(0),"")
CheckStr=Replace(Str,"'","''")End Function

我一直使用的过滤函数，只要过滤一个chr(0)，其他只要单引号配对，随便你怎么怎么弄，他都无法注入
[/Quote]
哈哈,代码要严谨才行,一般的人只对Request.form和Request.QueryString而往往忽略了对cookie进行过滤已经判断,只要仿造cookie你就玩完了

jiewenxu 2009-08-18

打赏
举报

	Public Function Checkstr(Str)

		If Isnull(Str) Then

			CheckStr = ""

			Exit Function 

		End If

		Str = Replace(Str,Chr(0),"")

		CheckStr = Replace(Str,"'","''")

	End Function

我一直使用的过滤函数，只要过滤一个chr(0)，其他只要单引号配对，随便你怎么怎么弄，他都无法注入

yonghanyang 2009-08-18

打赏
举报

[Quote=引用 4 楼 joking520 的回复:]
只要过滤 ' 单引号以及对应的ASCII 编码就好了，
另外，MSSQL 2000 小心二进制注入漏洞。
[/Quote]
过滤'肯定不行,只要or 1=1就完蛋了,小心二进制注入漏洞,不懂,给一些例子

chenjianyong94 2009-08-17

打赏
举报

给你写个过滤函数，在添加到数据库的时候，先将字符串过滤，调用一下该函数即可。

/// <summary>

    /// 去除HTML标记

    /// </summary>

    /// <param name="NoHTML">包括HTML的源码 </param>

    /// <returns>已经去除后的文字</returns>

    public static string NoHTML(string Htmlstring)

    {

        if (Htmlstring == null)

        {

            return "";

        }

        else

        {

            //删除脚本

            Htmlstring = Regex.Replace(Htmlstring, @"<script[^>]*?>.*?</script>", "", RegexOptions.IgnoreCase);

            //删除HTML

            Htmlstring = Regex.Replace(Htmlstring, @"<(.[^>]*)>", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"([\r\n])[\s]+", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"-->", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"<!--.*", "", RegexOptions.IgnoreCase);



            Htmlstring = Regex.Replace(Htmlstring, @"&(quot|#34);", "\"", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"&(amp|#38);", "&", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"&(lt|#60);", "<", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"&(gt|#62);", ">", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"&(nbsp|#160);", " ", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"&(iexcl|#161);", "\xa1", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"&(cent|#162);", "\xa2", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"&(pound|#163);", "\xa3", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"&(copy|#169);", "\xa9", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"&#(\d+);", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell", "", RegexOptions.IgnoreCase);



            //删除与数据库相关的词 

            Htmlstring = Regex.Replace(Htmlstring, "select ", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "insert ", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "delete from ", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "count''", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "drop table ", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "truncate ", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "asc", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "mid", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "char", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "exec master", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "net localgroup administrators", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, " and ", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "net user", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, " or ", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, " net ", "", RegexOptions.IgnoreCase);

            //Htmlstring =  Regex.Replace(Htmlstring,"*", "", RegexOptions.IgnoreCase);

            //Htmlstring =  Regex.Replace(Htmlstring,"-", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "delete ", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "drop ", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "script", "", RegexOptions.IgnoreCase);



            //特殊的字符

            Htmlstring = Htmlstring.Replace("<", "");

            Htmlstring = Htmlstring.Replace(">", "");

            Htmlstring = Htmlstring.Replace("*", "");

            Htmlstring = Htmlstring.Replace("--", "");

            Htmlstring = Htmlstring.Replace("?", "");

            Htmlstring = Htmlstring.Replace(",", "");

            Htmlstring = Htmlstring.Replace("/", "");

            Htmlstring = Htmlstring.Replace(";", "");

            Htmlstring = Htmlstring.Replace("*/", "");

            Htmlstring = Htmlstring.Replace("\r\n", "");

            Htmlstring = HttpContext.Current.Server.HtmlEncode(Htmlstring).Trim();



            return Htmlstring;

        }

    }

mailbao 2009-08-16

打赏
举报

Chr(0
""
<
>
script
SCRIPT
Script
script
object
OBJECT
Object
object
applet
APPLET
Applet
applet
[
]
""
=
’
select
execute
exec
join
union
where
insert
delete
update
like
drop
create
rename
count
chr
mid
truncate
nchar
char
alter
cast
exists
Chr(13)