MSSQL general anti-injection program Vulnerability

Source: Internet
Author: User
Currently, most attacks on web applications are injection attacks. The usual cause of injection is that user-supplied variables are not completely filtered, so an intruder can execute code or query and modify arbitrary data without authorization. As injection attacks became more common, specialized filtering code appeared; however, an incomplete or badly designed filter can itself lead to new problems. The following uses the most widely used SQL universal anti-injection program to describe the cause of its vulnerability, how it can be exploited, and how to prevent it.

The SQL universal anti-injection program was written by Feng Zhiqiu of Firefox and contains fairly complete code for preventing injection. It filters a defined list of characters and keywords and records the data submitted by the attacker, together with the attacker's IP address. You only need to add the line <!--#include file="WrSky_SQL.Asp"--> in the header of a file to filter that file's variables. If you add the program after the database connection file (such as conn.asp), variable filtering is applied to the entire site.

Now let's take a look at the variable filtering code:

<%
'-------- Definition section ------------------
Dim Fy_Post, Fy_Get, Fy_In, Fy_Inf, Fy_Xh, Fy_db, Fy_dbstr
' Custom strings to be filtered, separated by the character 枫
Fy_In = "'枫;枫and枫exec枫insert枫select枫delete枫update枫count枫*枫%枫chr枫mid枫master枫truncate枫char枫declare"
'----------------------------------
%>
<%
Fy_Inf = Split(Fy_In, "枫")
'-------- POST part ------------------
If Request.Form <> "" Then
    For Each Fy_Post In Request.Form
        For Fy_Xh = 0 To UBound(Fy_Inf)
            ' Case-insensitive substring test: any hit anywhere in the value counts
            If InStr(LCase(Request.Form(Fy_Post)), Fy_Inf(Fy_Xh)) <> 0 Then
                ' ... the request is recorded and rejected here (see the data record part below) ...
            End If
        Next
    Next
End If
'-------- GET part -------------------
If Request.QueryString <> "" Then
    For Each Fy_Get In Request.QueryString
        For Fy_Xh = 0 To UBound(Fy_Inf)
            If InStr(LCase(Request.QueryString(Fy_Get)), Fy_Inf(Fy_Xh)) <> 0 Then
                ' ... same handling for GET parameters ...
            End If
        Next
    Next
End If
%>

This code filters common injection characters and keywords such as "'" and ";". You can add or remove entries if you think the filtering is too weak or too strong. Obviously, any data submitted to the server through GET or POST that contains a filtered substring will be rejected by the program. This leads to a problem: if the program is included after the database connection file of a forum, a post is refused as long as its content contains any filtered substring, and with the default list it is hardly possible to publish posts in English at all (common words such as "and" are matched as substrings). In addition, forum style definitions sometimes use special characters such as the percent sign "%"; if these are filtered, the entire forum cannot run normally. I have tested the problem described above on Dvbbs, and the results were exactly as I guessed.

To solve the above problem, we only need to apply the anti-injection code to the files whose connection statements actually need it. However, the workload is relatively large, and the webmaster usually does not know which files need to be filtered. Therefore, I suggest adding the filter code after conn.asp and creating a second connection file, conn1.asp, that does not contain the filter code; files that must not be filtered, or whose operation is affected by the filter, are then pointed at conn1.asp. Note that the basic connection content of the two files must be consistent. In addition, it is recommended not to use filtered characters in style settings, or alternatively to delete those characters from the anti-injection program's list.
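The false-positive behaviour described above, and the reason a bound-parameter query makes the keyword list unnecessary, as an added example that is not part of the original article or of the WrSky program. It reimplements the page's filter loop in Python (the separator character "|" and the sample submissions are constructed for the example) and stores the same text through sqlite3 with a bound parameter, so the characters the blacklist rejects never reach the SQL text.

```python
import sqlite3

# Keyword list copied from the page's Fy_In definition. The original joins the
# entries with one separator character and calls Split on it; "|" is a
# constructed stand-in for that separator here.
SEPARATOR = "|"
FY_IN = SEPARATOR.join([
    "'", ";", "and", "exec", "insert", "select", "delete", "update", "count",
    "*", "%", "chr", "mid", "master", "truncate", "char", "declare",
])
FY_INF = FY_IN.split(SEPARATOR)


def blocked_by_filter(value):
    """Reproduce the page's test, InStr(LCase(value), keyword) <> 0, for one
    submitted value. Returns the first keyword found, or None if it passes."""
    lowered = value.lower()
    for keyword in FY_INF:
        if keyword in lowered:
            return keyword
    return None


def classify_request(params):
    """Apply the filter to every parameter, as the POST and GET loops do.
    Maps each parameter name to the keyword that would block it (or None)."""
    return {name: blocked_by_filter(value) for name, value in params.items()}


def store_and_read_back(body):
    """Store a post with a bound parameter and read it back unchanged. The
    database driver, not a keyword list, keeps the value out of the SQL text,
    so text the blacklist rejects (apostrophes, "and", "%") is stored safely."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO posts (body) VALUES (?)", (body,))
    (stored,) = conn.execute("SELECT body FROM posts WHERE id = 1").fetchone()
    (count,) = conn.execute("SELECT COUNT(*) FROM posts").fetchone()
    conn.close()
    return stored, count


if __name__ == "__main__":
    # Constructed sample submissions: ordinary forum text, a style setting,
    # a page number, and one obviously hostile value.
    samples = {
        "body": "Please select the file and update it; I'll handle the rest",
        "style": "width:100%",
        "page": "42",
        "probe": "' or 1=1 --",
    }
    for name, keyword in classify_request(samples).items():
        print(f"{name:6} -> {'blocked on ' + repr(keyword) if keyword else 'passes'}")
    stored, count = store_and_read_back(samples["body"])
    print("stored verbatim:", stored == samples["body"], "rows:", count)
```

Running it shows that the ordinary post and the style string are rejected by the same rule that rejects the probe, because the test is a plain substring match ("handle" contains "and", every apostrophe matches "'"); the bound-parameter insert stores the ordinary post verbatim without any filtering. This is the practical argument for protecting the individual query statements rather than screening every request site-wide.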

The above concerns only the impact of the anti-injection program on the operation of the site; by itself it does not cause a security harm. The real harm comes from the data record part. Let's look at that code:

'-------- Write to database ------- header --------
' Connection string for the Access log database SqlIn.mdb, which sits beside the script
Fy_dbstr = "DBQ=" & Server.MapPath("SqlIn.mdb") & ";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
Set Fy_db = Server.CreateObject("ADODB.CONNECTION")
Fy_db.Open Fy_dbstr
Fy_db.Execute ("insert into SqlIn (Sq
