Preventing MSSQL databases from being infected with JavaScript Trojans (SQL injection)

Source: Internet
Author: User
Many websites built with ASP + MSSQL have recently had JS Trojans inserted into their SQL databases. A friend's website was hit in exactly this way: every varchar and text field in MSSQL automatically had a piece of JS code inserted into it. Even if this code is deleted, unless the problem is fixed at its source, the JS code is automatically inserted into the database again within a few minutes.

 

After observation, this is very likely carried out by an automated program. Attackers first use search engines such as Google and Baidu to find vulnerable websites built with ASP + MSSQL, then scan the entire website with an injection scanning tool such as Tom. Once an SQL injection vulnerability or an upload vulnerability is discovered, they upload their own Trojans, such as the Haiyang Trojan, by various means. The attacker then adds the website to his zombie list and can insert whatever JS code he wants into the database at any time. This code often carries a large number of viruses and Trojans, which infect the computers of users who visit the controlled websites.

 

Although batch replacement in the SQL query analyzer can temporarily remove the inserted JS code, it does not fundamentally fix the vulnerabilities of the whole website, including the program and the server's security permissions, so attackers can still break into your website database at any time.

 

In the SQL query analyzer, you can execute the following statement to replace the JavaScript code in bulk (table_name and field_name stand for your own table and column):

UPDATE table_name SET field_name = REPLACE(field_name, '<Script Src=http://c.n%75clear3.com/css/c.js></Script>', '')

 

Flymorn carefully checked the website and found that the website had several security problems:

 

First, the website has an upload vulnerability. Although administrator authentication is required to upload files and the format of uploaded files is checked, administrator authentication relies on cookies, which can be forged. In addition, if the content of an uploaded image is not checked in any way, an image Trojan is also likely to be uploaded.

 

Flymorn's solution: 1. Remove the file upload function (not practical); 2. Change user verification to session verification; 3. Verify the content of uploaded files and delete the file if it is an image Trojan. You can refer to the following verification code:

 

Code

'' ===== Check whether the uploaded file contains a forbidden string: start =====
Set MyFile = Server.CreateObject("Scripting.FileSystemObject")
Set MyText = MyFile.OpenTextFile(Server.MapPath(filePath), 1) ' open the uploaded file for reading as text
sTextAll = LCase(MyText.ReadAll)
MyText.Close
Set MyText = Nothing
Set MyFile = Nothing
' Lower-case markers of script code that should never appear inside an uploaded image
sStr = "<%|.getfolder|.createfolder|.deletefolder|.createdirectory|.deletedirectory|.saveas|wscript.shell|script.encode|server.|.createobject|execute|activexobject|language="
sNoString = Split(sStr, "|")
For i = 0 To UBound(sNoString)
  If InStr(sTextAll, sNoString(i)) > 0 Then
    ' A forbidden string was found: delete the uploaded file and stop
    Set filedel = Server.CreateObject("Scripting.FileSystemObject")
    filedel.DeleteFile Server.MapPath(filePath)
    Set filedel = Nothing
    Response.Write("<script>alert('The upload failed because the file you uploaded has a problem!');history.back();</script>")
    Response.End
  End If
Next
'' ===== Check whether the uploaded file contains a forbidden string: end =====

Second, the website has a cookie injection vulnerability. To reduce server overhead, the program verifies all users through cookies after login. The cookie stores the user ID and NAME and, as is well known, cookies are often forged by attackers. In addition, some external parameters are not read strictly through Request.Form and Request.QueryString; for convenience, Request("id") is used instead.

 

We know that ASP's Request object first looks for the value in the form and querystring collections; if both are empty, it goes on to look in cookies. When programming, we usually think about SQL injection through Request.Form and Request.QueryString and filter those, but forget to filter injection through cookies. Let's take a look at the following SQL statement:

 

SQL = "select * from table_name where id=" & Request("id")

 

If this id happens to be obtained through cookies, think about how terrible that is! An attacker can easily forge a cookie named id, because this id cookie is allocated to the client by the server. The cookie can be forged to contain code similar to the following:

 

Code

DEcLaRe @s vArChAr(4000);sEt @s=cAsT(0x[...hex-encoded SQL...] aS vArChAr(4000));exec(@s);--

It looks dizzying. This is SQL injection using HEX encoding, which can get past ordinary IDS checks. As long as the system has an SQL injection vulnerability, the code above is executed: it uses a cursor to traverse all tables and columns in the database and inserts the JS code into each column.
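A detection sketch for the payload shape described above, as an added example that is not part of the original article: it URL-decodes a logged cookie or query-string value, matches the DECLARE / CAST(0x...) / EXEC wrapper regardless of letter case and spacing, and decodes the hex so a responder can read the hidden SQL. The function names and sample values are constructed for illustration; the sample hex is a harmless "select 1".

```python
import re
from urllib.parse import unquote_plus

# DECLARE @v VARCHAR(n); SET @v = CAST(0x<hex> AS [N]VARCHAR(n)); EXEC(@v)
# IGNORECASE covers the mIxEd-case keywords; \s* covers arbitrary spacing.
HEX_CAST = re.compile(
    r"declare\s+@(\w+)\s+n?varchar\s*\(\s*\d+\s*\)\s*;?\s*"
    r"set\s+@\1\s*=\s*cast\s*\(\s*0x([0-9a-f]+)\s+as\s+(n?)varchar"
    r"\s*\(\s*\d+\s*\)\s*\)\s*;?\s*exec\s*\(\s*@\1\s*\)",
    re.IGNORECASE,
)

def fully_unquote(value, max_rounds=3):
    """Undo nested URL encoding (%253B -> %3B -> ;), at most max_rounds times."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_hex_cast_injection(value):
    """Return the SQL text hidden inside the CAST(0x...) wrapper, or None."""
    match = HEX_CAST.search(fully_unquote(value))
    if match is None:
        return None
    hex_blob = match.group(2)
    if len(hex_blob) % 2:               # make the digit count even for fromhex()
        hex_blob = "0" + hex_blob
    # A cast to NVARCHAR means the bytes are UTF-16LE text, otherwise single-byte.
    encoding = "utf-16-le" if match.group(3) else "latin-1"
    return bytes.fromhex(hex_blob).decode(encoding, errors="replace")

def scan(records):
    """records: iterable of (source, raw_value). Return [(source, decoded_sql)]."""
    hits = []
    for source, raw in records:
        sql = find_hex_cast_injection(raw)
        if sql is not None:
            hits.append((source, sql))
    return hits

# Constructed sample values; the hex blob is a harmless "select 1".
SAMPLES = [
    ("cookie", "id=1;DEcLaRe%20@s%20vArChAr(4000);sEt%20@s=cAsT("
               "0x73656C6563742031%20aS%20vArChAr(4000));eXeC(@s);--"),
    ("query", "id=42&note=please+declare+the+cast+list"),
]

if __name__ == "__main__":
    for source, sql in scan(SAMPLES):
        print(f"{source}: hidden SQL -> {sql!r}")
```

Feed it the cookie and query-string fields from the web server log; a plain keyword filter that only looks for "select" or "update" sees nothing in these values because the statement itself is carried as hex.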

 

Solution: 1. Strictly filter the content obtained from Request.Form and Request.QueryString, and do not obtain it with Request("name"). Any content stored in cookies should not be used in SQL statements for database queries. 2. Use session verification as much as possible for important user data. Because the session lives on the server, the client cannot forge its data unless it has permissions on your server.

 

You can use the following code to filter GET, POST, and cookie input against SQL injection attacks:

 

Code

<%
Response.Buffer = True ' buffer the page
' Prevent GET injection
If Request.QueryString <> "" Then Call StopInjection(Request.QueryString)
' Prevent POST injection
If Request.Form <> "" Then Call StopInjection(Request.Form)
' Prevent cookie injection
If Request.Cookies <> "" Then Call StopInjection(Request.Cookies)

' Regular-expression filter: stops the request if any value in the collection matches
Function StopInjection(Values)
  Dim regEx
  Set regEx = New RegExp
  regEx.IgnoreCase = True
  regEx.Global = True
  ' Matches a quote, semicolon or #, or an SQL keyword preceded by whitespace, + or parentheses
  regEx.Pattern = "'|;|#|([\s\b+()]+(select|update|insert|delete|declare|@|exec|dbcc|alter|drop|create|backup|if|else|end|and|or|add|set|open|close|use|begin|return|as|go|exists)[\s\b+]*)"
  Dim sItem, sValue
  For Each sItem In Values
    sValue = Values(sItem)
    If regEx.Test(sValue) Then
      Response.Write "<Script Language=javascript>alert('Invalid injection! Your behavior has been recorded!!');history.back(-1);</Script>"
      Response.End
    End If
  Next
  Set regEx = Nothing
End Function
%>

Save the above code as a file, such as antisql.asp, and include it at the beginning of the database connection file with <!--#include file="antisql.asp"--> to prevent SQL injection attacks.

 

Third, strictly filter externally submitted data. Check the source of the submitting page and reject the request if it does not come from the current site. You can refer to the following code. Although the source can be forged, a check like this blocks unsophisticated malicious submissions:

 

 

Code

<% ''Determine the source and prohibit external submission
Dim server_v1, server_v2
server_v1 = CStr(Request.ServerVariables("HTTP_REFERER"))
server_v2 = CStr(Request.ServerVariables("SERVER_NAME"))
' Mid(server_v1, 8, ...) skips the 7 characters of "http://" and compares the referring host with this server's name
If server_v1 = "" Or InStr(server_v1, "Name of the published page") <= 0 Or Mid(server_v1, 8, Len(server_v2)) <> server_v2 Then
  Response.Write "<SCRIPT language=JavaScript>alert('External submission is prohibited because the source is invalid!');"
  Response.Write "this.location.href='vbscript:history.back()';</SCRIPT>"
  Response.End
End If %>

 

Fourth, assign server permissions. Database users should be given the minimum permissions they need. If sa or administrator permissions are assigned, a successful attack will be a devastating blow. Mssql port 1433 is recommended when it is easy to use.

 

In short, the security issue is a comprehensive problem. A small detail may make you feel at ease for months or even years. We should not only focus on every detail of the program, but also carefully perform server security work. For users of virtual hosts, we must also prevent cross-site attacks on servers. Details determine success or failure.

 

Reposted from: http://www.piaoyi.org/database/MSSQL-guama-js.html
