The main symptom of injection in an MSSQL website project is that a piece of code similar to `<script src=http://aaa.bbb.ccc/js.js></script>` is appended to database fields. This is the typical JS injection against databases. The main causes are: 1. The attacker obtained read and write permissions on SQL Server and operated on the database directly to inject the code. Solution (SQL Server 2000):
MSSQL website projects are injected with a piece of code like `<script src=http://aaa.bbb.ccc/js.js></script>` in database fields. This is the typical JS injection against databases. The main causes are: 1. Attackers obtain read and write permissions on SQL Server and operate on the database directly to inject the code. Solution (SQL Server 2000):
MSSQL website project isInjectionIs as follows:DatabaseAdded", System. Text. RegularExpressions. RegexOptions. IgnoreCase );
Html = regex. Replace (html, ""); // filter the script mark
System. text. regularExpressions. regex regex1 = new System. text. regularExpressions. regex (@ "href * = * [\ s \ S] * script *:", System. text. regularExpressions. regexOptions. ignoreCase );
Html = regex1.Replace (html, ""); // filter href = javascript: () attributes
System. text. regularExpressions. regex regex2 = new System. text. regularExpressions. regex (@ "on [\ s \ S] * =", System. text. regularExpressions. regexOptions. ignoreCase );
Html = regex2.Replace (html, "_ disibledevent ="); // filter events of other controls.
System. Text. RegularExpressions. Regex regex3 = new System. Text. RegularExpressions. Regex (@" ", System. Text. RegularExpressions. RegexOptions. IgnoreCase );
Html = regex3.Replace (html, ""); // filter iframe
System. Text. RegularExpressions. Regex regex4 = new System. Text. RegularExpressions. Regex (@" ", System. Text. RegularExpressions. RegexOptions. IgnoreCase );
Html = regex4.Replace (html, ""); // filter frameset
System. Text. RegularExpressions. Regex regex5 = new System. Text. RegularExpressions. Regex (@ "javascript:", System. Text. RegularExpressions. RegexOptions. IgnoreCase );
Html = regex5.Replace (html, ""); // filter all javascript
System. Text. RegularExpressions. Regex regex6 = new System. Text. RegularExpressions. Regex (@ ": * expression", System. Text. RegularExpressions. RegexOptions. IgnoreCase );
Html = regex6.Replace (html, ""); // filter all javascript
System. Text. RegularExpressions. Regex regex7 = new System. Text. RegularExpressions. Regex (@" ", System. Text. RegularExpressions. RegexOptions. IgnoreCase );
Html = regex7.Replace (html ,"");//
System. text. regularExpressions. regex regex8 = new System. text. regularExpressions. regex (@ "src * = * [\ s \ S] * script *:", System. text. regularExpressions. regexOptions. ignoreCase );
Html = regex1.Replace (html, ""); // filter src = javascript :( ) Attribute
System. Text. RegularExpressions. Regex regex9 = new System. Text. RegularExpressions. Regex (@ "", System. Text. RegularExpressions. RegexOptions. IgnoreCase );
Html = regex3.Replace (html, ""); // filter the applet and discard the support for the applet
Return html;
}
# Endregion
2. Filter SQL Server keywords using strings
Code
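// Strip database-related words from the stored text.
//
// NOTE(security): deleting keyword substrings is NOT a defence against SQL
// injection. The list is incomplete, it is trivially bypassed, and it damages
// ordinary content. Values must reach SQL Server only through parameterised
// commands (SqlParameter); this pass is kept for content hygiene only.
//
// Two defects of the original one-Replace-per-keyword version are corrected:
//  * keywords were removed as bare substrings, so "Andrew", "ascending",
//    "character" and "midnight" lost letters - matches are now whole-word;
//  * each pattern ran once, so "sel" + "select" + "ect" collapsed back into
//    "select" - each pattern is now applied until the text stops changing.
// The keyword list itself is carried over unchanged from the original.
string[] sqlKeywords =
{
    "select", "insert", "delete from", "count''", "drop table", "truncate",
    "asc", "mid", "char", "xp_mongoshell", "exec master",
    "net localgroup administrators", "and",
};
foreach (string keyword in sqlKeywords)
{
    // Multi-word keywords tolerate any run of whitespace between the words.
    string[] words = keyword.Split(' ');
    for (int i = 0; i < words.Length; i++)
    {
        words[i] = Regex.Escape(words[i]);
    }
    string body = string.Join(@"\s+", words);
    // \b is only meaningful next to a word character ("count''" ends in quotes).
    string prefix = char.IsLetterOrDigit(keyword[0]) ? @"\b" : "";
    string suffix = char.IsLetterOrDigit(keyword[keyword.Length - 1]) ? @"\b" : "";
    string pattern = prefix + body + suffix;
    string previous;
    do
    {
        previous = Htmlstring;
        Htmlstring = Regex.Replace(Htmlstring, pattern, "", RegexOptions.IgnoreCase);
    }
    while (previous != Htmlstring); // string != is an ordinal comparison
}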
3. Filter SQL Server keywords in request values
Code
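/// <summary>
/// Request-level guard that rejects query strings containing SQL keywords and
/// POSTs whose Referer host does not match this server.
/// </summary>
/// <remarks>
/// NOTE(security): a keyword blacklist on the query string is not a defence
/// against SQL injection (it is incomplete and easy to evade), and the Referer
/// header is supplied by the client and may be absent or forged. Data access
/// must use parameterised commands; treat this handler as a coarse tripwire only.
/// Changes from the original: the matched rule and the raw query string are no
/// longer echoed back to the client; the Referer is parsed as a Uri, so "https://"
/// and short or malformed values no longer throw, and a host that merely starts
/// with the server name ("example.com.evil") no longer passes; comparisons are
/// ordinal and case-insensitive instead of ToLower plus culture-sensitive IndexOf;
/// the unused second keyword list and the unreachable break after Response.End
/// are removed.
/// </remarks>
/// <param name="sender">The HttpApplication raising the event.</param>
/// <param name="e">Unused event arguments.</param>
protected void Application_BeginRequest(object sender, EventArgs e)
{
    // Request.QueryString.ToString() returns the URL-encoded form, so '+' in these
    // entries stands for a space (e.g. "drop+table"). List carried over unchanged.
    const string SqlPatterns =
        "exec|insert+|select+|delete+|update+|count|chr|mid|master+|truncate|char|declare|drop+table|creat+|creat+table";
    string[] sqlKeywords = SqlPatterns.Split('|');

    if (Request.QueryString != null)
    {
        string query = Request.QueryString.ToString();
        foreach (string keyword in sqlKeywords)
        {
            if (query.IndexOf(keyword.Trim(), StringComparison.OrdinalIgnoreCase) >= 0)
            {
                // Do not reflect the offending input or the matching rule back to
                // the client: it leaks the filter and echoes attacker-supplied data.
                Response.Write("warning! Your IP address has been recorded! Do not use sensitive characters! ");
                Response.End(); // ends the request; nothing after this line runs
                return;
            }
        }
    }

    if (Request.Form.Count > 0)
    {
        string serverName = Request.ServerVariables["SERVER_NAME"].Trim();
        string referer = Request.ServerVariables["HTTP_REFERER"];
        if (referer != null)
        {
            // Compare the full Referer host with SERVER_NAME. The original sliced the
            // URL at offset 7 ("http://") and compared only a prefix, which threw on
            // values shorter than 7 characters, broke on https://, and accepted any
            // host that began with the server name.
            Uri refererUri;
            bool parsed = Uri.TryCreate(referer.Trim(), UriKind.Absolute, out refererUri);
            if (!parsed || !string.Equals(refererUri.Host, serverName, StringComparison.OrdinalIgnoreCase))
            {
                Response.Write("warning! Your IP address has been recorded! Do not use sensitive characters! ");
                Response.End();
            }
        }
    }
}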
3. The database connection string is obtained from web.config.
Solution: encrypt web.config.
Encrypting web.config in ASP.NET 2.0:
Encryption: `aspnet_regiis -pe "connectionStrings" -app "/xx"` (xx is the application name)
Decryption: `aspnet_regiis -pd "connectionStrings" -app "/xx"`
After encryption, web.config:
After decryption:
The program can still access the encrypted web.config normally, but encryption and decryption must be performed on the same machine (a web.config encrypted on machine A can be decrypted only on machine A).
This is what we have come up with so far; further problems will surface later and we will keep improving. Corrections from colleagues are welcome.