How to fix an SQL injection point found on a website with the "ah d injection tool"

Source: Internet
Author: User

My website, and a single-chip microcontroller website I had built for my teacher, were hacked one after another. An article I had not written and a set of images appeared on my site, and I wondered who could log in to my back end to post articles and images. Then a stranger messaged me on QQ saying that my website had vulnerabilities and that he had got into it. Fortunately, he explained in detail how he had hacked it and reminded me to fix it properly, otherwise others would break in too. I learned from him that he had used the "ah d injection tool": first find out whether the website has any injection points, and if it does, inject to crack the back-end password. That night I downloaded the "ah d injection tool" to study it, learned the principle behind its injection, and made some modifications to the web pages. However, the tool still found injection points, so I had to search online, and I found the following method. After applying it, the "ah d injection tool" reported no injection point.

The repair method is as follows. If a tool detects an SQL injection point on the website, how can we fix it?

1. Create an ASP file, write the following code into it, and save it as checkSQL.asp. The code is as follows:

<%
Dim Fy_Url, Fy_a, Fy_x, Fy_Cs(), Fy_Cl, Fy_Zx, Fy_Val
' --- definitions: head ---
Fy_Cl = 3            ' handling: 1 = alert only, 2 = redirect only, 3 = alert, then redirect
Fy_Zx = "index.asp"  ' page to redirect to when an attack is detected (replace with your own page address)
' --- definitions: tail ---
On Error Resume Next
' Collect the parameter names from the query string
Fy_Url = Request.ServerVariables("QUERY_STRING")
Fy_a = Split(Fy_Url, "&")
ReDim Fy_Cs(UBound(Fy_a))
For Fy_x = 0 To UBound(Fy_a)
    Fy_Cs(Fy_x) = Left(Fy_a(Fy_x), InStr(Fy_a(Fy_x), "=") - 1)
Next
' Check the value of each named parameter for SQL keywords and characters
' (Request() returns the URL-decoded value, so "delete%20from" only matches a literal "%20")
For Fy_x = 0 To UBound(Fy_Cs)
    If Fy_Cs(Fy_x) <> "" Then
        Fy_Val = LCase(Request(Fy_Cs(Fy_x)))
        If InStr(Fy_Val, "'") <> 0 Or InStr(Fy_Val, "and") <> 0 Or InStr(Fy_Val, "select") <> 0 _
            Or InStr(Fy_Val, "update") <> 0 Or InStr(Fy_Val, "chr") <> 0 Or InStr(Fy_Val, "delete%20from") <> 0 _
            Or InStr(Fy_Val, ";") <> 0 Or InStr(Fy_Val, "insert") <> 0 Or InStr(Fy_Val, "mid") <> 0 _
            Or InStr(Fy_Val, "master.") <> 0 Then
            ' Fy_Cl is a number, so the Case labels must be numbers too (string labels never match)
            Select Case Fy_Cl
                Case 1
                    Response.Write "<Script Language=JavaScript>alert('Your IP address has been recorded. We will send it to China Network Security within 24 hours for IP analysis. Please behave yourself!!\n\n');window.close();</Script>"
                Case 2
                    Response.Write "<Script Language=JavaScript>location.href='" & Fy_Zx & "';</Script>"
                Case 3
                    Response.Write "<Script Language=JavaScript>alert('Your IP address has been recorded. We will send it to China Network Security within 24 hours for IP analysis. Please behave yourself!!');location.href='" & Fy_Zx & "';</Script>"
            End Select
            ' Stop processing so the page with the injection point never runs
            Response.End
        End If
    End If
Next
%>


2. Put the file in the website directory, then open the file where the injection point was found and look for the line that includes the database connection file: <!--#include file="***.***"--> (here "***.***" is the connection file). Next to that line add <!--#include file="checkSQL.asp"-->, adjusting the path to wherever checkSQL.asp is stored. After that, run the tool and scan again to confirm that it no longer finds the SQL injection point.
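The checkSQL.asp filter only rejects requests whose query-string parameters contain the keywords on its list, so it reduces the risk without removing it: the query that takes the back-end password is still built from user input. The lasting fix is to bind user input as parameters instead. The following is an added example, not code from the original post, of the back-end login query written with a parameterized ADODB.Command; it assumes an already open ADODB.Connection named conn, a table admin with id, username and password columns, and a back-end start page called admin_index.asp (all assumed names).

```vbscript
<%
' Added example (not from the original post): the back-end login query done with a
' parameterized ADODB.Command, so user input is bound as data and never concatenated into SQL.
' Assumptions: an open ADODB.Connection named conn, and a table admin(id, username, password).
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

Dim cmd, rs, userName, userPass
userName = Trim(Request.Form("username"))
userPass = Request.Form("password")

' Reject empty or over-long input before it reaches the database;
' the parameter size below matches this limit
If Len(userName) = 0 Or Len(userName) > 50 Or Len(userPass) = 0 Or Len(userPass) > 50 Then
    Response.Write "Login failed"
    Response.End
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? placeholders are filled in by the OLE DB provider; quotes, AND, SELECT and so on
' inside the input are just characters of a string value, not SQL
cmd.CommandText = "SELECT id FROM admin WHERE username = ? AND password = ?"
cmd.Parameters.Append cmd.CreateParameter("username", adVarChar, adParamInput, 50, userName)
cmd.Parameters.Append cmd.CreateParameter("password", adVarChar, adParamInput, 50, userPass)
' (store and compare a password hash rather than the plain password in a real deployment)

Set rs = cmd.Execute
If Not rs.EOF Then
    Session("adminId") = rs("id")
    rs.Close
    Response.Redirect "admin_index.asp"   ' assumed name of the back-end start page
Else
    rs.Close
    Response.Write "Login failed"
End If
Set rs = Nothing
Set cmd = Nothing
%>
```

With every query on the site written this way, checkSQL.asp becomes a second layer rather than the only defence, and the scan described above can be repeated to confirm the injection point stays closed.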
