Vulnerabilities of generic anti-injection programs for MSSQL

Source: Internet
Author: User
Tags: mssql

Web-based attacks today are mostly injection attacks. The cause of an injection is usually incomplete filtering of variables, which lets an intruder execute programs or queries and modify arbitrary data illegally. As injection attacks intensified, special filtering code appeared. But imperfections in some of that filtering code are themselves likely to lead to new attacks. The following describes the most widely used filter code, the SQL general anti-injection program: the cause of its vulnerability, how it is used, and preventive measures.

The SQL general anti-injection program was written by Firefox maple Autumn and is injection-filtering code with fairly complete functionality. It checks submitted data against a defined list of filter strings and records the submitting attacker's IP address and data. Simply adding the include directive <!--#Include file="wrsky_sql.asp"--> to the header of a file implements variable filtering for that file. If the program's code is added to the database connection file (such as conn.asp), the variables of the whole site are filtered, which gives site-wide anti-injection.

OK, let's look at the code for the variable filter section first:

<%
'-------- Definition part ------------------
Dim Fy_Post, Fy_Get, Fy_In, Fy_Inf, Fy_Xh, Fy_db, Fy_dbstr
' Custom strings to filter, separated by the word "maple"
' (the page's rendering of the original single-character delimiter;
' any delimiter that never occurs inside a filter term works the same)
' Terms must be lower case, because the request values are compared with LCase
Fy_In = "'mapleandmapleselectmapledeletemapleupdatemaplecountmaple*maple%maplechrmaplemidmapletruncatemaplecharmapledeclare"
'----------------------------------
%>
<%
Fy_Inf = Split(Fy_In, "maple")
'-------- POST part ------------------
If Request.Form <> "" Then
    For Each Fy_Post In Request.Form
        For Fy_Xh = 0 To UBound(Fy_Inf)
            ' InStr returns 0 when the term is absent, so <> 0 means "found"
            If InStr(LCase(Request.Form(Fy_Post)), Fy_Inf(Fy_Xh)) <> 0 Then
                ' Filter string found: the request is logged and rejected
                ' (see the "write to the database" part below)
            End If
        Next
    Next
End If
'-------- GET part -------------------
If Request.QueryString <> "" Then
    For Each Fy_Get In Request.QueryString
        For Fy_Xh = 0 To UBound(Fy_Inf)
            If InStr(LCase(Request.QueryString(Fy_Get)), Fy_Inf(Fy_Xh)) <> 0 Then
                ' Same handling as for the POST part
            End If
        Next
    Next
End If
%>

This code defines a filter for common injection strings such as "'" and "and"; if you feel the filter is too weak or too strict, add or remove entries. Obviously, any data submitted to the server via GET or POST is rejected by the program if it contains a filtered string. This causes a problem: if the program's code is added to a forum's database connection file, any post whose content includes a filtered string is rejected when it is submitted. With the default filter list it is almost impossible to post content in English at all. In addition, some special characters (such as the percent sign "%") are sometimes used when defining a forum's style, and if those characters are filtered the whole forum stops working properly. I used Dvbbs to test the problem described above, and the result was exactly what I had guessed.
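To make the false-positive problem concrete, here is an added example (Python, not part of the original article or of the anti-injection program) that reimplements the include file's check, a case-insensitive substring match of every parameter against the filter list, and runs it over constructed forum input. For contrast it also stores the same kind of input with a parameterized query, which is the control that makes a keyword blacklist unnecessary. The filter list is the one legible on the page; the sample parameters, the posts table and the in-memory sqlite3 database are assumptions made for the demonstration.

```python
"""Added example: the substring filter of the "SQL general anti-injection"
include file, reimplemented in Python, beside a parameterized INSERT."""
import sqlite3

# Filter list as legible on the page (the include file compares LCase'd
# request values, so the terms are kept in lower case).
FILTER_TERMS = ["'", "and", "select", "delete", "update", "count", "*", "%",
                "chr", "mid", "truncate", "char", "declare"]


def blocked_terms(value: str, terms=FILTER_TERMS) -> list:
    """Mirror of the ASP logic: InStr(LCase(value), term) <> 0 for each term.
    Returns every term found so the caller can see why a value was rejected."""
    lowered = value.lower()
    return [t for t in terms if t in lowered]


def filter_request(params: dict, terms=FILTER_TERMS) -> dict:
    """Apply the filter to every parameter, as the include file does for
    Request.Form and Request.QueryString.  Returns {param: [matched terms]}
    for rejected parameters; an empty dict means the request passes."""
    rejected = {}
    for name, value in params.items():
        hits = blocked_terms(value, terms)
        if hits:
            rejected[name] = hits
    return rejected


# Constructed sample request: ordinary forum input that the blacklist rejects.
SAMPLE_POSTS = {
    "title": "Band practice on Friday",          # "and" inside "band"
    "body": "Please select a seat and sit down",  # two English words
    "style": "width: 100%",                      # the page's forum-style case
    "name": "Charlotte",                         # "char" inside a name
}


def safe_insert_post(conn: sqlite3.Connection, title: str, body: str) -> int:
    """The alternative: bind the values instead of splicing them into the SQL
    text.  Quotes and keywords are stored literally and never parsed as code."""
    cur = conn.execute("INSERT INTO posts (title, body) VALUES (?, ?)",
                       (title, body))
    conn.commit()
    return cur.lastrowid


def stored_body(conn: sqlite3.Connection, rowid: int) -> str:
    """Read a post back so the demo can show the value survived unchanged."""
    row = conn.execute("SELECT body FROM posts WHERE id = ?", (rowid,)).fetchone()
    return row[0]


def demo():
    """Run the filter over the constructed posts and store a post that the
    filter would reject, using bound parameters (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    rejected = filter_request(SAMPLE_POSTS)
    rid = safe_insert_post(conn, "Rock 'n' roll", "select * from nowhere; it's fine")
    return rejected, stored_body(conn, rid)


if __name__ == "__main__":
    rejected, body = demo()
    for name, hits in rejected.items():
        print(f"parameter {name!r} rejected because of {hits}")
    print("stored literally with a bound parameter:", body)
```

Every one of the four sample parameters is rejected, which is the article's point: a substring blacklist cannot tell the word "band" from the operator "and". The bound-parameter INSERT shows the other half of the argument, that the database driver, not a keyword list, is what keeps user text from becoming SQL.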

The solution to this problem is to include the filtering code only from the files that actually need filtering. But that is a lot of work, and the average webmaster does not know which files need it. So my advice is to add the filter code to conn.asp, then create a conn1.asp that does not contain the filtering code, and point the files that definitely do not need filtering (including those the filter code itself needs in order to run) at conn1.asp; note that the basic content of the two connection files must be kept consistent. In addition, it is best not to use filtered characters in the style settings, or else delete those characters from the anti-injection program's filter list.

The above concerns the impact of the anti-injection program on the site itself, which does no real harm. The real hazard comes from the data logging section, so let us look at that part of the code:

'-------- Write to the database ------- header --------
' Connection string for the Access log database next to the include file
Fy_dbstr = "DBQ=" & Server.MapPath("Sqlin.mdb") & ";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
Set Fy_db = Server.CreateObject("ADODB.Connection")
Fy_db.Open Fy_dbstr
' The page's copy of the code is cut off in the middle of this statement
Fy_db.Execute("INSERT INTO Sqlin (Sq
