在 C#/VB.NET 中解码 T-SQL CAST
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/109/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Decoding T-SQL CAST in C#/VB.NET
提问by Dillie-O
Recently our site has been deluged with the resurgence of the Asprox botnetSQL injectionattack. Without going into details, the attack attempts to execute SQL code by encoding the T-SQLcommands in an ASCII encoded BINARY string. It looks something like this:
最近,我们的网站被Asprox 僵尸网络SQL 注入攻击的死灰复燃所淹没。没有详细说明,攻击尝试通过将T-SQL命令编码为 ASCII 编码的 BINARY 字符串来执行 SQL 代码。它看起来像这样:
DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x44004500...06F007200%20AS%20NVARCHAR(4000));EXEC(@S);--
I was able to decode this in SQL, but I was a little wary of doing this since I didn't know exactly what was happening at the time.
我能够在 SQL 中对此进行解码,但我对这样做有点谨慎,因为我不知道当时到底发生了什么。
I tried to write a simple decode tool, so I could decode this type of text without even touching SQL Server. The main part I need to be decoded is:
我试图编写一个简单的解码工具,这样我就可以在不接触SQL Server 的情况下解码这种类型的文本。我需要解码的主要部分是:
CAST(0x44004500...06F007200 AS
NVARCHAR(4000))
I've tried all of the following commands with no luck:
我已经尝试了以下所有命令,但都没有运气:
txtDecodedText.Text =
System.Web.HttpUtility.UrlDecode(txtURLText.Text);
txtDecodedText.Text =
Encoding.ASCII.GetString(Encoding.ASCII.GetBytes(txtURLText.Text));
txtDecodedText.Text =
Encoding.Unicode.GetString(Encoding.Unicode.GetBytes(txtURLText.Text));
txtDecodedText.Text =
Encoding.ASCII.GetString(Encoding.Unicode.GetBytes(txtURLText.Text));
txtDecodedText.Text =
Encoding.Unicode.GetString(Convert.FromBase64String(txtURLText.Text));
What is the proper way to translate this encoding without using SQL Server? Is it possible? I'll take VB.NET code since I'm familiar with that too.
在不使用 SQL Server 的情况下转换此编码的正确方法是什么?是否可以?我将采用 VB.NET 代码,因为我也熟悉它。
Okay, I'm sure I'm missing something here, so here's where I'm at.
好的,我确定我在这里遗漏了一些东西,所以这就是我所在的位置。
Since my input is a basic string, I started with just a snippet of the encoded portion - 4445434C41 (which translates to DECLA) - and the first attempt was to do this...
由于我的输入是一个基本字符串,我从编码部分的一个片段开始 - 4445434C41(转换为 DECLA) - 第一次尝试是这样做......
txtDecodedText.Text = Encoding.UTF8.GetString(Encoding.UTF8.GetBytes(txtURL.Text));
...and all it did was return the exact same thing that I put in since it converted each character into is a byte.
...它所做的只是返回与我输入的完全相同的东西,因为它将每个字符转换为一个字节。
I realized that I need to parse every two characters into a byte manually since I don't know of any methods yet that will do that, so now my little decoder looks something like this:
我意识到我需要手动将每两个字符解析为一个字节,因为我还不知道有任何方法可以做到这一点,所以现在我的小解码器看起来像这样:
while (!boolIsDone)
{
bytURLChar = byte.Parse(txtURLText.Text.Substring(intParseIndex, 2));
bytURL[intURLIndex] = bytURLChar;
intParseIndex += 2;
intURLIndex++;
if (txtURLText.Text.Length - intParseIndex < 2)
{
boolIsDone = true;
}
}
txtDecodedText.Text = Encoding.UTF8.GetString(bytURL);
Things look good for the first couple of pairs, but then the loop balks when it gets to the "4C" pair and says that the string is in the incorrect format.
前几对看起来不错,但是当它到达“4C”对时循环停止并说字符串格式不正确。
Interestingly enough, when I step through the debugger and to the GetString method on the byte array that I was able to parse up to that point, I get ",-+" as the result.
有趣的是,当我逐步执行调试器并转到我能够解析到该点的字节数组上的 GetString 方法时,结果是“,-+”。
How do I figure out what I'm missing - do I need to do a "direct cast" for each byte instead of attempting to parse it?
我如何找出我遗漏了什么 - 我是否需要对每个字节进行“直接转换”而不是尝试解析它?
采纳答案by Dillie-O
I went back to Michael's post, did some more poking and realized that I did need to do a double conversion, and eventually worked out this little nugget:
我回到迈克尔的帖子,做了一些更多的探索,并意识到我确实需要做一个双重转换,最终找到了这个小金块:
Convert.ToString(Convert.ToChar(Int32.Parse(EncodedString.Substring(intParseIndex, 2), System.Globalization.NumberStyles.HexNumber)));
From there I simply made a loop to go through all the characters 2 by 2 and get them "hexified" and then translated to a string.
从那里我只是做了一个循环来遍历所有字符 2 x 2 并让它们“十六进制”,然后转换为字符串。
To Nick, and anybody else interested, I went ahead and posted my little applicationover in CodePlex. Feel free to use/modify as you need.
对于 Nick 和其他任何感兴趣的人,我继续在CodePlex 中发布了我的小应用程序。根据需要随意使用/修改。
回答by Michael Stum
Try removing the 0xfirst and then call Encoding.UTF8.GetString. I think that may work.
尝试删除第0x一个然后调用Encoding.UTF8.GetString. 我认为这可能奏效。
Essentially: 0x44004500
本质上:0x44004500
Remove the 0x, and then always two bytes are one character:
去掉0x,然后总是两个字节是一个字符:
44 00 = D
45 00 = E
6F 00 = o
72 00 = r
So it's definitely a Unicode/UTF format with two bytes/character.
所以它绝对是一个有两个字节/字符的 Unicode/UTF 格式。
