SQL注入攻击

发布于 2024-12-17 03:50:54 字数 782 浏览 0 评论 0原文

我有一个 asp.net 站点...最近几天,我在日志中看到我正在受到 sql 注入的攻击,例如:

例外:在 Application_Error 事件中捕获错误 错误位于:http://gramma.ro/Site/DetaliiProdus.aspx?c=m1&p=1465&s1=45&s2=79/**/or /**/1=@@版本))--

当然,这会引发异常,因为我在执行任何 sql 查询之前检查参数:

Error Message:Input string was not in a correct format.

对于所有这些异常,我将用户重定向到特定的错误页面。

当然,这些攻击现在不会影响我(我正在使用参数化的sql命令),但我正在获取ip并将它们放入IIS - Ip地址和域限制中,以便ip不再可以访问我的网站。

我的问题:我还能做些什么吗?看来这个恶意用户,即使我阻止了他的 IP,也会尝试从另一个 IP 进行相同的攻击(我在过去 3 天中阻止了大约 6 个 ip,这非常难看......)。你能建议我还应该做什么吗?

更新:所有这些攻击都使用 /**/or/**/1=@@version 而不是查询参数值,因此我很确定该攻击不是来自用户的随机问题,但却是真正的 SQL 注入攻击。问题是这些 ip 来自不同的位置,所以我无法将它们报告给某些互联网提供商或托管公司......

I have an asp.net site...Last days, I saw in my logs that I'm being attacked with sql injection like:

Exceptia: Error Caught in Application_Error event Error in: http://gramma.ro/Site/DetaliiProdus.aspx?c=m1&p=1465&s1=45&s2=79/**/or/**/1=@@version))--

Of course this will throw an exception because I check the parameters before doing any sql query:

Error Message:Input string was not in a correct format.

For all this exceptions I redirect the user to a specific error page.

Of course, these attacks do not affect me right now (I'm using parameterized sql commands), but I am taking the ips and put them in IIS - Ip Address and domain restrictions so that ip no longer can access my site.

My question: is anything else I can do? Seems that this malicious user, even I block his ip, is going and tries the same attack from another ip (I have blocked about 6 ips in last 3 days which is quite ugly...). Can you suggest anything else I should do?

UPDATE: All these attacks put /**/or/**/1=@@version instead of a query parameter value so I am pretty sure the attack it's NOT a random issue from the users but a real SQL injection attack. The problem is that these ips are from different locations so I cannot report them to some internet providers or hosts companies...

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

琴流音 2024-12-24 03:50:54

这将针对您所显示的单个请求提供保护。为了正确防止 SQL 注入,请参数化所有查询,并尽可能验证用户输入参数。

在我的代码中,我实际上更进一步,对任何意外的查询字符串抛出异常,这使得 API 发现(这就是这次攻击)变得更加困难。

将其添加到 global.asax

void Application_BeginRequest(object sender, EventArgs e)
{
    if(HttpContext.Current.Request.Url.ToString().Contains("@@version"))
    {
        throw new HttpException(400,"Bad Request");
    }
}

This will provide protection against the single request you've show. To properly protect against SQL injection, parameterize all queries, to the extent you can, validate user input parameters.

In my code, I actually go further and throw exceptions on any unexpected querystrings, which makes API discovery (which is what this attack is), much more difficult.

Add this to global.asax

void Application_BeginRequest(object sender, EventArgs e)
{
    if(HttpContext.Current.Request.Url.ToString().Contains("@@version"))
    {
        throw new HttpException(400,"Bad Request");
    }
}
影子是时光的心 2024-12-24 03:50:54

在您的应用程序中使用存储过程。这样就可以防止SQL注入。因为存储过程仅接受开发人员描述的有限参数。

Use Stored Procedures to your application. So that you can prevent SQL injection. Because Stored procedures accepts only the limited parameters as described by the developer.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文