Experimental Analysis of ARP Attacks: Attack, Defense and Countermeasures





SQL injection vulnerabilities, JavaScript script attacks and HTML scripting attacks on the network seem to grow stronger and stronger. One site after another is plagued by such attacks, and unlike host vulnerabilities, which can be patched immediately, attacks that arrive through the web application make prevention and repair a great inconvenience. Nothing is more painful for a webmaster. However strong your password is, it has always been within the attacker's reach, so how can we achieve real security? First, do not tie your password to your daily life; second, the super-administrator password must be known only to you; third, and absolutely necessary, improve your web site's code. How to improve it is the ultimate goal of this article.

Security: how do we do security? To protect, you must know how the other side attacks. Many articles describe how a particular site was compromised; in fact their attack methods fall into the following categories:

1. Simple script attacks

Such attacks are more annoying than dangerous. For example, a script tag wrapping alert(): because a filter is not strict, the attacker gains nothing from it, but he can still be disruptive. Many sites that offer free services, or whose programs are their own work, have this kind of loose filtering.

2. Dangerous script attacks

Such attacks go beyond nuisance: the script can steal the administrator's or other users' information. The best-known example is cookie theft; scripts can also write to the local client.

3. SQL injection exploits

This type of attack can be said to have started with Dongwang Forum (DvBBS) and BBSXP: filtering of SQL special characters was not tight, which allowed cross-database queries. For example:

http://127.0.0.1/forum/showuser.asp?id=999 and 1=1

http://127.0.0.1/forum/showuser.asp?id=999 and 1=2

http://127.0.0.1/forum/showuser.asp?id=999 and 0<>(select count(*) from admin)

http://127.0.0.1/forum/showuser.asp?id=999'; declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:'--&aid=9

Obtaining the administrator password means the whole site is controlled; it does not necessarily give host privileges, but it lays a lot of groundwork for that step. SQL injection attacks take many forms: they arrive through different files whose filtering is not tight, with the query varied in different ways. So without effort on the programs themselves, a complete character filter is impossible.

4. Remote injection attacks

Some sites' submission forms are protected only by simple JavaScript filtering on the page. For the average user this is enough; against a premeditated attacker such filtering has no effect at all. The POST attack we often speak of is one example: illegal data is submitted from a remote page in order to achieve the attacker's purpose.

From the attack methods described above we now have a general understanding of the attacker's approach. The rest of this description focuses on how to effectively prevent script attacks!

So we start from the simplest:

Preventing script attacks

Preventing JavaScript and HTML script attacks is very simple: Server.HTMLEncode(Str) takes care of it. Of course you may cry out: how can that be? Am I supposed to add filtering to every place on my site until I am exhausted? To make filtering convenient, we only need to filter out a few key characters used by HTML and JavaScript. Program body (1) is as follows:

' The following is a filter function

' The following is an application example
Username = CHK(Replace(Request("username"), "'", ""))

Include the function in a public page that every script includes, so that efficiency is best.

Program body (1)

In addition, it is worth noting that on many sites the user registration page or the profile-modification page also lacks script filtering, or only one of the two filters; if only registration filters, modifying the information after registering can still inject a script. Data submitted by the user must be checked and filtered; program body (2) is as follows:

' The following is a filter function
If InStr(Request("username"), "=") > 0 Or _
   InStr(Request("username"), "%") > 0 Or _
   InStr(Request("username"), Chr(32)) > 0 Or _
   InStr(Request("username"), "?") > 0 Or _
   InStr(Request("username"), "&") > 0 Or _
   InStr(Request("username"), ";") > 0 Or _
   InStr(Request("username"), ",") > 0 Or _
   InStr(Request("username"), "'") > 0 Or _
   InStr(Request("username"), Chr(34)) > 0 Or _
   InStr(Request("username"), Chr(9)) > 0 Or _
   InStr(Request("username"), "$") > 0 Or _
   InStr(Request("username"), ">") > 0 Or _
   InStr(Request("username"), "<") > 0 Or _
   InStr(Request("username"), """") > 0 Then
    Response.Write "Friend, the user name you submitted contains illegal characters; please go back and change it, thank you"
    Response.End
End If

Program body (2)

To improve efficiency we can go further and filter the parameters inside the program, so that the filtering efficiency for the various parameters increases greatly; see program body (3):

' The following is the main program
FQYs = Request.ServerVariables("QUERY_STRING")
Dim Bword(18)
Bword(0) = "?"
Bword(1) = ";"
Bword(2) = ">"
Bword(3) = "<"
Bword(4) = "-"
Bword(5) = "'"
Bword(6) = """"
Bword(7) = "&"
Bword(8) = "%"
Bword(9) = "$"
Bword(10) = "'"
Bword(11) = ":"
Bword(12) = "|"
Bword(13) = "("
Bword(14) = ")"
Bword(15) = "--"
Bword(16) = Chr(9)
Bword(17) = Chr(34)
Bword(18) = Chr(32)
errc = False
' The following is an application example
For i = 0 To UBound(Bword)
    If InStr(FQYs, Bword(i)) <> 0 Then
        errc = True
    End If
Next
If errc Then
    Response.Write ""
    Response.End
End If

Program body (3)

With the above filter function, wherever filtering is needed in the application you simply call the filter function. This greatly simplifies the repair work.

In addition, I would like to remind you once again that a small number of sites have a filter-conversion problem when displaying UBB icons; because it is hidden, it is not easy to find:

For example:

We modify the text of the tag

I wonder whether you see it: the first single quote pairs with the left quotation mark supplied by the program, and the second single quote closes the right quotation mark, so the output becomes:

An ARP attack is not a virus, so almost all anti-virus software is helpless against it; but it is worse than a virus, because at the mild end it slows communication and at the severe end it paralyses the network or leaks information. Over the years ARP attacks have always existed without a good solution; many Internet users suffer from them and network administrators do not know where to start. This study analyses the ARP protocol and the principle of ARP spoofing, then describes how ARP attacks are carried out, how to determine whether you are under ARP attack, and how to prevent and resolve ARP attacks.

1. The ARP protocol and the principle of spoofing

(1) How Ethernet works. Before a packet is sent on Ethernet it is first fragmented (into the largest permitted groups), then encapsulated (the network layer adds the source and destination IP addresses; the data link layer adds the source MAC address and the next hop's MAC address) and converted into a binary bit stream, as shown in Figure I-1. When the packet reaches its destination the reverse process runs: the bit stream is reassembled into a frame and de-encapsulated (the data link layer first compares the destination MAC with the local network card's MAC or the broadcast MAC; if they match the frame header is removed and the packet is passed to the network layer, otherwise it is discarded; the network layer then compares the destination IP address with the machine's own and continues only if they match, otherwise discards it). If sender and receiver are on the same network, the next hop's MAC is the destination's MAC; if they are not on the same network, the next hop's MAC is the gateway's MAC. From this process it is easy to see that for Ethernet data transmission the destination IP address alone is not enough: the next hop's MAC address is also needed, which requires the help of another protocol, ARP (Address Resolution Protocol).

Figure I-1: data packing and unpacking

(2) How ARP works. Before a computer sends a packet it compares the destination IP address with its own to determine whether source and destination are on the same segment: if they are, it encapsulates with the destination's MAC; if not, with the gateway's MAC. Before encapsulating, it checks its own ARP cache for a mapping entry for the next hop's IP and MAC; if there is one it encapsulates directly, otherwise it sends an ARP query packet. The format of ARP query and response packets is shown in Figure I-2. In a query packet the "Ethernet destination address" is the broadcast address 0xffffffffffff; the "Ethernet source address" is the sending machine's network card MAC; the "frame type" 0x0806 indicates an ARP request or response; the "hardware type" 0x0001 indicates Ethernet; the "protocol type" 0x0800 indicates IP addresses; "OP" distinguishes ARP request from response, with the value 1 for a request and 2 for a response; the "sender Ethernet address" is the sender's MAC; the "sender IP" is the sender's IP address; the "target Ethernet address" is 0x000000000000 in a query; and the "target IP" is the IP address whose MAC is being looked up. The packet is broadcast on the network and received by every computer on the LAN, but only the computer whose IP address equals the "target IP" responds to it. When the original sender receives this ARP reply it obtains the MAC address corresponding to the destination IP and can then encapsulate the data packet.

Figure I-2: ARP query and response packet format

(3) ARP spoofing. Whereas TCP uses the sequence number and acknowledgement number fields and a three-way handshake to ensure reliable data transmission, ARP is a stateless protocol: whether or not a machine has sent an ARP request, as soon as it receives an ARP response packet it accepts it without any validation and updates its ARP cache. Knowing how ARP works, one only has to fill certain fields of Figure I-2 deliberately to achieve the effects of an ARP attack: IP address conflict, ARP spoofing, and ARP interception.

IP address conflict. The method a computer uses to detect whether its own IP address is already in use on the network is to send an ARP query packet with its own IP address as the target IP; if a response is received, the IP address is already in use, a dialog box saying so pops up, and the machine releases its IP address. An ARP attacker exploits this principle: the "sender Ethernet address" field is filled with an arbitrary MAC address (not the attacker's real MAC), the "sender IP" field with the victim's IP address, the "target Ethernet address" field with the attacker's real MAC address, the "target IP" field with the victim's IP address, and OP with the value 2, as shown in Figure I-3. When the victim receives this ARP response it concludes that its IP address is already in use on the network and pops up an IP address conflict dialog box.

Figure I-3: ARP response packet causing an IP address conflict

ARP spoofing: as shown in Figure I-4, PC1 is the attacker, whose aim is to interrupt communication between PC2 and the gateway. PC1 generates an ARP response packet with the "sender IP" set to the gateway's IP address, the "sender Ethernet address" set to a non-gateway MAC address (which can be randomly generated), the "target IP" set to PC2's IP address and the "target Ethernet address" set to PC2's MAC address. When PC2 receives this latest ARP response it updates its ARP cache with the incorrect gateway MAC; from then on PC2 encapsulates with the wrong MAC address, so its packets can no longer reach the gateway. Similarly, PC1 sends an incorrect ARP response to the gateway with the "sender IP" set to PC2's IP address, the "sender Ethernet address" set to a non-PC2 MAC address (again randomly generated) and the "target IP" set to the gateway's IP address. On receiving this response the gateway saves the wrong mapping entry for PC2 in its cache. PC1 sends such packets to PC2 and the gateway periodically so that their ARP entries never age out, which prevents them from communicating.

Figure I-4: ARP spoofing diagram

ARP interception. This is the man-in-the-middle attack. It is like ARP spoofing, except that the "sender Ethernet address" PC1 places in the ARP packets it sends is not randomly generated but PC1's own MAC address; PC1 then enables its routing function (set the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter to 1) and runs sniffing software, so that it intercepts all traffic between PC2 and the gateway.

2. How ARP attacks are carried out

Two pieces of software are used below to carry out ARP attacks; the topology is shown in Figure I-5.

Figure I-5: ARP attack topology

The first piece of software is used mainly to disrupt normal network traffic. As shown in Figure I-5, the "network magistrate" software is installed on virtual machine 2 to break the normal communication between virtual machine 1 and the real machine. The experimental steps are as follows.

Configure the computers' IP addresses correctly. Virtual machine 1: network card type Bridged, IP address 192.168.1.220, mask 255.255.255.0, gateway 192.168.1.1, DNS 218.2.135.1. Virtual machine 2: network card type Bridged, IP address 192.168.1.210, mask 255.255.255.0, gateway 192.168.1.1, DNS 218.2.135.1. The real machine: IP address 192.168.1.200, mask 255.255.255.0, gateway 192.168.1.1, DNS 218.2.135.1.

Install WinPcap on virtual machine 2. Extract the "network magistrate.rar" file and double-click "WinPcap30.exe" to start the WinPcap installation.

Install the network magistrate software on virtual machine 2. Double-click the "Network magistrate crack version 2.8.exe" file to install it.

Run the network magistrate. On its first run it opens the dialog box shown in Figure I-6, prompting for the monitoring parameters.

Figure I-6: monitoring parameters

Because there is only one network card, select the check box of the top card and click "OK". This opens the monitoring range selection dialog shown in Figure I-7; specify the monitoring range as all available IP addresses of the subnet the card is in, click "Add/Edit" in the dialog to add the range, then click "OK".

Figure I-7: monitoring range selection

Test before the attack. On virtual machine 1 open a DOS window and type ping 192.168.1.200 -t to ping the real machine's IP address continuously; you will find that it gets through. Do not close the window.

Start the attack. The network magistrate software can monitor all online hosts on the same subnet. In the magistrate's management interface, right-click the real machine and select "Manual management" from the shortcut menu, as shown in Figure I-8.

Figure I-8: magistrate management interface

In the dialog shown in Figure I-9, select the third option "Prohibit connection with all other hosts ..." and click "Start"; the test ping between virtual machine 1 and the real machine then starts reporting "Request timed out": communication is cut off. In a real environment you can instead select only "Prohibit connection with key hosts ...", click "Key hosts" and add the gateway's address, so that the connection between the attacked computer and the gateway is interrupted while its communication with other LAN computers continues.

Figure I-9: manual management of a computer

The second piece of software is used to steal valuable information. As shown in Figure I-5, the "Cain & Abel" software is installed on virtual machine 1 to intercept the normal communication between the real machine and the virtual machine. The experimental steps are as follows.

Install Cain & Abel on virtual machine 1. Double-click "ca_setup.exe" to start the installation; near the end you are prompted to install WinPcap 4.0, as shown in Figure I-10; select "Install" to start installing WinPcap 4.0.

Figure I-10: installing WinPcap 4.0

Run Cain & Abel. Double-click the "Cain" icon on the desktop to open the Cain & Abel management interface, then click the "Start/Stop Sniffer" icon in the management interface to begin capturing packets, as shown in Figure I-11.

Figure I-11: starting the sniffer

Capturing passwords in a hub environment. Click the "Sniffer" tab at the top of Figure I-11, then the "Passwords" tab below it, to start capturing passwords and sensitive information, including e-mail, Telnet, FTP and so on. Open a Telnet service on virtual machine 2, then on the real machine run telnet 192.168.1.210 and enter the user name and password; as shown in Figure I-12, the left navigation bar indicates that Telnet information has been captured.

Figure I-12: monitoring sensitive information

Click "Telnet" in the left navigation bar, right-click the captured entry in the list on the right and select "View" from the shortcut menu; this opens the Notepad window shown in Figure I-13, from which it is not hard to see that the user name is administrator and the password is cisco. Each letter of the word administrator appears twice in the figure because Telnet echoes it once.

Figure I-13: the captured password file

Capturing passwords in a switched environment. The password was so easy to obtain because virtual machine 1, virtual machine 2 and the real machine are all connected through the real computer's network card, which is equivalent to all of them hanging off one hub. Real environments more often use switches, and a switch does not pass the traffic between two hosts, or between a host and the gateway, through the attacker's host. ARP spoofing is then needed: click the "ARP" tab at the bottom of Figure I-12, then click the "Add to list" toolbar icon, as shown in Figure I-14.

Figure I-14: adding an ARP spoofing entry to the list

This opens the new ARP entry dialog shown in Figure I-15; select an IP address on the left and an IP address on the right, and the two hosts with these IP addresses will be spoofed.

Figure I-15: selecting the computers to be spoofed

Click "OK" to return, then click the "Start/Stop ARP" icon to the right of the "Start/Stop Sniffer" icon in the toolbar shown in Figure I-11 to start ARP spoofing. Communication between the computers selected in Figure I-15 is now relayed through virtual machine 1, which can naturally obtain the sensitive information passed between them in the clear. Seen in this light, switched networks have security risks too.

3. How to determine whether you are under ARP attack

The ARP spoofing attack described above does not cause network congestion, but it does cause leakage; a solution is introduced later. The first method of determining whether there is an ARP attack is simple; follow these steps.

Continuously ping the IP address that cannot be reached. On the problem computer (virtual machine 1), in a DOS window type "ping 192.168.1.200 -t" to test network connectivity; 192.168.1.200 is the computer that cannot communicate normally (here the real machine); in practice replace it with the IP address of the unreachable target computer on the same segment. If you are under ARP attack the screen shows "Request timed out".

On the affected computer (virtual machine 1) open another DOS window and type "arp -d". arp is the DOS command that resolves IP addresses to the corresponding network card MAC addresses; -d clears all cached IP-to-MAC mappings on the machine. If the window from step 1 then shows a sustained "Reply from ...", the machine had been under ARP attack and has now returned to normal; if there is only one "Reply from ..." packet and the following ones become "Request timed out" again, the computer is under continuous ARP attack.
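As an added illustration (not part of the original study), the Python below builds ARP frames in the Figure I-2 layout and then inspects them as a host that wants to catch the three cases of section 1 (the IP-conflict reply of Figure I-3, a gateway announced with a wrong MAC as in Figure I-4, and a sender MAC that disagrees with the Ethernet header); it also applies the idea of Method 1 in section 4, looking for one MAC claimed by several IPs, to a constructed "arp -a" listing. IPs follow the test network above; the gateway MAC is the one bound with arp -s in Method 2, and every other MAC is made up.

```python
import struct
from collections import defaultdict

ETH_TYPE_ARP = 0x0806          # "frame type" value for ARP (Figure I-2)
ARP_REQUEST, ARP_REPLY = 1, 2  # "OP" field values

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa):
    """Build a 42-byte Ethernet+ARP frame with the field layout of Figure I-2.
    Queries go to the broadcast address, replies to the target MAC."""
    eth_dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else tha
    eth = mac_bytes(eth_dst) + mac_bytes(sha) + struct.pack("!H", ETH_TYPE_ARP)
    arp = (struct.pack("!HHBBH", 0x0001, 0x0800, 6, 4, op)   # hw type, proto type, lengths, OP
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (0x0001, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {"eth_src": mac_str(frame[6:12]), "op": op,
            "sha": mac_str(body[0:6]), "spa": ip_str(body[6:10]),
            "tha": mac_str(body[10:16]), "tpa": ip_str(body[16:20])}

def inspect_replies(frames, my_ip, my_mac, trusted):
    """Flag ARP replies that would poison this host's cache.  'trusted' maps
    IP -> MAC for hosts bound statically (Method 2), at least the gateway."""
    alerts = []
    for frame in frames:
        p = parse_arp(frame)
        if p is None or p["op"] != ARP_REPLY:
            continue
        if p["spa"] == my_ip and p["sha"] != my_mac:
            # Figure I-3: someone else claims our own IP -> "IP address conflict"
            alerts.append(("ip-conflict", p["spa"], p["sha"]))
        elif p["spa"] in trusted and p["sha"] != trusted[p["spa"]]:
            # Figure I-4: the gateway's IP announced with a wrong MAC
            alerts.append(("spoofed-binding", p["spa"], p["sha"]))
        elif p["sha"] != p["eth_src"]:
            # sender MAC inside ARP disagrees with the Ethernet source address
            alerts.append(("header-mismatch", p["spa"], p["sha"]))
    return alerts

def macs_shared_by_several_ips(arp_a_output):
    """Method 1 applied to Windows 'arp -a' output: a MAC that several IPs
    (the gateway plus others) resolve to is the likely attacker's MAC."""
    by_mac = defaultdict(list)
    for line in arp_a_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].count("-") == 5:
            by_mac[parts[1]].append(parts[0])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

# Constructed sample data: IPs from the article's test network, gateway MAC from
# Method 2's 'arp -s' line; the remaining MACs are made up for the example.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:aa:00:62:c6:09"
PC2_IP, PC2_MAC = "192.168.1.220", "00:0c:29:11:22:33"
FAKE_MAC = "00:50:ba:e3:23:05"

SAMPLE_FRAMES = [
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, PC2_MAC, PC2_IP),           # genuine reply
    build_arp(ARP_REPLY, FAKE_MAC, GATEWAY_IP, PC2_MAC, PC2_IP),              # Figure I-4
    build_arp(ARP_REPLY, "00:11:22:33:44:55", PC2_IP, PC2_MAC, PC2_IP),       # Figure I-3
    build_arp(ARP_REQUEST, PC2_MAC, PC2_IP, "00:00:00:00:00:00", GATEWAY_IP), # normal query
]

SAMPLE_ARP_A = """\
Interface: 192.168.1.220 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-50-ba-e3-23-05     dynamic
  192.168.1.200         00-0c-29-aa-bb-cc     dynamic
  192.168.1.210         00-50-ba-e3-23-05     dynamic
"""

def demo():
    """Inspect the sample frames as PC2 and analyse the sample 'arp -a' output."""
    alerts = inspect_replies(SAMPLE_FRAMES, PC2_IP, PC2_MAC, {GATEWAY_IP: GATEWAY_MAC})
    return alerts, macs_shared_by_several_ips(SAMPLE_ARP_A)
```

Run demo() to see the two alerts (the spoofed gateway binding and the IP conflict) and the one MAC that both 192.168.1.1 and 192.168.1.210 resolve to.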

4. How to prevent and resolve ARP attacks

Solutions to ARP attacks are varied, but because of various constraints very few can eventually be implemented, and sometimes not one of them can. The following solutions are not exhaustive, but whatever the actual network hardware, you should be able to find the most suitable one among them.

Method 1: Once an ARP attack has been detected as above and the attack persists, run "arp -d" on the victim computer and then "arp -a"; -a displays all the ARP cache entries on the computer. Among them you may find a few records: one is the gateway or the target host you are trying to reach, and there are one or several others. Run "arp -d" and "arp -a" several times and tally the results: the IP address in the record that appears most often is essentially the real attacker's IP address.

Advantage: it is simple, suits nearly all network environments, needs no supporting software and no very professional network management knowledge; you can identify the attacker and then isolate it from the network. Disadvantage: if the attacker aims only at destruction rather than control, "arp -a" shows no reliable record.

Method 2: Bind the IP and MAC addresses statically on the target device and on the victim computer respectively. For example, on the computer run:

arp -s 192.168.1.1 00-aa-00-62-c6-09

and on the routing or switching equipment (Cisco equipment is used as the example here) run:

Cisco-6509(config)# arp 192.168.1.2 0009.6be2.3ca3 ARPA

Binding the IP and MAC addresses of the target devices that need protection leaves illegal ARP entries no hole to exploit. Not every user has the right to bind their own IP and MAC address at the gateway, but users can at least bind the gateway's IP and MAC address on their own computers; it is best to put this in a batch file that is executed every time the computer starts. This method effectively avoids the second kind of attack, leakage.

The advantage of this method is that it suits relatively small networks. Its drawbacks are that implementation is difficult, the more so the more hosts there are and the more often they change (universities, for example, see a class graduate and a new one enrol every year, so the binding workload is huge and hard to carry out); too many binding entries on a device slow its execution and reduce efficiency; even though the ARP attack no longer affects Internet access, the large number of ARP packets still being sent takes up a lot of useful bandwidth; and the equipment must support static binding.

Method 3: Use Dynamic ARP Inspection (DAI) combined with DHCP so that IP and MAC addresses are bound automatically. This is similar to method 2, but the binding is done automatically and can be deployed on access-layer switches, which discard illegal ARP packets; interested readers can look up the technical documentation of the relevant equipment.

Advantage: this is the best way to resolve ARP attacks; it needs no administrator assistance, illegal ARP packets cannot reach the network, and it neither harms nor affects network performance. Drawback: it requires an administrator with better skills and network equipment that supports it; on Cisco equipment at least Layer 3 devices support this feature (few domestic enterprises use Layer 3 devices at the access layer), and many manufacturers' equipment does not yet support it.

Method 4: With a managed switch you can find the attacker within a minute. In solution 1 you can find that the MAC address recorded for the target IP is not its real MAC; note this MAC address. If the MAC is "0050.bae3.2305", on the managed switch (again Cisco equipment as the example) run:

Cisco-2950# show arp | include 0050.bae3.2305
Internet  10.168.168.9  239  0050.bae3.2305  ARPA  FastEthernet1/17

The first line is the command executed: a plain "show arp" shows all the MAC addresses the switch has learned, among which the attacking MAC is very hard to find; "| include 0050.bae3.2305" filters the output so that only the matching line is displayed. The second line is the result: the MAC address comes from port Fa1/17. Find the host connected to that port and you have found the attack source; if the port is connected not to a computer but to another switch, repeat the method there until you reach the final computer.

Advantage: this is the most feasible method and the most efficient to carry out; all managed switches support it, and it is strongly recommended. Drawback: many organisations still use unmanaged switches or hubs.

Method 5: With unmanaged switches or hubs you can find the attacker in about 10 minutes. On the attacked computer (virtual machine 1) open two DOS windows; in one run "ping 192.168.1.200 -t" and in the other intermittently run "arp -d". If there are several unmanaged switches or hubs, cut their power one by one; when the ping window changes to a sustained "Reply from ...", the ARP attack source hangs off that network device. Restore power to that device and unplug its cables one at a time; when the ping window again changes to a sustained "Reply from ...", the equipment connected to that cable is the ARP attack source. If this search is slow you can use binary search, unplugging half of the cables at a time and testing; generally the attack source is found in no more than 10 minutes.

Advantage: suitable for nearly any network environment. Drawback: it is a little hard to carry out; it is best to replace such switches or hubs.

Method 6: ordinary users helping themselves. Since the network may not be repaired in time for an ordinary Internet user, writing a batch file and running it on the computer can solve the ARP attack problem. The batch file is as follows:

:a
arp -d
ping 1.1.1.1 -n 1 -w 100
goto a

Save the text file as a.bat and double-click it to run. A DOS window opens on the user's computer and the program loops; as long as the window is not closed, the ARP attack problem is solved. If clearing the ARP cache this way is too slow, change the 100 above (0.1 s) to the desired value.

Advantage: ordinary users can solve the ARP attack problem themselves, in almost any network environment. Drawback: clearing the ARP cache so frequently sends frequent ARP broadcast packets, which puts an additional burden on the computer and the network.

If the picture does not exist, the tag's onerror handler runs the script. For sites that filter single quotes, as here, double quotation marks do the job instead. For the filtered **** field, alert() alone also works. So our filtering must be thorough, leaving the attacker no opening at all.

Preventing SQL injection exploits

This seems to be the focus of the entire article. The diversity of SQL injection vulnerabilities means we have to think harder about the protection process. Faced with the strong "offensive" of SQL injection, what exactly should we filter?

The risks of some commonly used characters:

'    closes a database field (string literal)

--   comment marker in some databases

#    comment marker in some databases

"    may lead to errors

Cross-directory characters

Unicode character encoding tricks

$    may be used as a variable marker

/    the same

NULL: careless handling of "empty" input may cause database or system errors, and such errors can be used to construct an overflow

Spaces and ' are used together to construct SQL injection

= and & may allow a second parameter to rewrite the query string

(1) From the point of view of ordinary SQL injection exploits: the filtering problem in the user name and password, for example:

Submitted user name: ' or ''='    and user password: ' or ''='

Working through the program, we arrive at the following database query:

Sql = "SELECT * FROM lUsers WHERE Username='' or ''='' and Password='' or ''=''"

In this way SQL Server returns all records of the lUsers table, and the ASP script mistakes the attacker for the first record in the lUsers table, allowing the attacker to log in to the site as that user. Preventing this type of injection seems very simple:

It can be achieved with the following code, program body (4):

strUsername = Replace(Request.Form("Username"), "'", "''")
strPassword = Replace(Request.Form("Password"), "'", "''")

Program body (4)

(2) To prevent SQL injection attacks, the first step is to use various security measures to control user input coming from the ASP Request objects (Request, Request.QueryString, Request.Form, Request.Cookies and Request.ServerVariables), to ensure the reliability of the SQL command. The specific measures vary with your DBMS.

The harm a SQL injection attack can cause depends on the site's software environment and configuration. When the web server accesses the database as the database owner (dbo), a SQL injection attack can delete all tables, create new tables, and so on. When the server accesses the database as the super user (sa), a SQL injection attack can control the entire SQL Server; in some configurations an attacker can even create their own user account and fully control the Windows server the database runs on.

For example:

http://127.0.0.1/forum/showuser.asp?id=999'; declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:'--&aid=9

http://127.0.0.1/forum/showuser.asp?id=999'; declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:'--&aid=9

It can even run a command like net user fqy fqy /add. Of course this requires the current execution context to be sa; if you are only attacking a virtual host, I advise you to stop there.

For some sites, preventing attacks through port 80 from directly obtaining administrative rights on the machine has become essential. Filtering xp_cmdshell is the first priority. Many sites submit data with GET and POST mixed, or with GET alone; for that case we give a way of preventing SQL injection through GET, program body (5):

FQYs = Request.ServerVariables("QUERY_STRING")
Dim nothis(18)
nothis(0) = "net user"
nothis(1) = "xp_cmdshell"
nothis(2) = "/add"
nothis(3) = "exec%20master.dbo.xp_cmdshell"
nothis(4) = "net localgroup administrators"
nothis(5) = "select"
nothis(6) = "count"
nothis(7) = "asc"
nothis(8) = "char"
nothis(9) = "mid"
nothis(10) = "'"
nothis(11) = ":"
nothis(12) = """"
nothis(13) = "insert"
nothis(14) = "delete"
nothis(15) = "drop"
nothis(16) = "truncate"
nothis(17) = "from"
nothis(18) = "%"
errc = False
For i = 0 To UBound(nothis)
    ' vbTextCompare makes the match case-insensitive, so SELECT is caught as well as select
    If InStr(1, FQYs, nothis(i), vbTextCompare) <> 0 Then
        errc = True
    End If
Next
If errc Then
    Response.Write ""
    Response.End
End If

Program body (5)

I want to state plainly: the above procedure filters data submitted by the GET method; do not apply it blindly.

Attacks through user input from the other ASP Request objects (Request, Request.QueryString, Request.Form, Request.Cookies and Request.ServerVariables) are largely concentrated on input variables that the script expects to be numeric (ID). Of course we cannot look only at numeric variables; for example:

http://127.0.0.1/systembbs/showtopic.asp?tid=99&name=abc' and left(userpassword,1)='a

http://127.0.0.1/systembbs/addtopic.asp?tid=99&name=abc' and userpassword='' or ''='

In addition, how do we prevent a single injection error like this one?

http://127.0.0.1/systembbs/addtopic.asp?tid=99'; delete forum_forum;--&page=33

Prevention program: program body (6)

......addtopic.asp?action=add......
......addtopic.asp?action=delete......

action1 = trim(Request.QueryString())
if left(action1, 7) <> "action=" then   ' the query string must begin with action=
    error(err01)                          ' error handling (the author's own routine)
else
    action = Request.QueryString("action")   ' obtain the value of action from the query string
end if
select case action   ' dispatch on the query string value
    case "add"
        .....
    case "delete"
        ......
    case else   ' any other value of the query string goes to error handling
        error(err02)
end select

Procedure body (6)

When such an attack occurs our webmasters get a headache again. Here I can give you what I think is the best way to handle it: in general a user name does not exceed 15 characters, and most are at most 14. So we filter on the length, see program body (7):

name = replace(name, "'", "")
if len(name) > 16 then
    response.write "You do what?"
    response.end
end if

Procedure body (7)

Why, when we have already filtered the single quote here, do we still take a length limit as well? I won't say much; first read 4ngel's article <<Bypassing the ' restriction and continuing to inject>>. Don't ask me how to convert to numeric format; I can't, heh... ^_^!

Back to our topic, "the input variable the script expects is a numeric variable (ID)". How do we guard against injection there? Heavens, there are far too many methods. The most direct is to check whether the value is an integer; there are also some more individual validation methods. We introduce them one by one, see program body (8):

1. Check whether the number is an integer

p_lngID = CLng(Request("ID"))

2. Take the length; I believe ordinary data lengths will not exceed 8 digits, so:

If len(ID) > 8 then
    response.write "bedpost"
    response.end
end if

3. I consider this a rather risky method: run one more database query, and if the table holds no row with the same value, return an error.

sql = "SELECT NAME FROM Category where ID=" & ID
set temp = conn.Execute(sql)
if temp.bof or temp.eof then
    response.Redirect("index.asp")
else
    cat_name = temp("name")
end if
set temp = nothing
' the above is the check of the data ID; below is the real query
sql = "SELECT ID T_ID, NAME FROM Category where ID=" & ID & " ORDER BY xh asc"
rs.open sql, conn, 1, 1

4. The data filtering script I use myself, patented, heh~

id = replace(id, "'", "")
If len(request("id")) > 8 then   ' why the length is taken was explained in the program above
    response.write ""
    response.end
else
    If request("id") <> "" then   ' the non-empty test guards pages where the value is legitimately empty; without it the check below would raise an error
        If IsNumeric(request("id")) = False then   ' 风清扬's modified ID data monitoring routine
            response.write ""
            response.end
        end if
    end if
end if

Procedure body (8)
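The length and IsNumeric checks of program body (8), and its concatenated `SELECT NAME FROM Category where ID=" & ID`, are illustrated with an added Python example (not the article's code; the `Category` table and its rows are constructed). `strict_id` accepts only plain digits, which is narrower than an IsNumeric-style test (`loose_is_numeric` shows what such a test lets through), and `lookup_param` binds the validated value as a query parameter so the request text can never be read as SQL. `lookup_concat` keeps the page's concatenation so that the `and 1=1` / `and 1=2` pair from the start of the article can be seen acting as a true/false oracle against it.

```python
import re
import sqlite3

# Strict shape for an ID: 1 to 8 ASCII digits, the length limit program body (8) uses.
ID_RE = re.compile(r"^[0-9]{1,8}$")


def loose_is_numeric(value: str) -> bool:
    """Roughly what an IsNumeric-style test accepts: anything float() parses,
    so signs, surrounding blanks and exponents ('1e3') all pass."""
    try:
        float(value)
        return True
    except (TypeError, ValueError):
        return False


def strict_id(value):
    """Return the ID as an int only when it is 1-8 plain digits, else None."""
    if not isinstance(value, str) or not ID_RE.match(value):
        return None
    return int(value)


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the page's Category table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Category (ID INTEGER, NAME TEXT, xh INTEGER)")
    conn.executemany("INSERT INTO Category VALUES (?, ?, ?)",
                     [(1, "general", 1), (2, "security", 2), (999, "archive", 3)])
    return conn


def lookup_concat(conn, raw_id: str):
    """The query pattern from program body (8): the request value is pasted
    into the SQL text, so whatever the value contains becomes SQL."""
    sql = "SELECT NAME FROM Category where ID=" + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, raw_id: str):
    """Validate the shape first, then bind the value as a parameter; the
    database never sees the request text as SQL.  None means rejected."""
    cid = strict_id(raw_id)
    if cid is None:
        return None
    return [row[0] for row in conn.execute(
        "SELECT NAME FROM Category where ID=?", (cid,))]


if __name__ == "__main__":
    db = build_db()
    for probe in ["999", "999 and 1=1", "999 and 1=2", "1e3", " 12 "]:
        print(f"{probe!r:14} IsNumeric-like={loose_is_numeric(probe)!s:5} "
              f"strict={strict_id(probe)!s:5} param={lookup_param(db, probe)}")
    # The true/false pair from the page behaves as an oracle against concatenation:
    print("concat 999 and 1=1 ->", lookup_concat(db, "999 and 1=1"))
    print("concat 999 and 1=2 ->", lookup_concat(db, "999 and 1=2"))
```

In classic ASP the equivalent of `lookup_param` is an ADODB.Command with parameters rather than a string built with `&`; the validation step stays the same in either language.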

Because of my own programming habits, I like to keep all the data validation routines in the site-wide shared include, for example conn.asp; written once, it fixes the problem for the whole site.

Speaking of which, let me raise one point about attacks: running (brute-forcing) user passwords or user names. The commonly used form is

....../show.asp?id=1 and 0<>(select count(*) from admin where id=3 and left(username,1)='a')

trying values one by one. Of course we cannot discuss some Perl program here to run passwords; programs are written by other people, and you have to understand the principle yourself. What I want to give here is just a more convenient method: take a range of ASCII codes. It is much faster than running values individually. Letters, digits, Chinese characters, special characters, they all have a corresponding ASCII code. Use the following:

....../show.asp?id=1 and 0<>(select count(*) from admin where id=3 and asc(right(left(username,3),1)) between 1 and 10000)

The rest is up to you; normally 97 to 122 is enough, it's just letters, very fast. Heh, some people prefer the mid function, which is also fine: asc(mid(username,2,1)) between 1 and 10000 works too.

How to prevent SQL injection attacks more effectively? We will go into specifics in the text below!

Preventing remote injection attacks

In the past this type of attack was probably a fairly common method, for example the POST attack: the attacker can change the submitted data values at will to achieve the attack. Another example is cookie forgery, which deserves even more attention from program authors and webmasters: do not use cookies as the means of user authentication, otherwise it is exactly like leaving your keys with the thief.

For example:

If trim(Request.cookies("uname")) = "fqy" and Request.cookies("upwd") = "fqy#e3i5.com" then
    ........more.........
End if

I hope none of you webmasters or friends who like writing programs ever make this kind of mistake; it really is unforgivable. Cookie forgery has been known for so many years; if you still write it this way you cannot blame others for running your password. Wherever user passwords or user logins are involved, you had best use session, which is the safest. If you must use cookies, add one more piece of information to the cookie, the SessionID; its random value is 64 bits, and guessing it is impossible. Example:

if not (rs.BOF or rs.eof) then
    login = "true"
    Session("username" & Session.SessionID) = Username   ' Session.SessionID is the ASP session identifier
    Session("password" & Session.SessionID) = Password
    ' Response.cookies("username") = Username
    ' Response.cookies("Password") = Password
end if
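An added example (Python, not the article's ASP) of the difference the author draws between cookie-based and session-based login. `cookie_auth_weak` is the pattern just shown: the browser presents the user name and password in cookies, so whoever holds or forges those values is logged in, and the password travels with every request. `SessionStore` is the alternative: after a password check the server issues a random id (256 bits here) and keeps the identity server-side, so a cookie carrying only `uname` and `upwd` is worth nothing. The user `fqy` and the password `fqy#e3i5.com` are taken from the article's example and stored as a salted PBKDF2 hash; everything else is constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the server never keeps the clear password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: user name -> (salt, hash).  Values from the page's example.
_SALT = secrets.token_bytes(16)
USERS = {"fqy": (_SALT, _hash_password("fqy#e3i5.com", _SALT))}


def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, expected = rec
    return hmac.compare_digest(_hash_password(password, salt), expected)


def cookie_auth_weak(cookie: dict) -> Optional[str]:
    """The pattern the page warns about: identity is asserted by the browser
    through uname/upwd cookies.  Anyone presenting matching values is in,
    and the password is exposed on every request."""
    uname = cookie.get("uname", "").strip()
    if verify_password(uname, cookie.get("upwd", "")):
        return uname
    return None


class SessionStore:
    """Server-side sessions: the cookie carries only an unguessable random id;
    the identity it maps to lives on the server, never in the cookie."""

    def __init__(self):
        self._sessions = {}

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a new session id after a successful password check, else None."""
        if not verify_password(username, password):
            return None
        sid = secrets.token_urlsafe(32)           # 256 random bits, 43 characters
        self._sessions[sid] = {"username": username}
        return sid

    def user_for(self, cookie: dict) -> Optional[str]:
        """Identity is whatever the server stored under the presented id."""
        sess = self._sessions.get(cookie.get("sid", ""))
        return sess["username"] if sess else None

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("fqy", "fqy#e3i5.com")
    print("session cookie  :", store.user_for({"sid": sid}))
    print("forged uname/upwd against sessions:", store.user_for({"uname": "fqy", "upwd": "fqy#e3i5.com"}))
    print("same cookie against the weak check:", cookie_auth_weak({"uname": "fqy", "upwd": "fqy#e3i5.com"}))
```

The session id should also be issued fresh at login and discarded at logout, as `login` and `logout` do here, so that an id captured earlier does not stay valid.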

Now let's talk about how to prevent remote injection attacks. The usual attack is to drag the form page to the local machine and point its Form ACTION="chk.asp" at the file on your server that processes the data. If all of your data filtering lives on the form page, then congratulations, you have already been script-attacked.

How can such remote attacks be stopped? Easy; look at the code: program body (9)

' I felt the filtering code above was not very good; some external submissions still walked straight in, so I wrote another one.
' This one filters well; recommended.
if instr(request.servervariables("http_referer"), "http://" & request.servervariables("HTTP_HOST")) < 1 then   ' HTTP_HOST is the server variable that carries the Host header
    response.write "处理 URL 时服务器上出错。" & _
                   "如果您是在用任何手段攻击服务器,那你应该庆幸,你的所有操作已经被服务器记录,我们会第一时间通知公安局与国家安全部门来调查你的IP."
    response.end
end if

Procedure body (9)
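Program body (9) checks that `http://` plus the Host header occurs somewhere in the Referer. An added Python example (not the article's code; the host `www.example.com` and the sample headers are constructed) puts that substring test beside a check that parses the Referer and compares its host name exactly. The samples show two gaps a defender should know about: the substring form passes any URL that merely contains the site's origin somewhere in it, and it fails genuine https referers. Neither form is authentication, since the Referer is supplied by the client, which is the point the article itself goes on to make about HTTP_REFERER.

```python
from urllib.parse import urlsplit


def referer_substring_check(referer: str, host: str) -> bool:
    """Port of program body (9): pass when "http://" + host occurs anywhere
    in the Referer header (an empty Referer fails, as instr(...) < 1 does)."""
    return ("http://" + host) in (referer or "")


def referer_host_check(referer: str, host: str) -> bool:
    """Stricter form: parse the Referer and require its host name to equal
    ours exactly, over http or https.  A missing or unparsable Referer fails."""
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    expected = host.split(":")[0].lower()     # Host header may carry a :port
    return parts.hostname.lower() == expected


# Constructed Referer values seen for a site whose Host header is www.example.com.
SAMPLES = [
    "http://www.example.com/post.asp",
    "https://www.example.com/post.asp",          # substring form misses https
    "",                                           # no Referer header at all
    "http://www.example.com.other.example/",     # our origin as a prefix of another host
    "http://other.example/?u=http://www.example.com",   # our origin inside another URL
]


def compare(host="www.example.com", samples=SAMPLES):
    """Return [(referer, substring_result, host_result)] for the samples."""
    return [(r, referer_substring_check(r, host), referer_host_check(r, host)) for r in samples]


if __name__ == "__main__":
    for referer, sub, strict in compare():
        print(f"{referer!r:50} substring={sub!s:5} exact-host={strict}")
```

Treat either check as a speed bump that filters casual cross-site form submissions, not as proof of where a request came from; the real protection stays in validating every field in chk.asp, as the article says.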

I thought that would settle everything: add a few restrictions on the form page, such as maxlength and so on. But heaven does not cooperate; whatever you fear most is exactly what comes. Don't forget, the attacker can break through the input box length limit during a SQL injection attack. Write a SOCKET program to change HTTP_REFERER? I can't. An article like the following was published online:

------------len.reg-----------------
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\扩展(&E)]
@="C:\\Documents and Settings\\Administrator\\桌面\\len.htm"
"contexts"=dword:00000004
-----------end----------------------

-----------len.htm------------------
-----------end-----------------------

Usage: first import len.reg into the registry (mind the file path).
Then copy len.htm to the location specified in the registry.
Open the web page, put the cursor on the input box whose length you want to change, right-click, and you will see an extra option called 扩展 (extension).
One click and it's done! Postscript: the same thing also deals with those scripts that restrict the input content.

What to do? Our restriction has been bypassed; was all the effort for nothing? No. Raise your keyboard and say no. Let's get back to filtering script characters: the injection they perform is nothing more than a script attack. Let's put all our effort into the page after ACTION. In chk.asp we filter out every illegal character, and then what? Up front we only made a feint; let them go and change the registry, and only when they have finished will they discover that everything they did was in vain.

ASP trojans

Having come this far, one more reminder to forum webmasters: be careful with your file uploads. Why is it that once a forum program is broken, the host is taken over by the attacker as well? The reason lies in...... right! ASP trojans! An absolutely hateful thing. A virus? No. Drop one file anywhere among your forum's program files and go look for it yourself; you'll cough blood. How can ASP trojans be prevented from being uploaded to the server? The method is simple: if your forum supports file upload, set the file formats you will accept. I don't favour a changeable file format; lock it down in the program directly, to image formats and compressed files only, that is quite enough. Every convenience you leave yourself is a convenience you leave the attacker. How to check the format? I collected one routine and adapted another; have a look: program body (10)

' check whether the file type is acceptable
Private Function CheckFileExt(fileEXT)
    dim Forumupload
    Forumupload = "gif,jpg,bmp,jpeg"
    Forumupload = split(Forumupload, ",")
    for i = 0 to ubound(Forumupload)
        if lcase(fileEXT) = lcase(trim(Forumupload(i))) then
            CheckFileExt = true
            exit Function
        else
            CheckFileExt = false
        end if
    next
End Function

' verify that the file content is legitimate
set MyFile = server.CreateObject("Scripting.FileSystemObject")
set MyText = MyFile.OpenTextFile(sFile, 1)   ' read the text file
sTextAll = lcase(MyText.ReadAll): MyText.close
' look for dangerous operations in the user's file
sStr = "8|.getfolder|.createfolder|.deletefolder|.createdirectory|.deletedirectory"
sStr = sStr & "|.saveas|wscript.shell|script.encode"
sNoString = split(sStr, "|")   ' element 0 holds the count of the entries that follow
for i = 1 to sNoString(0)
    if instr(sTextAll, sNoString(i)) <> 0 then
        ' Upl is the upload component's object; MyFile is the FileSystemObject opened above
        sFile = Upl.Path & sFileSave: MyFile.DeleteFile sFile
        Response.write sFileSave & "文件中含有与操作目录等有关的命令" & _
                       mid(sNoString(i), 2) & ",为了安全原因,不能上传。"
        Response.end
    end if
next

Procedure body (10)
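Program body (10) in Python, as an added example (not the article's code): `check_file_ext` makes the same allow-list decision as `CheckFileExt`, `dangerous_token` scans the body for the same tokens, and `check_upload` adds a third check that is not on the page, that the first bytes of the file agree with the claimed extension (`MAGIC`), so a text file renamed to `.bmp` is rejected even when it contains none of the listed tokens. The sample uploads are constructed.

```python
import os
from typing import Optional, Tuple

# The allow-list from program body (10).
ALLOWED_EXT = {"gif", "jpg", "jpeg", "bmp"}

# The tokens program body (10) looks for, compared case-insensitively.
DANGEROUS = [".getfolder", ".createfolder", ".deletefolder", ".createdirectory",
             ".deletedirectory", ".saveas", "wscript.shell", "script.encode"]

# Leading bytes a genuine file of each allowed type starts with (added check,
# not in the page): the content must agree with the claimed extension.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "bmp": (b"BM",),
}


def file_ext(filename: str) -> str:
    """Extension after the last dot, lower-cased, without the dot."""
    return os.path.splitext(os.path.basename(filename))[1].lstrip(".").lower()


def check_file_ext(filename: str) -> bool:
    """Same decision as the page's CheckFileExt: extension on the allow-list."""
    return file_ext(filename) in ALLOWED_EXT


def dangerous_token(content: bytes) -> Optional[str]:
    """First blacklisted token found in the upload body, or None."""
    text = content.decode("latin-1").lower()    # latin-1 maps every byte, never fails
    for token in DANGEROUS:
        if token in text:
            return token
    return None


def check_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Run the three checks in order and return (accepted, reason)."""
    if not check_file_ext(filename):
        return False, "extension not allowed"
    token = dangerous_token(content)
    if token is not None:
        return False, "contains " + token
    ext = file_ext(filename)
    if not content.startswith(MAGIC[ext]):
        return False, "content does not look like a " + ext
    return True, "ok"


# Constructed sample uploads.
SAMPLES = {
    "photo.JPG": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "page.asp": b"<% %>",
    "banner.gif": b"GIF89a" + b"... wscript.shell ...",
    "notes.bmp": b"just some text",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:12} -> {check_upload(name, body)}")
```

The magic-byte check is cheap and catches the common case of a script saved under an image name; it is not a full image parser, so an upload directory should still be served without script execution rights.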

Add these to your upload program as one more validation and the security of your upload program will improve greatly.

What? Still not reassured? Bring out the trump card and ask your virtual host provider for help. Log in to the server and rename or delete the "shell.application" and "shell.application.1" entries under PROG ID. Then also rename or delete both the "WSCRIPT.SHELL" and "WSCRIPT.SHELL.1" entries. Heh, I dare say that probably close to half or more of the virtual hosts in the country have never changed these. You can only be glad your users are cooperative, otherwise...... delete, delete, delete delete delete......

Summary

How to better guard against SQL Injection attacks? Here I personally recommend a few methods. First, a free program should not really be used for free: since you can share the source code, the attacker can analyse the code just as well. Webmasters who are able had best change the database table names and field names; changing only the key ones, admin, username and password, is enough. Who could guess a field name like forum_upasswd? If you guessed it, hurry up and buy a lottery ticket; who else but you would win the grand prize? Also, the key to a typical site is the administrator's password; protecting your administrator password well is vital: at least a 10-character combination of digits and letters. Moreover, most site programs nowadays use MD5 to encrypt user passwords; together with the strength of your password, the security of your site is greatly increased. Even if a SQL Injection vulnerability appears, the attacker cannot take your site immediately.