Attacks that exploit SQL injection vulnerabilities, JS script attacks and HTML script attacks are becoming more and more active on the network. One site after another falls to such attacks, and unlike host vulnerabilities, which can be patched immediately, attacks that come in through the web application cause us a lot of inconvenience in both prevention and repair. For a webmaster this is the most painful thing. However strong your password is, the attacker can still obtain it, so how can we achieve real security? First, do not tie your password to your private life; second, the super-administrator password should be known to you alone; third, it is absolutely necessary to improve your web site's program. How to improve it is the ultimate goal of this article.
How do we do security? To protect, you have to know how the other side attacks. Many articles describe how to take over a particular site; in fact their attack methods come down to the following:
1. Simple scripting attack
Such attacks are more of a nuisance than anything else. For example ****: alert(); because a filter is not tight, the attacker gains nothing of use but can still be disruptive. Many sites offer free services, or the site's own program does not filter strictly, and that is where the problem lies.
2. Dangerous scripting attack
This kind of script attack goes as far as stealing information from the administrator or other users. The example everyone knows is stealing cookies; using script to write to the local client is even more common.
3. SQL injection exploits
It can be said that this type of attack began with Dongwang Forum and BBSXP: SQL special characters were not filtered tightly, and cross-database queries became possible. For example:
http://127.0.0.1/forum/showuser.asp?id=999 and 1=1
http://127.0.0.1/forum/showuser.asp?id=999 and 1=2
http://127.0.0.1/forum/showuser.asp?id=999 and 0<>(select count(*) from admin)
http://127.0.0.1/forum/showuser.asp?id=999'; declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:'--&aid=9
Getting the administrator password means controlling the whole site without needing any privileges on the host, but a lot of groundwork goes into that step as well. SQL injection attacks come in many forms: different files fail to filter in different ways, and so the query is attacked in different ways. Writing a complete character filter is impossible without going through every procedure.
4. Remote Injection Attacks
Many sites' form submission pages rely on a simple JS filter. Against the average user you need no more; against a premeditated attack such filtering has no effect at all. The POST attack we often speak of is one example: the attacker submits illegal data remotely to achieve his purpose.
From the attack methods described above we now broadly understand how attackers work; next we focus on how to effectively prevent script attacks!
We start with the simplest:
Against script attacks
Preventing JS and HTML script attacks is very simple: Server.HTMLEncode(Str) does it. Of course you will cry: how can that be? Do I have to add the filter to every page of my site until I am exhausted? To make filtering convenient, we only need to filter out a few key characters of HTML and JS scripts. Procedure body (1) is as follows:
' The following is a filter function
' The following is an application example
Username = CHK(Replace(Request("username"), "'", ""))
Write the function in a public include page; that is the most efficient.
Procedure body (1)
Another thing worth our attention: many sites' user registration or user-information modification pages also lack script filtering, or filter in only one of the two places, so a script that was filtered at registration can still be inserted when the information is modified and attack afterwards. Data submitted by a user should be checked and filtered as in procedure body (2):
' The following is a filter function
' (each Instr call tests for one character; an empty-string entry would match every input, so only real characters are listed)
If Instr(Request("username"), "=") > 0 Or _
   Instr(Request("username"), "%") > 0 Or _
   Instr(Request("username"), Chr(32)) > 0 Or _
   Instr(Request("username"), "?") > 0 Or _
   Instr(Request("username"), "&") > 0 Or _
   Instr(Request("username"), ";") > 0 Or _
   Instr(Request("username"), ",") > 0 Or _
   Instr(Request("username"), "'") > 0 Or _
   Instr(Request("username"), Chr(34)) > 0 Or _
   Instr(Request("username"), Chr(9)) > 0 Or _
   Instr(Request("username"), "$") > 0 Or _
   Instr(Request("username"), ">") > 0 Or _
   Instr(Request("username"), "<") > 0 Or _
   Instr(Request("username"), """") > 0 Then
    Response.Write "Friend, the user name you submitted contains illegal characters; please go back and change it, thank you"
    Response.End
End If
Procedure body (2)
To improve efficiency we go one step further and put the filter contents into a procedure, so that filtering the various parameters becomes much more efficient, as in procedure body (3):
' The main program follows
Dim Bword(18)
Bword(0) = "?"
Bword(1) = ";"
Bword(2) = ">"
Bword(3) = "<"
Bword(4) = "-"
Bword(5) = "'"
Bword(6) = """"
Bword(7) = "&"
Bword(8) = "%"
Bword(9) = "$"
Bword(10) = "'"
Bword(11) = ":"
Bword(12) = "|"
Bword(13) = "("
Bword(14) = ")"
Bword(15) = "--"
Bword(16) = Chr(9)    ' tab, as a character rather than the text "chr(9)"
Bword(17) = Chr(34)   ' double quote
Bword(18) = Chr(32)   ' space
errc = False
' Application example follows
FQYs = Request.ServerVariables("QUERY_STRING")   ' the string to check (assumed here to be the query string, as in procedure body (5))
For i = 0 To UBound(Bword)
    If Instr(FQYs, Bword(i)) <> 0 Then
        errc = True
    End If
Next
If errc Then
    Response.Write ""
    Response.End
End If
Procedure body (3)
With the above filter functions, you can call the filter function directly wherever your application needs to filter. This greatly simplifies the repair work.
In addition, I want to remind you once more: on a few sites a filtering problem appears when UBB image tags are converted; because it is hidden it is not easy to find.
Such as:
We modify the text labels,
Did you understand? The first single quote is the left quotation mark provided by the program, and the second single quote closes the right quotation mark, so the output becomes:
If the picture does not exist, the tag fires onerror and runs the script. On sites that filter single quotes, double quotation marks do the same job here. **** For a filtered field, alert() alone is enough. So when we filter we must filter completely and not leave the attacker any opening.
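The two routes this section names, rejecting key characters (procedure body (3)) and Server.HTMLEncode, together with the UBB image-tag case just described, as an added Python example (not code from the article): the blocklist refuses ordinary names like O'Brien, while encoding keeps them and still makes a script tag, or a quote inside an image URL, harmless. The function names, the sample inputs and the http(s)-only rule are this example's own assumptions.

```python
import html
from urllib.parse import urlsplit

# The character list of the article's procedure body (3) (assumed to be the same
# set; Chr(9), Chr(32) and Chr(34) written as the characters they stand for).
BLOCKED_CHARS = set("?;><-'\"&%$:|()") | {"\t", " "}


def has_blocked_char(value: str) -> bool:
    """Reject-style filter, as the article's Bword loop does: True means the
    input contains a listed character and is refused outright."""
    return any(ch in BLOCKED_CHARS for ch in value)


def html_encode(value: str) -> str:
    """Encode-style filter, the Server.HTMLEncode(Str) route: <, >, &, " and '
    become entities, so the text is never parsed as a tag or an attribute."""
    return html.escape(value, quote=True)


def render_ubb_img(url: str) -> str:
    """Convert [img]url[/img] the way the UBB section above describes, but safely:
    only http(s) URLs with a host are rendered, the value is attribute-encoded and
    always wrapped in double quotes, so a quote inside the URL cannot close the
    attribute early and smuggle in an onerror= handler."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        # Unknown scheme: show the tag as literal text instead of an <img>.
        return html_encode(f"[img]{url}[/img]")
    return f'<img src="{html_encode(url)}" alt="">'


if __name__ == "__main__":
    # Constructed inputs: a legitimate name, a script tag and an image URL that
    # tries to break out of the src attribute.
    for sample in ("O'Brien", "<script>alert(1)</script>"):
        print(repr(sample), "blocked:", has_blocked_char(sample),
              "encoded:", html_encode(sample))
    print(render_ubb_img('http://example.com/a.gif" onerror="alert(1)'))
    print(render_ubb_img("javascript:alert(1)"))
```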
Prevent SQL Injection exploits
This can be said to be the focus of the entire article. The diversity of SQL injection methods forces us to think harder about protection. Faced with the strong "offensive" of SQL injection, what exactly should we filter?
Some commonly used risky characters are:
'  closes a database field (string delimiter)
--  comment marker in some databases
#  comment marker in some databases
"  may cause an error
Cross-directory access
Unicode character-encoding features
$  may be used as a variable marker
/  also cross-directory access
NULL  be careful when handling "empty" entries; they can cause a database or system error and be used to construct an overflow
Space together with ' constructs a SQL injection
= &  a second parameter may rewrite the query string
(1) Starting from the most common SQL injection: filtering problems on the user name and password, such as:
Submitted user name: ' or ''='   user password: ' or ''='
Following the program, we arrive at the following database query:
Sql = "SELECT * FROM lUsers WHERE Username='' or ''='' and Password='' or ''=''"
In this way SQL Server returns all the records of the lUsers table, and the ASP script mistakes the attacker's input for the first record of the lUsers table, letting the attacker log in to the site with that user's name. Preventing this type of injection seems very simple:
Use the following procedure, program body (4):
strUsername = Replace(Request.Form("Username"), "'", "''")
strPassword = Replace(Request.Form("Password"), "'", "''")
Procedure body (4)
(2) To prevent SQL injection attacks, the first step is to use various security measures to control the user input coming from the ASP Request objects (Request, Request.QueryString, Request.Form, Request.Cookies and Request.ServerVariables), so that the SQL commands are reliable. The specific measures vary with your DBMS.
The harm a SQL injection attack can do depends on the site's software environment and configuration. When the web server accesses the database as the database owner (dbo), an injection attack can drop all the tables, create new tables, and so on. When it accesses the database as the super user (sa), an injection attack can control the entire SQL Server; under some configurations the attacker can even create an account of his own and take full control of the Windows server the database runs on.
Such as:
http://127.0.0.1/forum/showuser.asp?id=999'; declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:'--&aid=9
http://127.0.0.1/forum/showuser.asp?id=999'; declare @a sysname set @a='xp'+'_cm'+'Dshell' exec @a 'dir c:'--&aid=9
It can even run something like net user fqy fqy /add. Of course this requires the current account to be sa; if what you are attacking is only a virtual host, I advise you to stop there.
For some sites, preventing attackers from taking administrative rights on the machine directly through port 80 has become essential, and filtering xp_cmdshell becomes the first priority. Many sites submit data by a mixture of GET and POST, or by GET alone; for these we give a kind of GET-based SQL injection prevention procedure, program body (5):
fqys = LCase(Request.ServerVariables("query_string"))   ' lower-cased so the keyword list matches regardless of case
Dim nothis(18)
nothis(0) = "net user"
nothis(1) = "xp_cmdshell"
nothis(2) = "/add"
nothis(3) = "exec%20master.dbo.xp_cmdshell"
nothis(4) = "net localgroup administrators"
nothis(5) = "select"
nothis(6) = "count"
nothis(7) = "asc"
nothis(8) = "char"
nothis(9) = "mid"
nothis(10) = "'"
nothis(11) = ":"
nothis(12) = """"
nothis(13) = "insert"
nothis(14) = "delete"
nothis(15) = "drop"
nothis(16) = "truncate"
nothis(17) = "from"
nothis(18) = "%"
errc = False
For i = 0 To UBound(nothis)
    If Instr(fqys, nothis(i)) <> 0 Then
        errc = True
    End If
Next
If errc Then
    Response.Write ""
    Response.End
End If
Procedure body (5)
I want to point out: the above procedure filters data submitted by the GET method; do not apply it blindly.
As with attacks through the other ASP Request objects (Request, Request.QueryString, Request.Form, Request.Cookies and Request.ServerVariables), attacks on user input concentrate mostly on script variables whose expected input is a number (ID). Of course we cannot look only at the numeric variables, for example:
http://127.0.0.1/systembbs/showtopic.asp?tid=99&name=abc' and left(userpassword,1)='a
http://127.0.0.1/systembbs/addtopic.asp?tid=99&name=abc' and userpassword='or''='
In addition, how do we prevent a single injection error like this one?
http://127.0.0.1/systembbs/addtopic.asp?tid=99'; delete forum_forum;--&page=33
Prevention program, program body (6):
...... addtopic.asp?action=add ......
...... addtopic.asp?action=delete ......
action1 = Trim(Request.QueryString)
If Left(action1, 7) <> "action=" Then   ' the query string must begin with action=
    error(err01)   ' error handling
Else
    action = Request.QueryString("action")   ' get the value from the query string
End If
Select Case action   ' dispatch on the query string value
    Case "add"
        .....
    Case "delete"
        ......
    Case Else   ' any other value goes to error handling
        error(err02)
End Select
Procedure body (6)
When such an attack happens, our webmasters get a headache again. Here I can give you the best solution: in general a user name has no more than 15 characters, and most have 14. So we filter by length, as in program body (7):
name = Replace(name, "'", "")
If Len(name) > 16 Then
    Response.Write "You do what?"
    Response.End
End If
Procedure body (7)
Why do we filter single quotes here and then also impose a length limit? I will not say much; read 4ngel's article first.
Back to our theme, "the script variable whose expected input is a number (ID)". How do we guard it? Damn, there are too many ways; the most direct is to check whether the value is an integer, and then there are some more personalised checks. We introduce them one by one, as in program body (8):
First, check whether it is an integer:
p_lngID = CLng(Request("ID"))
Second, check the length; I believe the data in this field is no longer than 8 characters, so:
If Len(ID) > 8 Then
    Response.Write "bedpost"
    Response.End
End If
Third, a riskier approach in my view: query the database, and if no row with the same value exists in the table, return an error.
sql = "SELECT NAME FROM Category where ID=" & ID
Set temp = conn.Execute(sql)
If temp.BOF Or temp.EOF Then
    Response.Redirect("index.asp")
Else
    cat_name = temp("name")
End If
Set temp = Nothing
' The above only tests the ID; the formal query follows
sql = "SELECT ID T_ID, NAME FROM Category where ID=" & ID & " ORDER BY xh asc"
rs.Open sql, conn, 1, 1
Fourth, the data filter script I use myself (patented, oh~):
id = Replace(id, "'", "")
If Len(Request("id")) > 8 Then   ' why this length: explained above
    Response.Write ""
    Response.End
Else
    If Request("id") <> "" Then   ' the not-empty check: some procedures show a null value in the page, and without it the program would report an error
        If IsNumeric(Request("id")) = False Then   ' Feng Qingyang's modified ID monitoring
            Response.Write ""
            Response.End
        End If
    End If
End If
Procedure body (8)
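As an added example (not the article's ASP code), the login check of procedure body (4) and the numeric ID check of procedure body (8) side by side in Python: the spliced query that the ' or ''=' input defeats, the article's quote-doubling repair, a parameterised query, and why quote doubling cannot protect a numeric ID such as the showuser.asp?id=999 and 1=1 case. The lUsers and Category tables are constructed sample data in SQLite, which stands in for SQL Server here; ? is SQLite's placeholder syntax.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample tables standing in for the article's lUsers and Category."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE lUsers(Username TEXT, Password TEXT);
        INSERT INTO lUsers VALUES ('fqy', 'secret1'), ('admin', 'secret2');
        CREATE TABLE Category(ID INTEGER, NAME TEXT);
        INSERT INTO Category VALUES (1, 'general'), (2, 'help');
    """)
    return conn


def login_concat(conn, username, password):
    """Unsafe: the values are spliced into the SQL text, like the article's Sql = line.
    Returns the number of matching rows (2 = every user, the injection result)."""
    sql = (f"SELECT COUNT(*) FROM lUsers WHERE Username='{username}' "
           f"and Password='{password}'")
    return conn.execute(sql).fetchone()[0]


def login_quote_doubled(conn, username, password):
    """Procedure body (4): double each single quote before splicing. This keeps a
    string field closed, but it can only ever help inside quoted string values."""
    return login_concat(conn, username.replace("'", "''"),
                        password.replace("'", "''"))


def login_param(conn, username, password):
    """Parameterised query: the driver passes the values separately from the SQL,
    so no character in them can change the statement."""
    sql = "SELECT COUNT(*) FROM lUsers WHERE Username=? and Password=?"
    return conn.execute(sql, (username, password)).fetchone()[0]


def category_concat(conn, raw_id):
    """Unsafe numeric field: quote doubling changes nothing because the injected
    text (e.g. '1 and 1=1') contains no quotes at all."""
    sql = "SELECT NAME FROM Category where ID=" + raw_id.replace("'", "''")
    return [row[0] for row in conn.execute(sql)]


def parse_id(raw_id):
    """Procedure body (8) as one check: not empty, at most 8 characters, ASCII
    digits only. Returns the integer, or None when the value must be refused."""
    s = raw_id.strip()
    if not s or len(s) > 8 or not (s.isascii() and s.isdigit()):
        return None
    return int(s)


def category_param(conn, raw_id):
    """Validated integer plus a parameterised query; a refused ID yields no rows."""
    cid = parse_id(raw_id)
    if cid is None:
        return []
    sql = "SELECT NAME FROM Category where ID=?"
    return [row[0] for row in conn.execute(sql, (cid,))]


if __name__ == "__main__":
    db = make_db()
    probe = "' or ''='"
    print("concat:", login_concat(db, probe, probe))                # 2 rows: matches every user
    print("quote-doubled:", login_quote_doubled(db, probe, probe))  # 0
    print("param:", login_param(db, probe, probe))                  # 0
    print("numeric concat:", category_concat(db, "1 and 1=1"))      # ['general']
    print("numeric param:", category_param(db, "1 and 1=1"))        # []
```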
As a programming habit, I keep all the data-checking procedures in the site's public program, such as conn.asp, so that whenever a problem comes up the whole site can be fixed in one place.
Here I raise a small point about attacks: to run (brute-force) the user password or user name, the commonly used form is
....../show.asp?id=1 and 0<>(select count(*) from admin where id=3 and left(username,1)='a')
This way it is tried one character at a time. Of course we will not mention here the Perl programs that run passwords; other people wrote those, and it is enough to know the principle. I just want to give a more convenient way: take a range of ASC codes. This is much faster than trying each value alone. Whether letters, digits or special characters, they all have a corresponding ASC code, so use the following method:
....../show.asp?id=1 and 0<>(select count(*) from admin where id=3 and asc(right(left(username,3),1)) between 1 and 10000)
For the rest you can generally go from 97 to 122 (the letters), and it is soon done. Of course, anyone who prefers the mid function can use asc(mid(username,2,1)) between 1 and 10000 as well.
How to prevent SQL injection attacks more effectively? We will cover that specifically in the next article!
Preventing remote injection attacks
In the past this should have been the more common attack method, e.g. the POST attack: the attacker can easily change the values being submitted in order to attack. Another example is forged COOKIES, which also deserves the attention of programmers and webmasters: do not use COOKIES as the user authentication method, or you and the thief hold the same key.
For example:
If Trim(Request.Cookies("uname")) = "fqy" And Request.Cookies("upwd") = "Fqy#e3i5.com" Then
    ........ more .........
End If
I hope webmasters and friends who write programs do not make mistakes like this; it really is unforgivable. Forged COOKIES have been around for many years, and you cannot blame others for using them to run your password. For anything involving the user password or the user login, you had better use the session, which is the most secure. If you want to use COOKIES, add a SessionID to your cookie: it is a 64-bit random value, so guessing it is not feasible. Example:
If Not (rs.BOF Or rs.EOF) Then
    login = "true"
    Session("username" & sessionID) = Username
    Session("password" & sessionID) = Password
    ' Response.Cookies("username") = Username
    ' Response.Cookies("Password") = Password
End If
Let us talk about how to prevent remote injection attacks. Such attacks generally submit a form to the local server: Form ACTION="chk.asp" points to the file on your server that processes the data. If you do all the data filtering on the single form page, then congratulations, you are going to be script-attacked.
How do we stop such a remote attack? Easy to handle; see the code below, procedure body (9):
' I do not think the filtering code above is very good; some external submissions still got through, so I wrote another one.
' This filter works well; recommended.
If Instr(Request.ServerVariables("http_referer"), "http://" & Request.ServerVariables("host")) < 1 Then
    Response.Write "The server encountered an error while processing the URL. " & _
        "If you are using any means to attack the server, you should be glad: " & _
        "all operations on the server have been recorded, and we will notify the Public Security Bureau " & _
        "and the national security department to investigate your IP."
    Response.End
End If
Procedure body (9)
I thought everything would be fine once some constraints were added to the form page, such as maxlength and so on, but God does not make it so easy: what you fear most is what comes. Do not forget, an attacker who can break through with SQL injection can also break through the length limit of the input box. Write a SOCKET program to change HTTP_REFERER? I would not bother. An article published online:
------------ len.reg -----------------
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Extended(&E)]
@="C:\Documents and Settings\Administrator\Desktop\len.htm"
"Contexts"=dword:00000004
----------- End ----------------------
----------- len.htm ------------------
---------- End -----------------------
Usage: first import len.reg into the registry (note the file path),
then copy len.htm to the place specified in the registry.
Open the web page, right-click with the cursor in the input box whose length you want to change, and you will see one more option in the context menu, the extension on the right.
Click it and you are done! Postscript: the same method also deals with those input elements restricted by script.
So what? Was our limit broken and all our effort in vain? No. Raise your keyboard and say no. Let us go back to filtering script characters; these attacks are nothing more than script injection. We put all our energy into the ACTION page: in chk.asp we filter out all illegal characters. The result? We only feinted up front and made them go and change the registry; when they finish all the changes they find it was all in vain.
ASP Trojan
Mentioned here to remind forum webmasters: be careful with your file uploads. Why is it that after a forum program is broken into, the host gets taken over too? The reason... right! An ASP Trojan! An absolutely abominable thing. A virus? Definitely not. The file easily gets into your forum program and then turns up all over your site; if you do not vomit blood, that is strange. How to prevent an ASP Trojan from being uploaded to the server? The method is simple: if your forum supports file upload, you can set which file formats may be uploaded; if I do not use them, I change the allowed formats and lock them directly in the procedure, allowing only image formats and compressed files, which is more convenient for you and leaves the attacker less room. How to check the format? I collected one here and changed it a bit; have a look at procedure body (10):
' Check that the file type is allowed
Private Function CheckFileExt(fileEXT)
    Dim Forumupload
    Forumupload = "gif,jpg,bmp,jpeg"
    Forumupload = Split(Forumupload, ",")
    CheckFileExt = False
    For i = 0 To UBound(Forumupload)
        If LCase(fileEXT) = LCase(Trim(Forumupload(i))) Then
            CheckFileExt = True
            Exit Function
        End If
    Next
End Function
' Verify the legitimacy of the file content
Set MyFile = Server.CreateObject("Scripting.FileSystemObject")
Set MyText = MyFile.OpenTextFile(sFile, 1)   ' open the uploaded file for reading
sTextAll = LCase(MyText.ReadAll): MyText.Close
' Check for dangerous file and directory operations in the uploaded content
sStr = "8|.getfolder|.createfolder|.deletefolder|.createdirectory|.deletedirectory"
sStr = sStr & "|.saveas|wscript.shell|script.encode"
sNoString = Split(sStr, "|")   ' sNoString(0) holds the count of entries that follow it
For i = 1 To sNoString(0)
    If Instr(sTextAll, sNoString(i)) <> 0 Then
        sFile = Upl.Path & sFileSave: fs.DeleteFile sFile   ' Upl and fs: the upload component's objects, defined elsewhere
        Response.Write sFileSave & " contains a command for file or directory operations, " & _
            Mid(sNoString(i), 2) & "; for security reasons it cannot be uploaded."
        Response.End
    End If
Next
Procedure body (10)
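Procedure body (10) as an added Python example (not the article's own code): the extension allowlist and the dangerous-string scan from the article, plus one check the article does not do, that the file content starts with the magic bytes of the image type the extension claims. Function names and the sample uploads are constructed for this example.

```python
# Extensions the article's CheckFileExt allows (its Forumupload list).
ALLOWED_EXT = {"gif", "jpg", "jpeg", "bmp"}
# Strings the article's upload check refuses inside the file (its sStr list).
DANGER_STRINGS = (".getfolder", ".createfolder", ".deletefolder", ".createdirectory",
                  ".deletedirectory", ".saveas", "wscript.shell", "script.encode")
# Added beyond the article: the leading bytes each allowed image type must have.
MAGIC = {"gif": (b"GIF87a", b"GIF89a"), "jpg": (b"\xff\xd8\xff",),
         "jpeg": (b"\xff\xd8\xff",), "bmp": (b"BM",)}


def check_file_ext(filename: str):
    """CheckFileExt: the last extension only, compared case-insensitively against
    the allowlist. Returns the normalised extension or None."""
    if "." not in filename:
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return ext if ext in ALLOWED_EXT else None


def find_danger_string(data: bytes):
    """The article's sNoString loop: first dangerous string found (lower-cased
    search, like LCase(MyText.ReadAll)), or None."""
    text = data.decode("latin-1").lower()   # byte-for-byte, never fails to decode
    for needle in DANGER_STRINGS:
        if needle in text:
            return needle
    return None


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason). Checks run in the order extension, magic bytes,
    dangerous content, so a script file renamed to .gif fails the second check."""
    ext = check_file_ext(filename)
    if ext is None:
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):   # startswith accepts a tuple of prefixes
        return False, "content does not match extension"
    found = find_danger_string(data)
    if found is not None:
        return False, f"contains {found}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads.
    samples = {
        "photo.JPG": b"\xff\xd8\xff\xe0JFIF",
        "page.asp": b"GIF89a",
        "x.gif": b"<% x.GetFolder() %>",
        "y.gif": b"GIF89a<% x.GetFolder() %>",
    }
    for name, content in samples.items():
        print(name, validate_upload(name, content))
```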
Add this validation to your upload procedure, and the security of your upload process will be greatly improved.
What? Still worried? Then the killer move: ask your hosting provider to help. Log in to the server and rename or delete the "shell.application" and "shell.application.1" ProgID entries, then rename or delete the two "WSCRIPT.SHELL" and "WSCRIPT.SHELL.1" entries as well. Oh, I dare say more than half of China's virtual hosts have not done this. Fortunately you can be a very cooperative user; otherwise... I delete, I delete, delete delete delete...
Summary
How to better prevent SQL injection attacks? Here I recommend several ways. First, free programs are not really free to use: since you can share the original code, the attacker can analyse the same code. If the webmaster is able, it is best to change the database table names and field names; changing only the key ones (admin, username, password) is enough. Who could guess a field name like forum_upasswd? If someone guessed it, they had better go and buy a lottery ticket quickly, a top prize would not be beyond them. In addition, the key generally lies in the site administrator's password; protecting your administrator password well is crucial, with at least 10 characters combining digits and letters. Another plus: most site programs use MD5 to encrypt user passwords; together with a robust password, the security of your site is greatly increased. Even if there is a SQL injection vulnerability, the attacker cannot take your site immediately.