网站每天都被sql注入攻击,有什么特效药没?
立竿见影的效果的.IIS方面?程序方面?改程序有点麻烦,服务器方面有什么可行的方法.
在Global.asax文件中加入如下方法即可:
#region SQL注入式攻击代码分析
/// <summary>
/// 处理用户提交的请求
/// </summary>
private void StartProcessRequest()
{
try
{
string getkeys = "";
if (System.Web.HttpContext.Current.Request.QueryString != null)
{
for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++)
{
getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i];
if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys]))
{
System.Web.HttpContext.Current.Response.Write(" <h3>不能包含执行语句 </h3>");
System.Web.HttpContext.Current.Response.End();
}
}
}
if (System.Web.HttpContext.Current.Request.Form != null)
{
for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count; i++)
{
getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i];
if (getkeys == "__VIEWSTATE") continue;
if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys]))
{
jcFAQApp.FAQ_Util.Log.WriteMessage(" <font color:red>注入攻击 </red>", System.Web.HttpContext.Current.Request.UserHostAddress.ToString());
System.Web.HttpContext.Current.Response.Write(" <h3>不能包含执行语句 </h3>");
System.Web.HttpContext.Current.Response.End();
}
}
}
}
catch
{
}
}
/// <summary>
/// 分析用户请求是否正常
/// </summary>
/// <param name="Str">传入用户提交数据 </param>
/// <returns>返回是否含有SQL注入式攻击代码 </returns>
private bool ProcessSqlStr(string Str)
{
bool ReturnValue = true;
try
{
if (Str.Trim() != "")
{
//string SqlStr = "and ¦exec ¦insert ¦select ¦delete ¦update ¦count ¦* ¦chr ¦mid ¦master ¦truncate ¦char ¦declare";
string SqlStr = "exec ¦insert ¦select ¦delete ¦update ¦mid ¦master ¦truncate ¦declare";
string[] anySqlStr = SqlStr.Split('¦');
foreach (string ss in anySqlStr)
{
if (Str.ToLower().IndexOf(ss) >= 0)
{
ReturnValue = false;
break;
}
}
}
}
catch
{
ReturnValue = false;
}
return ReturnValue;
}
#endregion
C# code
/// <summary>
/// 自己封装的Request 可以在其中进行一些操作
/// </summary>
/// <param name="str"></param>
/// <returns></returns>
public static string BbnRequest(string str)
{
if (System.Web.HttpContext.Current.Request.HttpMethod == "GET")
{
string value = System.Web.HttpContext.Current.Request[str];
if (value == null)
{
return null;
}
string pattern = @"'|xp_cmdshell|/add|exec|%|select|count|insert|delete|drop|update|truncate|or|and|*|@|master|char|declare|join";
bool bl = Regex.IsMatch(value, pattern, RegexOptions.IgnoreCase);
if (bl)
{
string clientIp = WbfTools.BLL.Utils.GetIP();
string clientURL = System.Web.HttpContext.Current.Request.Url.ToString();
string serverParch = System.Web.HttpContext.Current.Server.MapPath("~/");
//写日志
StreamWriter sw = File.AppendText(serverParch + "sqlin.txt");
sw.WriteLine("IP:" + clientIp + " URL:" + clientURL + " DateTime:" + DateTime.Now.ToString());
sw.Flush();
sw.Close();
sw.Dispose();
System.Web.HttpContext.Current.Response.Write("希望您只是来做俯卧撑的!!!<br />");
System.Web.HttpContext.Current.Response.Write(clientIp);
System.Web.HttpContext.Current.Response.End();
return "";
}
else
{
return value;
}
}
else
{
string value = System.Web.HttpContext.Current.Request[str];
value = Regex.Replace(value, "<", ">", RegexOptions.IgnoreCase);
value = Regex.Replace(value, ">", "<", RegexOptions.IgnoreCase);
value = Regex.Replace(value, "xp_cmdshell", "<span>xp_cmdshell</span>", RegexOptions.IgnoreCase);
value = Regex.Replace(value, "/add", "<span>/add</span>", RegexOptions.IgnoreCase);
value = Regex.Replace(value, "%", "<span>%</span>", RegexOptions.IgnoreCase);
value = Regex.Replace(value, "select", "<span>select</span>", RegexOptions.IgnoreCase);
value = Regex.Replace(value, "count", "<span>count</span>", RegexOptions.IgnoreCase);
value = Regex.Replace(value, "'", """, RegexOptions.IgnoreCase);
value = Regex.Replace(value, "insert", "<span>insert</span>", RegexOptions.IgnoreCase);
value = Regex.Replace(value, "delete", "<span>delete</span>", RegexOptions.IgnoreCase);
value = Regex.Replace(value, "drop", "<span>drop</span>", RegexOptions.IgnoreCase);
value = Regex.Replace(value, "update", "<span>update</span>", RegexOptions.IgnoreCase);
value = Regex.Replace(value, "truncate", "<span>truncate</span>", RegexOptions.IgnoreCase);
value = Regex.Replace(value, "iframe", "<span>iframe</span>", RegexOptions.IgnoreCase);
value = Regex.Replace(value, "or", "<span>or</span>", RegexOptions.IgnoreCase);
value = Regex.Replace(value, "and", "<span>and</span>", RegexOptions.IgnoreCase);
value = Regex.Replace(value, "@", "<span>@</span>", RegexOptions.IgnoreCase);
value = Regex.Replace(value, "chr", "<span>chr</span>", RegexOptions.IgnoreCase);
value = Regex.Replace(value, "mid", "<span>mid</span>", RegexOptions.IgnoreCase);
value = Regex.Replace(value, "master", "<span>master</span>", RegexOptions.IgnoreCase);
value = Regex.Replace(value, "truncate", "<span>truncate</span>", RegexOptions.IgnoreCase);
value = Regex.Replace(value, "char", "<span>char</span>", RegexOptions.IgnoreCase);
value = Regex.Replace(value, "declare", "<span>declare</span>", RegexOptions.IgnoreCase);
value = Regex.Replace(value, "join", "<span>join</span>", RegexOptions.IgnoreCase);
return value;
}
}
两种办法,一种是在glob中加判断,上面已经有人接了, 另外一种办法就是把访问数据的帐号的权限变小,把对应数据库中的系统表syscolumns和sysobjects中的权限中的public的select权限去掉,因为大部份的注入都是从系统表中找出你这个数据库中的大字段,然后再批量替换。所以不能他查系统表的权限就可以较少很多风险。除非他清除你系统中的表结构。
在GLOBAL加过滤不可取
1.我可以将SQL语句转为ASCII码绕过你的检查
2.为什么我的QUERYSTRING或者FORM中不能包含SELECT?如果按照此方法,那么我这次回复就会失败,因为我的回复中也包含SELECT。
假如服务器是你自己的,那么就很好处理这个问题,在SQL用户权限方面限制一下就可以基本防止注入了,就是说一般的浏览用户权限只有很小的只读而已,至于后台用户就用另一个权限稍大的SQL用户,然后修补好后台程序,或者把“查找”,“插入”,“修改”,“删除”这四个基本操作全部封装在存储过程里面(我就是这样做),然后通过参数传递调用即可。
最简单的办法是修改IIS配置,将500错误指向自定义的错误报告页面. 这样客户端无法得到详细的错误报告信息, 就可以防止sql注入了.
|
京ICP备14024464 公安备案号 京1081234