½â¾öSQL Injection©¶´µÄÒ»¸öº¯Êý
½â¾öSQL Injection©¶´µÄÒ»¸öº¯Êý
http://blog.csdn.net/cncco/archive/2006/04/07/654254.aspx
º¯Êý
<%
Function CheckInput(str,strType)
'º¯Êý¹¦ÄÜ£º¹ýÂË×Ö·û²ÎÊýÖеĵ¥ÒýºÅ£¬¶ÔÓÚÊý×Ö²ÎÊý½øÐÐÅжϣ¬Èç¹û²»ÊÇÊýÖµÀàÐÍ£¬Ôò¸³Öµ0
'²ÎÊýÒâÒ壺 str ---- Òª¹ýÂ˵IJÎÊý
' strType ---- ²ÎÊýÀàÐÍ£¬·ÖΪ×Ö·ûÐͺÍÊý×ÖÐÍ£¬×Ö·ûÐÍΪ"s"£¬Êý×ÖÐÍΪ"i"
Dim strTmp
strTmp = ""
If strType ="s" Then
strTmp = Replace(Trim(str),"'","'")
ElseIf strType="i" Then
If isNumeric(str)=False Then str="0"
strTmp = str
Else
strTmp = str
End If
CheckInput = strTmp
End Function
%>
Õâ¸öº¯ÊýºÜ¼òµ¥£¬ Ö÷ÒªÊÇÕë¶Ô×Ö·û´®ºÍÊý×ÖÁ½ÖÖÀàÐ͵Ĵ«ÈëÊý¾Ý·Ö±ð½øÐÐÁË´¦Àí£¬¾ßÌåÓ÷¨£º
×Ö·ûÀàÐ͵Ä
strUsername = CheckInput(Request(“username“),“s“)
Êý×ÖÀàÐ͵Ä
ID = CheckInput(Request(“id“),“i“)
SQL InjectionµÄΣº¦ÊǺܴóµÄ£¬±ÈÈç¶ÔÓÚSQL Server£¬¿ÉÒÔ´´½¨¡¢É¾³ýÊý¾Ý¿â£¬Ö´ÐÐϵͳÃüÁîµÈµÈ£¬ Èçdrop table tbl_name, execute master.dbo.xp_cmdshell "command"ËùÒԺܶàÈËдµÄº¯Êý¾ÍÊÇÆ´ÃüµÄÈ¥¹ýÂËÕâЩ¿ÉÄÜÒýÆðΣº¦µÄ¹Ø¼ü´Ê£¬±ÈÈçdrop ,·ÖºÅ,and,exe,midµÈµÈ£¬ÂÞÁÐÁËÒ»´ó¶Ñ¡£
Æäʵ£¬¾¡¿ÉÒÔ²»±ØÄÇô·±Ëö£¬·ÇÒª°Ñ¼òµ¥µÄÊÂÇ鸴ÔÓ»¯¡£
¶ÔÓÚ¹ýÂË£¬ASPÖÐÖ»ÒªÕë¶Ô×Ö·ûÐͺÍÊý×ÖÐÍ·Ö±ð´¦Àí¾Í¿ÉÒÔÁË£¬
×Ö·ûÐ͵ģ¬°Ñµ¥ÒýºÅת»»³ÉÁ½¸öµ¥ÒýºÅ strTmp = Replace(Trim(str),"'","'")
Êý×ÖÐ͵ģ¬¾ÍÅжÏÊÇ·ñÄܹ»×ª»»³ÉÊý×ÖÐ굀 £¬Óà isNumericº¯Êý
ÏÖÔÚÍøÉÏ˵µÄÄܹ»Èƹýµ¥ÒýºÅµÄ¹¥»÷£¬ÆäʵÊÇÕë¶ÔÊý×ÖÀàÐ͵Ä,Èç¹û¶ÔÓÚ¹ýÂËÁ˵¥ÒýºÅµÄ×Ö·ûÐÍ£¬»¹Óа취Èƹý£¬ÄǾÍûµÃÍæÁË........
±¾ÎÄÀ´×ÔCSDN²©¿Í£¬×ªÔØÇë±êÃ÷³ö´¦£ºhttp://blog.csdn.net/cncco/archive/2006/04/07/654254.aspx
Ïà¹ØÎĵµ£º
CREATE OR REPLACE PACKAGE BODY PACK_RISK_FUNCTION AS
--- 1 ½«·ûºÅÌæ»»³É#ºÅ »òÐí¿ÉÒÔÓÃÕýÔò±í´ïʽ£¬µ«ÊÇÏÓÂé·³»¹ÊÇÖ±½ÓÓÃÌæ»»
FUNCTION CHANGE_OPERATOR(FORMULA VARCHAR2)
RETURN VARCHAR2
AS
V_FORMULA VARCHAR2(100);
BEGIN
V_FORMULA := REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(REPLACE(FORMULA,'(',''), ......
--´´½¨Á´½Ó·þÎñÆ÷
exec sp_addlinkedserver 'server_tmp','','SQLOLEDB','Ô¶³Ì·þÎñÆ÷Ãû»òipµØÖ·'
exec sp_addlinkedsrvlogin 'server_tmp','false',null,'Óû§Ãû','ÃÜÂë'
exec sp_serveroption 'server_lnk','rpc out','true' --Õâ¸öÔÊÐíµ÷ÓÃÁ´½Ó·þÎñÆ÷ÉϵĴ洢¹ý³Ì
go
--µ÷Óãº
exec server_tmp.Êý¾ ......
1.µÇ½ϵͳÓû§
sqlplus È»ºóÊäÈëϵͳÓû§ÃûºÍÃÜÂë
µÇ½±ðµÄÓû§
conn Óû§Ãû/ÃÜÂë;
2.´´½¨±í¿Õ¼ä
create tablespace ¿Õ¼äÃû
datafile 'c:"¿Õ¼äÃû' size 15M --±í¿Õ¼äµÄ´æ·Å·¾¶,³õʼֵΪ15M
autoExtend on next 10M --¿Õ¼äµÄ×Ô¶¯Ôö³¤µÄÖµÊÇ10M
permanent online; --ÓÀ¾ÃʹÓÃ
3.´´½¨Óû§
create user s ......
Áù¸ö·ÀÖ¹SQL×¢Èëʽ¹¥»÷µÄ½¨Òé
http://blog.csdn.net/jefflam/archive/2009/06/01/4233359.aspx
SQL×¢Èë¹¥»÷µÄΣº¦ÐԺܴó¡£ÔÚ½²½âÆä·ÀÖ¹°ì·¨Ö®Ç°£¬Êý¾Ý¿â¹ÜÀíÔ±ÓбØÒªÏÈÁ˽âÒ»ÏÂÆä¹¥»÷µÄÔÀí¡£ÕâÓÐÀûÓÚ¹ÜÀíÔ±²ÉÈ¡ÓÐÕë¶ÔÐԵķÀÖδëÊ©¡£
¡¡¡¡Ò»¡¢ SQL×¢Èë¹¥»÷µÄ¼òµ¥Ê¾Àý¡£
¡¡¡¡statement := "SELECT * from Users WHERE Va ......
ÓÃADO¹ÜÀíSQL SERVER
http://blog.csdn.net/cncco/archive/2009/11/09/4789123.aspx
ÔÚÈí¼þ¿ª·¢ÖУ¬³£³£ÐèҪΪ³ÌÐò½¨Á¢Sql ServerÊý¾Ý¿âµÄÔËÐл·¾³¡£Íê³ÉÈçÔÚSQL ServerÊý¾Ý¿âÖн¨Á¢É豸£¬½¨Á¢Êý¾Ý¿â£¬½¨Á¢±í¸ñ£¬·ÖÅäȨÏ޵ȹ¦ÄÜ£¬ÈçºÎ·½±ãµÄ½¨Á¢Ó¦ÓóÌÐòËùÐèSql Server»·¾³µÄÊý¾Ý¿â»·¾³£¬¶ø²»ÓÃÆô¶¯SQL Enterprise Manage ......
