最近看到很多人的网站都被注入js,被iframe之类的。非常多。
1.首先检查一下服务器配置,重新配置一次服务器安全,可以参考
http://hi.baidu.com/zzxap/blog/item/18180000ff921516738b6564.html
2.其次,用麦咖啡自定义策略,即使网站程序有漏洞,别人也很难在文件上写入代码了。
参考自定义策略,有了这个策略,再烂的程序,你也无法写入我的文件
http://hi.baidu.com/zzxap/blog/item/efe093a7e0f2c190d04358ef.html
3.可以用网络超级巡警删除被注入的JS代码。
参考
http://hi.baidu.com/anlish/blog/item/ba45bb18eac77e0534fa4134.html
4.如何批量删除数据库中被注入的代码?
在数据库查询分析器运行这段代码即可
代码
DECLARE @fieldtype sysname
SET @fieldtype='varchar'
--删除处理
DECLARE hCForEach CURSOR GLOBAL
FOR
SELECT N'update '+QUOTENAME(o.name)
+N' set '+ QUOTENAME(c.name) + N' = replace(' + QUOTENAME(c.name) + ',''<script_src=http://ucmal.com/0.js> </script>'','''')'
FROM sysobjects o,syscolumns c,systypes t
WHERE o.id=c.id
AND OBJECTPROPERTY(o.id,N'IsUserTable')=1
AND c.xusertype=t.xusertype
AND t.name=@fieldtype
EXEC sp_MSforeach_Worker @command1=N'?'
SET @fieldtype='varchar'
--删除处理
DECLARE hCForEach CURSOR GLOBAL
FOR
SELECT N'update '+QUOTENAME(o.name)
+N' set '+ QUOTENAME(c.name) + N' = replace(' + QUOTENAME(c.name) + ',''<script_src=http://ucmal.com/0.js> </script>'','''')'
FROM sysobjects o,syscolumns c,systypes t
WHERE o.id=c.id
AND OBJECTPROPERTY(o.id,N'IsUserTable')=1
AND c.xusertype=t.xusertype
AND t.name=@fieldtype
EXEC sp_MSforeach_Worker @command1=N'?'
5.创建一个触发器,只要有 </script>就不给插入,对性能会有点影响
create trigger tr_table_insertupdate
on tablename
for insert,update
as
if exists (
select 1 from inserted
where data like '%</script>%'
)
begin
RAISERROR ('不能修改或者添加',16,1);
ROLLBACK TRANSACTION
end
go
on tablename
for insert,update
as
if exists (
select 1 from inserted
where data like '%</script>%'
)
begin
RAISERROR ('不能修改或者添加',16,1);
ROLLBACK TRANSACTION
end
go
6.最重要的还是程序的写法,用参数化SQL或存储过程
例如
代码
protected void cmdok_Click(object sender, EventArgs e)
{
//添加信息
StringBuilder sql = new StringBuilder( " insert into m_phone ( pid,PhoneName,num,price,phonetype,onSellTime,color,weight,Video,Camera,phoneSize,phoneSystem,Memorysize,PhoneDesc,Standbytime,ScreenSize,Frequency,InputMethod,Soundrecord,gps,fm,mp3,email,Infrared,game,clock,Calendar,Calculator,Bluetooth) ");
sql.Append(" values (@pid,@TextPhoneName,@Textnum,@Textprice,@Dropphonetype2,@TextonSellTime,@Textcolor,@Textweight ");
.................
SqlParameter[] paras = { new SqlParameter("@pid", SqlDbType.Int, 4) ,
new SqlParameter("@TextPhoneName", SqlDbType.NVarChar, 50) ,
new SqlParameter("@Textnum", SqlDbType.Int, 4) ,
new SqlParameter("@Textprice", SqlDbType.Int, 4) ,
new SqlParameter("@Dropphonetype2", SqlDbType.VarChar, 20) ,
new SqlParameter("@TextonSellTime", SqlDbType.DateTime, 8) ,
new SqlParameter("@Textcolor", SqlDbType.VarChar, 20) ,
new SqlParameter("@Textweight", SqlDbType.NVarChar, 50) ,
...........
};
string[] stra = {Dropphonetype.SelectedValue,TextPhoneName.Text , Textnum.Text, Textprice.Text, Dropphonetype2.SelectedValue, TextonSellTime.Text, Textcolor.Text, Textweight.Text,
.............};
int a=stra.Length;
int j;
for ( j = 0; j < a; j++)
{
paras[j].Value = stra[j];
}
int strpid = 0;
string sqla = sql.ToString();
try
{
SqlHelper.ExcuteNonQurey(sqla, CommandType.Text, paras);//执行添加数据
strpid = Convert.ToInt32(SqlHelper.ExcuteSclare(sqla, CommandType.Text, paras)); //获取刚才插入的id号
}
catch (SqlException ex)
{
cmdreturn.Text = ex.Message.ToString();
}
cmdreturn.Text = strpid.ToString();
。。。。。。。。。
{
//添加信息
StringBuilder sql = new StringBuilder( " insert into m_phone ( pid,PhoneName,num,price,phonetype,onSellTime,color,weight,Video,Camera,phoneSize,phoneSystem,Memorysize,PhoneDesc,Standbytime,ScreenSize,Frequency,InputMethod,Soundrecord,gps,fm,mp3,email,Infrared,game,clock,Calendar,Calculator,Bluetooth) ");
sql.Append(" values (@pid,@TextPhoneName,@Textnum,@Textprice,@Dropphonetype2,@TextonSellTime,@Textcolor,@Textweight ");
.................
SqlParameter[] paras = { new SqlParameter("@pid", SqlDbType.Int, 4) ,
new SqlParameter("@TextPhoneName", SqlDbType.NVarChar, 50) ,
new SqlParameter("@Textnum", SqlDbType.Int, 4) ,
new SqlParameter("@Textprice", SqlDbType.Int, 4) ,
new SqlParameter("@Dropphonetype2", SqlDbType.VarChar, 20) ,
new SqlParameter("@TextonSellTime", SqlDbType.DateTime, 8) ,
new SqlParameter("@Textcolor", SqlDbType.VarChar, 20) ,
new SqlParameter("@Textweight", SqlDbType.NVarChar, 50) ,
...........
};
string[] stra = {Dropphonetype.SelectedValue,TextPhoneName.Text , Textnum.Text, Textprice.Text, Dropphonetype2.SelectedValue, TextonSellTime.Text, Textcolor.Text, Textweight.Text,
.............};
int a=stra.Length;
int j;
for ( j = 0; j < a; j++)
{
paras[j].Value = stra[j];
}
int strpid = 0;
string sqla = sql.ToString();
try
{
SqlHelper.ExcuteNonQurey(sqla, CommandType.Text, paras);//执行添加数据
strpid = Convert.ToInt32(SqlHelper.ExcuteSclare(sqla, CommandType.Text, paras)); //获取刚才插入的id号
}
catch (SqlException ex)
{
cmdreturn.Text = ex.Message.ToString();
}
cmdreturn.Text = strpid.ToString();
。。。。。。。。。
7.通过URL传递的参数要用加密解密
传输
string szTmp = "safdsfdsafdsfytrsd";
szTmp = Server.UrlEncode(szTmp);
接收
STRING STRA=Server.UrlDecode(request.querystring(szTmp));
string szTmp = "safdsfdsafdsfytrsd";
szTmp = Server.UrlEncode(szTmp);
接收
STRING STRA=Server.UrlDecode(request.querystring(szTmp));
8.把要使用的参数处理一下单引号,再放到SQL里面
例如 string stra=aa.replace("'","''")
用参数化SQL可以不用处理单引号
指定参数类型和过滤掉单引号,就可以杜绝99.9%入侵了
网上那些过滤 update insert 等关键字的程序是用处不大的 upupdatedate 过滤掉 update还是update
还会造成不必要的麻烦
//-------------------------------------上面需要的存储过程。
代码
============================================================
USE [master]
GO
/****** 对象: StoredProcedure [dbo].[sp_MSforeach_workers] 脚本日期: 07/16/2009 10:24:23 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
/*
* This is the workers proc for all of the "for each" type procs. Its function is to read the
* next replacement name from the cursor (which returns only a single name), plug it into the
* replacement locations for the commands, and execute them. It assumes the cursor "hCForEach"
* has already been opened by its caller.
*/
CREATE proc [dbo].[sp_MSforeach_workers]
@command1 nvarchar(2000), @replacechar nchar(1) = N'?', @command2 nvarchar(2000) = null, @command3 nvarchar(2000) = null
as
create table #qtemp ( /* Temp command storage */
qnum int NOT NULL,
qchar nvarchar(2000) COLLATE database_default NULL
)
set nocount on
declare @name nvarchar(517), @namelen int, @q1 nvarchar(2000), @q2 nvarchar(2000)
declare @q3 nvarchar(2000), @q4 nvarchar(2000), @q5 nvarchar(2000)
declare @q6 nvarchar(2000), @q7 nvarchar(2000), @q8 nvarchar(2000), @q9 nvarchar(2000), @q10 nvarchar(2000)
declare @cmd nvarchar(2000), @replacecharindex int, @useq tinyint, @usecmd tinyint, @nextcmd nvarchar(2000)
declare @namesave nvarchar(517), @nametmp nvarchar(517), @nametmp2 nvarchar(258)
open hCForEach
fetch hCForEach into @name
/* Loop for each database */
while (@@fetch_status >= 0) begin
/* Initialize. */
/* save the original dbname */
select @namesave = @name
select @useq = 1, @usecmd = 1, @cmd = @command1, @namelen = datalength(@name)
while (@cmd is not null) begin /* Generate @q* for exec() */
/*
* Parse each @commandX into a single executable batch.
* Because the expanded form of a @commandX may be > OSQL_MAXCOLLEN_SET, we'll need to allow overflow.
* We also may append @commandX's (signified by '++' as first letters of next @command).
*/
select @replacecharindex = charindex(@replacechar, @cmd)
while (@replacecharindex <> 0) begin
/* 7.0, if name contains ' character, and the name has been single quoted in command, double all of them in dbname */
/* if the name has not been single quoted in command, do not doulbe them */
/* if name contains ] character, and the name has been [] quoted in command, double all of ] in dbname */
select @name = @namesave
select @namelen = datalength(@name)
declare @tempindex int
if (substring(@cmd, @replacecharindex - 1, 1) = N'''') begin
/* if ? is inside of '', we need to double all the ' in name */
select @name = REPLACE(@name, N'''', N'''''')
end else if (substring(@cmd, @replacecharindex - 1, 1) = N'[') begin
/* if ? is inside of [], we need to double all the ] in name */
select @name = REPLACE(@name, N']', N']]')
end else if ((@name LIKE N'%].%]') and (substring(@name, 1, 1) = N'[')) begin
/* ? is NOT inside of [] nor '', and the name is in [owner].[name] format, handle it */
/* !!! work around, when using LIKE to find string pattern, can't use '[', since LIKE operator is treating '[' as a wide char */
select @tempindex = charindex(N'].[', @name)
select @nametmp = substring(@name, 2, @tempindex-2 )
select @nametmp2 = substring(@name, @tempindex+3, len(@name)-@tempindex-3 )
select @nametmp = REPLACE(@nametmp, N']', N']]')
select @nametmp2 = REPLACE(@nametmp2, N']', N']]')
select @name = N'[' + @nametmp + N'].[' + @nametmp2 + ']'
end else if ((@name LIKE N'%]') and (substring(@name, 1, 1) = N'[')) begin
/* ? is NOT inside of [] nor '', and the name is in [name] format, handle it */
/* j.i.c., since we should not fall into this case */
/* !!! work around, when using LIKE to find string pattern, can't use '[', since LIKE operator is treating '[' as a wide char */
select @nametmp = substring(@name, 2, len(@name)-2 )
select @nametmp = REPLACE(@nametmp, N']', N']]')
select @name = N'[' + @nametmp + N']'
end
/* Get the new length */
select @namelen = datalength(@name)
/* start normal process */
if (datalength(@cmd) + @namelen - 1 > 2000) begin
/* Overflow; put preceding stuff into the temp table */
if (@useq > 9) begin
raiserror 55555 N'sp_MSforeach_worker assert failed: command too long'
close hCForEach
deallocate hCForEach
return 1
end
if (@replacecharindex < @namelen) begin
/* If this happened close to beginning, make sure expansion has enough room. */
/* In this case no trailing space can occur as the row ends with @name. */
select @nextcmd = substring(@cmd, 1, @replacecharindex)
select @cmd = substring(@cmd, @replacecharindex + 1, 2000)
select @nextcmd = stuff(@nextcmd, @replacecharindex, 1, @name)
select @replacecharindex = charindex(@replacechar, @cmd)
insert #qtemp values (@useq, @nextcmd)
select @useq = @useq + 1
continue
end
/* Move the string down and stuff() in-place. */
/* Because varchar columns trim trailing spaces, we may need to prepend one to the following string. */
/* In this case, the char to be replaced is moved over by one. */
insert #qtemp values (@useq, substring(@cmd, 1, @replacecharindex - 1))
if (substring(@cmd, @replacecharindex - 1, 1) = N' ') begin
select @cmd = N' ' + substring(@cmd, @replacecharindex, 2000)
select @replacecharindex = 2
end else begin
select @cmd = substring(@cmd, @replacecharindex, 2000)
select @replacecharindex = 1
end
select @useq = @useq + 1
end
select @cmd = stuff(@cmd, @replacecharindex, 1, @name)
select @replacecharindex = charindex(@replacechar, @cmd)
end
/* Done replacing for current @cmd. Get the next one and see if it's to be appended. */
select @usecmd = @usecmd + 1
select @nextcmd = case (@usecmd) when 2 then @command2 when 3 then @command3 else null end
if (@nextcmd is not null and substring(@nextcmd, 1, 2) = N'++') begin
insert #qtemp values (@useq, @cmd)
select @cmd = substring(@nextcmd, 3, 2000), @useq = @useq + 1
continue
end
/* Now exec() the generated @q*, and see if we had more commands to exec(). Continue even if errors. */
/* Null them first as the no-result-set case won't. */
select @q1 = null, @q2 = null, @q3 = null, @q4 = null, @q5 = null, @q6 = null, @q7 = null, @q8 = null, @q9 = null, @q10 = null
select @q1 = qchar from #qtemp where qnum = 1
select @q2 = qchar from #qtemp where qnum = 2
select @q3 = qchar from #qtemp where qnum = 3
select @q4 = qchar from #qtemp where qnum = 4
select @q5 = qchar from #qtemp where qnum = 5
select @q6 = qchar from #qtemp where qnum = 6
select @q7 = qchar from #qtemp where qnum = 7
select @q8 = qchar from #qtemp where qnum = 8
select @q9 = qchar from #qtemp where qnum = 9
select @q10 = qchar from #qtemp where qnum = 10
truncate table #qtemp
exec (@q1 + @q2 + @q3 + @q4 + @q5 + @q6 + @q7 + @q8 + @q9 + @q10 + @cmd)
select @cmd = @nextcmd, @useq = 1
end /* while @cmd is not null, generating @q* for exec() */
/* All commands done for this name. Go to next one. */
fetch hCForEach into @name
end /* while FETCH_SUCCESS */
close hCForEach
deallocate hCForEach
return 0
USE [master]
GO
/****** 对象: StoredProcedure [dbo].[sp_MSforeach_workers] 脚本日期: 07/16/2009 10:24:23 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
/*
* This is the workers proc for all of the "for each" type procs. Its function is to read the
* next replacement name from the cursor (which returns only a single name), plug it into the
* replacement locations for the commands, and execute them. It assumes the cursor "hCForEach"
* has already been opened by its caller.
*/
CREATE proc [dbo].[sp_MSforeach_workers]
@command1 nvarchar(2000), @replacechar nchar(1) = N'?', @command2 nvarchar(2000) = null, @command3 nvarchar(2000) = null
as
create table #qtemp ( /* Temp command storage */
qnum int NOT NULL,
qchar nvarchar(2000) COLLATE database_default NULL
)
set nocount on
declare @name nvarchar(517), @namelen int, @q1 nvarchar(2000), @q2 nvarchar(2000)
declare @q3 nvarchar(2000), @q4 nvarchar(2000), @q5 nvarchar(2000)
declare @q6 nvarchar(2000), @q7 nvarchar(2000), @q8 nvarchar(2000), @q9 nvarchar(2000), @q10 nvarchar(2000)
declare @cmd nvarchar(2000), @replacecharindex int, @useq tinyint, @usecmd tinyint, @nextcmd nvarchar(2000)
declare @namesave nvarchar(517), @nametmp nvarchar(517), @nametmp2 nvarchar(258)
open hCForEach
fetch hCForEach into @name
/* Loop for each database */
while (@@fetch_status >= 0) begin
/* Initialize. */
/* save the original dbname */
select @namesave = @name
select @useq = 1, @usecmd = 1, @cmd = @command1, @namelen = datalength(@name)
while (@cmd is not null) begin /* Generate @q* for exec() */
/*
* Parse each @commandX into a single executable batch.
* Because the expanded form of a @commandX may be > OSQL_MAXCOLLEN_SET, we'll need to allow overflow.
* We also may append @commandX's (signified by '++' as first letters of next @command).
*/
select @replacecharindex = charindex(@replacechar, @cmd)
while (@replacecharindex <> 0) begin
/* 7.0, if name contains ' character, and the name has been single quoted in command, double all of them in dbname */
/* if the name has not been single quoted in command, do not doulbe them */
/* if name contains ] character, and the name has been [] quoted in command, double all of ] in dbname */
select @name = @namesave
select @namelen = datalength(@name)
declare @tempindex int
if (substring(@cmd, @replacecharindex - 1, 1) = N'''') begin
/* if ? is inside of '', we need to double all the ' in name */
select @name = REPLACE(@name, N'''', N'''''')
end else if (substring(@cmd, @replacecharindex - 1, 1) = N'[') begin
/* if ? is inside of [], we need to double all the ] in name */
select @name = REPLACE(@name, N']', N']]')
end else if ((@name LIKE N'%].%]') and (substring(@name, 1, 1) = N'[')) begin
/* ? is NOT inside of [] nor '', and the name is in [owner].[name] format, handle it */
/* !!! work around, when using LIKE to find string pattern, can't use '[', since LIKE operator is treating '[' as a wide char */
select @tempindex = charindex(N'].[', @name)
select @nametmp = substring(@name, 2, @tempindex-2 )
select @nametmp2 = substring(@name, @tempindex+3, len(@name)-@tempindex-3 )
select @nametmp = REPLACE(@nametmp, N']', N']]')
select @nametmp2 = REPLACE(@nametmp2, N']', N']]')
select @name = N'[' + @nametmp + N'].[' + @nametmp2 + ']'
end else if ((@name LIKE N'%]') and (substring(@name, 1, 1) = N'[')) begin
/* ? is NOT inside of [] nor '', and the name is in [name] format, handle it */
/* j.i.c., since we should not fall into this case */
/* !!! work around, when using LIKE to find string pattern, can't use '[', since LIKE operator is treating '[' as a wide char */
select @nametmp = substring(@name, 2, len(@name)-2 )
select @nametmp = REPLACE(@nametmp, N']', N']]')
select @name = N'[' + @nametmp + N']'
end
/* Get the new length */
select @namelen = datalength(@name)
/* start normal process */
if (datalength(@cmd) + @namelen - 1 > 2000) begin
/* Overflow; put preceding stuff into the temp table */
if (@useq > 9) begin
raiserror 55555 N'sp_MSforeach_worker assert failed: command too long'
close hCForEach
deallocate hCForEach
return 1
end
if (@replacecharindex < @namelen) begin
/* If this happened close to beginning, make sure expansion has enough room. */
/* In this case no trailing space can occur as the row ends with @name. */
select @nextcmd = substring(@cmd, 1, @replacecharindex)
select @cmd = substring(@cmd, @replacecharindex + 1, 2000)
select @nextcmd = stuff(@nextcmd, @replacecharindex, 1, @name)
select @replacecharindex = charindex(@replacechar, @cmd)
insert #qtemp values (@useq, @nextcmd)
select @useq = @useq + 1
continue
end
/* Move the string down and stuff() in-place. */
/* Because varchar columns trim trailing spaces, we may need to prepend one to the following string. */
/* In this case, the char to be replaced is moved over by one. */
insert #qtemp values (@useq, substring(@cmd, 1, @replacecharindex - 1))
if (substring(@cmd, @replacecharindex - 1, 1) = N' ') begin
select @cmd = N' ' + substring(@cmd, @replacecharindex, 2000)
select @replacecharindex = 2
end else begin
select @cmd = substring(@cmd, @replacecharindex, 2000)
select @replacecharindex = 1
end
select @useq = @useq + 1
end
select @cmd = stuff(@cmd, @replacecharindex, 1, @name)
select @replacecharindex = charindex(@replacechar, @cmd)
end
/* Done replacing for current @cmd. Get the next one and see if it's to be appended. */
select @usecmd = @usecmd + 1
select @nextcmd = case (@usecmd) when 2 then @command2 when 3 then @command3 else null end
if (@nextcmd is not null and substring(@nextcmd, 1, 2) = N'++') begin
insert #qtemp values (@useq, @cmd)
select @cmd = substring(@nextcmd, 3, 2000), @useq = @useq + 1
continue
end
/* Now exec() the generated @q*, and see if we had more commands to exec(). Continue even if errors. */
/* Null them first as the no-result-set case won't. */
select @q1 = null, @q2 = null, @q3 = null, @q4 = null, @q5 = null, @q6 = null, @q7 = null, @q8 = null, @q9 = null, @q10 = null
select @q1 = qchar from #qtemp where qnum = 1
select @q2 = qchar from #qtemp where qnum = 2
select @q3 = qchar from #qtemp where qnum = 3
select @q4 = qchar from #qtemp where qnum = 4
select @q5 = qchar from #qtemp where qnum = 5
select @q6 = qchar from #qtemp where qnum = 6
select @q7 = qchar from #qtemp where qnum = 7
select @q8 = qchar from #qtemp where qnum = 8
select @q9 = qchar from #qtemp where qnum = 9
select @q10 = qchar from #qtemp where qnum = 10
truncate table #qtemp
exec (@q1 + @q2 + @q3 + @q4 + @q5 + @q6 + @q7 + @q8 + @q9 + @q10 + @cmd)
select @cmd = @nextcmd, @useq = 1
end /* while @cmd is not null, generating @q* for exec() */
/* All commands done for this name. Go to next one. */
fetch hCForEach into @name
end /* while FETCH_SUCCESS */
close hCForEach
deallocate hCForEach
return 0