·À·¶SQL×¢Èëʽ¹¥»÷
SQL×¢Èëʽ¹¥»÷ÊÇÀûÓÃÊÇÖ¸ÀûÓÃÉè¼ÆÉϵÄ©¶´£¬ÔÚÄ¿±ê·þÎñÆ÷ÉÏÔËÐÐSqlÃüÁîÒÔ¼°½øÐÐÆäËû·½Ê½µÄ¹¥»÷¶¯Ì¬Éú³ÉSqlÃüÁîʱûÓжÔÓû§ÊäÈëµÄÊý¾Ý½øÐÐ
ÑéÖ¤ÊÇSql×¢Èë¹¥»÷µÃ³ÑµÄÖ÷ÒªÔÒò¡£
±ÈÈ磺
Èç¹ûÄãµÄ²éѯÓï¾äÊÇselect * from admin where
username="&user&" and password="&pwd&""
ÄÇô£¬Èç¹ûÎÒµÄÓû§ÃûÊÇ£º1 or 1=1
ÄÇô£¬ÄãµÄ²éѯÓï¾ä½«»á±ä³É£º
select * from admin
where username=1 or 1=1 and password="&pwd&""
ÕâÑùÄãµÄ²éѯÓï¾ä¾Íͨ¹ýÁË£¬´Ó¶ø¾Í¿ÉÒÔ½øÈëÄãµÄ¹ÜÀí½çÃæ¡£
ËùÒÔ·À·¶µÄʱºòÐèÒª¶ÔÓû§µÄÊäÈë½øÐмì²é¡£ÌرðʽһЩÌØÊâ×Ö·û£¬±ÈÈçµ¥ÒýºÅ£¬Ë«ÒýºÅ£¬·ÖºÅ£¬¶ººÅ£¬Ã°ºÅ£¬Á¬½ÓºÅµÈ½øÐÐת»»»òÕß¹ýÂË¡£
ÐèÒª¹ýÂ˵ÄÌØÊâ×Ö·û¼°×Ö·û´®ÓУº
¡¡¡¡ net user
¡¡¡¡ xp_cmdshell
¡¡¡¡ /add
¡¡¡¡ exec
master.dbo.xp_cmdshell
¡¡¡¡ net localgroup administrators
¡¡¡¡ select
¡¡
¡¡ count
¡¡¡¡ Asc
¡¡¡¡ char
¡¡¡¡ mid
¡¡¡¡
¡¡¡¡ :
¡¡¡¡ "
¡¡¡¡
insert
¡¡¡¡ delete from
¡¡¡¡ drop table
¡¡¡¡ update
¡¡¡¡ truncate
¡¡
¡¡ from
¡¡¡¡ %
ÏÂÃæ¹ØÓÚ½â¾ö×¢Èëʽ¹¥»÷µÄ·À·¶´úÂ룬¹©´ó¼Òѧϰ²Î¿¼£¡
js°æµÄ·À·¶SQL×¢Èëʽ¹¥»÷´úÂ룺
¡¡¡¡
<script language="javascript">
<!--
var url = location.search;
var
re=/^\?(.*)(select%20|insert%20|delete%20from%20|count\(|drop%20table|update%20truncate%20|asc\(|mid\(|char\(|xp_cmdshell|exec%20master|net%20localgroup%20administrators|\"|:|net%20user|\|%20or%20)(.*)/gi;
var e = re.test(url);
if(e) {
alert("µØÖ·Öк¬ÓзǷ¨×Ö·û¡«");
location.href="error.asp";
}
//-->
<script>
asp°æµÄ·À·¶SQL×¢Èëʽ¹¥»÷´úÂë¡«£º
[CODE START]
<%
On Error Resume Next
Dim strTemp
If LCase(Request.ServerVariables("HTTPS")) = "off" Then
strTemp =
"http://"
Else
strTemp = "https://"
End If
strTemp = strTemp & Request.ServerVariables("SERVER_NAME")
If
Request.ServerVariables("SERVER_PORT") <> 80 Then strTemp =
strTemp & ":" & Request.ServerVariables("SERV
Ïà¹ØÎĵµ£º
Íâ¼ü
======================
Íâ¼üÊÇÏà¶ÔÓÚÖ÷¼ü˵µÄ£¬Êǽ¨Á¢±íÖ®¼ä µÄÁªÏµµÄ±ØÐëµÄÇ°Ìá¡£
±ÈÈ磺ѧÉú±í ¡¢Ñ§Éú³É¼¨±íÒ»Ò»¶ÔÓ¦ÊÇÒòΪ ËûÃǶ¼¾ßÓÐÏàͬµÄ×ֶΣºÑ§ºÅ£¬°ÑѧÉú±í×÷ΪÖ÷±í£¬Ñ§ºÅÊÇËûµÄÖ÷¼ü£¬Ïà¶ÔÓÚÖ÷±íÀ´Ëµ£¬Ñ§Éú³É¼¨µÄ×ֶΠѧºÅ¾ÍÊÇѧÉú±íµÄÍâ¼ü¡£
ûÓÐÍâ¼ü£¬Á½¸ö±í¾Íû°ì·¨½¨Á¢ÁªÏµ°¡£¡ ......
Ò»¡¢Ê²Ã´ÊÇSQL×¢Èëʽ¹¥»÷?
¡¡¡¡ËùνSQL×¢Èëʽ¹¥»÷£¬¾ÍÊǹ¥»÷Õß°ÑSQLÃüÁî²åÈëµ½Web±íµ¥µÄÊäÈëÓò»òÒ³ÃæÇëÇóµÄ²éѯ×Ö·û´®£¬ÆÛÆ·þÎñÆ÷Ö´ÐжñÒâµÄSQLÃüÁî¡£ÔÚijЩ±í
µ¥ÖУ¬Óû§ÊäÈëµÄÄÚÈÝÖ±½ÓÓÃÀ´¹¹Ôì(»òÕßÓ°Ïì)¶¯Ì¬SQLÃüÁ»ò×÷Ϊ´æ´¢¹ý³ÌµÄÊäÈë²ÎÊý£¬ÕâÀà±íµ¥ÌرðÈÝÒ×Êܵ½SQL×¢Èëʽ¹¥»÷¡£³£¼ûµÄSQL×¢Èëʽ¹¥
»÷¹ý³ÌÀàÈ磺
......
AcessÓëSQLµÄÇø±ð
ÒÔÏÂ總結ÁË×Ô¼ºÔÚ項Ä¿ÖÐËùÓöµ½µÄÓÐ關Acess與SQL²î異µÄһЩµØ·½£º
1£¬¶ÔÓÚÈÕÆÚ×Ö¶Î×Ö¶Î
¡¡¡¡access±íʾΪ:#1981-28-12#
¡¡¡¡SQLSERVER2000±íʾΪ:''1981-02-12''
¡¡¡¡2,SQLÓï¾äÇø±ð£¬_select,_updateÔÚ¶Ôµ¥±í²Ù×÷ʱ¶¼²î²»¶à£¬
¡¡¡¡µ«¶à±í²Ù×÷ʱupdateÓï¾ ......
·ÀÖ¹·Ç·¨±íD99_Tmp,kill_kkµÄ³öÏÖÊÇ·ÀÖ¹ÎÒÃǵÄÍøÕ¾²»±»¹¥»÷,ͬʱҲÊÇSQL°²È«·À·¶Ò»µÀ±ØÒªµÄ·ÀÏß,Ëä˵ÀûÓÃÕâÖÖ·½Ê½¹¥»÷µÄÈ˶¼ÊǺڿÍÖеÄСÄñ,µ«ÊÇÎÒÃÇÒ²²»µÃ²»·À,ÒÔÃâÔì³É²»¿ÉÏëÏóµÄºó¹û,·Ï»°²»¶à˵ÁË,˵Ï·À·¶·½·¨:
xp_cmdshell¿ÉÒÔÈÃϵͳ¹ÜÀíÔ±ÒÔ²Ù×÷ϵͳÃüÁîÐнâÊÍÆ÷µÄ·½Ê½Ö´Ðиø¶¨µÄÃüÁî×Ö·û´®,²¢ÒÔÎı¾Ðз½Ê½·µ»ØÈκÎÊ ......
·þÎñÓë·þÎñÆ÷ÊÇÁ½¸ö²»Í¬µÄ¸ÅÄ·þÎñÆ÷ÊÇÌṩ·þÎñµÄ¼ÆËã»ú£¬ÅäÖ÷þ
ÎñÆ÷Ö÷ÒªÊǶÔÄÚ´æ¡¢´¦ÀíÆ÷¡¢°²È«ÐԵȼ¸¸ö·½ÃæÅäÖá£ÓÉÓÚSQL Server 2005·þÎñÆ÷µÄÉèÖòÎÊý±È½Ï¶à£¬ÕâÀïѡһЩ±È½Ï³£ÓõĽéÉÜ¡£
ÅäÖÃSQL Server 2005·þÎñÆ÷µÄ°ì·¨£ºÆô¶¯¡¾SQL
Server Management
Studio¡¿£¬ÔÚ¡¾¶ÔÏó×ÊÔ´¹ÜÀíÆ÷¡¿´°¿ÚÀÓÒ»÷ÒªÅäÖõķþÎ ......
