sqlserver防止数据库挂马新尝试
想法不错,放着以后应该会有用 网站挂马非常让人头痛,每次的安全措施都是治标不治本,想找到根本原因,只能去分析你的程序源代码,由于很多网站不是一个程序员开发,很多的注入漏洞很难发现,曾经通过公共文件加入过滤代码,基本无效,买了个叫龙盾的IIS防火
想法不错,放着以后应该会有用
网站挂马非常让人头痛,每次的安全措施都是治标不治本,想找到根本原因,只能去分析你的程序源代码,由于很多网站不是一个程序员开发,很多的注入漏洞很难发现,曾经通过公共文件加入过滤代码,基本无效,买了个叫龙盾的IIS防火墙,好像有点用,但最后还是被攻破了,sqlserver又被挂了。
每次注入都要用“UPDATE 表名 set 字段名= REPLACE(字段名,
网站挂马非常让人头痛,每次的安全措施都是治标不治本,想找到根本原因,只能去分析你的程序源代码,由于很多网站不是一个程序员开发,很多的注入漏洞很难发现,曾经通过公共文件加入过滤代码,基本无效,买了个叫龙盾的IIS防火墙,好像有点用,但最后还是被攻破了,sqlserver又被挂了。
每次注入都要用“UPDATE 表名 set 字段名= REPLACE(字段名,'木马地址','')”最后一个引号真想写去死吧!
我们不能阻止住它往数据库里挂木马,但是总有方法我们可以让它挂不成功。最后想到了触发器。熟悉触发器的都知道,sql2000插入数据和修改数据其实都是先放在inserted临时表里,然后才实际去放到对应表里。阻击黑客的脚步就这个临时表里。
下面是一段触发器的代码,暂时对木马注入起到一定的作用。
CREATE trigger 触发器名
on 表名
for update,insert
as
declare @a varchar(100) --存储字段1
declare @b varchar(100) --存储字段2
declare @c varchar(100) --存储字段3
select @a=字段1,@b=字段2,@c=字段3 from inserted
if(@a like '%script%' or @b like '%script%' or @c like '%script%')
begin
ROLLBACK transaction
end
这段触发器的意思是,先定义三个变量,分别存储放在inserted表里的三个容易被黑客下手的字符串型字段,然后用like模糊判断值中是否含有script字样,如果有,就回滚事务,不报错,以麻痹黑客,让他误以为已经挂好马了。各位被挂马的朋友可以把这段脚本拿去,对应着修改,应该可以保证网站不被挂马。另外容易被挂马的字段还有text型,但是这个类型处理比较麻烦点,而且观察发现黑客挂一个表往往是好几个字段同时挂,所以只要一个字段不成功,整个表都是不成功的。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1393
52
37
110
What is the difference between mysql and sqlserver syntax
Apr 22, 2024 pm 06:33 PM
The syntax differences between MySQL and SQL Server are mainly reflected in database objects, data types, SQL statements and other aspects. Database object differences include the storage engine and how filegroups are specified, and the creation of indexes and constraints. Data type differences involve differences in numeric types, character types, and date and time types. SQL statement differences are reflected in result set limitations, data insertion, update and delete operations, etc. Other differences include how identity columns, views, and stored procedures are created. Understanding these differences is important to avoid errors when using different database systems.
iOS 18 adds a new 'Recovered' album function to retrieve lost or damaged photos
Jul 18, 2024 am 05:48 AM
Apple's latest releases of iOS18, iPadOS18 and macOS Sequoia systems have added an important feature to the Photos application, designed to help users easily recover photos and videos lost or damaged due to various reasons. The new feature introduces an album called "Recovered" in the Tools section of the Photos app that will automatically appear when a user has pictures or videos on their device that are not part of their photo library. The emergence of the "Recovered" album provides a solution for photos and videos lost due to database corruption, the camera application not saving to the photo library correctly, or a third-party application managing the photo library. Users only need a few simple steps
How does Hibernate implement polymorphic mapping?
Apr 17, 2024 pm 12:09 PM
Hibernate polymorphic mapping can map inherited classes to the database and provides the following mapping types: joined-subclass: Create a separate table for the subclass, including all columns of the parent class. table-per-class: Create a separate table for subclasses, containing only subclass-specific columns. union-subclass: similar to joined-subclass, but the parent class table unions all subclass columns.
Where is the navicat database file?
Apr 23, 2024 am 10:57 AM
The location where the Navicat database configuration files are stored varies by operating system: Windows: The user-specific path is %APPDATA%\PremiumSoft\Navicat\macOS: The user-specific path is ~/Library/Application Support/Navicat\Linux: The user-specific path is ~/ .config/navicat\The configuration file name contains the connection type, such as navicat_mysql.ini. These configuration files store database connection information, query history, and SSH settings.
Detailed tutorial on establishing a database connection using MySQLi in PHP
Jun 04, 2024 pm 01:42 PM
How to use MySQLi to establish a database connection in PHP: Include MySQLi extension (require_once) Create connection function (functionconnect_to_db) Call connection function ($conn=connect_to_db()) Execute query ($result=$conn->query()) Close connection ( $conn->close())
How to handle database connection errors in PHP
Jun 05, 2024 pm 02:16 PM
To handle database connection errors in PHP, you can use the following steps: Use mysqli_connect_errno() to obtain the error code. Use mysqli_connect_error() to get the error message. By capturing and logging these error messages, database connection issues can be easily identified and resolved, ensuring the smooth running of your application.
How to write navicat database connection url
Apr 24, 2024 am 02:33 AM
The format of the Navicat connection URL is: protocol://username:password@host:port/database name? Parameters, which contain the information required for the connection, including protocol, username, password, hostname, port, database name and optional parameter.
How to connect to remote database using Golang?
Jun 01, 2024 pm 08:31 PM
Through the Go standard library database/sql package, you can connect to remote databases such as MySQL, PostgreSQL or SQLite: create a connection string containing database connection information. Use the sql.Open() function to open a database connection. Perform database operations such as SQL queries and insert operations. Use defer to close the database connection to release resources.
