Please note that full content-injection detection is much more complex than what is shown here; the scripts below are a heuristic first pass.
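-- Reset the scratch table that collects flagged cell values.
-- ##InjWatch is a GLOBAL temp table: it is shared with every session on the
-- instance and survives until the last session referencing it ends, so drop
-- it once the review is finished.
If Object_Id('tempdb..##InjWatch') Is Not Null
    Truncate Table ##InjWatch   -- intentional: clear the whole table before a new scan
Else
    Create Table ##InjWatch(
        ctext nvarchar(max),    -- flagged value; nvarchar so Unicode content is kept as-is
        tab   nvarchar(768),    -- "schema.[table]" the value came from (sysname is nvarchar(128))
        col   nvarchar(768)     -- column the value came from
    );
GO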
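-- Reset the scratch table that collects flagged cell values (the opening
-- If-line of this batch was lost when the page was copied; restored here).
-- ##InjWatch is a GLOBAL temp table shared by every session on the instance;
-- drop it once the review is finished.
If Object_Id('tempdb..##InjWatch') Is Not Null
    Truncate Table ##InjWatch   -- intentional: clear the whole table before a new scan
Else
    Create Table ##InjWatch(
        ctext nvarchar(max),    -- flagged value; nvarchar so Unicode content is kept as-is
        tab   nvarchar(768),    -- "schema.[table]" the value came from
        col   nvarchar(768)     -- column the value came from
    );
GO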
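-- Scan every string column of every user table for values that look like
-- injected HTML/script and collect the hits in ##InjWatch.
-- The LIKE heuristics ('href', 'return', '://' ...) are deliberately broad and
-- WILL produce false positives: the output is a review list, not a verdict.
Set TRANSACTION ISOLATION LEVEL read uncommitted;   -- a full-table scan of everything; do not block writers
Declare CheckHtmlInjectCursor Cursor LOCAL FAST_FORWARD For
Select
    -- QuoteName() escapes ']' inside an identifier; '[' + name + ']' does not,
    -- so an unusual column/table name could break (or redirect) the dynamic SQL.
    'Cast(' + QuoteName(c.name) + ' As nvarchar(max))'      As c_cast,
    QuoteName(s.name) + '.' + QuoteName(T.name)              As from_obj,
    -- these two are spliced in as string literals: double any single quote
    Replace(c.name, '''', '''''')                            As c_name,
    Replace(s.name + '.[' + T.name + ']', '''', '''''')      As sT_name
From sys.tables T
Inner Join sys.columns c On c.object_id = T.object_id
Inner Join sys.types ty On ty.system_type_id = c.system_type_id
    And ty.user_type_id = ty.system_type_id   -- base type row, so alias (user-defined) string types match too
Inner Join sys.schemas s On s.schema_id = T.schema_id
Where ty.name In ('varchar', 'nvarchar', 'char', 'nchar', 'text', 'ntext')   -- TODO: xml, binary and CLR types
    -- sys.columns.max_length is in bytes: -1 marks (n)varchar(max) and 16 is the
    -- pointer size recorded for text/ntext, so both must be allowed explicitly or
    -- exactly the columns most likely to hold HTML are skipped.
    And (c.max_length > 16 Or c.max_length = -1 Or ty.name In ('text', 'ntext'))
Declare @c_cast   nvarchar(600),   -- Unicode throughout: object names are sysname = nvarchar(128)
        @from_obj nvarchar(600),
        @c_name   nvarchar(600),
        @sT_name  nvarchar(600),
        @execSQL  nvarchar(max)
Open CheckHtmlInjectCursor
Fetch Next From CheckHtmlInjectCursor Into @c_cast, @from_obj, @c_name, @sT_name
While @@FETCH_STATUS = 0
Begin
    Set @execSQL =
        N'Insert Into ##InjWatch(ctext, tab, col) ' +
        N'Select ' + @c_cast + N' As ctext, N''' + @sT_name + N''' As tab, N''' + @c_name + N''' As col ' +
        N'From ' + @from_obj + N' ' +
        N'Where (' + @c_cast + N' Like ''%<%'' And ' + @c_cast + N' Like ''%>%'')' +   -- tag-like text
        N' Or ' + @c_cast + N' Like ''%script:%''' +                                    -- javascript:/vbscript: URLs
        N' Or ' + @c_cast + N' Like ''%://%''' +                                        -- any absolute URL (noisy)
        N' Or ' + @c_cast + N' Like ''%href%''' +
        N' Or ' + @c_cast + N' Like ''%return%'''                                       -- very noisy on free text
    Execute sp_executesql @execSQL;
    Fetch Next From CheckHtmlInjectCursor Into @c_cast, @from_obj, @c_name, @sT_name
End
Close CheckHtmlInjectCursor
Deallocate CheckHtmlInjectCursor
-- explicit column list; Distinct because the same value may be hit by several patterns
Select Distinct tab, col, ctext From ##InjWatch Order By tab, col
GO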
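-- Scan every string column of every user table for values that look like
-- injected HTML/script and collect the hits in ##InjWatch. This batch runs
-- under whatever isolation level the session already has.
-- The LIKE heuristics are deliberately broad and WILL produce false positives:
-- the output is a review list, not a verdict.
Declare CheckHtmlInjectCursor Cursor LOCAL FAST_FORWARD For
Select
    -- QuoteName() escapes ']' inside an identifier; '[' + name + ']' does not,
    -- so an unusual column/table name could break (or redirect) the dynamic SQL.
    'Cast(' + QuoteName(c.name) + ' As nvarchar(max))'      As c_cast,
    QuoteName(s.name) + '.' + QuoteName(T.name)              As from_obj,
    -- these two are spliced in as string literals: double any single quote
    Replace(c.name, '''', '''''')                            As c_name,
    Replace(s.name + '.[' + T.name + ']', '''', '''''')      As sT_name
From sys.tables T
Inner Join sys.columns c On c.object_id = T.object_id
Inner Join sys.types ty On ty.system_type_id = c.system_type_id
    And ty.user_type_id = ty.system_type_id   -- base type row, so alias (user-defined) string types match too
Inner Join sys.schemas s On s.schema_id = T.schema_id
Where ty.name In ('varchar', 'nvarchar', 'char', 'nchar', 'text', 'ntext')   -- TODO: xml, binary and CLR types
    -- sys.columns.max_length is in bytes: -1 marks (n)varchar(max) and 16 is the
    -- pointer size recorded for text/ntext; both must be allowed explicitly or
    -- exactly the columns most likely to hold HTML are skipped.
    And (c.max_length > 16 Or c.max_length = -1 Or ty.name In ('text', 'ntext'))
Declare @c_cast   nvarchar(600),   -- Unicode throughout: object names are sysname = nvarchar(128)
        @from_obj nvarchar(600),
        @c_name   nvarchar(600),
        @sT_name  nvarchar(600),
        @execSQL  nvarchar(max)
Open CheckHtmlInjectCursor
Fetch Next From CheckHtmlInjectCursor Into @c_cast, @from_obj, @c_name, @sT_name
While @@FETCH_STATUS = 0
Begin
    Set @execSQL =
        N'Insert Into ##InjWatch(ctext, tab, col) ' +
        N'Select ' + @c_cast + N' As ctext, N''' + @sT_name + N''' As tab, N''' + @c_name + N''' As col ' +
        N'From ' + @from_obj + N' ' +
        N'Where (' + @c_cast + N' Like ''%<%'' And ' + @c_cast + N' Like ''%>%'')' +   -- tag-like text
        N' Or ' + @c_cast + N' Like ''%script:%''' +                                    -- javascript:/vbscript: URLs
        N' Or ' + @c_cast + N' Like ''%://%''' +                                        -- any absolute URL (noisy)
        N' Or ' + @c_cast + N' Like ''%href%''' +
        N' Or ' + @c_cast + N' Like ''%return%'''                                       -- very noisy on free text
    Execute sp_executesql @execSQL;
    Fetch Next From CheckHtmlInjectCursor Into @c_cast, @from_obj, @c_name, @sT_name
End
Close CheckHtmlInjectCursor
Deallocate CheckHtmlInjectCursor
-- explicit column list; Distinct because the same value may be hit by several patterns
Select Distinct tab, col, ctext From ##InjWatch Order By tab, col
GO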
MySQL sample:
/* CREATE TEMPORARY TABLE Test.HtmlSQLInjection (
Content Varchar(1024) NULL
, TableName VARCHAR(512) NOT NULL
, ColumnName VARCHAR(512) NOT NULL
, SchemaName VARCHAR(512) NOT NULL
); */
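USE test;
DELIMITER $$
DROP PROCEDURE IF EXISTS cursor_proc $$
-- Scan every sufficiently long character/binary column of every user schema for
-- values that look like injected HTML/script. One result set is returned per
-- scanned column (empty when nothing matched); to persist hits instead, turn
-- the generated SELECT into an INSERT ... SELECT into the HtmlSQLInjection
-- table sketched above. Same broad, noisy heuristics as the T-SQL version.
-- (The copy of this procedure on the page was garbled: stray CALL lines and a
-- dangling CONCAT fragment were removed and the cursor CLOSE moved after the loop.)
CREATE PROCEDURE cursor_proc()
BEGIN
    DECLARE v_done INTEGER DEFAULT 0;
    DECLARE v_s VARCHAR(512) DEFAULT '';   -- schema name
    DECLARE v_t VARCHAR(512) DEFAULT '';   -- table name
    DECLARE v_c VARCHAR(512) DEFAULT '';   -- column name
    DECLARE v_col TEXT;                    -- backtick-quoted column reference
    DECLARE CheckHtmlInjectCursor CURSOR FOR
        SELECT
            t.TABLE_SCHEMA,
            t.TABLE_NAME,
            c.COLUMN_NAME
        FROM information_schema.TABLES AS t
        INNER JOIN information_schema.COLUMNS AS c
            ON c.TABLE_SCHEMA = t.TABLE_SCHEMA
            AND c.TABLE_NAME = t.TABLE_NAME
        WHERE c.DATA_TYPE IN ('char', 'varchar', 'binary', 'varbinary', 'blob', 'longblob', 'text', 'mediumtext', 'longtext')
          AND c.CHARACTER_MAXIMUM_LENGTH > 15
          -- system schemas hold no user content and are mostly not readable anyway
          AND t.TABLE_SCHEMA NOT IN ('information_schema', 'mysql', 'performance_schema', 'sys');
    -- MySQL requires handlers to be declared after cursors
    DECLARE CONTINUE HANDLER FOR NOT FOUND SET v_done = 1;

    OPEN CheckHtmlInjectCursor;
    read_loop: LOOP
        FETCH CheckHtmlInjectCursor INTO v_s, v_t, v_c;
        IF v_done = 1 THEN
            LEAVE read_loop;
        END IF;
        -- Identifiers cannot be bound as parameters, so they are backtick-quoted
        -- (embedded backticks doubled) before being spliced into the statement;
        -- the name labels are emitted through QUOTE() as proper string literals.
        SET v_col = CONCAT('`', REPLACE(v_c, '`', '``'), '`');
        SET @queryString = CONCAT(
            'SELECT ', QUOTE(v_s), ' AS SchemaName, ', QUOTE(v_t), ' AS TableName, ',
            QUOTE(v_c), ' AS ColumnName, ', v_col, ' AS Content',
            ' FROM `', REPLACE(v_s, '`', '``'), '`.`', REPLACE(v_t, '`', '``'), '`',
            ' WHERE (', v_col, ' LIKE ''%<%'' AND ', v_col, ' LIKE ''%>%'')',   -- tag-like text
            ' OR ', v_col, ' LIKE ''%script:%''',                                 -- javascript:/vbscript: URLs
            ' OR ', v_col, ' LIKE ''%://%''',                                     -- any absolute URL (noisy)
            ' OR ', v_col, ' LIKE ''%href%''',
            ' OR ', v_col, ' LIKE ''%return%''');                                -- very noisy on free text
        PREPARE stmt FROM @queryString;
        EXECUTE stmt;
        DEALLOCATE PREPARE stmt;
    END LOOP read_loop;
    -- after the loop, not inside the IF after LEAVE (where it was unreachable)
    CLOSE CheckHtmlInjectCursor;
END $$
DELIMITER ;
CALL `test`.`cursor_proc`();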