Original post can be read here: http://blog.darkstar.work/2012/05/simple-html-injection-detection-for-ms.html
A very simple prototype of HTML injection detection in MS SQL Server; please note that real detection is much more complex...
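-- Scratch table that collects every cell whose text matches one of the HTML/URL
-- heuristics in the batch below. It is a GLOBAL temp table (## prefix), so its
-- contents -- the suspect values themselves -- are visible to every session on the
-- instance until the last referencing session ends; drop it once the review is done.
--
-- Drop-and-recreate instead of Delete/Else-Create: a leftover ##InjWatch with a
-- different column layout can then never be reused, and the Create Table is not
-- compiled while an object of the same name still exists (temp-table creation is
-- resolved at compile time, which can reject the Else branch even when it is not
-- executed -- TODO confirm on the target version).
If Object_Id('tempdb..##InjWatch') Is Not Null
    Drop Table ##InjWatch;
Create Table ##InjWatch (
    ctext nvarchar(Max),   -- the matching column value, cast to nvarchar(max)
    tab   nvarchar(768),   -- quoted schema.table the value came from (names are nvarchar, so nvarchar here)
    col   nvarchar(768)    -- column the value came from
);
GO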
-- NOTE(review): this fragment repeats the tail of the batch above (Delete / Else /
-- Create) without its leading If; it appears to be a duplicated rendering of the
-- original post and is not runnable on its own ("Else" has no matching "If").
Delete From ##InjWatch
Else
Create Table ##InjWatch ( ctext nvarchar(Max), tab varchar(768), col varchar(768)
);
GO
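-- Scan every character column of every user table in the current database for values
-- that look like injected HTML or URLs and copy the hits into ##InjWatch.
--
-- Object names come from the catalog and are spliced into dynamic SQL, so every
-- identifier is wrapped with QuoteName() and the two label values are handed to
-- sp_executesql as parameters instead of being concatenated as quoted literals: a
-- crafted table, schema or column name must not be able to rewrite a statement that
-- an administrator then executes.
Declare InjectCursor Cursor LOCAL FAST_FORWARD READ_ONLY For
    Select
        'Cast(' + QuoteName(c.name) + ' as nvarchar(max))' as c_cast,
        c.name                                             as c_name,
        QuoteName(s.name) + '.' + QuoteName(T.name)        as sT_name
    From sys.tables T
    Inner Join sys.schemas s
        On s.schema_id = T.schema_id
    Inner Join sys.columns c
        On c.object_id = T.object_id
    Inner Join sys.types ty
        On ty.system_type_id = c.system_type_id
       And ty.user_type_id   = ty.system_type_id   -- base type row, so alias types still qualify
    Where ty.name In ('varchar', 'nvarchar', 'char', 'nchar', 'text', 'ntext')
      -- Skip very short columns. sys.columns.max_length is -1 for the (max) types and
      -- 16 for text/ntext, so those must be let through explicitly; otherwise the
      -- columns most likely to hold markup would be the ones skipped.
      And (c.max_length > 16 Or c.max_length = -1 Or ty.name In ('text', 'ntext'))

Declare @c_cast  nvarchar(1024),   -- Cast(<quoted column> as nvarchar(max))
        @c_name  nvarchar(768),    -- bare column name, reported in ##InjWatch.col
        @sT_name nvarchar(768),    -- [schema].[table], reported in ##InjWatch.tab
        @execSQL nvarchar(max)     -- one INSERT ... SELECT per column

Open InjectCursor
Fetch Next From InjectCursor Into @c_cast, @c_name, @sT_name
While (@@FETCH_STATUS = 0)
Begin
    -- Only already-quoted identifiers are concatenated; the tab/col labels are bound
    -- as parameters. The heuristics are deliberately crude (angle-bracket pair, URL
    -- schemes, href, "return ", mailto:) and will flag any column that legitimately
    -- stores markup or links. NOLOCK keeps the scan from blocking writers at the cost
    -- of dirty reads, which is acceptable for a triage pass.
    Set @execSQL = N'insert into ##InjWatch (ctext, tab, col) ' +
        N'select ' + @c_cast + N' as ctext, @tab as tab, @col as col ' +
        N' from ' + @sT_name + N' with (nolock) ' +
        N' where (' + @c_cast + N' like ''%<%'' and ' + @c_cast + N' like ''%>%'') ' +
        N' or ' + @c_cast + N' like ''%script:%'' or ' + @c_cast + N' like ''%://%''' +
        N' or ' + @c_cast + N' like ''%href%'' or ' + @c_cast + N' like ''%return %''' +
        N' or ' + @c_cast + N' like ''%mailto:%'''
    Execute sp_executesql @execSQL,
        N'@tab nvarchar(768), @col nvarchar(768)',
        @tab = @sT_name, @col = @c_name;
    Fetch Next From InjectCursor Into @c_cast, @c_name, @sT_name
End
Close InjectCursor
Deallocate InjectCursor

-- Report: one row per distinct (value, table, column) hit, in a stable order.
Select Distinct ctext, tab, col
From ##InjWatch
Order By tab, col
GO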
-- NOTE(review): this fragment repeats the cursor batch above without its leading
-- "Declare InjectCursor Cursor ... For" line; it appears to be a duplicated rendering
-- of the original post. On its own the Select below is a free-standing query and the
-- later Open InjectCursor has no declared cursor to open.
Select 'Cast([' + c.name + '] as nvarchar(max))' as c_cast,
c.name as c_name, '' + s.name + '.[' +T.name + ']' as sT_name
From sys.tables T
Inner Join sys.columns c
On c.object_id = T.object_id
and c.max_length > 16 and c.system_type_id In (Select system_type_id From sys.types Where name In('varchar', 'nvarchar', 'char', 'nchar', 'text', 'ntext'))
Inner Join sys.schemas s
On s.schema_id = T.schema_id
Declare @c_cast varchar(1024), @c_name varchar(768), @sT_name varchar(768)
Open InjectCursor
Fetch Next From InjectCursor Into @c_cast, @c_name, @sT_name
While (@@FETCH_STATUS = 0)
Begin
Declare @execSQL nvarchar(max)
-- Object names from the catalog are concatenated into the statement here without
-- QuoteName(), and the tab/col labels are embedded as quoted literals rather than
-- bound as sp_executesql parameters.
Set @execSQL = 'insert into ##InjWatch (ctext, tab, col) '+
'select ' + @c_cast + ' as ctext, ''' + @sT_name + ''' as tab, ''' + @c_name + ''' as col ' +
' from ' + @sT_name + ' with (nolock) ' +
' where (' + @c_cast + ' like ''%<%'' and ' + @c_cast + ' like ''%>%'') ' +
' or ' + @c_cast + ' like ''%script:%'' or ' + @c_cast + ' like ''%://%''' +
' or ' + @c_cast + ' like ''%href%'' or ' + @c_cast + ' like ''%return %''' +
' or ' + @c_cast + ' like ''%mailto:%'''
Execute sp_executesql @execSQL;
Fetch Next From InjectCursor Into @c_cast, @c_name, @sT_name
End
Close InjectCursor
Deallocate InjectCursor
Select Distinct * From ##InjWatch
GO