war*_*990 9 sql sql-server security asp.net-mvc sql-injection
我有一个小型网站(MVC5),其中包含"联系我们"功能,今天早上我发现我有来自同一IP的数百封电子邮件.我从数据库查询结果,所有'em只是一堆奇怪的字符串和一些脚本/ SQL注入.
我已经在我的数据库(SQL Server 2014)上使用参数,并对所有用户输入进行白名单过滤.只是想知道我是否应该担心?
Joey'"
Joey\\'\\"
Joey'"'"'"'"
Joey AND 1=1 --
Joey AND 1=2 --
Joey" AND 1=1 --
Joey" AND 1=2 --
Joey'
Joey
Joey\'
Joey
Joey" UNION SELECT 8, table_name, 'vega' FROM information_schema.tables WHERE table_name like'%
1 AND 1=1 --
1 AND 1=2 --
' AND 1=1 --
' AND 1=2 --
" AND 1=1 --
" AND 1=2 --
Joey''
Joey' UNION SELECT 8, table_name, 'vega' FROM information_schema.taables WHERE taable_name like'%
javascript:vvv002664v506297
vbscript:vvv002665v506297
" onMouseOver=vvv002666v506297
" style=vvv002667v506297
' onMouseOver=vvv002668v506297
/../../../../../../../../../../../../etc/passwd
Joey`true`
Joey`false`
Joey`uname`
' style=vvv002669v506297
Joey"`false`"
Joey"`uname`"
Joey'true'
Joey'false'
Joey'uname'
Joey" UNION SELECT 8, table_name, 'vega' FROM information_schema.taables WHERE taable_name like'%
htTp://www.google.com/humans.txt
hthttpttp://www.google.com/humans.txt
hthttp://tp://www.google.com/humans.txt
Joey
Joey-0-0
Joey\'\"
Joey\\'\\"
Joey - 0 - 0
Joey 0 0 - -
http://vega.invalid/;?
//vega.invalid/;?
vega://invalid/;?
src=http://vega.invalid/;?
" src=http://vega.invalid/;?
Joeybogus Vega-Inject:bogus
www.google.com/humans.txt
Joeybogus Vega-Inject:bogus
Joey-0
Joey-0-9
Joey
Joey'"
Joey' UNION SELECT 8, table_name, 'vega' FROM information_schema.tables WHERE table_name like'%
Joey' AND 1=2 --
Joey' AND 1=1 --
Joey''''""""
Joey\'\"
Joey
Joey
Joey
http://www.google.com/humans.txt
Joey
Joey"`true`"
Joey
看起来有人试图使用SQL注入.只要您使用输入验证并转义输入,您就可以在这方面做得好.不过,您可能希望了解其他加强网站的方法.
这是一个用于防止ASP.NET中的SQL注入的资源.一般网站强化的另一种资源.希望能帮助到你!