應(yīng)檢查所有調(diào)用 EXECUTE、EXEC 或 sp_executesql 的代碼?？梢允褂妙愃迫缦碌牟樵儊韼椭鷺?biāo)識(shí)包含這些語句的過程。

SELECT object_Name(id) FROM syscomments

WHERE UPPER(text) LIKE '%EXECUTE (%'

OR UPPER(text) LIKE '%EXECUTE (%'

OR UPPER(text) LIKE '%EXECUTE (%'

OR UPPER(text) LIKE '%EXECUTE (%'

OR UPPER(text) LIKE '%EXEC (%'

OR UPPER(text) LIKE '%EXEC (%'

OR UPPER(text) LIKE '%EXEC (%'

OR UPPER(text) LIKE '%EXEC (%'

OR UPPER(text) LIKE '%SP_EXECUTESQL%'

使用 QUOTENAME() 和 REPLACE() 包裝參數(shù)

由數(shù)據(jù)截?cái)鄦⒂玫淖⑷?/H3>

如果分配給變量的任何動(dòng)態(tài) Transact-SQL 比為該變量分配的緩沖區(qū)大，那么它將被截?cái)?。如果攻擊者能夠通過將意外長度的字符串傳遞給存儲(chǔ)過程來強(qiáng)制執(zhí)行語句截?cái)?，則該攻擊者可以操作該結(jié)果。例如，以下腳本創(chuàng)建的存儲(chǔ)過程容易受到由截?cái)鄦⒂玫淖⑷牍簟?/P>

CREATE PROCEDURE sp_MySetPassword

@loginname sysname,

@old sysname,

@new sysname

AS

-- Declare variable.

-- Note that the buffer here is only 200 characters long.

DECLARE @command varchar(200)

-- Construct the dynamic Transact-SQL.

-- In the following statement, we need a total of 154 characters

-- to set the password of 'sa'.

-- 26 for UPDATE statement, 16 for WHERE clause, 4 for 'sa', and 2 for

-- quotation marks surrounded by QUOTENAME(@loginname):

-- 200 – 26 – 16 – 4 – 2 = 154.

-- But because @new is declared as a sysname, this variable can only hold

-- 128 characters.

-- We can overcome this by passing some single quotation marks in @new.

SET @command= 'update Users set password=' + QUOTENAME(@new, '''') + ' where username=' + QUOTENAME(@loginname, '''') + ' AND password = ' + QUOTENAME(@old, '''')

 

-- Execute the command.

EXEC (@command)

GO

通過向 128 個(gè)字符的緩沖區(qū)傳遞 154 個(gè)字符，攻擊者便可以在不知道舊密碼的情況下為 sa 設(shè)置新密碼。

EXEC sp_MySetPassword 'sa', 'dummy', '123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012'''''''''''''''''''''''''''''''''''''''''''''''''''

因此，應(yīng)對命令變量使用較大的緩沖區(qū)，或直接在 EXECUTE 語句內(nèi)執(zhí)行動(dòng)態(tài) Transact-SQL。

使用 QUOTENAME(@variable, '''') 和 REPLACE() 時(shí)的截?cái)?/H3>

如果 QUOTENAME() 和 REPLACE() 返回的字符串超過了分配的空間，該字符串將被自動(dòng)截?cái)唷Ｒ韵率纠袆?chuàng)建的存儲(chǔ)過程顯示了可能出現(xiàn)的情況。

CREATE PROCEDURE sp_MySetPassword

@loginname sysname,

@old sysname,

@new sysname

AS

 

-- Declare variables.

DECLARE @login sysname

DECLARE @newpassword sysname

DECLARE @oldpassword sysname

DECLARE @command varchar(2000)

 

-- In the following statements, the data stored in temp variables

-- will be truncated because the buffer size of @login, @oldpassword,

-- and @newpassword is only 128 characters, but QUOTENAME() can return

-- up to 258 characters.

 

SET @login = QUOTENAME(@loginname, '''')

SET @oldpassword = QUOTENAME(@old, '''')

SET @newpassword = QUOTENAME(@new, '''')

 

-- Construct the dynamic Transact-SQL.

-- If @new contains 128 characters, then @newpassword will be '123... n

-- where n is the 127th character.

-- Because the string returned by QUOTENAME() will be truncated,

-- it can be made to look like the following statement:

-- UPDATE Users SET password ='1234. . .[127] WHERE username=' -- other stuff here

SET @command = 'UPDATE Users set password = ' + @newpassword

+ ' where username =' + @login + ' AND password = ' + @oldpassword;

 

-- Execute the command.

EXEC (@command)

GO

因此，以下語句將把所有用戶的密碼都設(shè)置為在前面的代碼中傳遞的值。

EXEC sp_MyProc '--', 'dummy', '12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678'

使用 REPLACE() 時(shí)，可以通過超出分配的緩沖區(qū)空間來強(qiáng)迫字符串截?cái)?。以下示例中?chuàng)建的存儲(chǔ)過程顯示了可能出現(xiàn)的情況。

CREATE PROCEDURE sp_MySetPassword

@loginname sysname,

@old sysname,

@new sysname

AS

-- Declare variables.

DECLARE @login sysname

DECLARE @newpassword sysname

DECLARE @oldpassword sysname

DECLARE @command varchar(2000)

-- In the following statements, data will be truncated because

-- the buffers allocated for @login, @oldpassword and @newpassword

-- can hold only 128 characters, but QUOTENAME() can return

-- up to 258 characters.

 

SET @login = REPLACE(@loginname, '''', '''''')

SET @oldpassword = REPLACE(@old, '''', '''''')

SET @newpassword = REPLACE(@new, '''', '''''')

 

-- Construct the dynamic Transact-SQL.

-- If @new contains 128 characters, @newpassword will be '123...n

-- where n is the 127th character.

-- Because the string returned by QUOTENAME() will be truncated, it

-- can be made to look like the following statement:

-- UPDATE Users SET password='1234…[127] WHERE username=' -- other stuff here

 

SET @command= 'update Users set password = ''' + @newpassword + ''' where username='''

+ @login + ''' AND password = ''' + @oldpassword + '''';

 

-- Execute the command.

EXEC (@command)

GO

與 QUOTENAME() 一樣，可以通過聲明對所有情況都足夠大的臨時(shí)變量來避免由 REPLACE() 引起的字符串截?cái)唷?yīng)盡可能直接在動(dòng)態(tài) Transact-SQL 內(nèi)調(diào)用 QUOTENAME() 或 REPLACE()?；蛘?，也可以按如下方式計(jì)算所需的緩沖區(qū)大小。對于 @outbuffer = QUOTENAME(@input)，@outbuffer 的大小應(yīng)為 2*(len(@input)+1). 。使用 REPLACE() 和雙引號(hào)時(shí)（如上一示例），大小為 2*len(@input) 的緩沖區(qū)便已足夠。

以下計(jì)算涵蓋所有情況：

While len(@find_string) > 0, required buffer size =

round(len(@input)/len(@find_string),0) * len(@new_string)

+ (len(@input) % len(@find_string))

使用 QUOTENAME(@variable, ']') 時(shí)的截?cái)?/H3>

當(dāng) SQL Server 安全對象的名稱被傳遞給使用 QUOTENAME(@variable, ']') 形式的語句時(shí)，可能發(fā)生截?cái)?。以下代碼顯示了這一可能性。

CREATE PROCEDURE sp_MyProc

@schemaname sysname,

@tablename sysname,

AS

 

-- Declare a variable as sysname. The variable will be 128 characters.

-- But @objectname actually must accommodate 2*258+1 characters.

DECLARE @objectname sysname

SET @objectname = QUOTENAME(@schemaname)+'.'+ QUOTENAME(@tablename)

 

-- Do some operations.

GO

當(dāng)您串聯(lián) sysname 類型的值時(shí)，應(yīng)使用足夠大的臨時(shí)變量來保存每個(gè)值的最多 128 個(gè)字符。應(yīng)盡可能直接在動(dòng)態(tài) Transact-SQL 內(nèi)調(diào)用 QUOTENAME()?；蛘撸部梢园瓷弦徊糠炙鰜碛?jì)算所需的緩沖區(qū)大小。