I was handed a rather challenging task: a website had been flagged by Google as a malicious site, and my job was to get those few lines removed from Google!
My first thought was that a malicious iframe or script had been injected into the pages, but a careful check found nothing of the kind; instead, Google's diagnostic page pointed at the database contents as the suspicious part.
I downloaded the database and, sure enough, nearly every varchar column defined with a large length and almost every ntext column had code of the form <script src='xxx.com'></script> appended at the very end.
The problem was found, but the obvious fix was unacceptable: cleaning the malicious code out record by record was far too expensive, so I wrote a script to walk every column and strip the junk:
declare c_cursor cursor local for
select a.name, b.name
from sysobjects as a
join syscolumns as b
on a.id = b.id
join systypes as c
on c.xusertype = b.xtype
where
a.xtype = 'U' and c.name in ('ntext','nvarchar','nchar','varchar','char')
declare @tabname sysname, @colname sysname, @trash varchar(100)
-- marker that identifies an injected row; note the second tag below is only stripped from rows that also contain this marker
select @trash = 'src=http://www.64do.com/script.js'
open c_cursor
fetch next from c_cursor into @tabname, @colname
while @@fetch_status = 0
begin
-- earlier variant that called a cleaning function instead of replace(), kept for reference:
--print('update cn98003.'+@tabname+' set '+@colname+'=cn98003.f_Clean('+@colname+') '+'where '+@colname+' like '+'''%'+@trash+'%''')
-- convert(varchar(8000), ...) is what allows replace() to run on ntext columns; it also truncates anything longer than 8000 characters
-- quotename() protects table and column names that contain spaces or reserved words
exec('update cn98003.'+quotename(@tabname)+' set '+quotename(@colname)+'=replace(replace(convert(varchar(8000),'+quotename(@colname)+'),''<script src=http://www.64do.com/script.js></script>'',''''),''<script src=http://www.pkseio.ru/script.js></script>'','''') '+'where '+quotename(@colname)+' like '+'''%'+@trash+'%''')
fetch next from c_cursor into @tabname, @colname
end
close c_cursor
deallocate c_cursor
Running this script clears the junk from every varchar-type column and from text-type values shorter than 8000 characters. Be aware that convert(varchar(8000), ...) does not merely skip longer values: any matching ntext value longer than 8000 characters is silently cut to 8000, so check max(datalength(col)) on the ntext columns first, or leave them out of the cursor. For ntext fields longer than 8000, that type conversion means a different method is needed:
declare @ptrval varbinary(16)
declare ct cursor local for
select articleid from cn98003.cv_product where location like '%64do%'
declare @id int
declare @offset int
open ct
fetch next from ct into @id
while @@fetch_status = 0
begin
select @ptrval = textptr(location) from cn98003.cv_product where articleid = @id
-- patindex() is 1-based while updatetext offsets are 0-based, so subtract one;
-- start the cut at the <script tag itself rather than in the middle of the URL
select @offset = patindex('%<script src=http://www.64do.com%', location) - 1 from cn98003.cv_product where articleid = @id
-- a delete_length of NULL removes everything from @offset to the end of the value, which is
-- correct here because the tag was appended at the very end of each field; skip rows where
-- the pattern is absent (patindex returned 0), otherwise the whole value would be wiped
if @offset >= 0
updatetext cn98003.cv_product.location @ptrval @offset NULL ''
fetch next from ct into @id
end
close ct
deallocate ct
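To make the difference between the two strategies concrete without a SQL Server at hand, here is an added Python model of both (not code from the original post): clean_by_replace mirrors the convert(varchar(8000)) plus replace() update, clean_by_offset mirrors patindex() plus updatetext with a NULL delete length. The tag URLs are the ones from the scripts; the sample rows, the 9000-character value and the function names are constructed for the example.

```python
# Added example modelling the two T-SQL cleanup strategies from the post.
# Tag URLs are the ones seen in the dump; all rows below are constructed.

INJECTED_TAGS = (
    "<script src=http://www.64do.com/script.js></script>",
    "<script src=http://www.pkseio.ru/script.js></script>",
)
MARKER = "src=http://www.64do.com/script.js"   # the @trash marker in the first script
VARCHAR_LIMIT = 8000                             # convert(varchar(8000), col) keeps this many characters


def clean_by_replace(value):
    """First script: where col like '%MARKER%', convert to varchar(8000), replace() both tags.

    The where clause is evaluated on the full value, so a long ntext row is still
    updated, but only its first 8000 characters survive the conversion.
    """
    if MARKER not in value:
        return value                 # where clause did not match: row left untouched
    cleaned = value[:VARCHAR_LIMIT]  # the truncation hidden in convert(varchar(8000), ...)
    for tag in INJECTED_TAGS:
        cleaned = cleaned.replace(tag, "")
    return cleaned


def clean_by_offset(value):
    """Second script: locate the first injected tag, delete from there to the end.

    Mirrors patindex() + updatetext ... NULL ''. Correct as long as the tag really
    sits at the end of the field, which is what the dump showed.
    """
    hits = [value.find(tag) for tag in INJECTED_TAGS]
    hits = [h for h in hits if h >= 0]
    if not hits:
        return value
    return value[:min(hits)]


def audit_column(rows):
    """Dry run over {articleid: value}: returns (infected ids, ids the replace
    strategy would truncate because their real content exceeds 8000 characters)."""
    infected = sorted(k for k, v in rows.items() if any(t in v for t in INJECTED_TAGS))
    at_risk = [k for k in infected if len(clean_by_offset(rows[k])) > VARCHAR_LIMIT]
    return infected, at_risk


# Constructed sample rows for a column such as cv_product.location
SAMPLE_ROWS = {
    1: "Room 402, Building 3" + INJECTED_TAGS[0],
    2: "Shanghai office" + INJECTED_TAGS[0] + INJECTED_TAGS[1],
    3: "Clean description, nothing appended",
    4: ("long product text " * 500) + INJECTED_TAGS[0],   # 9000 characters of real content
    5: "Beijing warehouse" + INJECTED_TAGS[1],             # only the second tag present
}

if __name__ == "__main__":
    infected, at_risk = audit_column(SAMPLE_ROWS)
    print("infected rows:", infected, "would be truncated by replace():", at_risk)
    for k in infected:
        print(k, len(clean_by_replace(SAMPLE_ROWS[k])), len(clean_by_offset(SAMPLE_ROWS[k])))
```

The 9000-character row is exactly the case the post runs into: the first strategy hands it back cut to 8000 characters, the second returns it intact. The row carrying only the pkseio.ru tag shows a second limitation of the first script: its where clause keys on the 64do.com marker, so the pkseio.ru tag is only stripped from rows that also carry the 64do.com one, while the offset strategy catches it on its own.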
After the cleanup I restored the database, and two days later Google's malicious-site warning was lifted. Thinking it over, I believe this intrusion was carried out by an automated program using brute-force enumeration; the underlying principle is still SQL injection, just far more aggressive. To guard against SQL injection, I had every file on the ASP site include this page:
'Security check settings
Dim ar_str, ar_qstr, str_index, qstr_index, strlist, strlist1
strlist = "'|#|exec|insert|select|delete|update|%|chr|char|mid|master|truncate|declare|(|)|*|or|@|and|=|-"
strlist1 = "exec|insert|select|delete|update|truncate|declare|'"
If Request.Form <> "" Then
    ar_str = Split(strlist1, "|", -1, 1)
    For Each qstr_index In Request.Form
        For str_index = 0 To UBound(ar_str)
            If InStr(LCase(Request.Form(qstr_index)), ar_str(str_index)) <> 0 Then
                Response.Write "<Script Language=JavaScript>alert('Please do not include illegal characters in the parameters!');"
                Response.Write "alert('If you have a problem, please contact the site administrator!');"
                Response.Write "history.go(-1);</Script>"
                Response.End
            End If
        Next
    Next
End If
If Request.QueryString <> "" Then
    ar_str = Split(strlist, "|", -1, 1)
    For Each qstr_index In Request.QueryString
        For str_index = 0 To UBound(ar_str)
            If InStr(1, LCase(Request.QueryString(qstr_index)), ar_str(str_index), 1) <> 0 Then
                Response.Write "<Script Language=JavaScript>alert('Please do not include illegal characters in the parameters!');"
                Response.Write "alert('If you have a problem, please contact the site administrator!');"
                Response.Write "history.go(-1);</Script>"
                Response.End
            End If
        Next
    Next
End If
Two things to keep in mind about this include. It only inspects Request.Form and Request.QueryString; values read from Request.Cookies, or through the bare Request("name") collection (which also falls back to cookies), are never checked, and the form list contains neither "or" nor "=", so it does not stop injection into an unquoted numeric parameter. Conversely the query-string list rejects any value containing "or", "and", "=" or "-", so ordinary input such as names or dates will be blocked. A keyword blacklist narrows the attack surface but is no substitute for parameterised queries (ADODB.Command with Parameters) in the pages that actually build SQL.
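The limits of the blacklist are easier to see with a small model. The Python below is an added example, not code from the post: the two token lists are copied from the include above, while the in-memory sqlite table, its rows and the function names are constructed. It applies the same lower-cased substring check, then runs the same lookups two ways against the database: with the value spliced into the SQL text, as the attacked pages evidently did, and with a bound parameter, which is the fix that does not depend on guessing tokens.

```python
import sqlite3

# Added example. Token lists are the strlist / strlist1 values from the ASP include;
# the table, its rows and the query functions are constructed for this demonstration.
QUERYSTRING_TOKENS = ("'|#|exec|insert|select|delete|update|%|chr|char|mid|master"
                      "|truncate|declare|(|)|*|or|@|and|=|-").split("|")
FORM_TOKENS = "exec|insert|select|delete|update|truncate|declare|'".split("|")


def rejected_by(tokens, value):
    """The include's check: lower-case the value, reject on any substring hit."""
    low = value.lower()
    return any(tok in low for tok in tokens)


def build_db():
    """Constructed stand-in for cn98003.cv_product."""
    con = sqlite3.connect(":memory:")
    con.execute("create table cv_product (articleid integer, location text)")
    con.executemany("insert into cv_product values (?, ?)",
                    [(1, "Oregon"), (2, "Beijing"), (3, "Portland")])
    return con


def ids_by_location_concat(con, city):
    # Vulnerable pattern: user input spliced into the statement text.
    sql = "select articleid from cv_product where location = '" + city + "'"
    return [r[0] for r in con.execute(sql)]


def ids_by_location_param(con, city):
    # Hardened: the driver binds the value; it can never become SQL syntax.
    return [r[0] for r in con.execute(
        "select articleid from cv_product where location = ?", (city,))]


def location_by_id_concat(con, article_id):
    # Numeric id spliced in unquoted, as product pages often do; no quote needed to inject,
    # and the form blacklist above contains neither "or" nor "=".
    sql = "select location from cv_product where articleid = " + article_id
    return [r[0] for r in con.execute(sql)]


def location_by_id_param(con, article_id):
    # Hardened: enforce the type first, then bind.
    try:
        n = int(article_id)
    except ValueError:
        return []    # not a number: refuse instead of splicing
    return [r[0] for r in con.execute(
        "select location from cv_product where articleid = ?", (n,))]


if __name__ == "__main__":
    con = build_db()
    print("blacklist rejects 'Oregon':", rejected_by(QUERYSTRING_TOKENS, "Oregon"))
    print("form blacklist rejects '0 or 1=1':", rejected_by(FORM_TOKENS, "0 or 1=1"))
    print("concat:", location_by_id_concat(con, "0 or 1=1"))
    print("param: ", location_by_id_param(con, "0 or 1=1"))
```

The query-string list does catch the classic quoted payload, but it also rejects a plain city name because "oregon" contains "or". The numeric case shows the opposite failure: "0 or 1=1" sails through the form list and, once spliced into an unquoted id, returns every row, whereas the bound version refuses it outright.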