Solutions for a database hit by injection: effective ways to clean up an injected database

1. The first case: every occurrence of the specified injected string needs to be stripped out. The code is as follows:

declare @delStr nvarchar(500)
set @delStr='script src=//' -- the injected string goes here
/****************************************/
/********** The operations follow ************/
set nocount on
declare @tableName nvarchar(100),@columnName nvarchar(100),@tbID int,@iRow int,@iResult int
declare @sql nvarchar(2000)
set @iResult=0
-- Outer cursor: every user table (xtype 'U')
declare cur cursor for select name,id from sysobjects where xtype='U'
open cur
fetch next from cur into @tableName,@tbID
while @@fetch_status=0
begin
    -- Inner cursor: character columns only
    -- (231 nvarchar, 167 varchar, 239 nchar, 175 char, 35 text, 99 ntext)
    declare cur1 cursor for select name from syscolumns where xtype in (231,167,239,175, 35, 99) and id=@tbID
    open cur1
    fetch next from cur1 into @columnName
    while @@fetch_status=0
    begin
        -- Keep the text before the first match and the text after it.
        -- Each run removes only the first occurrence per row, so rerun until 0 rows are updated.
        set @sql='update [' + @tableName + '] set ['+ @columnName +']= SUBSTRING([' + @columnName + '],' + '1, PATINDEX( ''%' + @delStr + '%'', [' + @columnName + '])-1) + ' + 'SUBSTRING([' + @columnName + '], PATINDEX( ''%' + @delStr + '%'', [' + @columnName + ']) + ' + 'len(''' + @delStr + ''') , datalength([' + @columnName + '])) where ['+@columnName+'] like ''%'+@delStr+'%'''
        exec sp_executesql @sql
        set @iRow=@@rowcount
        set @iResult=@iResult+@iRow
        if @iRow>0
        begin
            print '表:'+@tableName+',列:'+@columnName+'被更新'+convert(varchar(10),@iRow)+'条记录;'
        end
        fetch next from cur1 into @columnName
    end
    close cur1
    deallocate cur1
    fetch next from cur into @tableName,@tbID
end
print '数据库教程共有'+convert(varchar(10),@iResult)+'条记录被更新!!!'
close cur
deallocate cur
set nocount off


2. The second case: everything from the position where the injected content starts through to the end of the value needs to be deleted. The code is as follows:

-- Restore an injected database
-- 2013-09-26
declare @delStr nvarchar(500)
set @delStr='/titlestyle.' -- sample of the start of the injected string; all data after this position is injected data
/********** The operations follow ************/
set nocount on
declare @tableName nvarchar(100),@columnName nvarchar(100),@tbID int,@iRow int,@iResult int
declare @sql nvarchar(2000)
set @iResult=0
-- Outer cursor: every user table (xtype 'U')
declare cur cursor for select name,id from sysobjects where xtype='U'
open cur
fetch next from cur into @tableName,@tbID
while @@fetch_status=0
begin
    -- Inner cursor: character columns only
    -- (231 nvarchar, 167 varchar, 239 nchar, 175 char, 35 text, 99 ntext)
    declare cur1 cursor for select name from syscolumns where xtype in (231,167,239,175, 35, 99) and id=@tbID
    open cur1
    fetch next from cur1 into @columnName
    while @@fetch_status=0
    begin
        -- Truncate the value at the first match: keep only the text before it
        set @sql='update [' + @tableName + '] set ['+ @columnName +']= SUBSTRING([' + @columnName + '],1, PATINDEX( ''%' + @delStr + '%'', [' + @columnName + '])-1) where ['+@columnName+'] like ''%'+@delStr+'%'''
        exec sp_executesql @sql
        set @iRow=@@rowcount
        set @iResult=@iResult+@iRow
        if @iRow>0
        begin
            print '表:'+@tableName+',列:'+@columnName+'被更新'+convert(varchar(10),@iRow)+'条记录;'
        end
        fetch next from cur1 into @columnName
    end
    close cur1
    deallocate cur1
    fetch next from cur into @tableName,@tbID
end
print '数据库教程共有'+convert(varchar(10),@iResult)+'条记录被更新!!!'
close cur
deallocate cur
set nocount off
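
Before running either cleanup script above, a read-only pass can show which tables and columns actually contain the injected string and how many rows each update would touch. This is an added example, not code from the original page; it assumes SQL Server 2005 or later (the sys.tables, sys.columns and sys.schemas catalog views), and the variable names and the temporary table #hits are hypothetical.

```sql
-- Added example: read-only audit, changes no data.
set nocount on
declare @marker nvarchar(500)
set @marker = N'script src='   -- string to look for (value taken from the page)

-- Escape LIKE wildcards so the marker is matched literally.
declare @pat nvarchar(1100)
set @pat = replace(replace(replace(replace(@marker, N'\', N'\\'), N'%', N'\%'), N'_', N'\_'), N'[', N'\[')
set @pat = N'%' + @pat + N'%'

create table #hits (sch sysname, tbl sysname, col sysname, hit_rows int)

declare @schema sysname, @table sysname, @column sysname, @sql nvarchar(max), @n int
declare cur cursor local fast_forward for
    select s.name, t.name, c.name
    from sys.tables t
    join sys.schemas s on s.schema_id = t.schema_id
    join sys.columns c on c.object_id = t.object_id
    -- same character types the page's scripts target
    where c.system_type_id in (231, 167, 239, 175, 35, 99)
open cur
fetch next from cur into @schema, @table, @column
while @@fetch_status = 0
begin
    -- QUOTENAME brackets identifiers safely; the pattern travels as a parameter,
    -- so a quote character in the marker cannot break the statement.
    set @sql = N'select @n = count(*) from ' + quotename(@schema) + N'.' + quotename(@table)
             + N' where ' + quotename(@column) + N' like @pat escape ''\'''
    exec sp_executesql @sql, N'@pat nvarchar(1100), @n int output', @pat = @pat, @n = @n output
    if @n > 0
        insert into #hits values (@schema, @table, @column, @n)
    fetch next from cur into @schema, @table, @column
end
close cur
deallocate cur

-- One row per affected column, largest first.
select sch, tbl, col, hit_rows from #hits order by hit_rows desc
drop table #hits
```

Comparing this output with the row counts the cleanup scripts print makes it easy to confirm that an update touched only the columns expected, and rerunning it afterwards shows whether any occurrences remain.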
