November 6, 2008 at 1:15 pm
A few months ago a developer we work with was hit hard with SQL injections. We all worked as a team to clean it up, and we wrote an antiscript specific to this attack. I am trying to help someone else out now, and am having trouble figuring out how to change my code to suit this situation. The SQL I have was written so that you put in the beginning of the injection, and the end, (the beginning and end were always the same) and it would delete that, and everything in between and preserve the rest of the data in the columns. This time around, I want to specify the beginning of the string, and delete all the way to the end of the column, and only preserve the data before the string. For example, before I had as the end. It searches the entire database for specific datatype columns, then searches those columns for the string. It deleted that plus anything in the middle. Now I would just want to put something like <*--- and have it delete that, plus everything after. Below is the current code. I have just drawn a blank. Thanks guys.
declare @stringstart int,@StringEnd int
,@GoodString1 varchar(512),@GoodString2 varchar(512)
declare @Table varchar(100),@TempDBVAlue varchar(2000)
declare @column varchar(100)
declare @sql varchar(8000)
set nocount on
create table #TEmp
(
colx varchar (3900)
,ColName varchar(100)
,tablex varchar(100)
,val varchar(3900)
,strindx int
,endindx int
)
declare c cursor for
SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u'
AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
open c
fetch next from c into @Table,@column
while @@fetch_status=0 begin
set @sql='select cast([' + @column + '] as varchar(3900)),''' + @column + ''',''' + @Table + ''',null,null,null from '+ @Table
insert into #TEmp
exec(@sql)
fetch next from c into @Table,@column
end
close c
deallocate c
declare @colx varchar(3900)
,@colname varchar(100)
,@tablex varchar(100)
,@val varchar(3900)
,@strindx int
,@endindx int
declare w cursor for
select colx
,colname
,tablex
,val
,strindx
,endindx
from #Temp
open w
fetch next from w into@colx ,@colname
,@tablex
,@val
,@strindx
,@endindx
while @@fetch_status=0 begin
select @stringstart=CHARINDEX ( ' ')
if @stringstart <> -1 begin
select @GoodString1=SUBSTRING(@colx,1,@stringstart)
set @sql= ' update ' + @tablex +
' set ' + @colname + '=''' + replace(@GoodString1,'''','''''') + '''' +
' where ' + @colname + '=''' + replace(@colx,'''','''''') +''''
exec (@sql)
end
fetch next from w into @colx ,@colname
,@tablex
,@val
,@strindx
,@endindx
end
close w
deallocate w
drop table #Temp
set nocount off
November 6, 2008 at 8:47 pm
I think you have some HTML that's being seen as code and not a post.
If you want to delete everything after say, [*---, then you search for that in charindex, substring from 1 to that value and set the column to that. You don't need to include an ending length.
update MyTable
set MyCol = substring( Mycol, 1, charindex( '[*---', mycol)
November 7, 2008 at 7:41 am
Got it. Thanks! The HTML you seen was the beginning of my string to delete, and the end of my string to delete. This was a piece of code that was used to clean up an injection. Now it is being used to clean up a different kind of injection. Your idea worked using the substring select, since I am already pulling back the rest of the variable data. I just eliminated the end string. Thanks for the help!
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply