Cleaning Up SQL Injection Attack : b.js & preventing SQL Injection (codegroups.com)

submitted by shaileshk (20) 3 years, 11 months ago

My website is infected with SQL injection and I have tried to create a clean MS SQL database using the SP. I hope this will help you clean up your database and protect your website against SQL injection. Please go to the link below and create: http://codegroups.com/blog/index.php...on-attack-bjs/

Code:

    -- Replaces every occurrence of @Find with @REPLACE in one column of one table.
    -- @TABLE and @Field are plain (unqualified) names, as returned by INFORMATION_SCHEMA.COLUMNS.
    CREATE PROCEDURE FindReplace
    (
        @TABLE   VARCHAR(200),
        @Field   VARCHAR(200),
        @WHERE   VARCHAR(100),
        @Find    VARCHAR(500),
        @REPLACE VARCHAR(500)
    )
    AS
    DECLARE @query VARCHAR(8000)
    -- QUOTENAME brackets the identifiers; doubling single quotes keeps
    -- @Find and @REPLACE inside their string literals.
    -- Note: CONVERT(varchar(8000), ...) truncates text/ntext values longer than 8000 characters.
    SET @query = 'UPDATE ' + QUOTENAME(@TABLE) + ' SET ' + QUOTENAME(@Field)
        + ' = REPLACE(CONVERT(varchar(8000),' + QUOTENAME(@Field) + '),'''
        + REPLACE(@Find, '''', '''''') + ''',''' + REPLACE(@REPLACE, '''', '''''') + ''')'
    -- @WHERE is appended as raw SQL, so pass only trusted text.
    IF (@WHERE <> '')
        SET @query = @query + ' WHERE ' + @WHERE
    EXECUTE (@query)
    GO

Code:

    -- Runs FindReplace over every varchar, text, ntext and nvarchar column in the database.
    CREATE PROCEDURE RemoveStringFinal
        @FIND    VARCHAR(500),
        @REPLACE VARCHAR(500)
    AS
    DECLARE @TABLE_NAME  VARCHAR(500)
    DECLARE @COLUMN_NAME VARCHAR(500)
    DECLARE @DATA_TYPE   VARCHAR(500)
    DECLARE db_cursor CURSOR FOR
        SELECT TABLE_NAME, COLUMN_NAME, DATA_TYPE
        FROM INFORMATION_SCHEMA.COLUMNS
    OPEN db_cursor
    FETCH NEXT FROM db_cursor INTO @TABLE_NAME, @COLUMN_NAME, @DATA_TYPE
    WHILE @@FETCH_STATUS = 0
    BEGIN
        IF @DATA_TYPE = 'varchar' OR @DATA_TYPE = 'text' OR @DATA_TYPE = 'ntext' OR @DATA_TYPE = 'nvarchar'
        BEGIN
            PRINT @TABLE_NAME
            PRINT @COLUMN_NAME
            PRINT @DATA_TYPE
            EXEC FindReplace @TABLE_NAME, @COLUMN_NAME, '', @FIND, @REPLACE
        END
        FETCH NEXT FROM db_cursor INTO @TABLE_NAME, @COLUMN_NAME, @DATA_TYPE
    END
    CLOSE db_cursor
    DEALLOCATE db_cursor
    GO
    -- EXEC FindReplace @TABLE_NAME, @COLUMN_NAME, '', '<script src=http://www.en-us18.com/b.js></script>', ' '

Two SPs are created for cleaning up the SQL-injected database:

  1. SP - FindReplace
  2. SP - RemoveStringFinal

Run both queries in Query Analyzer and then run:

    Exec RemoveStringFinal '<script src=http://www.en-us18.com/b.js></script>',''

Enter your attack JS URL in the above SP call and replace it with a blank space '', i.e.

    Exec RemoveStringFinal '<script src=http://www.en-us18.com/b.js></script>',''

If your data has the <script src=http://www.en-us18.com/b.js></script> string in your database, then run the above SP with 'Exec RemoveStringFinal '<script src=http://www.en-us18.com/b.js></script>',''.

I will post soon on how to protect our database and website against SQL injection.

SQL Injection Protection Code: <% ''' Code for pre
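
A read-only pass before the update shows which columns actually hold the injected tag, so the cleanup can be scoped and checked afterwards. This is an added example, not part of the original post; the procedure name CountInjectedRows is hypothetical, and it assumes SQL Server with sp_executesql available. The search string is passed as a bound parameter and identifiers are quoted with QUOTENAME.

```sql
-- Added example (hypothetical procedure name; not from the original post).
-- Read-only: counts rows containing @Find per text column and changes nothing.
CREATE PROCEDURE CountInjectedRows
    @Find VARCHAR(500)
AS
BEGIN
    SET NOCOUNT ON

    -- Escape LIKE wildcards so @Find is matched literally.
    DECLARE @Pattern VARCHAR(1600)
    SET @Pattern = '%' + REPLACE(REPLACE(REPLACE(@Find,
                       '[', '[[]'), '%', '[%]'), '_', '[_]') + '%'

    DECLARE @Schema SYSNAME, @Table SYSNAME, @Column SYSNAME
    DECLARE @Sql NVARCHAR(2000), @Hits INT

    DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
        SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
        FROM INFORMATION_SCHEMA.COLUMNS AS c
        JOIN INFORMATION_SCHEMA.TABLES AS t
          ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
        WHERE t.TABLE_TYPE = 'BASE TABLE'   -- skip views
          AND c.DATA_TYPE IN ('varchar', 'text', 'ntext', 'nvarchar')

    OPEN col_cursor
    FETCH NEXT FROM col_cursor INTO @Schema, @Table, @Column
    WHILE @@FETCH_STATUS = 0
    BEGIN
        -- Identifiers cannot be bound as parameters, so QUOTENAME brackets them.
        SET @Sql = N'SELECT @n = COUNT(*) FROM ' + QUOTENAME(@Schema) + N'.'
                 + QUOTENAME(@Table) + N' WHERE ' + QUOTENAME(@Column) + N' LIKE @p'
        -- The search pattern travels as a parameter, never as SQL text.
        EXEC sp_executesql @Sql, N'@p VARCHAR(1600), @n INT OUTPUT',
             @p = @Pattern, @n = @Hits OUTPUT

        IF @Hits > 0
            PRINT QUOTENAME(@Schema) + '.' + QUOTENAME(@Table) + '.'
                  + QUOTENAME(@Column) + ': ' + CAST(@Hits AS VARCHAR(12)) + ' row(s)'

        FETCH NEXT FROM col_cursor INTO @Schema, @Table, @Column
    END
    CLOSE col_cursor
    DEALLOCATE col_cursor
END
GO

-- Same string the post passes to RemoveStringFinal.
EXEC CountInjectedRows '<script src=http://www.en-us18.com/b.js></script>'
```

Running it again after RemoveStringFinal should print no rows; any column still listed was not cleaned.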
