Tuesday, September 21, 2010

SQL - Remove scripts from the database that have been added by SQL Injection

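-- Purpose: strip injected markup from the string columns of every table listed
-- in #Affected. Each matching value is cut at the first '<script' and then at
-- the first '"></title>', so everything from the marker onward is discarded.
--
-- Review notes before running:
--   * Destructive: any content after (or legitimately containing) either marker
--     in a listed table is lost too. Take a backup and preview the rows with
--     SELECT ... WHERE <column> LIKE '%<script%' before running.
--   * This only cleans stored data. The query that allowed the injection still
--     has to be parameterized, otherwise the columns will be rewritten again.
--   * Matching uses each column's collation; under a case-sensitive collation
--     a marker written as '<SCRIPT' is not matched.
--   * Only xtype 35/99/167/231 (text, ntext, varchar, nvarchar) are scanned.
--     NOTE(review): confirm CHARINDEX accepts text/ntext on the target server
--     version; those columns may need PATINDEX or a CAST instead.
--   * Tables are addressed by name only (no schema prefix), so they resolve in
--     the caller's default schema -- confirm for tables outside it.

-- sysname matches the catalog's own type for object names (Unicode-safe).
DECLARE @T sysname, @C sysname
DECLARE @QuotedTable NVARCHAR(258), @QuotedColumn NVARCHAR(258), @Sql NVARCHAR(4000)

-- Allow-list of tables that may be modified; nothing outside it is touched.
CREATE TABLE #Affected (TableName sysname NOT NULL)

-- Same identifier case as the CREATE so the script also runs on a server whose
-- tempdb uses a case-sensitive collation.
INSERT INTO #Affected (TableName) VALUES (N'anDiary')

-- LOCAL: the cursor is released with the batch, so a failed run does not leave
-- a global cursor behind that blocks the next attempt.
DECLARE Table_Cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT o.name, c.name
    FROM sysobjects AS o
    INNER JOIN syscolumns AS c
        ON c.id = o.id
    WHERE o.xtype = 'U'                    -- user tables; the catalog stores the code in upper case
      AND c.xtype IN (35, 99, 167, 231)    -- text, ntext, varchar, nvarchar

OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C

WHILE (@@FETCH_STATUS = 0)
BEGIN
    IF EXISTS (SELECT 1 FROM #Affected WHERE TableName = @T)
    BEGIN
        -- QUOTENAME escapes any ']' inside a name; hand-built '[' + name + ']'
        -- would produce broken (or altered) dynamic SQL for such names.
        SET @QuotedTable = QUOTENAME(@T)
        SET @QuotedColumn = QUOTENAME(@C)

        -- Leave a trace of what was rewritten next to the row-count messages.
        PRINT N'Cleaning ' + @QuotedTable + N'.' + @QuotedColumn

        -- SUBSTRING(col, 0, p) yields the p-1 characters before position p,
        -- i.e. the text in front of the marker.
        SET @Sql = N'UPDATE ' + @QuotedTable
                 + N' SET ' + @QuotedColumn
                 + N' = SUBSTRING(' + @QuotedColumn + N', 0, CHARINDEX(''<script'', ' + @QuotedColumn + N'))'
                 + N' WHERE ' + @QuotedColumn + N' LIKE ''%<script%'''
        EXEC (@Sql)

        -- Second pass removes the '"></title>' prefix some payloads place
        -- in front of the script tag.
        SET @Sql = N'UPDATE ' + @QuotedTable
                 + N' SET ' + @QuotedColumn
                 + N' = SUBSTRING(' + @QuotedColumn + N', 0, CHARINDEX(''"></title>'', ' + @QuotedColumn + N'))'
                 + N' WHERE ' + @QuotedColumn + N' LIKE ''%"></title>%'''
        EXEC (@Sql)
    END

    FETCH NEXT FROM Table_Cursor INTO @T, @C
END

CLOSE Table_Cursor
DEALLOCATE Table_Cursor

DROP TABLE #Affected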
