SQL Queries for Cleaning Up Exploits

I am finally getting to bed after spending several hours cleaning up a database infection (not my code). Basically, every string field had a script tag injected into it at the beginning, and some at the end. Here are the SQL queries I ended up writing to fix this:

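For the beginning of the field: this finds a preset string (the injected code) and wipes it. Note that REPLACE removes every occurrence of that string, wherever it sits in the field, not only at the beginning. Nothing particularly difficult, I just didn’t know how to do it off of the top of my head.
-- The CAST lets REPLACE run on TEXT/NTEXT columns, but it silently
-- truncates values longer than 1000 characters.
UPDATE [TableName]
SET [ColumnName] = REPLACE(CAST([ColumnName] AS VARCHAR(1000)),'ExploitCode','')
WHERE [ColumnName] LIKE '%ExploitCode%'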

A more complicated script for the end of the field. It assumes that the exploit code at the end starts with a < and that there are no other
UPDATE [TableName]
SET [ColumnName] = LEFT([ColumnName], CHARINDEX('
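Both cleanups as one added example, not code from the original post: it goes beyond the queries above by matching the exact injected string only at the start or end of the field, so a legitimate < elsewhere in the data is left alone, and it rolls back if any copy of the payload is still present afterwards. The #Articles table, its rows and the @payload value are constructed for illustration.

```sql
-- Added example (T-SQL). Table, rows and payload are constructed, not from the post.
SET NOCOUNT ON;
DECLARE @payload VARCHAR(200) = '<script src="http://example.invalid/x.js"></script>';
DECLARE @n INT = LEN(@payload);

-- VARCHAR(MAX) avoids the truncation a CAST to a short VARCHAR would cause.
CREATE TABLE #Articles (Id INT PRIMARY KEY, Body VARCHAR(MAX));
INSERT INTO #Articles (Id, Body) VALUES
    (1, @payload + 'Welcome to the site'),      -- injected at the start
    (2, 'Price list' + @payload),               -- injected at the end
    (3, 'Use a < b to compare values'),         -- clean, with a legitimate <
    (4, @payload + 'Both ends' + @payload);     -- injected at both ends

BEGIN TRANSACTION;

-- Preview the rows that will change before touching anything.
SELECT Id, Body
FROM #Articles
WHERE LEFT(Body, @n) = @payload OR RIGHT(Body, @n) = @payload;

-- Strip the payload only when it is the first @n characters of the field.
UPDATE #Articles
SET Body = SUBSTRING(Body, @n + 1, LEN(Body))
WHERE LEFT(Body, @n) = @payload;

-- Strip the payload only when it is the last @n characters of the field.
UPDATE #Articles
SET Body = LEFT(Body, LEN(Body) - @n)
WHERE RIGHT(Body, @n) = @payload;

-- A payload that is still present sits mid-field: undo and review by hand.
IF EXISTS (SELECT 1 FROM #Articles WHERE CHARINDEX(@payload, Body) > 0)
    ROLLBACK TRANSACTION;
ELSE
    COMMIT TRANSACTION;

SELECT Id, Body FROM #Articles ORDER BY Id;
DROP TABLE #Articles;
```

Comparing with LEFT/RIGHT rather than LIKE keeps characters such as %, _ and [ in the payload from being treated as wildcards.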

Hopefully this will be of help to someone else down the road who has to deal with this. Another issue the client will have to deal with is length restrictions on the field causing them to lose data, but I don’t think UPDATE [TableName] SET [ColumnName] = CLAIRVOYANCE([ColumnName], DateThatItWasCorrectWithoutBackups) works. Might I suggest it as a feature for MS SQL 2014?
