游標(biāo)刪除注入代碼
DECLARE @fieldtype sysname
SET @fieldtype='varchar'
--刪除處理
DECLARE hCForEach CURSOR GLOBAL
FOR
SELECT N'update '+QUOTENAME(o.name)
+N' set '+ QUOTENAME(c.name) + N' = replace(' + QUOTENAME(c.name) + ',''<script_src=http://ucmal.com/0.js> </script>'','''')'
FROM sysobjects o,syscolumns c,systypes t
WHERE o.id=c.id
AND OBJECTPROPERTY(o.id,N'IsUserTable')=1
AND c.xusertype=t.xusertype
AND t.name=@fieldtype
EXEC sp_MSforeach_Worker @command1=N'?'
其實(shí)他也是這樣注入的
posted on 2009-04-25 10:54
sanmao 閱讀(74)
評(píng)論(0) 編輯 收藏