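-- Purpose: remove injected markup (the "trojan" left behind by a mass SQL injection)
-- from every character column of every user table in the current database.
-- Usage: set @str below to the string the injected content STARTS with, written as a
-- quoted SQL literal (default: '</title>'). In each affected value, everything from the
-- first occurrence of that string to the end of the value is removed.
-- The script is a dry run by default: it only PRINTs the generated UPDATE statements.
-- Review the output and take a backup, then uncomment the exec line to apply them.
-- NOTE(review): this only cleans stored data; the injection flaw that allowed the
-- writes has to be fixed separately, otherwise the columns can be modified again.

declare @tableid   int
declare @tablename sysname
declare @colid     int
declare @colname   sysname
declare @typename  sysname
declare @str       varchar(max)
declare @cast_type varchar(20)
declare @literal   nvarchar(max)
declare @target    nvarchar(600)
declare @col       nvarchar(max)
declare @sql_      nvarchar(max)   -- nvarchar so Unicode table/column names survive

-- Start-of-payload marker, already wrapped in single quotes so it can be spliced
-- into the generated statement as a literal.
set @str = '''</title>''';

-- LOCAL: the cursor is released with the batch, so an aborted run does not leave a
-- global cursor named mycursor behind that would break the next run.
declare mycursor cursor local fast_forward
for
    select c.id, c.name, a.colorder, a.name, b.name
    from syscolumns a
    inner join systypes b
        on a.xtype = b.xusertype
    inner join sysobjects c
        on a.id = c.id
    where c.xtype = 'U'                     -- user tables only
      and c.name != 'dtproperties'
      and b.name in ('text', 'ntext', 'varchar', 'char', 'nvarchar', 'nchar')
    order by c.name asc, a.colorder asc

open mycursor
fetch next from mycursor
    into @tableid, @tablename, @colid, @colname, @typename   -- first row

while @@fetch_status = 0
begin
    set @sql_ = null;   -- so the catch block never prints the previous statement

    begin try
        -- Cast to the matching (max) type: a fixed varchar(8000) cast would truncate
        -- long text/ntext/(max) values and turn Unicode data into code-page text.
        if @typename in ('ntext', 'nvarchar', 'nchar')
        begin
            set @cast_type = 'nvarchar(max)';
            set @literal   = 'N' + @str;
        end
        else
        begin
            set @cast_type = 'varchar(max)';
            set @literal   = @str;
        end

        -- QUOTENAME + schema qualification: names come from the catalog and may contain
        -- spaces, brackets or reserved words, and tables may live outside dbo.
        set @target = quotename(object_schema_name(@tableid)) + '.' + quotename(@tablename);
        set @col    = 'cast(' + quotename(@colname) + ' as ' + @cast_type + ')';

        -- Keep only the part before the marker. The WHERE clause restricts the update
        -- to rows that actually contain the marker, so clean rows are never rewritten.
        set @sql_ = ' update ' + @target
                  + ' set ' + quotename(@colname)
                  + ' = left(' + @col + ', charindex(' + @literal + ', ' + @col + ') - 1)'
                  + ' where charindex(' + @literal + ', ' + @col + ') > 0';

        --exec(@sql_)
        print(@sql_)
    end try
    begin catch
        -- Report which statement failed and why, then continue with the next column.
        print(@sql_)
        print(error_message())
    end catch

    fetch next from mycursor
        into @tableid, @tablename, @colid, @colname, @typename   -- next row
end

close mycursor
deallocate mycursor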
直接执行即可(脚本默认只打印生成的 UPDATE 语句;确认无误后取消 exec 行的注释,才会真正修改数据)