Thursday, April 24, 2008

Mass SQL Injection

Yes, it's true. Another Massive SQL injection on the network, performing a Google search results in over 510,000 modified pages.
From F-Secure WeBlog:
Check it out directly on Google page

Unless that data is sanitized before it gets saved you can't control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls. In this case the injection code starts off like this (note, this is not the complete code):



Which decoded became:



What happens as a result? It finds all text fields in the database and adds a link to malicious javascript to each and every one of them which will make your website display them automatically. So essentially what happened was that the attackers looked for ASP or ASPX pages containing any type of querystring (a dynamic value such as an article ID, product ID, et cetera) parameter and tried to use that to upload their SQL injection code.

That's another big security issue present inside ASP pages, really dangerous:

For more details check out here.

No comments: