How they work:
Like all SQL Injection attacks, this one looks for pages that access an MS SQL database but that don't sanitize its database inputs. The attack appends a piece of T-SQL code to the end of query string value similar to this:
DECLARE @S VARCHAR(4000);SET @S=CAST(0x4445434C41 ....[more hex code] 26C655F437572736F7220 AS VARCHAR(4000));EXEC(@S);--What this code does is create a variable with a hexadecimal encrypted value and then execute that variable. If we look at the unencrypted version of the code above this is what we have:
How to prevent it:
Preventing this SQL Injection attack centers on permissions set for the database users in MS SQL. Be sure that the user connecting to the database through the website application has permission only on the table(s) they need, and more importantly, make sure they do not have permission to access the sysobjects and syscolumns tables. These tables are the heart of an MS SQL database and access to it will give any intruder the names of all tables and columns in the database.