MS-SQL Injection Attack.. Here we go again.

by Dustin Puryear

I was just reading Michael Mimoso’s account of a new MS-SQL injection attack that is making the rounds. Sigh.

The funny thing is that I was just talking to one of our consultants here at Puryear IT about.. SQL injection attacks. He was working on something involving MS-SQL, and commented that MS-SQL did not properly handle dangerous code in comments in SQL code, which made it possible to attack the SQL server if security was not properly set up. Then I found that blog. Good times.

Anyway, SQL injection attacks aren’t specific to MS-SQL. Almost every database server is susceptible to them, not because of the RDBMS itself, but usually because of:

• The fact that the RDBMS was not properly configured and secured.
• The fact that applications, especially web applications, do a horrible job of checking for sane SQL statements.

There are a few ways to help yourself right out of the box, of course. For one, using prepared statements and relying on a properly designed database library in your code helps. For example, instead of using something like:

SELECT col1 FROM table1 WHERE col2 = $input;

You should be preparing the statement and relying more on your SQL library to reject any odd input, like so:

$prepared_sql = prepare("SELECT col1 FROM table1 WHERE col2 = ?");

Generally, the latter form will allow you to not worry about escaping your input. (This is not always the case though, so consult the documentation for the SQL library you are using!) That said, it still makes sense to check for anything overtly dangerous in the user input.
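
The two forms above, as an added example that is not part of the original post. Python's sqlite3 module stands in for the database library (an assumption; the post names none), and the table contents, the crafted input and the function names are constructed. It goes one step beyond the post to show one case behind the "not always the case" caveat: placeholders bind values, not identifiers such as a column name, so those need an allow-list.

```python
import sqlite3

# Constructed sample data; sqlite3 stands in for whatever RDBMS the application uses.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE table1 (col1 TEXT, col2 TEXT)")
    db.executemany("INSERT INTO table1 VALUES (?, ?)",
                   [("alice-secret", "alice"), ("bob-secret", "bob")])
    return db

def lookup_unsafe(db, user_input):
    # The first form from the post: input is spliced into the SQL text,
    # so quote characters in it change the structure of the statement.
    sql = "SELECT col1 FROM table1 WHERE col2 = '%s'" % user_input
    return [r[0] for r in db.execute(sql)]

def lookup_prepared(db, user_input):
    # The second form: the statement text is fixed and the input is bound
    # to the ? placeholder as a value only.
    sql = "SELECT col1 FROM table1 WHERE col2 = ?"
    return [r[0] for r in db.execute(sql, (user_input,))]

SORTABLE = {"col1", "col2"}  # allow-list of identifiers (hypothetical)

def lookup_sorted(db, user_input, sort_column):
    # Placeholders bind values, not identifiers, so a column name cannot be
    # passed as ?. Check it against the allow-list before building the SQL.
    if sort_column not in SORTABLE:
        raise ValueError("unexpected sort column: %r" % sort_column)
    sql = "SELECT col1 FROM table1 WHERE col2 <> ? ORDER BY " + sort_column
    return [r[0] for r in db.execute(sql, (user_input,))]

if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"        # constructed input for the demonstration
    print(lookup_unsafe(db, crafted))    # every row comes back
    print(lookup_prepared(db, crafted))  # no row matches the literal string
    print(lookup_sorted(db, "alice", "col1"))
```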

Anyway, back on the original blog entry, I found this pretty funny: ‘"They're blindly tossing SQL injections at sites and getting a high success rate. They're upping the game," Grossman said. "This is a new level of sophistication."’ There is nothing new or sophisticated about blindly running exploits against servers on the Internet. It is an old technique actually, and unfortunately, it’s always had a good rate of return.