5/16/2008

Newest SQL Injection attack

I just watched part of the SSWUG show 106, where SQL Server MVP Stephen Wynkoop dissected the current SQL Injection attack that is propagating itself around the net. The 'cool' thing with this one is that instead of passing in SELECT, UPDATE, etc. statements to your SQL Server, it's doing a CAST of a binary string into an NVARCHAR(4000) data type. That binary string translates to an UPDATE statement that craps up all of your tables, as long as drive space is available.

So...if you are filtering on keywords, your filters will not work.
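To show why a keyword filter misses this and what a log reviewer can do about it, here is a small decoder I added for this post (it is not from the show or from anyone's product). It scans constructed sample web-server log lines for a CAST of a hex literal to NVARCHAR/VARCHAR, turns the hex back into text (NVARCHAR on SQL Server is UTF-16LE, VARCHAR is single-byte), and then runs a naive keyword check on both the raw request and the decoded text. The log lines, the placeholder statement and the function names are all my own assumptions for the demo.

```python
import re
from urllib.parse import unquote_plus

# Constructed placeholder statement: stands in for whatever a hex literal hides.
PLACEHOLDER_STATEMENT = "UPDATE [placeholder_table] SET note='constructed sample'"
# NVARCHAR is UTF-16LE on SQL Server, so that is how the hex literal is built.
PLACEHOLDER_HEX = PLACEHOLDER_STATEMENT.encode("utf-16-le").hex().upper()

# Constructed sample log lines (not real traffic). Line 1 carries the CAST of a
# hex literal; line 2 is a harmless search that a naive filter would flag.
SAMPLE_LOG_LINES = [
    "2008-05-15 10:01:02 GET /products.asp id=42 200",
    "2008-05-15 10:01:03 GET /products.asp id=42;CAST(0x" + PLACEHOLDER_HEX
    + "%20AS%20NVARCHAR(4000)) 200",
    "2008-05-15 10:01:04 GET /search.asp q=update+my+profile 200",
]

# Matches CAST(0x<hex> AS NVARCHAR...) or CAST(0x<hex> AS VARCHAR...).
CAST_HEX_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR", re.IGNORECASE
)
KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "EXEC")


def keyword_filter_hits(text):
    """The kind of naive whole-word keyword filter the post says gets bypassed."""
    upper = text.upper()
    return [k for k in KEYWORDS if re.search(rf"\b{k}\b", upper)]


def decode_hex_casts(text):
    """Return the decoded text of every CAST(0x... AS [N]VARCHAR) in text."""
    decoded = []
    for m in CAST_HEX_RE.finditer(text):
        hex_digits = m.group(1)
        if len(hex_digits) % 2:
            # SQL Server reads an odd-length binary literal as if it had a leading 0.
            hex_digits = "0" + hex_digits
        raw = bytes.fromhex(hex_digits)
        # N prefix means NVARCHAR (UTF-16LE); plain VARCHAR is single-byte.
        codec = "utf-16-le" if m.group(2) else "latin-1"
        decoded.append(raw.decode(codec, errors="replace"))
    return decoded


def analyze_line(line):
    """Keyword hits on the URL-decoded request versus on the decoded CAST payloads."""
    request = unquote_plus(line)
    hidden = decode_hex_casts(request)
    return {
        "raw_keyword_hits": keyword_filter_hits(request),
        "decoded_payloads": hidden,
        "decoded_keyword_hits": sorted(
            {k for payload in hidden for k in keyword_filter_hits(payload)}
        ),
    }


def suspicious_lines(lines):
    """Indexes of lines whose decoded CAST payload contains a SQL keyword."""
    return [i for i, line in enumerate(lines) if analyze_line(line)["decoded_keyword_hits"]]


if __name__ == "__main__":
    for i, line in enumerate(SAMPLE_LOG_LINES):
        result = analyze_line(line)
        print(i, result["raw_keyword_hits"], result["decoded_keyword_hits"])
        for payload in result["decoded_payloads"]:
            print("   decoded:", payload)
```

Run it and the point of the post falls out of the output: the raw keyword check fires on the innocent "update my profile" search and stays silent on the hex-encoded line, while the decoder shows the UPDATE that the filter never saw. Decoding is for triage of what already got through; it is not a substitute for parameterized stored procedures, which make the input data rather than code in the first place.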

Move to stored procs...now.

I saw the tail end of this yesterday. The only reason my customer didn't suffer worse is that they had a database size cap of 150 MB (shared SQL Server), and we started looking into the unexpected growth.

Take care out there!

Kevin3NF
