davidthegray (6/16/2008)
Examining the code was really interesting to me, because I had never seen such a destructive code put into action. The attacker has some brain, and deep knowledge of the SQL server internals....
Bottom line is: take SQL injection risk as a real menace. There are people out there who will try everything to destroy your work and your data, for some mysterious reason! (I hope this post doesn't give some of them some bad ideas, my purpose was the exact opposite.)
Unfortunately, I would have to disagree with the statement about deep knowledge. The attacker is trying to obfuscate the code and this isn't a new attack mechanism. It's actually rather old, dating back to the IIS 4.0 days. Then it was hiding directory traversal attacks by using Unicode. It's just new with respect to applying it to SQL injection. The actual mechanism that is being tried, which inserts a javascript routine into code that will be displayed on the web page, has also been around a while.
K. Brian Kelley
@kbriankelley