That’s what just happened: a massive SQL injection was discovered on F-Secure. Hat tip to 0x000000, where I found it. I wonder how many people’s computers just got malware on them.
But imagine that, in a controlled manner, you could either destroy a website’s ranking by adding 50,000 links to all your competitors.
Unless that data is sanitized before it gets saved, you can’t control what the website will show to its users. This is what SQL injection is all about: exploiting weaknesses in these controls. In this case the injection code starts off like this (note: this is not the complete code):
Which, when decoded, becomes:
DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor
CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35
Is this a good time to mention Firewall Script again?
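
A request-log check for the decoded fragment above, as an added example (not from the original post, and not the Firewall Script it mentions). It URL-decodes each query string, also decodes any long hex literal, and flags requests carrying several of the T-SQL tokens from the fragment. That the encoded form is a `0x...` hex literal or URL-encoding is an assumption, since the post does not show it; the log format, addresses and paths are constructed.

```python
import re
from urllib.parse import quote, unquote_plus

# T-SQL tokens taken from the decoded fragment quoted in the post.
MARKERS = ("declare", "cursor", "sysobjects", "syscolumns")
# Assumption: an encoded payload appears as a long hex literal (0x...).
HEX_LITERAL = re.compile(r"0x((?:[0-9a-f]{2}){8,})", re.IGNORECASE)


def decode_layers(query):
    """URL-decode the query string and append the text of any long hex literal."""
    text = unquote_plus(query)
    layers = [text]
    for match in HEX_LITERAL.finditer(text):
        # latin-1 maps every byte to a character, so this never raises.
        layers.append(bytes.fromhex(match.group(1)).decode("latin-1"))
    return " ".join(layers).lower()


def suspicious_markers(query):
    """Return the markers found in any decoded layer of the query string."""
    text = decode_layers(query)
    return [m for m in MARKERS if re.search(rf"\b{m}\b", text)]


def scan(log_lines, threshold=3):
    """Yield (client, markers) for requests whose query holds >= threshold markers."""
    for line in log_lines:
        client, _, request = line.partition(" ")
        _, _, query = request.partition("?")
        hits = suspicious_markers(query)
        if len(hits) >= threshold:
            yield client, hits


# Constructed sample input: the (incomplete) fragment from the post, encoded two ways.
FRAGMENT = ("DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
            "select a.name,b.name from sysobjects a,syscolumns b")
SAMPLE_LOG = [
    "198.51.100.7 GET /news.asp?id=12",
    "203.0.113.9 GET /news.asp?id=0x" + FRAGMENT.encode().hex(),
    "203.0.113.10 GET /news.asp?id=" + quote(FRAGMENT),
    # Benign search that mentions two of the words; stays below the threshold.
    "198.51.100.8 GET /search.asp?q=how+to+declare+a+cursor",
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG):
        print(client, hits)
```

A match is a reason to look at the request, not a substitute for parameterized queries and output encoding in the application itself.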