Although this attack targets websites powered by Microsoft SQL Server, databases such as Oracle are also vulnerable to this attack.
The attacks “are a very sophisticated form of SQL injection,” Qualys CTO Wolfgang Kandek told TechNewsWorld. “Normally, SQL injection is targeted to one table. With this attack, they used a generic mechanism of the underlying database to make it work on a much broader set of applications.”
The attacks have targeted sites running IIS and ASP that have an MS-SQL database. However, they are not exploiting a particular flaw in these applications — the exploit could have been written to target any database — Oracle or WebSphere, for example.
Rather, the code exploits what security researchers are bemoaning as an elementary lapse in Web security on the part of developers installing the databases.
In addition to this attack, the article mentions another one, specific to SQL Server, on the horizon:
“The underlying database servers are often misconfigured to have an extended stored procedure xp_cmdshell enabled,” Belani told TechNewsWorld. “This setting allows an attacker to execute commands at the operating system level post compromise via SQL injection. This level of access is hard to come by in other database servers like Oracle.”
The root cause of these attacks is insecure web application design, which allows SQL code to be inserted into a page request and executed in the following database query. This is an old technique known as SQL Injection.
If you’re not familiar with SQL Injection, you need to be, since it’s a very basic flaw with serious ramifications. I recommend highly reading 19 Deadly Sins of Software Security for very good introductions to some very basic design issues.