SQL injection attacks have become the most reliable way for hackers to gain access to valuable data on back-end systems, with many high-profile Web sites falling victim to the technique over the last couple of years. The attacks themselves are fairly straightforward, but the results can be devastating, as this explanation of SQL injection from IBM ISS’s X-Force shows.
From the X-Force’s Frequency X blog:
SQL injection can be pretty simple and straightforward. Yet, through this vector, an attacker could infiltrate deep into an infrastructure and be relatively unseen. What many database administrators don’t understand is that SQL injection doesn’t merely allow the attacker to manipulate the data in a web application’s underlying database – it can provide direct access to the operating system that database is running on. Using features like xp_cmdshell in Microsoft SQL Server, SQL injection can be leveraged to run DOS shell commands against the underlying operating system of the SQL Server at the same privilege level as the database application, which is most often SYSTEM level.
Read the full post on SQL injection here.
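The post above describes what an injected statement can reach; the defect that lets it in is the same every time: untrusted text is pasted into the SQL statement so that quotes in the input change the statement's structure. The following is an added example, not code from the X-Force post, showing the same lookup written the vulnerable way and with a bound parameter. It runs against an in-memory SQLite table (the table, its rows and the inputs are constructed here) because SQLite ships with Python; the concatenation defect behaves identically on SQL Server, and the parameterized form is what keeps the injected text from ever being parsed as SQL.

```python
"""Added example: string-concatenated lookup beside its parameterized fix.
Everything here (table, rows, inputs) is constructed for the demonstration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user"), ("o'brien", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Untrusted input is spliced into the SQL text. A quote in the input
    closes the literal early and the rest of the input becomes SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The statement text is fixed; the driver passes the value separately,
    so it can only ever be compared as data, quotes included."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed inputs: the classic tautology payload and a legitimate name
# that happens to contain an apostrophe.
INJECTED_INPUT = "x' OR '1'='1"
HONEST_INPUT = "o'brien"


def demo() -> dict:
    """Run both lookups over both inputs and report what each returns.
    The concatenated form leaks every row for the injected input and breaks
    on the honest one; the parameterized form behaves correctly for both."""
    conn = make_db()
    results = {
        "vulnerable_injected": lookup_vulnerable(conn, INJECTED_INPUT),
        "parameterized_injected": lookup_parameterized(conn, INJECTED_INPUT),
        "parameterized_honest": lookup_parameterized(conn, HONEST_INPUT),
    }
    try:
        results["vulnerable_honest"] = lookup_vulnerable(conn, HONEST_INPUT)
    except sqlite3.OperationalError as exc:
        # The stray apostrophe in a real name is a syntax error here: the same
        # flaw that enables injection also makes the query unreliable.
        results["vulnerable_honest"] = "error: " + str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Parameter binding closes the door the post describes: if the injected text is never parsed as SQL, it cannot carry an `EXEC xp_cmdshell` along with it. The second, independent control on SQL Server is to leave `xp_cmdshell` disabled (it is off by default and is toggled with `sp_configure`) and to run the database service under a low-privilege account rather than SYSTEM, so that a query that does get through has far less to reach.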