SQL Injection galore!

Attention developers, programmers, and hobby websiters – please sanitize your inputs!

In this case, the injected SQL is simply updating text fields within the database, to make them include an extra fragment of HTML. This HTML in turn loads a JavaScript from a remote server, typically “http://lizamoon.com/ur.php” or more recently, “http://alisa-carter.com/ur.php.” Both domain names resolve to the same IP address, and presently that server is not functional, leaving browsers unable to load the malicious script when they visit infected pages. Previously, it contained a simple script to redirect users to a fake anti-virus site.

The massive scale of these attacks (and the rapidly growing number of affected URLs) was first noticed by Websense Security Labs. On Tuesday, around 28,000 URLs were compromised; now more than 20 times more URLs are infected, and the numbers are still growing.

via: Massive SQL injection attack making the rounds—694K URLs so far

And in addition:

Two hackers going by the names TinKode and Ne0h managed to gain access to sensitive information on MySQL.com, the website for the popular open source database.

In the data shared by the hackers, some of the password hashes were cracked to reveal complete login details for accounts associated with mySQL.com, including the WordPress account login details for Robin Schumacher, the former director of product management, and Kaj Arnö, former vice president of community relations.

Some of the passwords revealed simple phrases. Schumacher set his password as a simple 4-digit number—with three repeating digits. The hackers also posted several other database tables without the password hashes.

That’s the same number I use on my luggage!

via: Hackers use blind SQL injection attack to crack Oracle-Sun, MySQL.com

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s