Real, Famous SQL Injection Attacks

I'm doing some research for a presentation and I figured with all the Info Sec guys on this forum someone will have some information on this.
I am looking for analysis of real SQL injection attacks that have been used by noteworthy malware in the past. I'm not interested in articles that explain fundamental/basic ideas or generic SQL injections. I would like a very low level discussion of the actual attack, how it worked and the problems it caused. So a serious discussion of the attack used on the Sony web site or the one that was going around a few months back that defaced the iTunes site and spread other malware. Any help on the topic would be helpful.
Comments
JDMurray Admin Posts: 13,113 Admin
SQL injection attacks mostly originate from humans using tools and scripts and not by Malware. You can certainly create a Trojan horse to gain admin privilege and start searching for databases to inject and exfiltrate, but I can't think of any famous attacks that used Malware for this purpose. It's usually people injecting their way in through a Web site's GUI.
RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
Asprox is at least one example. Asprox SQL Injection Malware | White Fir Design
Lizamoon is another... How to Defeat Lizamoon in One Easy Step | News & Opinion | PCMag.com
powerfool Member Posts: 1,670 ■■■■■■■■□□
Consider the implications of repeatable SQL injection attacks for web interfaces and cross-walk that with "Google Hacking." I remember an article from several years back discussing default passwords and the Filemaker web interface. You could do a search of text that shows up on the login screen and get hits for hundreds of thousands of these and 50% had the default password. Now, extrapolate that to systems with known SQL injection vulnerabilities...