Thursday, May 29, 2008

It's (Past) Time to Pay Attention

Despite the amount of virtual ink spent covering the ongoing SQL injection attacks, many site developers and web users seem oblivious to the threat. This may be the result of a few factors: (1) readers distrust security vendor warnings, assuming it's all marketing hype; (2) so many inaccuracies have been published about the attacks that users are simply confused; and/or (3) when users do see alerts coming from legitimate web sites, many may automatically assume it's a false positive. After all, security vendors have preached time and again that staying safe online means sticking with known, legitimate web sites. Extrapolating from that, doesn't it imply that all known, legitimate web sites are safe?

In two words, not anymore.

But while the SQL injection attacks are a very real and very pervasive threat, they could be just the tip of the iceberg. In addition to adding data through SQL injection, attackers may also be able to read, delete or modify other data. And depending on whether accounts are exposed and how those accounts are configured, such a compromise could result in escalation of privileges and ultimately in complete compromise of the server. Considering that databases are central to most of today's Web apps, the potential impact could shake up the entire Web.
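The risk described above (injected input turning an intended single-row write into a change to every row) as an added example that is not from the post or from any tool it mentions: a string-built UPDATE beside its parameterized form, run against a constructed in-memory SQLite table. The `products` table, the hostile input and the function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample table (not from the post): two rows a site might publish.
SAMPLE_ROWS = [
    (1, "widget", "A simple widget"),
    (2, "gadget", "A handy gadget"),
]


def make_db():
    """Build an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def update_description_vulnerable(conn, name, new_desc):
    """Vulnerable: input is pasted into the SQL text, so a crafted name
    can rewrite the WHERE clause and touch every row. Returns rows changed."""
    sql = "UPDATE products SET description = '%s' WHERE name = '%s'" % (new_desc, name)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_description_safe(conn, name, new_desc):
    """Hardened: the same statement with bound parameters. The driver passes
    name and new_desc as values, never as SQL, so only an exact match changes."""
    cur = conn.execute(
        "UPDATE products SET description = ? WHERE name = ?", (new_desc, name)
    )
    conn.commit()
    return cur.rowcount


def descriptions(conn):
    """Return {name: description} so the effect of each version is visible."""
    return dict(conn.execute("SELECT name, description FROM products ORDER BY id"))


if __name__ == "__main__":
    # Constructed hostile input: closes the quoted value, then adds an always-true clause.
    hostile_name = "' OR '1'='1"
    vuln = make_db()
    print("vulnerable rows changed:", update_description_vulnerable(vuln, hostile_name, "TAMPERED"))
    print(descriptions(vuln))  # both rows now read TAMPERED
    safe = make_db()
    print("safe rows changed:", update_description_safe(safe, hostile_name, "TAMPERED"))
    print(descriptions(safe))  # untouched: no product is literally named "' OR '1'='1"
```

The difference to watch for in logs or audits is the row count: a "rename one product" request that reports two rows changed is the signature of a broken WHERE clause.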

And speaking of shaking things up, here's what Alberto Revelli (aka icesurfer) has to say about his SQL Server 'injection and takeover tool':

"Fancy going from a SQL Injection to a full GUI access on the DB server? What about extracting password hashes on the fly? Take a few new SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have the latest release of sqlninja!"

You can catch a glimpse of this on his sqlninja demo page.

Reader Comments (1)

I heard that SQL injection attacks (as well as XSS forgery) are not just a growing threat here, but in China. It really just pays for IT pros to not take any shortcuts in dev time -- the rewards are a more functional system and less to worry about in the future.
**********
Nico del Castillo
HelloSecureWorld Team
www.microsoft.com/hellosecureworld7

May 30, 2008 | Unregistered Commenter Nico
