SQL injection is one of the oldest and most well-understood vulnerability classes in software security. Most developers know the rules: use parameterized queries, avoid string concatenation, sanitize your inputs. And yet, SQL injection vulnerabilities continue to appear even in places where you least expect them.
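To make the three rules concrete for the environment this post is about (T-SQL stored procedures that build dynamic SQL), here is an added example of the unsafe pattern next to two hardened forms. This is illustration code written for this article, not code from the original post and not the system procedure it discusses; the table `dbo.Databases_Demo` and the procedures `usp_GetOwner_Unsafe`, `usp_GetOwner_Safe` and `usp_CountRows_Safe` are constructed for the example and exist nowhere else.

```sql
-- Added example; constructed table and procedures, not from the original post.
CREATE TABLE dbo.Databases_Demo (name sysname NOT NULL, owner sysname NOT NULL);
INSERT INTO dbo.Databases_Demo (name, owner)
VALUES (N'Sales', N'app_user'), (N'HR', N'hr_user');
GO

-- Unsafe pattern: the caller-supplied value is concatenated into the query text.
-- Any input containing a single quote becomes part of the statement instead of
-- part of the data, and the whole string runs with the procedure's privileges.
CREATE PROCEDURE dbo.usp_GetOwner_Unsafe @database_name sysname
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT owner FROM dbo.Databases_Demo WHERE name = '''
             + @database_name + N''';';
    EXEC (@sql);   -- string is parsed as code; no boundary between data and SQL
END;
GO

-- Hardened form 1: when the value is DATA, pass it as a parameter to
-- sys.sp_executesql. The plan is compiled once; @name is never parsed as SQL.
CREATE PROCEDURE dbo.usp_GetOwner_Safe @database_name sysname
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT owner FROM dbo.Databases_Demo WHERE name = @name;';
    EXEC sys.sp_executesql @sql, N'@name sysname', @name = @database_name;
END;
GO

-- Hardened form 2: when the value must become an IDENTIFIER (table, column,
-- database name), it cannot be a parameter. Validate it against the catalog,
-- then wrap it with QUOTENAME so brackets and quotes inside it are escaped.
CREATE PROCEDURE dbo.usp_CountRows_Safe @table_name sysname
AS
BEGIN
    IF NOT EXISTS (SELECT 1 FROM sys.tables
                   WHERE name = @table_name AND schema_id = SCHEMA_ID(N'dbo'))
        THROW 50000, N'Unknown table in schema dbo.', 1;

    DECLARE @sql nvarchar(max) =
        N'SELECT COUNT(*) AS row_count FROM dbo.' + QUOTENAME(@table_name) + N';';
    EXEC sys.sp_executesql @sql;
END;
GO

-- Usage with constructed sample input.
EXEC dbo.usp_GetOwner_Safe  @database_name = N'Sales';   -- returns app_user
EXEC dbo.usp_CountRows_Safe @table_name    = N'Databases_Demo';   -- returns 2
GO
```

The split between form 1 and form 2 is the point that catches system procedures as often as application code: a parameter handles values, but an object name has to be spliced into the text, and that splice is safe only if the name is both checked against the catalog and quoted with `QUOTENAME`. Concatenating a `sysname` argument directly, as `usp_GetOwner_Unsafe` does, is the pattern to look for when reviewing any procedure that calls `EXEC (@sql)`.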
This article documents a SQL injection vulnerability I discovered in sys.sp_dbmmonitorupdate, a Microsoft-signed system stored procedure. For other SQL Server security vulnerabilities I’ve discovered, see the full series here.
What makes this case particularly interesting is not just that the vulnerability exists in a trusted system object, but how it works: the injection bypasses

