Dozens of military, government and education websites have been hacked and are up for sale, according to researchers from Imperva's Hacker Intelligence Initiative (HII).
The list includes defence, state and university sites in Europe and the US that have been hacked exploiting SQL injection vulnerabilities, the researchers said.
Administrator access to these sites is being sold at $55 to $499 each, said Noa Bar Yosef, senior security strategist at Imperva.
In some cases, hackers are selling personally identifiable information (PII) from infiltrated sites at $20 for 1,000 records.
"The victims' vulnerabilities were probably obtained by an SQL injection vulnerability automatic scanner and exploited in automatic manner," said Noa Bar Yosef.
SQL injection attacks on websites and remedies for hardening sites are well documented, yet many sites are still vulnerable.
In a recent high-profile attack, the British Royal Navy website was compromised using SQL injection in November 2010.
Security firm Sophos said the attack was a strong reminder to website owners of the importance of protecting their sites against attack.
"All website owners should take note of this attack and the need to build secure websites that cannot be breached easily by hackers," said Graham Cluley, senior technology consultant at Sophos.
Perhaps one of the best-known SQL injection attack was carried out in 2009, when the US Justice Department charged an American citizen Albert Gonzalez and two unnamed Russians with the theft of 130 million credit card numbers using an SQL injection attack.
The gang stole cards from a number of corporate victims after researching their payment processing systems. Among the companies hit were retail group TJX and credit card processor Heartland Payment Systems.