The blog pretty much speaks for itself: http://www.circleid.com/posts/20081022_sql_injection_attacks_chinese_way/

Client-side browser vulns are of little use without an effective way of spreading them to the victims. Unfortunately, it's still relatively easy for the miscreants to spread them around using tools like this.
The comment about SQL injection via cookies is interesting...