Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: SFX-SQLi: A new SQL injection technique for SQL Server (dumps a table in one request!)
From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Sat, 07 Feb 2009 22:10:59 -0600

--On February 7, 2009 10:02:21 AM -0600 Daniel Kachakil <dani () kachakil com> wrote:

I have written a paper describing how the technique works and in which
fundamentals it is based, and I have also developed a tool which
implements
this technique as a proof of concept (with the source code included).

You can get them through this URL:

http://www.kachakil.com/papers/SFX-SQLi-en.htm

Having read your paper, I'm a bit confused about what you think the "new SQL injection technique" is that you've discovered. I understand you have determined a way to *extract* data in a more compact and efficient format, but I didn't see any new *injection* technique. IOW, the FOR XML construct isn't going to assist you in obtaining the data - only in obtaining it more efficiently.

Did I miss something?

Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
******************************************
WARNING: Check the headers before replying

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]