Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Penetration Testing: [PEN-TEST] Hacking SQL queries ...

[PEN-TEST] Hacking SQL queries ...

From: Aurobindo Sundaram (+1 512 918 1390) <sundaram_at_AUSTIN.APC.SLB.COM>
Date: Wed, 7 Feb 2001 14:07:35 -0600

I have to audit a bit of code that does the following

SELECT Name FROM Users WHERE Name LIKE '%input%' ORDER BY Name

where input is the user-input. When I try the input 'test, the code
generated is

SELECT Name FROM Users WHERE Name LIKE '%''test%' ORDER BY Name

Since I'm an SQL newbie, I'd be curious to know how someone could supply
the appropriate input to do bad things on the SQL server - either in R/O or
R/W mode

If there are SQL hacking pages someplace, a link would be appreciated

Thanks,
Robin
Received on Feb 08 2001

This message: [ Message body ]
Next message: Nicolas GREGOIRE: "Re: [PEN-TEST] Hacking SQL queries ..."
Previous message: Nathan Catlow: "Re: [PEN-TEST] Spoofing switched networks"
In reply to: Reinder Wiersma: "Re: [PEN-TEST] Expand right under Win2K"
Next in thread: Nicolas GREGOIRE: "Re: [PEN-TEST] Hacking SQL queries ..."
Reply: Nicolas GREGOIRE: "Re: [PEN-TEST] Hacking SQL queries ..."
Reply: Aaron C. Newman: "Re: [PEN-TEST] Hacking SQL queries ..."
Reply: Florian Specker: "Re: [PEN-TEST] Hacking SQL queries ..."
Reply: Philip Wagenaar: "Re: [PEN-TEST] Hacking SQL queries ..."
Maybe reply: O'Kelly, Aidan: "Re: [PEN-TEST] Hacking SQL queries ..."

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]