Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Penetration Testing: Re: [PEN-TEST] Hacking SQL queries ...

Re: [PEN-TEST] Hacking SQL queries ...

From: Nicolas GREGOIRE <nicolas.gregoire_at_7THZONE.COM>
Date: Wed, 7 Feb 2001 23:13:37 +0100

"Aurobindo Sundaram (+1 512 918 1390)" a écrit :
>
> I have to audit a bit of code that does the following
>
> SELECT Name FROM Users WHERE Name LIKE '%input%' ORDER BY Name

Bad, so bad ...

Check r.f.p.'s PacketStorm hack
(http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=7)

The Perl module DBI doesn't allow several queries in one line.
So you can just insert some fields in the "where"
But with MS-SQL, all is possible (delete table, mail results, ...)

Nicob
Received on Feb 08 2001

This message: [ Message body ]
Next message: Aaron C. Newman: "Re: [PEN-TEST] Hacking SQL queries ..."
Previous message: Aurobindo Sundaram (+1 512 918 1390): "[PEN-TEST] Hacking SQL queries ..."
In reply to: Aurobindo Sundaram (+1 512 918 1390): "[PEN-TEST] Hacking SQL queries ..."
Next in thread: Aaron C. Newman: "Re: [PEN-TEST] Hacking SQL queries ..."

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]