Home page logo

pen-test logo Penetration Testing mailing list archives

MS Access+pen-test
From: wymerzp () sbu edu
Date: 13 Jun 2007 19:55:07 -0000

I was looking over a client's website when I discovered a classic (almost cliche) sql injection vulnerability (i.e. 
Username ' OR ''=' | Password ' OR ''='). I did more poking and prodding and discovered that they are using MS Access 
for a backend. I know you can't string queries together (i.e. Select user from tbl where blah = var; Select...). My 
question is then, is there any 'good way' to use sql injection against this database to drive home the severity of the 
lack of input validation? Currently, the best I got was access to non-sensitive information that one simply needed to 
supply an email for.
Thanks a lot,

This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]