Home page logo

pen-test logo Penetration Testing mailing list archives

Re: any sql injection bypass on filters?
From: Jacky Jack <jacksonsmth698 () gmail com>
Date: Thu, 23 Sep 2010 14:38:26 +0800

@The Dead

The application filters all characters except a-zA-Z.

If I send 0x0000 Hex string, it will become x.
If I send char(00), it will become char.

@Joe Peters

I fail to think that  simply causing the application issue a general
SQL can't be assumed as sql injection vulnerability.
I doubt this is just a kind of information disclosure/leakage where
the database name, field name are leaked through errors?

I must confirm this is actually exploitable to prove the clients
either by extracting some useful information.

This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]