Data Thief
Data Thief is a “proof-of-concept” tool used to
demonstrate to web administrators and developers how
easy it is to steal data from a web application that
is vulnerable to SQL Injection. Data Thief is designed
to retrieve the data from a Microsoft SQL Server
back-end behind a web application with a SQL Injection
vulnerability. Once a SQL Injection vulnerability is
identified, Data Thief does all the work of listing
the linked servers, laying out the database schema, and
actually selecting the data from a table in the
application.
http://www.appsecinc.com/resources/freetools/
The tool is based on this paper:
Manipulating Microsoft SQL Server Using SQL Injection:
This paper will focus on advanced techniques that can
be used in an attack on an application utilizing
Microsoft SQL Server as a backend. These techniques
demonstrate how an attacker could use a SQL Injection
vulnerability to retrieve the database content from
behind a firewall and penetrate the internal network.
http://www.appsecinc.com/news/briefing.html#inject
Feedback is welcome.
NEW SECURITY LIST: For people interested in SQL Server
security, vulnerabilities, SQL injection, etc., I'm
starting a new mailing list you can join at:
http://groups.yahoo.com/group/sqlserversecurity/
Enjoy!!
Cesar.
Received on May 01 2003
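The announcement above describes a tool that exploits SQL Injection against a Microsoft SQL Server back-end; the defect it relies on lives in the web application, where user input is pasted into query text. The following is an added illustration, not code from the original post, from Data Thief, or from Application Security Inc. It assumes sqlite3 as a stand-in for SQL Server (the binding mechanism is the same idea as parameterised queries in any SQL Server driver), a constructed `users` table, and hypothetical application functions `lookup_user_unsafe` and `lookup_user_safe`. It shows side by side why concatenated input lets a quote character change the structure of the query, and why a bound parameter is always treated as data.

```python
"""Why SQL Injection works and why parameterised queries stop it.

Added illustration, not part of the original post or of Data Thief.
Assumptions: sqlite3 stands in for Microsoft SQL Server, the `users`
table and its rows are constructed sample data, and lookup_user_unsafe
and lookup_user_safe are hypothetical application functions.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.test"),
         (2, "O'Brien", "obrien@example.test"),
         (3, "carol", "carol@example.test")],
    )
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the user-supplied value is concatenated into the
    SQL text, so any quote in the input becomes part of the query syntax."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: the query text is fixed and the value is bound as a
    parameter, so the driver always treats it as a literal string."""
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name: str) -> dict:
    """Run both versions on the same input and report what each did."""
    conn = make_db()
    result = {"safe": lookup_user_safe(conn, name)}
    try:
        result["unsafe"] = lookup_user_unsafe(conn, name)
    except sqlite3.OperationalError as exc:
        # The parser choked because the input altered the query structure;
        # that is the same flaw an injection tool relies on to run its own
        # statements, seen here from the harmless side.
        result["unsafe"] = f"query structure altered by input: {exc}"
    return result


if __name__ == "__main__":
    # A plain name behaves the same in both versions; a name containing a
    # quote only survives in the parameterised version.
    for probe in ("alice", "O'Brien"):
        print(probe, "->", compare(probe))
```

The point for developers reviewing their own code is that the hardened version never builds SQL from strings at all, so there is nothing for an injection tool to rewrite; for administrators, the unsafe function's behaviour on ordinary data containing a quote is also a cheap test to spot concatenated queries before anyone hostile does.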