Penetration Testing mailing list archives
RE: Pen-testing AS400 DB2 LANSA
From: "Amichai Shulman" <shulman () imperva com>
Date: Wed, 22 Jun 2005 13:27:57 +0200
There are many options, usually a good starting point would be to look
at the returned error message (if any). Otherwise my guess would be to
just terminate a statement (" --") and take it from there.
Amichai Shulman
CTO
Imperva, Inc.
12 Hachilazon St.
Ramat Gan
(972)-3-6120133 x103 Office
(972)-3-7511133 Fax
(972)-50-6544451 Mobile
shulman () imperva com
-----Original Message-----
From: Eoin Keary [mailto:eoinkeary () hotmail com]
Sent: Wednesday, June 22, 2005 10:51 AM
To: Amichai Shulman; pen-test () securityfocus com
Cc: eoin.keary () owasp org
Subject: RE: Pen-testing AS400 DB2 LANSA
Thanks Amichai,
Regular tests such as "O'Brien" or " ' Or 1=1 -- ' do not work. So I was
wondering if there are any other vectors one could try specific to DB2 &
AS400.
From: "Amichai Shulman" <shulman () imperva com>
To: <pen-test () securityfocus com>
CC: <eoin.keary () owasp org>
Subject: RE: Pen-testing AS400 DB2 LANSA
Date: Wed, 22 Jun 2005 09:32:31 +0200
We did a pen-test on a web application a while ago that used DB2 on
AS400 as backend database. Found SQL injection to work much like with
any other database. Interesting thing though was that we invoked a
denial-of-service attack against the AS400 by injecting a computation
intensive query.
Amichai Shulman
CTO
Imperva, Inc.
12 Hachilazon St.
Ramat Gan
(972)-3-6120133 x103 Office
(972)-3-7511133 Fax
(972)-50-6544451 Mobile
shulman () imperva com
-----Original Message-----
From: eoin.keary () owasp org [mailto:eoin.keary () owasp org]
Sent: Wednesday, June 15, 2005 3:34 PM
To: pen-test () securityfocus com
Subject: Pen-testing AS400 DB2 LANSA
Hi, anyone have any knowledge on SQL injection for a AS400 running DB2?
Eoin
