Full Disclosure mailing list archives

Re: SFX-SQLi: A new SQL injection technique for SQL Server (dumps a table in one request!)


From: Paul Schmehl <pschmehl_lists () tx rr com>
Date: Sat, 07 Feb 2009 22:10:59 -0600

--On February 7, 2009 10:02:21 AM -0600 Daniel Kachakil <dani () kachakil com> wrote:

I have written a paper describing how the technique works and in which
fundamentals it is based, and I have also developed a tool which implements
this technique as a proof of concept (with the source code included).

You can get them through this URL:

http://www.kachakil.com/papers/SFX-SQLi-en.htm

Having read your paper, I'm a bit confused about what you think the "new SQL injection technique" is that you've discovered. I understand you have determined a way to *extract* data in a more compact and efficient format, but I didn't see any new *injection* technique. IOW, the FOR XML construct isn't going to assist you in obtaining the data - only in obtaining it more efficiently.

Did I miss something?

Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
******************************************
WARNING: Check the headers before replying


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
