Penetration Testing mailing list archives

Re: [PEN-TEST] stacking SQL requests


From: Justin Shaffer <justins () SCREAMINGMEDIA COM>
Date: Thu, 31 Aug 2000 08:46:28 -0400

I could be wrong, because I haven't looked into it at all, but I believe
that that part of it (which lets you or doesn't let you execute multiple
SQL commands) is in the DBD. I think I can issue multiple commands in a
single call w/ the DBI/Oracle DBD that I use.

-Justin

Emmanuel Gadaix wrote:

Anybody know anything equivalent for _Oracle_ SQL?

(sending mail, executing shell commands, etc.)

Thanks

At 01:21 AM 31/8/2000, you wrote:
You can find M$ info on xp_sendmail at:

http://support.microsoft.com/support/SQL/Content/inprodhlp/_xp_sendmail.asp?LN=EN-US&SD=gn&FR=0

Please note that you have to have configured the SQLMail agent (install
Outlook, set up a profile, etc.) for any of this to even run. As far as quoted
statements, I'm under the presumption that you have to roll your own. Anyone
that doesn't do any syntax checking on the queries from this type of thing
is asking for it.

'drew

-----Original Message-----
From: Nicolas Gregoire [mailto:nicolas.gregoire () 7THZONE COM]
Sent: Wednesday, August 30, 2000 11:30 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] stacking SQL requests


Emmanuel Gadaix wrote:

That is, inputs such as: hisname' ; select sysdate from dual --
will result in:
ERROR at line 2:
ORA-00911: invalid character
Has anybody on the list been playing with this on Oracle? Other databases?

Do you use an interface between your web form and your DB?

For example, using Perl and the DBI.pm interface with the MySQL driver,
it is impossible to execute something like:

(select * from CLIENTS where nom="my_name" ; drop CLIENTS ) #)"

when your input is:

my_name" ; drop CLIENTS ) #

because the DBI Perl module forbids the execution of more than one command
at a time.

I don't know about other DBs..., sorry.

(Who knows about a stored procedure in MS SQL that allows sending results by
mail?)

--
Emmanuel Gadaix
The Relay Group
http://relaygroup.com

9A1C A656 5F15 977D 0A1B  5E11 E06F 439C 3C68 7413

--
Justin Shaffer
UNIX System Administrator/IT
ScreamingMedia
Direct 212 659 2090
Mobile 646 734 4414

