Penetration Testing mailing list archives
Re: SQL Injection
From: Nicolas Gregoire <nicolas.gregoire () 7thzone com>
Date: Mon, 10 Sep 2001 13:07:39 +0200
Kevin Spett wrote:
> I am working on a script where I am able to inject arbitrary SQL code into the request, but am unable to get the records I want. [snip] Also, good sites or papers that discuss SQL code injection would be appreciated.

A good paper about this subject is "Web Application Disassembly with ODBC Error Messages" by David Litchfield, from the BlackHats 2001 sessions.

There is a copy on my website:
http://nicob.net/BHWin01Litchfield.doc
and here is another mirror:
http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/win-usa-01/Litchfield/BHWin01Litchfield.doc

Nicob

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/