Penetration Testing mailing list archives
Re: Which SQL is that? SQL Injection question
From: Tonu Samuel <tonu () jes ee>
Date: Tue, 18 Jul 2006 13:50:22 +0300
On Tuesday 18 July 2006 01:01, Daniele Bellucci wrote:
be aware , INFORMATION_SCHEMA is not available in MySQL lesser than v.5!
5.0.4 is the first to be exact.
'+and+concat('a','a')='aa Also works and provides resultconcat is ONLY available in mysql! Postgres, Oracle, M$ SQL Serve they all have different function for strings concats.
Sometime they have alias procedures defined. Googled around it seen similar solutions. Also if I remember properly DB2 had such function but not sure anymore.
Other DBMS uses different function to concatenatre strings .. that's why IMHO target DBMS is MySql!'+and+concat('a','a')='a emtpy screenbecause in MySQL: select concat('a','a') returns 'aa'
MySQL always knew about comments in SQL command. This one does not which is really weird. Anyway I try to find something more to test it against MySQL fingerprints. Maybe some characters are blacklisted somehow. Tõnu ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details. ------------------------------------------------------------------------------
Current thread:
- Which SQL is that? SQL Injection question Tonu Samuel (Jul 17)
- Re: Which SQL is that? SQL Injection question Daniele Bellucci (Jul 17)
- Re: Which SQL is that? SQL Injection question Tonu Samuel (Jul 18)
- Re: Which SQL is that? SQL Injection question killy (Jul 18)
- Re: Which SQL is that? SQL Injection question Daniele Bellucci (Jul 17)