Penetration Testing mailing list archives
MS Access+pen-test
From: wymerzp () sbu edu
Date: 13 Jun 2007 19:55:07 -0000

I was looking over a client's website when I discovered a classic (almost cliche) SQL injection vulnerability (i.e. Username ' OR ''=' | Password ' OR ''='). I did more poking and prodding and discovered that they are using MS Access for a backend. I know you can't string queries together (i.e. Select user from tbl where blah = var; Select...).

My question is then, is there any 'good way' to use SQL injection against this database to drive home the severity of the lack of input validation? Currently, the best I got was access to non-sensitive information that one simply needed to supply an email for.

Thanks a lot,
Zach