Penetration Testing mailing list archives

Re: SQL Injection - Waitfor delay


From: p1g <killfactory () gmail com>
Date: Wed, 15 Oct 2008 22:33:10 -0400

x,


Check out the DefCon site. There was a session that covered some of these
techniques.

On Mon, Oct 13, 2008 at 9:42 AM, xelerated <xelerated () gmail com> wrote:
Hi all,
I am trying to find more information about a SQL Injection using
"waitfor delay".

So far, no one that I have asked in the pen test and security field
feels it's a vulnerability, but my client does think it's a big deal but
there really is very little information that I can find on it.
I hear rumors that using the waitfor delay can help enumerate a
database, but again, I'm not sure about that.

I'd like to pull on the vast knowledge of this list to see if that
counts in a test as a SQL Inject, and if it's a big deal if you can use
it.


Thanks!
Chris

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------





-- 
-p1g
SnortCP, ESSE-D, C|HFI, TNCP, TECP, NACP, A+, whatever..
  ,,__
o"     )~  oink oink
   ' ' ' '

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke
