Penetration Testing mailing list archives
Re: any sql injection bypass on filters?
From: Jacky Jack <jacksonsmth698 () gmail com>
Date: Thu, 23 Sep 2010 14:38:26 +0800
@The Dead The application filters all characters except a-zA-Z. If I send 0x0000 Hex string, it will become x. If I send char(00), it will become char. @Joe Peters I fail to think that simply causing the application issue a general SQL can't be assumed as sql injection vulnerability. I doubt this is just a kind of information disclosure/leakage where the database name, field name are leaked through errors? I must confirm this is actually exploitable to prove the clients either by extracting some useful information. ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- any sql injection bypass on filters? Jacky Jack (Sep 22)
- Re: any sql injection bypass on filters? The Dead (Sep 22)
- Re: any sql injection bypass on filters? Speedy (Sep 23)
- Re: any sql injection bypass on filters? Jacky Jack (Sep 23)
- Re: any sql injection bypass on filters? Dan Crowley (Sep 23)
- Re: any sql injection bypass on filters? Speedy (Sep 23)
- Re: any sql injection bypass on filters? Joe Peters (Sep 23)
- Re: any sql injection bypass on filters? Jacky Jack (Sep 23)
- Re: any sql injection bypass on filters? Joe Peters (Sep 23)
- Re: any sql injection bypass on filters? Jacky Jack (Sep 23)
- Re: any sql injection bypass on filters? The Dead (Sep 22)