Penetration Testing mailing list archives
Re: any sql injection bypass on filters?
From: Joe Peters <joepete () joepete com>
Date: Wed, 22 Sep 2010 20:35:12 -0400
On Thu, 2010-09-23 at 04:35 +0800, Jacky Jack wrote:
If I change its parameter value to a value other than "ASC", "DESC", the application issues a generic sql error starting with "You have an error in your SQL syntax". So, in this situation, can the application still be assumed as vulnerable to sql injection?
If you are causing an error on the sql server, then I would say yes. The app should only be passing only valid values/commands to the database. If you are able to get the database to throw an error, then conceptually, if there is a vulnerability on the database server, you could exploit it. -- JoePete ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- any sql injection bypass on filters? Jacky Jack (Sep 22)
- Re: any sql injection bypass on filters? The Dead (Sep 22)
- Re: any sql injection bypass on filters? Speedy (Sep 23)
- Re: any sql injection bypass on filters? Jacky Jack (Sep 23)
- Re: any sql injection bypass on filters? Dan Crowley (Sep 23)
- Re: any sql injection bypass on filters? Speedy (Sep 23)
- Re: any sql injection bypass on filters? Joe Peters (Sep 23)
- Re: any sql injection bypass on filters? Jacky Jack (Sep 23)
- Re: any sql injection bypass on filters? Joe Peters (Sep 23)
- Re: any sql injection bypass on filters? Jacky Jack (Sep 23)
- Re: any sql injection bypass on filters? The Dead (Sep 22)