WebApp Sec mailing list archives

RE: Blind SQL Injection / Stored procedures

From: "Evans, Arian" <Arian.Evans () fishnetsecurity com>
Date: Thu, 17 Nov 2005 09:48:00 -0600

Fancois, nice explanation,

-----Original Message-----
From: LAROUCHE Francois [mailto:Francois.Larouche () accorservices com] 
Sent: Thursday, November 17, 2005 8:59 AM

[...]

d) If you still can't well sorry... I think there is no other 
way except those already mentioned by the others (by the way 
to execute xp_makewebtask you need to have high user 
privileges something you are obviously not)


Has anyone published a complete list/table of MSSQL (and other DB)
stored procs/pls on the web, and what the default privs to them are?

I've made one but I'm not sure yet if I'm allowed to publish it.

This would be a nice handy sql-injection reference table for
people who are new to SQLi with stored procs, or just have a
bad memory/aren't very smart [me].

-ae

Current thread:

Blind SQL Injection / Stored procedures Andres Molinetti (Nov 15)
- Re: Blind SQL Injection / Stored procedures Adam Tuliper (Nov 15)
- Re: Blind SQL Injection / Stored procedures Laramies (Nov 16)
- RE: Blind SQL Injection / Stored procedures Victor Chapela (Nov 18)
- <Possible follow-ups>
- RE: Blind SQL Injection / Stored procedures LAROUCHE Francois (Nov 16)
  - RE: Blind SQL Injection / Stored procedures Andres Molinetti (Nov 16)
- RE: Blind SQL Injection / Stored procedures LAROUCHE Francois (Nov 17)
  - Re: Blind SQL Injection / Stored procedures Phillip Powell (Nov 17)
- RE: Blind SQL Injection / Stored procedures Evans, Arian (Nov 17)
  - Re: [WEB SECURITY] RE: Blind SQL Injection / Stored procedures Frederic Charpentier (Nov 17)
- RE: Blind SQL Injection / Stored procedures LAROUCHE Francois (Nov 18)
  - Re: Blind SQL Injection / Stored procedures ascii (Nov 18)