Security Basics mailing list archives
RE: BlackBox testing for SQL injection
From: "Miguel Dilaj" <mdilaj () nccglobal com>
Date: Wed, 29 Jun 2005 08:43:51 +0100
Hi Michael,

Well, usually you don't know these if you're a pentester. Look for the papers entitled "Advanced SQL Injection" and "More Advanced SQL Injection" (probably at http://www.ngssoftware.com/papers.htm). In one of them you have the process to discover table structure. Using SQL abstracts you from source code worries.

Cheers,
Miguel

-----Original Message-----
From: mickael kael [mailto:mickael.kael () gmail com]
Sent: 28 June 2005 11:08
To: security-basics () securityfocus com
Subject: BlackBox testing for SQL injection

Hello,

I want to know if it is possible to find real SQL injection with a blackbox tool. For example, parosproxy prints some alerts of SQL injection params:

"GET http://192.168.1.4/test/html/modules.php?name=Your_Account&op=userinfo&bypass=1&uname=user'INJECTED_PARAM HTTP/1.1"

But how can we test it if we don't know table structure and source code?

Thanks in advance for your idea,

Best Cordially,
Mk,
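The thread's point, that a black-box tool only sees whether the injected quote changes the application's behaviour, and that a parameterized query removes that signal, shown as an added example (not code from either poster; the in-memory SQLite table and the request URL are constructed stand-ins for the unknown back end):

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed request line in the form Paros reported on the list.
PROBE_URL = ("http://192.168.1.4/test/html/modules.php?name=Your_Account"
             "&op=userinfo&bypass=1&uname=user'INJECTED_PARAM")


def make_db():
    """In-memory stand-in for the unknown back-end table (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uname TEXT, email TEXT)")
    db.execute("INSERT INTO users VALUES ('user', 'user@example.invalid')")
    return db


def lookup_concat(db, uname):
    """Vulnerable pattern: the parameter is spliced into the SQL text,
    so a stray quote is parsed as SQL and breaks the statement."""
    sql = "SELECT email FROM users WHERE uname = '" + uname + "'"
    return db.execute(sql).fetchall()


def lookup_param(db, uname):
    """Hardened pattern: a bind parameter; the value is never parsed as SQL."""
    return db.execute("SELECT email FROM users WHERE uname = ?", (uname,)).fetchall()


def probe_outcome(lookup, url):
    """Black-box view of one request: all the tester (or Paros) can observe
    is 'error', 'rows' or 'empty', without table structure or source."""
    uname = parse_qs(urlsplit(url).query)["uname"][0]
    db = make_db()
    try:
        rows = lookup(db, uname)
    except sqlite3.DatabaseError:
        return "error"
    return "rows" if rows else "empty"


def suspicious_params(url):
    """Detection side: query parameters carrying a SQL quote, the
    signature of the probe in the GET line quoted above."""
    qs = parse_qs(urlsplit(url).query)
    return sorted(k for k, vals in qs.items() if any("'" in v for v in vals))
```

With the concatenated query the probe produces a database error (the signal a black-box scanner keys on); with the bound parameter the same probe is just an unknown username, so no structure can be inferred from the response.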