RE: BlackBox testing for SQL injection

["Miguel Dilaj" <mdilaj () nccglobal com>]

Hi Michael,

Well, usually you don't know these if you're a pentester.
Look for the papers entitled "Advanced SQL Injection" and "More Advanced SQL
Injection" (probably at http://www.ngssoftware.com/papers.htm).
In one of them you've the process to discover table structure.
Using SQL abstracts you from source code worries.
Cheers,

Miguel



-----Original Message-----
From: mickael kael [mailto:mickael.kael () gmail com] 
Sent: 28 June 2005 11:08
To: security-basics () securityfocus com
Subject: BlackBox testing for SQL injection


Hello,

I want to know if it is possible to find real SQL injection with blackbox
tool. For example, parosproxy print some alerts of SQL injection params. 
"GET
http://192.168.1.4/test/html/modules.php?name=Your_Account&op=userinfo&bypas
s=1&uname=user'INJECTED_PARAM
HTTP/1.1
"
But how can we test it if we don't know table structure and source code ? 

Thanks in advance for your idea,

Best Cordially,

Mk,


***********************************************************************************************************
DISCLAIMER:                                                                                                
This e-mail contains proprietary information, some or all of which may be legally privileged.              
It is for the intended recipient only. If an addressing or transmission error has misdirected this e-mail, 
please notify the author by replying to this e-mail. If you are not the intended recipient you may not use,
disclose, distribute, copy, print or rely on this e-mail.                                                  
***********************************************************************************************************