Bugtraq mailing list archives
Re: SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in one request!)
From: Roman Medina-Heigl Hernandez <roman () rs-labs com>
Date: Sun, 08 Feb 2009 17:16:30 +0100
Razi Shaban wrote:
>> I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL injection technique which allows to extract the whole information of a Microsoft SQL Server 2005/2008 database in an extremely fast and efficient way.
>
> This isn't new, this is old news. It might be the first paper written about the topic, but these methods have been used for years.

Please, Razi, could you name any reference? I suppose that if the method is well-known, as you're suggesting, it shouldn't be difficult at all to find at least one. I can't believe no tool is implementing such a great idea, if it is "old news".

--
Regards,
-Roman

PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

Current thread:
- SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in one request!) Daniel Kachakil (Feb 06)
- Re: SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in one request!) Razi Shaban (Feb 06)
- Re: SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in one request!) Roman Medina-Heigl Hernandez (Feb 09)
- Re: SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in one request!) Razi Shaban (Feb 06)