Full Disclosure mailing list archives
Re: SFX-SQLi: A new SQL injection technique for SQL Server (dumps a table in one request!)
From: "Daniel Kachakil" <dani () kachakil com>
Date: Sun, 8 Feb 2009 14:28:27 +0100
Dear Paul: Thanks for your comments. And yes, I think you are 100% right. The SFX-SQLi "injection technique/method" (is there a better name for it?) will not help you to extract more data than other existing techniques. The XMLSCHEMA option is only an alternative way to get the column names (instead of using SYSOBJECTS, for instance). Maybe it can also bypass some basic filters (e.g. there is no need to use the WHERE clause), but this is secondary... The main difference is this: - Time-based SQL injection: 1 request -> 1/2 char using Deep Blind (but very slowly) - Blind SQL injection: 1 request -> 1/7 char - Union / error-based SQL injection: 1 request -> 1 field - SFX-SQL injection: 1 request -> 1 table So yes, this technique will extract the same data, but thousands of times faster than other methods. Regards, Daniel Kachakil -------------------------------------------------- From: "Paul Schmehl" <pschmehl_lists () tx rr com> Sent: Sunday, February 08, 2009 5:10 AM To: <full-disclosure () lists grok org uk> Cc: "Daniel Kachakil" <dani () kachakil com> Subject: Re: [Full-disclosure] SFX-SQLi: A new SQL injection technique for SQL Server (dumps a table in one request!)
--On February 7, 2009 10:02:21 AM -0600 Daniel Kachakil <dani () kachakil com> wrote:I have written a paper describing how the technique works and in which fundamentals it is based, and I have also developed a tool which implements this technique as a proof of concept (with the source code included). You can get them through this URL: http://www.kachakil.com/papers/SFX-SQLi-en.htmHaving read your paper, I'm a bit confused about what you think the "new SQL injection technique" is that you've discovered. I understand you have determined a way to *extract* data in a more compact and efficient format, but I didn't see any new *injection* technique. IOW, the FOR XML construct isn't going to assist you in obtaining the data - only in obtaining it more efficiently. Did I miss something? Paul Schmehl, If it isn't already obvious, my opinions are my own and not those of my employer. ****************************************** WARNING: Check the headers before replying
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- SFX-SQLi: A new SQL injection technique for SQL Server (dumps a table in one request!) Daniel Kachakil (Feb 07)
- Re: SFX-SQLi: A new SQL injection technique for SQL Server (dumps a table in one request!) seclists (Feb 07)
- Re: SFX-SQLi: A new SQL injection technique for SQL Server (dumps a table in one request!) Paul Schmehl (Feb 07)
- Re: SFX-SQLi: A new SQL injection technique for SQL Server (dumps a table in one request!) Daniel Kachakil (Feb 08)