Penetration Testing mailing list archives
Re: [PEN-TEST] stacking SQL requests
From: Andrew Lawton <ALawton () INFOSYSINC COM>
Date: Wed, 30 Aug 2000 14:21:11 -0400
You can find M$ info on xp_sendmail at: http://support.microsoft.com/support/SQL/Content/inprodhlp/_xp_sendmail.asp? LN=EN-US&SD=gn&FR=0 Please note that you have to have configured the SQLMail agent (install Outlook, setup profile, etc) for any of this to even run. As far a quoted statements, I'm under the presumption that you have to roll your own. Anyone that doesn't do any syntax checking on the queries from this type of thing is asking for it. 'drew -----Original Message----- From: Nicolas Gregoire [mailto:nicolas.gregoire () 7THZONE COM] Sent: Wednesday, August 30, 2000 11:30 AM To: PEN-TEST () SECURITYFOCUS COM Subject: Re: [PEN-TEST] stacking SQL requests Emmanuel Gadaix a écrit :
That is, inputs such as: hisname' ; select sysdate from dual -- will result in: ERROR at line 2: ORA-00911: invalid character Anybody on the list has been playing with this on Oracle? Other databases?
Do you use a interface between your web-form and your DB ? For exemple, using Perl and the DBI.pm interface with the MySQL driver, it is impossible to execute something like : (select * from CLIENTS where nom="my_name" ; drop CLIENTS ) #)" when your input is : my_name" ; drop CLIENTS ) # because the DBI perl module forbid the excution of more than one command at the same time. I don't know for other DB ...., sorry (who know about a stored-procedure in MS SQL allowing to send results by mail ?)
Current thread:
- Re: [PEN-TEST] stacking SQL requests Andrew Lawton (Aug 30)
- <Possible follow-ups>
- Re: [PEN-TEST] stacking SQL requests Emmanuel Gadaix (Aug 30)
- Re: [PEN-TEST] stacking SQL requests Justin Shaffer (Aug 31)
- Re: [PEN-TEST] stacking SQL requests Nicolas Gregoire (Aug 31)
- Re: [PEN-TEST] stacking SQL requests Justin Shaffer (Aug 31)
- Re: [PEN-TEST] stacking SQL requests Michael Owen (Aug 31)