Re: [PEN-TEST] stacking SQL requests

[Emmanuel Gadaix <emmanuel () RELAYGROUP COM>]

Anybody knows anything equivalent for _Oracle_ SQL ?

(sending mail, executing shell commands, etc.)

Thanks


At 01:21 AM 31/8/2000, you wrote:
> You can find M$ info on xp_sendmail at:
>
> http://support.microsoft.com/support/SQL/Content/inprodhlp/_xp_sendmail.asp?
> LN=EN-US&SD=gn&FR=0
>
> Please note that  you have to have configured the SQLMail agent (install
> Outlook, setup profile, etc) for any of this to even run. As far a quoted
> statements, I'm under the presumption that you have to roll your own. Anyone
> that doesn't do any syntax checking on the queries from this type of thing
> is asking for it.
>
> 'drew
>
> -----Original Message-----
> From: Nicolas Gregoire [mailto:nicolas.gregoire () 7THZONE COM]
> Sent: Wednesday, August 30, 2000 11:30 AM
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: Re: [PEN-TEST] stacking SQL requests
>
>
> Emmanuel Gadaix a écrit :
>
> > That is, inputs such as: hisname' ; select sysdate from dual --
> > will result in:
> > ERROR at line 2:
> > ORA-00911: invalid character
> > Anybody on the list has been playing with this on Oracle? Other databases?
>
> Do you use a interface between your web-form and your DB ?
>
> For exemple, using Perl and the DBI.pm interface with the MySQL driver,
> it is impossible to execute something like :
>
> (select * from CLIENTS where nom="my_name" ; drop CLIENTS ) #)"
>
> when your input is :
>
> my_name" ; drop CLIENTS ) #
>
> because the DBI perl module forbid the excution of more than one command
> at the same time.
>
> I don't know for other DB ...., sorry
>
> (who know about a stored-procedure in MS SQL allowing to send results by
> mail ?)


--
Emmanuel Gadaix
The Relay Group
http://relaygroup.com

9A1C A656 5F15 977D 0A1B  5E11 E06F 439C 3C68 7413