Penetration Testing mailing list archives

Re: sql injection - missed it at bh/defcon


From: Vadim Berezniker <vadim () berezniker com>
Date: Tue, 07 Aug 2001 20:35:04 -0400

nemo latin wrote:
All,

[snip trunc cut]
Any suggestions?


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
Try this for example:

'or''='

This would translate a normal query like
SELECT a,b,c FROM users WHERE username='something' AND password=''or''=''

The second condition in this case will always be true.
The syntax might vary from database to database though.


--
AIM: Kryptolus
BrainLINK Web Development Team       [http://www.brainlink.com]
607 Site Design Web Development Team [http://www.607design.com]
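As an added illustration (not part of the original thread), the Python below builds the login query both by string concatenation, as in the reply above, and with driver placeholders, and runs each against a constructed in-memory sqlite3 table. The table name, columns and sample row are assumptions for the demo.

```python
import sqlite3

def make_db():
    # Constructed sample data: one user with a known password.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def build_vulnerable_sql(username, password):
    # Concatenation: the caller's text becomes part of the SQL statement,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    return ("SELECT username FROM users WHERE username='" + username +
            "' AND password='" + password + "'")

def login_vulnerable(conn, username, password):
    # Mirrors the reply: password='' OR ''='' is always true, so a row comes back.
    return conn.execute(build_vulnerable_sql(username, password)).fetchone() is not None

def login_parameterized(conn, username, password):
    # Placeholders: values are bound separately from the statement text,
    # so the same input is compared as a plain string and never becomes syntax.
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def demo():
    conn = make_db()
    payload = "'or''='"  # the string from the reply above
    return {
        "vuln_good_creds": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_injected": login_vulnerable(conn, "alice", payload),
        "param_good_creds": login_parameterized(conn, "alice", "s3cret"),
        "param_injected": login_parameterized(conn, "alice", payload),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, "-> login succeeded" if ok else "-> login refused")
```

The concatenated form also accepts the injected value, while the parameterized form only accepts the real password, which is the check to apply to any query that mixes user input into SQL text.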