Penetration Testing mailing list archives
Re: [PEN-TEST] Hacking SQL queries ...
From: Nicolas GREGOIRE <nicolas.gregoire () 7THZONE COM>
Date: Wed, 7 Feb 2001 23:13:37 +0100
"Aurobindo Sundaram (+1 512 918 1390)" wrote:

> I have to audit a bit of code that does the following
> SELECT Name FROM Users WHERE Name LIKE '%input%' ORDER BY Name

Bad, so bad ...
Check r.f.p.'s PacketStorm hack (http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=7)

The Perl module DBI doesn't allow several queries in one line. So you can just insert some fields in the "where".
But with MS-SQL, all is possible (delete table, mail results, ...)

Nicob
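
The audited query next to a bound-parameter form, as an added example that is not part of the original post or the audited code. It assumes an in-memory SQLite database as a stand-in for the real one; the table contents, function names and sample inputs are constructed for illustration.

```python
import sqlite3

# Constructed sample data; SQLite stands in for the audited database.
ROWS = [("alice",), ("bob",), ("carol_50%",)]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Name TEXT)")
    db.executemany("INSERT INTO Users (Name) VALUES (?)", ROWS)
    return db

def search_concat(db, user_input):
    """The audited pattern: input is pasted into the SQL text itself."""
    sql = ("SELECT Name FROM Users WHERE Name LIKE '%" + user_input +
           "%' ORDER BY Name")
    return [r[0] for r in db.execute(sql)]

def escape_like(value, esc="\\"):
    """Make the escape character, % and _ literal inside a LIKE pattern."""
    for ch in (esc, "%", "_"):
        value = value.replace(ch, esc + ch)
    return value

def search_bound(db, user_input):
    """Hardened form: the input travels as a bound parameter, never as SQL."""
    sql = ("SELECT Name FROM Users WHERE Name LIKE ? ESCAPE '\\' "
           "ORDER BY Name")
    pattern = "%" + escape_like(user_input) + "%"
    return [r[0] for r in db.execute(sql, (pattern,))]

# Constructed input whose quote closes the string literal early, so the
# rest of it is parsed as part of the WHERE clause.
QUOTE_INPUT = "zzz' OR Name LIKE '"

if __name__ == "__main__":
    db = make_db()
    for text in ("ali", "%", QUOTE_INPUT):
        print(repr(text), search_concat(db, text), search_bound(db, text))
```

With the bound form the quote and the wildcards are matched as literal characters, so the WHERE clause keeps the shape the developer wrote.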