Penetration Testing mailing list archives
Re: SQL
From: "Andrea secondote?" <btnew () hotmail com>
Date: Thu, 22 Nov 2001 11:56:39 +0100
> From: "Kevin Spett" <kspett () spidynamics com>
> To: <PEN-TEST () securityfocus com>
> Date: Mon, 19 Nov 2001 17:56:06 -0800
>
> There's code like this in the web app:
>
> ' user input is concatenated straight into the SQL text
> SQL_Query_String = "SELECT somefield FROM Users WHERE Username = '" & strUserName & "' AND Password = '" & strPassword & "'"
> strValue = SQL_Query(SQL_Query_String)
> ..
[snip]

Hi, I'm a newbie in pen-testing. I read this article and I've found a link too. I've tried this method on my website, which had a URL like this: http://www.thesite.com/login.asp. I checked out the error, so I found how the username & password fields were written, so I put ' or user like '% etc... and the site answered me with: Wellcome operator. OK. But what I don't understand is how to take advantage of this attack to get passwords or accounts or sensitive information... Can you give me some other information about it? Thanks
.::SNHYPER::. Security Team Milano
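As an added illustration that is not part of the original thread: the concatenation pattern from Kevin Spett's quoted ASP snippet rebuilt in Python over an in-memory SQLite table, beside the parameterized form that closes the hole. The table contents, the Python translation and the column name `Username` are constructed assumptions of mine; the login input used is the shape Andrea reports above (`' or ... like '%`), with the column name adapted to this table.

```python
import sqlite3

# Constructed sample data for the demo; not from the original thread.
SAMPLE_USERS = [("operator", "s3cret"), ("alice", "hunter2")]


def make_db():
    """Build an in-memory Users table shaped like the one in the quoted ASP."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable: mirrors the string concatenation from the quoted ASP.

    Whatever the user types becomes part of the SQL text, so a quote in the
    input closes the literal and the remainder is parsed as SQL.
    Returns the usernames the WHERE clause matched, sorted.
    """
    sql = ("SELECT Username FROM Users WHERE Username = '" + username
           + "' AND Password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_param(conn, username, password):
    """Hardened: bound parameters. The input is passed as data, never as SQL."""
    sql = "SELECT Username FROM Users WHERE Username = ? AND Password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


if __name__ == "__main__":
    db = make_db()
    # The input Andrea describes, with this table's column name.
    probe = "' OR Username LIKE '%"
    print("concat:", login_concat(db, "anyone", probe))    # ['alice', 'operator']
    print("param :", login_param(db, "anyone", probe))     # []
    print("legit :", login_param(db, "alice", "hunter2"))  # ['alice']
```

With concatenation the probe turns the WHERE clause into `Username = 'anyone' AND Password = '' OR Username LIKE '%'`, which is true for every row, so the application greets the first account it finds, exactly the "Wellcome operator" Andrea saw. With bound parameters the same string is compared as a literal password and matches nothing. Two further defensive points the thread touches on: the field names were learned from a verbose database error, so production pages should return a generic error and log the detail server-side; and the query compares plaintext passwords, whereas stored credentials should be salted hashes so that a query that does leak rows does not leak usable secrets.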
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/