Penetration Testing mailing list archives

Re: sql injection with MS Access


From: "rudi carell" <rudicarell () hotmail com>
Date: Thu, 29 Nov 2001 09:09:17





hola,

that depends heavily on the interface the web-app uses!


as an example .. (ODBC+MSSQL+PHP) does not recognize comments ..

did you try out a NULL-BYTE[\000] ?

if it is not possible to prematurely cut off the query ..
I'd recommend combining the original query with UNION
and SUBSELECT statements ..


you said:

Hi,
I am currently testing SQL injection with a web application and MS Access
database. I have some difficulties as I do not know the comment character
for Access Database.

cu
rC




security () freefly com
http://www.freefly.com/security/

















----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

