Penetration Testing mailing list archives

Re: SQL Injection


From: Nicolas Gregoire <nicolas.gregoire () 7thzone com>
Date: Mon, 10 Sep 2001 13:07:39 +0200

Kevin Spett wrote:

> I am working on a script where I am able to inject arbitrary SQL code into
> the request, but am unable to get the records I want.

[snip]

> Also, good sites or papers that discuss SQL code injection would be
> appreciated.

A good paper about this subject is "Web Application Disassembly with
ODBC Error Messages" by David Litchfield, from the Black Hat 2001
sessions.

There is a copy on my website:
http://nicob.net/BHWin01Litchfield.doc

and here is another mirror:
http://opensores.thebunker.net/pub/mirrors/blackhat/presentations/win-usa-01/Litchfield/BHWin01Litchfield.doc

Nicob
