Penetration Testing mailing list archives

Knowledge shared


From: "Brett Moore" <brett () softwarecreations co nz>
Date: Fri, 1 Feb 2002 00:44:27 +1300

Ok so I have some thoughts. No official format.

1) SQL INJECTION

"SQL injection does not work with stored procedures"...Shakes pear 1654

example:

X = WEB VARIABLE = INTEGER

X = 10
EXEC MY_STOREDPROCEDURE X = EXEC MY_STOREDPROCEDURE 10
~
X = 10;EXEC MASTER..XP_CMDSHELL''
EXEC MY_STOREDPROCEDURE X = 10;EXEC MASTER..XP_CMDSHELL''

2) SQL TIP
SET NOEXEC = Compiles each query but does not execute it.

If 007 knows the field names used in a web page creation then 007 can
obtain information from the second query.

3) http://www.microsoft.com/technet/security/bulletin/MS01-060.asp
Of course any tester that obtains sql injection capabilities on a test site
can abuse this if the test site is not patched.



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
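
Added example, not part of the original post: a Python sketch of point 1, showing the batch the server receives when the web variable is pasted into the EXEC text, next to a hardened builder that validates the integer and binds it as a parameter. The function names and the use of a DB-API driver that accepts the ODBC `{CALL ...}` escape with `?` placeholders are assumptions; the procedure name and input strings are the ones from the post.

```python
import re

PROC = "MY_STOREDPROCEDURE"  # procedure name taken from the post

def build_batch_unsafe(x: str) -> str:
    """Pattern from the post: the web variable is concatenated into the EXEC text."""
    return f"EXEC {PROC} {x}"

def split_statements(batch: str) -> list[str]:
    """Split on ';' outside single-quoted strings (simplified lexing, for display).

    T-SQL does not require ';' between statements, so filtering that character
    is not a fix; the value has to be validated or bound as a parameter.
    """
    parts, cur, in_str = [], [], False
    for ch in batch:
        if ch == "'":
            in_str = not in_str  # a doubled '' toggles twice, state is unchanged
        if ch == ";" and not in_str:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

_INT = re.compile(r"[+-]?\d{1,10}")

def parse_int_param(x: str) -> int:
    """Accept only a value that fits a 32-bit SQL INT; reject everything else."""
    if not _INT.fullmatch(x.strip()):
        raise ValueError(f"not an integer: {x!r}")
    n = int(x)
    if not -2**31 <= n < 2**31:
        raise ValueError(f"out of INT range: {x!r}")
    return n

def build_call_safe(x: str) -> tuple[str, tuple[int]]:
    """Return (sql, params): the SQL text is constant, the value travels separately."""
    return f"{{CALL {PROC} (?)}}", (parse_int_param(x),)

if __name__ == "__main__":
    for value in ("10", "10;EXEC MASTER..XP_CMDSHELL''"):  # inputs from the post
        print(split_statements(build_batch_unsafe(value)))
```
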

