Penetration Testing mailing list archives
SQL Injection and text fields
From: Mariano Nuñez Di Croce <mnunez () cybsec com>
Date: Fri, 20 Aug 2004 10:15:08 -0300
I'm currently pen-testing a web application based on ASP and SQL Server.I have already figured out the table and field name by the use of the "having 1=1--" and appending "group by table.name" clauses.
The problem is that I have text fields and those can't be use in the GROUP BY clause, so I get an error and cannot continue with the Injection.
Any ideas? -- ---------------------------- Mariano Nuñez Di Croce CYBSEC S.A. Security Systems Email: mnunez () cybsec com Tel/Fax: (54-11) 4382-1600 Web: http://www.cybsec.com ------------------------------ ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. http://www.securityfocus.com/sponsor/InfoSecInstitute_pen-test_040817 -------------------------------------------------------------------------------
Current thread:
- SQL Injection and text fields Mariano Nuñez Di Croce (Aug 20)
- Re: SQL Injection and text fields Ben Timby (Aug 21)
- Re: SQL Injection and text fields Mariano Nuñez Di Croce (Aug 21)
- Re: SQL Injection and text fields Ben Timby (Aug 20)
- Re: SQL Injection and text fields Ben Timby (Aug 20)
- Re: SQL Injection and text fields Mariano Nuñez Di Croce (Aug 21)
- Re: SQL Injection and text fields Ben Timby (Aug 21)