Penetration Testing mailing list archives

Re: How to evade white spaces in a SQL injection


From: Falcifer <falcifer2001 () yahoo es>
Date: Fri, 26 Mar 2004 01:34:58 +0100

Sorry, but I don't understand it.

Can you explain it a bit more?

Suppose that the original query is:
select * from users where useid=&my_user_without_spaces and
password=&password

where &my_user_without_spaces and &password were the inputs submitted
by the webform but both vars without spaces;

Thanks

On Thu, 25-03-2004 at 18:13, Jeff Bryner wrote:
--- Falcifer <falcifer2001 () yahoo es> wrote:
Hi,

I have one application coded in ASP with a login form, and the only
character that it validates is the white space.

Can I perform a SQL injection on it? How?

SQL is nice enough to do some automatic parsing for you..so

select''+@@version

will work.  Of course if the validation is client side, just bypass it.



=====
Jeff
-----------------------
You... you can't dump me! I'm using your name for all my passwords! What exactly am I supposed to do about that!? 

- Justin Simoni
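
Added example, not part of the original thread or either poster's code: a Python/sqlite3 stand-in for the ASP login discussed above, showing from the defender's side why a white-space filter does not keep input out of the SQL parser and how a parameterized query does. The table layout, the quoted string columns, the function names and the sample row are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # In-memory stand-in for the application's database (assumption).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT, password TEXT)")
    # Constructed sample row: a legitimate user id with an apostrophe, no spaces.
    conn.execute("INSERT INTO users VALUES (?, ?)", ("o'brien", "s3cret"))
    return conn

def passes_space_filter(value):
    # The only validation described in the thread: reject white space.
    return not any(ch.isspace() for ch in value)

def login_concat(conn, userid, password):
    # Weak pattern: filtered input is pasted into the SQL text itself.
    if not (passes_space_filter(userid) and passes_space_filter(password)):
        return "rejected"
    sql = ("select * from users where userid='" + userid +
           "' and password='" + password + "'")
    try:
        return "ok" if conn.execute(sql).fetchone() else "denied"
    except sqlite3.Error:
        # The apostrophe closed the string literal early, so the rest of
        # the input was tokenized as SQL: data has reached the parser.
        return "sql-error"

def login_param(conn, userid, password):
    # Hardened pattern: placeholders keep input as data, so no character
    # filter (white space or otherwise) is needed for safety.
    sql = "select * from users where userid=? and password=?"
    return "ok" if conn.execute(sql, (userid, password)).fetchone() else "denied"

if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "o'brien", "s3cret"))  # filter passes, query breaks
    print(login_param(db, "o'brien", "s3cret"))   # same input, handled as data
```
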
