Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

MS SQL injection

From: "Mike Klingler" <whitehatguru () gmail com>
Date: Thu, 21 Sep 2006 09:02:52 -0500
Colleagues,
   I have a basic understanding of sql injection for ms sql, but on
this recent pen test the methods I have used in the past aren't
cutting it.

I was able to enumerate the table name and columns utilizing the '
having 1=1;-- and ' group by x,x,x,x having 1=1;--, but once I got all
of the column names on the group by list it issued the following error
instead of returning without an error.  "Microsoft][ODBC SQL Server
Driver][SQL Server]Unclosed quotation mark before the character string
' '."  Any ideas on what I need me to do to overcome this problem?

Thanks guys

--
Michael Klingler, CISSP
SecurityMetrics Penetration Tester

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: