Penetration Testing mailing list archives

MS Access+pen-test


From: wymerzp () sbu edu
Date: 13 Jun 2007 19:55:07 -0000

I was looking over a client's website when I discovered a classic (almost cliche) SQL injection vulnerability (i.e. 
Username ' OR ''=' | Password ' OR ''='). I did more poking and prodding and discovered that they are using MS Access 
for a backend. I know you can't string queries together (i.e. Select user from tbl where blah = var; Select...). My 
question is then, is there any 'good way' to use SQL injection against this database to drive home the severity of the 
lack of input validation? Currently, the best I got was access to non-sensitive information that one simply needed to 
supply an email for.
Thanks a lot,
Zach
