Penetration Testing mailing list archives

Pentesting Webserver

From: sherwyn.williams () gmail com
Date: Sat, 27 Oct 2007 19:39:07 +0000

Hello all,

I am in the middle of a test, so far I found out ftp, amount other things allows anonymous login, but my main concern 
is looking for sql injection points.

I used Paros and found a point, I can enter something like anything' x' or x=x' for both the username and email filed 
on the form and that would allow me to login as username admin, now I would like to know how can I use this to get a 
full list of accounts and what not to include in my report.

I tried doing some  queries of this nature from the web browser but I am not even getting an error message, ex 
http://test.com?email=code&password=code

Sql is a new area for me so any and all help is needed
Sent via BlackBerry from T-Mobile


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Current thread:

Pentesting Webserver sherwyn . williams (Oct 29)
- <Possible follow-ups>
- Re: Pentesting Webserver cwright (Oct 29)
  - Re: Pentesting Webserver infolookup (Oct 30)
  - Re: Pentesting Webserver Arian Amador (Oct 30)
- Re: Re: Pentesting Webserver cwright (Oct 30)