Penetration Testing mailing list archives
Re: Executing PHP Code from MSSQL table
From: Alexander Klimov <alserkli () inbox ru>
Date: Wed, 17 Oct 2007 12:28:08 +0200 (IST)
On Mon, 15 Oct 2007, Danux wrote:
after testing a PHP-MSSQL app, i am able to insert and update tables
but i can't execute store_procedures, so, i was wondering if its
possible to update a table putting something like: "phpinfo()" or
(passthru("ipconfig")) in order to execute while loading the page?
You cannot execute strings directly, but if developers are clueless enough it is very likely that they actually eval code stored in db (this blunder is especially common in `content management systems') -- grep for eval and other similar functions. Yet another common mistake is to store in database paths to code that is included in pages. -- Regards, ASK ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Executing PHP Code from MSSQL table Danux (Oct 15)
- Re: Executing PHP Code from MSSQL table Jim Halfpenny (Oct 16)
- Re: Executing PHP Code from MSSQL table Matthew Lee Hinman (Oct 18)
- Re: Executing PHP Code from MSSQL table Danux (Oct 18)
- Re: Executing PHP Code from MSSQL table Matthew Lee Hinman (Oct 18)
- Re: Executing PHP Code from MSSQL table Alexander Klimov (Oct 18)
- Re: Executing PHP Code from MSSQL table Robin Wood (Oct 19)
- Re: Executing PHP Code from MSSQL table Danux (Oct 19)
- Re: Executing PHP Code from MSSQL table Jim Halfpenny (Oct 16)