WebApp Sec mailing list archives

Re: SQL Injection data retrieving??


From: Roland Despins <roland2004 () romandie com>
Date: 13 Sep 2004 06:26:47 -0000

In-Reply-To: <web-342407326 () admin nni com>

if it is your app as you said, wouldn't you then know if:

I assume that "__big_field" is the name of the database?
Right?


was indeed your own application's db name? : )


Yes, probably! But I'm doing this for the company where I work. We are simulating a "realworld case". (I mean I'm like the bad hacker outside on the net trying to break into our application without any knowledge)

The guys here are not too worried about security. I've discovered that our application is vulnerable to SQL injection and I'm trying to build some sort of "exploit" in order to show them how simple it is to get data out of our database! So they might consider security from another point of view...

Roland

