Bugtraq mailing list archives
Re: SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in one request!)
From: Amit Klein <aksecurity () gmail com>
Date: Mon, 9 Feb 2009 19:45:04 +0200
Apparently the concept has been known to white hats as well, for some time. Dennis Hurst from HP has this blog entry from December 2007:
http://www.communities.hp.com/securitysoftware/blogs/dennis/archive/2007/12/07/Project-Management-Institute-meeting-in-Alpharetta-GA-_2D00_-4-Dec-2007.aspx

In it, there's a link to a presentation he gave at a Project Management Institute meeting on December 6th, 2007. The link to the presentation is:
http://www.communities.hp.com/securitysoftware/blogs/dennis/attachment/72396.ashx

In it, it's pretty clear that Dennis was aware of the "SELECT ... FOR XML" trick at that time, and he also probably demonstrated it in public. One of his slides reads as follows:

demo SQL Injection (how to do this:' union select 1,1,(select * from customers for xml auto) from sysobjects where '' = ')

I hope that settles it...

Thanks,
-Amit

On Sun, Feb 8, 2009 at 6:29 PM, Razi Shaban <razishaban () gmail com> wrote:
> On Sun, Feb 8, 2009 at 6:16 PM, Roman Medina-Heigl Hernandez <roman () rs-labs com> wrote:
>> Razi Shaban wrote:
>>>> I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL injection technique which allows to extract the whole information of a Microsoft SQL Server 2005/2008 database in an extremely fast and efficient way.
>>>
>>> This isn't new, this is old news. It might be the first paper written about the topic, but these methods have been used for years.
>>
>> Please, Razi, could you name any reference? I suppose that if the method is well-known, as you're suggesting, it shouldn't be difficult at all to find at least one. I can't believe no tool is implementing such a great idea, if it is "old news".
>>
>> --
>> Regards,
>> -Roman
>
> Not reference, not white paper, not tool. I am talking about the real internet, where things aren't talked about but actually happen. Hackers have been using methods similar to this for years, it's about time a white-hat discovered this.
>
> Regards,
> Razi Shaban