Penetration Testing mailing list archives

Re: SQL


From: root <root@localhost.localdomain>
Date: Tue, 20 Nov 2001 05:36:04 +0600


You can SQL inject that form. To see more on these attacks, check:

http://www.sqlsecurity.com/faq-inj.asp
http://www.silksoft.co.za/data/sqlinjectionattack.htm

-- 
jacg

On Mon 19 Nov 2001 22:24, you wrote:
Hello all,


I am doing a pen test against an IIS 5 web server. The web server requires a
user name and password via a logon form. If a single quote character is
entered (username), the following error is produced:

[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
before the character string '' and password=''.

I remember reading somewhere that this can be used to gain further access?
But I can't find the info.

Can anyone help?

Thanks in advance.

Gary


---------------------------------------------------------------------------
- This list is provided by the SecurityFocus Security Intelligence Alert
(SIA) Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
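
Why a single quote in the logon form produces the database error quoted above, and the parameterized form that removes the cause, as an added example that is not part of the original posts. SQLite stands in for SQL Server here, and the table, column and function names are hypothetical.

```python
import hashlib
import hmac
import sqlite3

SALT = b"constructed-demo-salt"  # constructed; real systems use a random per-user salt

def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("o'brien", pw_hash("s3cret")))
    return db

def login_concatenated(db, username, password):
    # The 'before' pattern: input is pasted into the SQL text, so a quote in
    # the username ends the string literal early and the statement stops parsing.
    sql = ("SELECT 1 FROM users WHERE username='" + username +
           "' AND pw_hash='" + pw_hash(password) + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, password):
    # The fix: the placeholder keeps input as data, never as SQL syntax.
    try:
        row = db.execute("SELECT pw_hash FROM users WHERE username = ?",
                         (username,)).fetchone()
    except sqlite3.Error:
        return False  # log server-side; do not echo driver errors to the client
    return row is not None and hmac.compare_digest(row[0], pw_hash(password))

def probe(db, username):
    # Returns the driver error text the concatenated query raises, or None.
    try:
        login_concatenated(db, username, "x")
    except sqlite3.Error as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    db = make_db()
    print("concatenated, input \"'\":", probe(db, "'"))
    print("concatenated, o'brien:", probe(db, "o'brien"))
    print("parameterized, input \"'\":", login_parameterized(db, "'", "x"))
    print("parameterized, o'brien:", login_parameterized(db, "o'brien", "s3cret"))
```

The concatenated version also fails for a legitimate user whose name contains an apostrophe, which is often how this defect is first noticed in production.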
