Penetration Testing mailing list archives
RE: Blind SQL Injection Techniques
From: "Paul Melson" <pmelson () gmail com>
Date: Thu, 14 Dec 2006 14:33:16 -0500
-----Original Message-----
Subject: Blind SQL Injection Techniques

It seems that when injecting any invalid sql statement I get the same custom error page coming back that doesn't reveal any information.

There are other ways to prove injection is possible, like INSERT-ing a new row, creating a user, or copying a table from their SQL server to one you set up on your network.*

You should definitely read:
http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt

PaulM

* Personally, I would consider getting an OPENROWSET injection to connect to a netcat listener as a successful proof of concept. Actually copying data is a formality at that point. It's definitely worth getting your client's written permission before you attempt copying their data across the Internet as there may be compliance issues (HIPAA Rule 3, for example) that this exposes them to.