Penetration Testing mailing list archives
RE: sql injection: url or form based?
From: "LAROUCHE Francois" <Francois.LAROUCHE () consulting-for accor com>
Date: Mon, 13 Feb 2006 17:10:07 +0100
Hi Johnny,

I think you've got the essentials of the differences with the previous answers. But one was missing: the limit of the size of the GET (about 2083 for IE if I recall well). Some URLs by themselves can be REALLY long without any SQL injection, and if you find a UNION injection and it needs let's say 60 values AND you need to encode each character + add comments between words to evade IDS, reverse proxies, or filters, then you can easily go beyond the limit of the URL for the given web server. Or when you want to create a new function or stored procedure on the attacked SQL server, you need space as well. Don't laugh. It happened to me a couple of times...

POST has no limit.

Personally, I prefer POST. Especially over HTTPS, it's a nice way to be really stealthy :)

And besides, programmers are much lazier when it comes to checking values from hidden or select HTML tags; they think since it's "hidden" it cannot be tampered with.

Cheers!

François Larouche

-----Original Message-----
From: johnny Mnemonic [mailto:security4thefainthearted () hotmail com]
Sent: Friday, February 10, 2006 7:07 AM
To: pen-test () securityfocus com
Subject: sql injection: url or form based?

I see many references to manipulation of SQL backend databases through both URL based and Forms based SQL injection, but I'm wondering what are the essential differences between both methods and when to use one over the other.

Thanks.
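Added example (not part of the original message or thread): a server-side handler that applies the same checks whether parameters arrive in the URL or in a POST body, re-validating a `<select>` value and a hidden field before a parameterized query. The table, the field names `category` and `page_size`, and the limits are assumptions made for illustration.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed sample: the options the server rendered into <select name="category">.
ALLOWED_CATEGORIES = {"books", "music", "games"}
MAX_PAGE_SIZE = 50  # upper bound for the hidden "page_size" field (assumed)

def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, category TEXT, name TEXT)")
    db.executemany("INSERT INTO items (category, name) VALUES (?, ?)",
                   [("books", "SQL primer"), ("books", "HTTP guide"), ("music", "Live album")])
    return db

def extract_params(method, query_string="", body=""):
    """Parse parameters from the URL for GET, from the form body for POST."""
    raw = query_string if method.upper() == "GET" else body
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}

def search_items(db, method, query_string="", body=""):
    """Validate both fields server-side, then run a parameterized query."""
    params = extract_params(method, query_string, body)
    category = params.get("category", "")
    page_size = params.get("page_size", "")
    # A <select> only restricts the browser UI; re-check against the allow-list.
    if category not in ALLOWED_CATEGORIES:
        raise ValueError("category is not one of the rendered options")
    # A hidden field is still client-controlled input: require a bounded integer.
    if not (page_size.isascii() and page_size.isdigit()):
        raise ValueError("page_size is not a plain integer")
    limit = int(page_size)
    if not 1 <= limit <= MAX_PAGE_SIZE:
        raise ValueError("page_size out of range")
    # Placeholders keep the values out of the SQL text regardless of transport.
    rows = db.execute(
        "SELECT name FROM items WHERE category = ? ORDER BY id LIMIT ?",
        (category, limit)).fetchall()
    return [r[0] for r in rows]
```

Because the checks run after parsing, the outcome is the same for GET and POST; request bodies usually do not appear in default access logs, so rejected values are worth logging at this layer.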