WebApp Sec mailing list archives
Re: SQL Injection Basics
From: Bart McKinnley <bartsimpson1997 () yahoo com>
Date: Fri, 14 Feb 2003 07:05:59 -0800 (PST)
I ran across three presentations that deal with SQL Injection. They helped me out when I was testing a few asp pages I created. The first discusses the basics of how to test web applications for SQL injection vulnerabilities. The second goes into the specifics of how to manually identify and test for SQL injection vulnerabilities. And the third describes how to exploit SQL injection to retrieve data from the database.

Found them @ http://www.issadvisor.com/viewtopic.php?t=123

On Sat, 2003-02-08 at 20:21, raul.johhut () hushmail com wrote:
I am pen testing a webapp and am having some problems with SQL injection.

The app creates an ODBC error. Is this a guarantee of SQL Injection?

If I use www.victim/test.asp?userid=sfdsd the error is "incorrect syntax near line 28 of test.asp" (or that's the English translation equiv in my case).

I know the database is called master, and has a table test. What is the syntax I should use?

What are the best freeware and open source tools for testing SQL injection? I tried WPoison which was OK. I also tried WebSleuth (which seems to have gone from GPL to closed source commercial btw). Am I right in saying that the SQL plugin has to connect directly to the database to work? I can only see port 80 so don't think this will work?
Thanks, Raul.