WebApp Sec mailing list archives
New SQL Injection POC tool
From: Cesar <cesarc56 () yahoo com>
Date: Tue, 29 Apr 2003 16:07:07 -0700 (PDT)
Data Thief

Data Thief is a “proof-of-concept” tool used to demonstrate to web administrators and developers how easy it is to steal data from a web application that is vulnerable to SQL Injection. Data Thief is designed to retrieve the data from a Microsoft SQL Server back-end behind a web application with a SQL Injection vulnerability. Once a SQL Injection vulnerability is identified, Data Thief does all the work of listing the linked servers, laying out the database schema, and actually selecting the data from a table in the application.

http://www.appsecinc.com/resources/freetools/

The tool is based on this paper:

Manipulating Microsoft SQL Server Using SQL Injection: This paper will focus on advanced techniques that can be used in an attack on an application utilizing Microsoft SQL Server as a backend. These techniques demonstrate how an attacker could use a SQL Injection vulnerability to retrieve the database content from behind a firewall and penetrate the internal network.

http://www.appsecinc.com/news/briefing.html#inject

Feedback is welcome.

NEW SECURITY LIST: For people interested in SQL Server security, vulnerabilities, SQL injection, etc., I'm starting a new mailing list you can join at:

http://groups.yahoo.com/group/sqlserversecurity/

Enjoy!!

Cesar.