RE: Blind SQL Injection Techniques

From: Paul Melson (pmelson@gmail.com)
Date: Thu Dec 14 2006 - 14:33:16 EST


-----Original Message-----
Subject: Blind SQL Injection Techniques

> It seems that when injecting any invalid SQL statement I get the same
> custom error page coming back that doesn't reveal any information.

There are other ways to prove injection is possible, like INSERT-ing a new
row, creating a user, or copying a table from their SQL server to one you
set up on your network.*

You should definitely read:
http://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt

PaulM

* Personally, I would consider getting an OPENROWSET injection to connect to
a netcat listener as a successful proof of concept. Actually copying data
is a formality at that point. It's definitely worth getting your client's
written permission before you attempt copying their data across the Internet
as there may be compliance issues (HIPAA Rule 3, for example) that this
exposes them to.




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:27 EDT