Re: How to evade white spaces in a SQL injection

From: Jeff Bryner (jbryner1@yahoo.com)
Date: Thu Mar 25 2004 - 12:13:14 EST


--- Falcifer <falcifer2001@yahoo.es> wrote:
> Hi,
>
> I've one application coded in ASP with a login form and the only
> character that it validates is the white space.
>
> Can I perform a SQL injection on it? How?

SQL is nice enough to do some automatic parsing for you..so

select''+@@version

will work. Of course if the validation is client side, just bypass it.

=====
Jeff
-----------------------
You... you can't dump me! I'm using your name for all my passwords! What exactly am I supposed to do about that!?

- Justin Simoni
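
Added example, not part of the original post or reply: a whitespace check does not keep input out of the SQL parser, while bound parameters do. It assumes Python's sqlite3 as a stand-in for the SQL Server backend behind the ASP form; the table, the function names and the sample row are hypothetical and constructed for the demonstration.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite stands in for the real backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("O'Brien", "s3cret"))
    return db

def has_whitespace(value):
    """The only validation the original poster describes."""
    return any(ch.isspace() for ch in value)

def parses_without_spaces(db):
    # The reply's point, in SQLite syntax: the tokenizer separates the
    # keyword from the string literal without needing any whitespace.
    return db.execute("select''||'parsed'").fetchone()[0]

def login_concatenated(db, name, pw):
    """Whitespace check plus string concatenation (the fragile pattern)."""
    if has_whitespace(name) or has_whitespace(pw):
        return "rejected"
    sql = ("SELECT count(*) FROM users WHERE name='" + name +
           "' AND pw='" + pw + "'")
    try:
        return "ok" if db.execute(sql).fetchone()[0] else "denied"
    except sqlite3.OperationalError:
        # The quote in the input closed the literal early, so the rest of
        # the input reached the parser as SQL text instead of data.
        return "sql-error"

def login_parameterized(db, name, pw):
    """Bound parameters: input is always data, no character filter needed."""
    sql = "SELECT count(*) FROM users WHERE name=? AND pw=?"
    return "ok" if db.execute(sql, (name, pw)).fetchone()[0] else "denied"

if __name__ == "__main__":
    db = make_db()
    print(parses_without_spaces(db))
    # A legitimate user name with no whitespace passes the filter and
    # still breaks the concatenated statement.
    print(login_concatenated(db, "O'Brien", "s3cret"))
    print(login_parameterized(db, "O'Brien", "s3cret"))
```

The same separation of statement and data is available to classic ASP through ADO parameterized commands, which is the fix the login form needs in place of the whitespace check.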




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT