RE: Pen-testing AS400 DB2 LANSA

From: Amichai Shulman (shulman@imperva.com)
Date: Wed Jun 22 2005 - 07:27:57 EDT


There are many options; usually a good starting point would be to look
at the returned error message (if any). Otherwise my guess would be to
just terminate a statement (" --") and take it from there.

Amichai Shulman
CTO

Imperva, Inc.
12 Hachilazon St.
Ramat Gan

(972)-3-6120133 x103 Office
(972)-3-7511133 Fax
(972)-50-6544451 Mobile
shulman@imperva.com


-----Original Message-----
From: Eoin Keary [mailto:eoinkeary@hotmail.com]
Sent: Wednesday, June 22, 2005 10:51 AM
To: Amichai Shulman; pen-test@securityfocus.com
Cc: eoin.keary@owasp.org
Subject: RE: Pen-testing AS400 DB2 LANSA

Thanks Amichai,
Regular tests such as "O'Brien" or " ' Or 1=1 -- ' do not work. So I was
wondering if there are any other vectors one could try specific to DB2 &
AS400.

>From: "Amichai Shulman" <shulman@imperva.com>
>To: <pen-test@securityfocus.com>
>CC: <eoin.keary@owasp.org>
>Subject: RE: Pen-testing AS400 DB2 LANSA
>Date: Wed, 22 Jun 2005 09:32:31 +0200
>
>We did a pen-test on a web application a while ago that used DB2 on
>AS400 as backend database. Found SQL injection to work much like with
>any other database. Interesting thing though was that we invoked a
>denial-of-service attack against the AS400 by injecting a
>computation-intensive query.
>
>Amichai Shulman
>CTO
>
>
>
>
>Imperva, Inc.
>12 Hachilazon St.
>Ramat Gan
>
>
>(972)-3-6120133 x103 Office
>(972)-3-7511133 Fax
>(972)-50-6544451 Mobile
>shulman@imperva.com
>
>
>-----Original Message-----
>From: eoin.keary@owasp.org [mailto:eoin.keary@owasp.org]
>Sent: Wednesday, June 15, 2005 3:34 PM
>To: pen-test@securityfocus.com
>Subject: Pen-testing AS400 DB2 LANSA
>
>
>Hi,
>anyone have any knowledge on SQL injection for an AS400 running DB2?
>
>Eoin


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:27 EDT