Re: [Full-Disclosure] Latest MS SQL Server vulnerabilities revealed.

From: Cesar (cesarc56_at_yahoo.com)
Date: 05/01/03

  • Next message: tom ferris: "[Full-Disclosure] MDG Web Server 4D 3.6.0 Buffer Overflow"
    To: full-disclosure@lists.netsys.com
    Date: Wed, 30 Apr 2003 17:55:39 -0700 (PDT)
    

    MS SQL Server DOES allow multiple statements; you
    must be confusing it with MySQL. The ideas presented in
    the paper work most of the time on web applications
    vulnerable to SQL injection. The only problem is when
    firewalls block all outbound connections, but that can
    be bypassed using other OLEDB providers.

    Cesar.

    --- Michael - <michael@nix.org> wrote:
    >
    > After reading your papers I must say it was quite
    > interesting and it introduces quite a few new ideas.
    > However, most of them (at least in your paper found
    > at
    >
    > http://www.appsecinc.com/presentations/Manipulating_SQL_Server_Using_SQL_Injection.pdf
    > ) base themselves on the idea that you can perform
    > an 'insert' with SQL injection. In my experience,
    > this is impossible most of the time due to the fact
    > that MSSQL doesn't allow multiple statements and that
    > you can only add a union in the middle of an SQL
    > statement that is usually part of a web application.
    >
    > Michael
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter:
    > http://lists.netsys.com/full-disclosure-charter.html

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
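The point under dispute in the thread is whether a driver executes a batch of several statements sent in one call (MS SQL Server does), which is what turns a string-built query into a vector for INSERT, UPDATE or EXEC rather than only UNION. The example below is added here and is not code from either poster or from the linked paper; it uses Python's sqlite3 purely as an offline stand-in, with executescript() modelling SQL Server's batch semantics (sqlite3's execute() refuses a second statement). The schema, the table and the input value are constructed for the demonstration. It shows the concatenated query letting a stacked INSERT run, and the parameterised query treating the identical input as plain data.

```python
import sqlite3

# Constructed sample schema. executescript() below stands in for a driver
# that, like MS SQL Server, runs every ';'-separated statement in one batch.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
INSERT INTO users (name, role) VALUES ('alice', 'user');
"""

# Constructed input: closes the string literal, stacks a second statement,
# and comments out the remainder of the original query.
STACKED_INPUT = "x'; INSERT INTO users (name, role) VALUES ('mallory', 'admin'); --"


def fresh_db():
    """Returns an in-memory database initialised with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, name):
    """Builds the query by string concatenation and sends it as a batch.
    Any statement smuggled into `name` is executed along with the SELECT."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "';"
    conn.executescript(sql)  # batch execution: the stacked INSERT runs too


def lookup_safe(conn, name):
    """Parameterised query: `name` travels as a bound value, so it can neither
    terminate the statement nor start another one."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def user_names(conn):
    """Lists user names in insertion order, used to observe side effects."""
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY id")]


def demo():
    """Runs both variants on separate fresh databases with the same input and
    returns (users after vulnerable call, users after safe call, safe rows)."""
    vuln = fresh_db()
    lookup_vulnerable(vuln, STACKED_INPUT)

    safe = fresh_db()
    rows = lookup_safe(safe, STACKED_INPUT)
    return user_names(vuln), user_names(safe), rows


if __name__ == "__main__":
    after_vuln, after_safe, rows = demo()
    print("vulnerable path, users now:", after_vuln)
    print("parameterised path, users now:", after_safe)
    print("parameterised path, rows returned:", rows)
```

The vulnerable path ends with a second user present, while the parameterised path returns no rows and leaves the table untouched. Blocking outbound connections at the firewall, which the reply mentions as the only obstacle, does nothing about the write itself; parameterised queries (or, on SQL Server, properly bound sp_executesql parameters) plus a least-privileged database login are what remove the problem.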
