[TOOL] Data Thief, SQL Injection Proof of Concept
From: SecuriTeam (support_at_securiteam.com)
Date: 04/30/03
To: list@securiteam.com Date: 30 Apr 2003 11:22:06 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Data Thief, SQL Injection Proof of Concept
------------------------------------------------------------------------
DETAILS
Data Thief is a "proof-of-concept" tool used to demonstrate to web
administrators and developers how easy it is to steal data from a web
application that is vulnerable to SQL Injection. Data Thief is designed to
retrieve data from a Microsoft SQL Server back-end behind a web
application with a SQL Injection vulnerability. Once a SQL Injection
vulnerability is identified, Data Thief does all the work of listing the
linked servers, laying out the database schema, and actually selecting the
data from a table in the application.
Data Thief uses techniques illustrated and described in the
<http://www.appsecinc.com/techdocs/whitepapers.html#inject> Manipulating
Microsoft SQL Server Using SQL Injection white paper. Data Thief does not
discover SQL Injection vulnerabilities; it only demonstrates how easily they
can be exploited and how far-reaching they can be.
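The root cause a tool like this relies on is a query built by string concatenation, where the database parser treats user input as part of the statement. The following example is added here and is not code from the advisory or from Data Thief: it contrasts the concatenation pattern with a parameterized query. It assumes a constructed in-memory sqlite3 table standing in for the SQL Server back-end (chosen only so it runs offline; the defect and the fix are the same on SQL Server, where the driver's parameter binding plays the role of the `?` placeholder), and uses a legitimate name containing an apostrophe to show that the concatenated version lets input reach the parser as SQL syntax while the bound version does not.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny customer table used as a stand-in
    for the application's database back-end (assumption for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "Alice", "1111"), (2, "O'Brien", "2222")],
    )
    return conn


def lookup_concat(conn, name):
    """Vulnerable pattern: the user-supplied value is spliced into the SQL
    text, so any quote in it changes the statement the parser sees."""
    sql = "SELECT id, name FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Hardened pattern: the value is bound as a parameter, so it is always
    data and can never alter the structure of the statement."""
    sql = "SELECT id, name FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input and report how each behaves.
    Returns a dict with the parameterized result and, for the concatenated
    query, either None (no error) or the name of the exception raised."""
    conn = make_db()
    outcome = {"param": lookup_param(conn, name), "concat_error": None}
    try:
        outcome["concat_result"] = lookup_concat(conn, name)
    except sqlite3.OperationalError as exc:
        # The apostrophe in the input terminated the string literal early:
        # the rest of the input was parsed as SQL, which is exactly the
        # condition an injection tool exploits.
        outcome["concat_result"] = None
        outcome["concat_error"] = type(exc).__name__
    return outcome


if __name__ == "__main__":
    for candidate in ("Alice", "O'Brien"):
        print(candidate, compare(candidate))
```

A cheap detection signal in production is the same thing this example surfaces: a web tier that logs SQL syntax errors for requests containing quotes is usually telling you where concatenated queries live, and those are the endpoints to convert to parameterized statements first.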
ADDITIONAL INFORMATION
The information has been provided by <mailto:cesarc56@yahoo.com> Cesar.