SQL

From: Gary O'leary-Steele (GaryO@sec-1.com)
Date: 11/19/01

• Previous message: rudi carell: "Re: ASP code testing"
• Next in thread: Holmes, Ben: "RE: SQL"
• Reply: Holmes, Ben: "RE: SQL"
• Reply: Kevin Spett: "Re: SQL"
• Reply: Javier Fernández-Sanguino: "RE: SQL"
• Reply: root: "Re: SQL"
• Reply: Paul Midian: "RE: SQL"
• Reply: neil-at-geekshanty-dot-com: "Re: SQL"
• Reply: Sverre H. Huseby: "Re: SQL"
• Reply: David.French@ey.com: "Re: SQL"
• Reply: Andy Miller: "RE: SQL"
• Reply: Andrea secondote?: "Re: SQL"
• Reply: rudi carell: "RE: SQL"
• Reply: Javier Fernández-Sanguino: "RE: SQL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Gary O'leary-Steele" <GaryO@sec-1.com>
To: <PEN-TEST@securityfocus.com>
Subject: SQL
Date: Mon, 19 Nov 2001 16:24:08 -0000
Message-ID: <NLEEKGBCFBNEHNPCPNFLEEBKCAAA.GaryO@sec-1.com>

Hello all,

I am doing a pen test against a IIS 5 web server. The web server requires a
user name and password via a logon form. if a single quote character is
entered (username)the following error is produced

[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
before the character string '' and password=''.

I remember reading somewhere that this can be used to gain further access?
but i cant find the info.

Can any one help?

Thanks in advance.

Gary

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

---

• Previous message: rudi carell: "Re: ASP code testing"
• Next in thread: Holmes, Ben: "RE: SQL"
• Reply: Holmes, Ben: "RE: SQL"
• Reply: Kevin Spett: "Re: SQL"
• Reply: Javier Fernández-Sanguino: "RE: SQL"
• Reply: root: "Re: SQL"
• Reply: Paul Midian: "RE: SQL"
• Reply: neil-at-geekshanty-dot-com: "Re: SQL"
• Reply: Sverre H. Huseby: "Re: SQL"
• Reply: David.French@ey.com: "Re: SQL"
• Reply: Andy Miller: "RE: SQL"
• Reply: Andrea secondote?: "Re: SQL"
• Reply: rudi carell: "RE: SQL"
• Reply: Javier Fernández-Sanguino: "RE: SQL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: faster scans? (nmap) ... one host using nmap for syn scans in burst mode with the ... >>>This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ... (Pen-Test) Re: pen test help please asap ... > Machine A on client site makes a configurable encrypted OUTBOUND ... > This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ... This list is provided by the SecurityFocus Security Intelligence Alert ... (Pen-Test) Re: ettercap help ... Anyways have never tried Ettercap for VNC. ... > This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ... This list is provided by the SecurityFocus Security Intelligence Alert ... (Pen-Test) Re: ettercap help ... > I can get it to sniff telnet, ftp, pop, smb, but no vnc. ... > This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ... (Pen-Test) Re: Wardialing ... >>> achieving the connection with the modem. ... >>This list is provided by the SecurityFocus Security Intelligence Alert ... For more information on SecurityFocus' SIA service which ... (Pen-Test)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > pen-test  > 2001-11