Re: SQL
From: David.French@ey.comDate: 11/20/01
- Previous message: Sverre H. Huseby: "Re: SQL"
- Maybe in reply to: Gary O'leary-Steele: "SQL"
- Next in thread: Andy Miller: "RE: SQL"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <garyo@sec-1.com> Subject: Re: SQL From: David.French@ey.com Message-ID: <OFCCFB84D3.1BE90413-ON86256B0A.0001659F@ey.com> Date: Mon, 19 Nov 2001 18:20:52 -0600
The following is where you can find a paper written by David Litchfield
that might be helpful to you.
www.blackhat.com/presentations/win-usa-01/Litchfield/BHWin01Litchfield.doc
Dave
|------------------------+------------------------+------------------------|
| | "Gary O'leary-Steele"| |
| | <GaryO@sec-1.com> | To: |
| | | <PEN-TEST@securityfoc|
| | 11/19/2001 10:24 AM | us.com> |
| | Please respond to | cc: |
| | garyo | (bcc: David C. |
| | | French/Chicago/AUDIT/|
| | | EYLLP/US) |
| | | Subject: |
| | | SQL |
|------------------------+------------------------+------------------------|
Hello all,
I am doing a pen test against a IIS 5 web server. The web server requires a
user name and password via a logon form. if a single quote character is
entered (username)the following error is produced
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
before the character string '' and password=''.
I remember reading somewhere that this can be used to gain further access?
but i cant find the info.
Can any one help?
Thanks in advance.
Gary
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
______________________________________________________________________
The information contained in this message may be privileged and
confidential and protected from disclosure. If the reader of this message
is not the intended recipient, or an employee or agent responsible for
delivering this message to the intended recipient, you are hereby notified
that any dissemination, distribution or copying of this communication is
strictly prohibited. If you have received this communication in error,
please notify us immediately by replying to the message and deleting it
from your computer. Thank you. Ernst & Young LLP
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
- Previous message: Sverre H. Huseby: "Re: SQL"
- Maybe in reply to: Gary O'leary-Steele: "SQL"
- Next in thread: Andy Miller: "RE: SQL"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
