Re: SQL

From: Andrea secondote? (btnew@hotmail.com)
Date: 11/22/01


From: "Andrea secondote?" <btnew@hotmail.com>
To: pen-test@securityfocus.com
Subject: Re: SQL
Date: Thu, 22 Nov 2001 11:56:39 +0100
Message-ID: <F27088IB6AaA1ShsuaO00005d5f@hotmail.com>


>From: "Kevin Spett" <kspett@spidynamics.com>
>To: <PEN-TEST@securityfocus.com>
>Date: Mon, 19 Nov 2001 17:56:06 -0800

>There's code like this in the web app:

>SQL_Query_String = "SELECT somefield FROM Users WHERE Username = '" &
>strUserName & "' AND Password = '" & strPassword & "'"
>strValue = SQL_Query(SQL_Query_String) ..
[snip]

Hi, I'm a newbie in pen-testing. I read this article and I've found a link
too. I've tried this method on my website, which had a URL like this:
http://www.thesite.com/login.asp. I checked out the error, so I found how
the username & password fields were written, so I put ' or user like '% etc...
and the site answered me with: Welcome operator. OK.
But what I don't understand is how to take advantage of this attack for
getting passwords or accounts or sensitive information. Can you give me some
other information about it? Thanks

   .::SNHYPER::.
Security Team Milano


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
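As an added illustration of the quoted login code (example written for this archive page, not code from either poster): the string-built query from the thread beside its parameterized form, run against a constructed in-memory SQLite table. The table name, its columns and the sample account are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data: a single operator account (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT, Role TEXT)")
    conn.execute("INSERT INTO Users VALUES ('operator', 'S3cret-pass', 'admin')")
    return conn


def login_concat(conn, username, password):
    """Mirrors the quoted ASP pattern: input is glued into the SQL text.
    Returns the matched Role, or None when no row matches."""
    query = ("SELECT Role FROM Users WHERE Username = '" + username +
             "' AND Password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_param(conn, username, password):
    """Hardened form: placeholders keep the input as data, never as SQL."""
    row = conn.execute(
        "SELECT Role FROM Users WHERE Username = ? AND Password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Runs both variants with a real credential and with the thread's
    "' or user like '%" style input, adapted to the assumed column name."""
    conn = make_db()
    payload = "' OR Username LIKE '%"
    return {
        # Correct credentials work either way.
        "honest_concat": login_concat(conn, "operator", "S3cret-pass"),
        "honest_param": login_param(conn, "operator", "S3cret-pass"),
        # Concatenation lets the trailing OR match every row: "Welcome operator".
        "bypass_concat": login_concat(conn, payload, payload),
        # Bound parameters compare the whole string literally: no match.
        "bypass_param": login_param(conn, payload, payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A stray quote in the concatenated version (e.g. a username containing `'`) raises sqlite3.OperationalError, which is the verbose-error behaviour the poster used to learn the field names; the parameterized version never reaches the parser with user text.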


