RE: Knowledge shared

From: Rayburn, Gordon (grayburn@firstam.com)
Date: 02/12/02


From: "Rayburn, Gordon" <grayburn@firstam.com>
To: "'Brett Moore'" <brett@softwarecreations.co.nz>, "'pen-test@securityfocus.com'" <pen-test@securityfocus.com>
Date: Mon, 11 Feb 2002 19:18:48 -0800

You're halfway right. If your procedure's variable is INT type, then you
cannot inject the xp_cmdshell execution. Char in INT won't work. Most
people will still use a char type and will still be vulnerable. Part of
your security comes from good design of the DBs as well; too bad most
developers won't pay attention.

> -----Original Message-----
> From: Brett Moore [SMTP:brett@softwarecreations.co.nz]
> Sent: Thursday, January 31, 2002 3:44 AM
> To: webappsec@securityfocus.com; pen-test@securityfocus.com
> Subject: Knowledge shared
>
> Ok so I have some thoughts. No official format.
>
> 1) SQL INJECTION
>
> "SQL injection does not work with stored procedures"...Shakes pear 1654
>
> example:
>
> X = WEB VARIABLE = INTEGER
>
> X = 10
> EXEC MY_STOREDPROCEDURE X = EXEC MY_STOREDPROCEDURE 10
> ~
> X = 10;EXEC MASTER..XP_CMDSHELL''
> EXEC MY_STOREDPROCEDURE X = 10;EXEC MASTER..XP_CMDSHELL''
>
> 2) SQL TIP
> SET NOEXEC = Compiles each query but does not execute it.
>
> If 007 knows the field names used in a web page creation then 007 can
> obtain information from the second query.
>
> 3) http://www.microsoft.com/technet/security/bulletin/MS01-060.asp
> Of course any tester that obtains sql injection capabilities on a test site
> can abuse this if the test site is not patched.
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
>

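The point both posts circle around, as an added illustration that is not code from either poster: splicing the web variable straight into the EXEC text lets a second statement ride along, whereas treating X as the INT the procedure declares (and binding it as a driver parameter) rejects the injected string outright. The procedure name, the parameter name @X, and the sample inputs are assumptions taken or constructed from the thread.

```python
# Added example (not from the thread): the same EXEC call built two ways.
import re

# Constructed sample inputs: a legitimate value and the injected one from the post.
LEGIT_INPUT = "10"
INJECTED_INPUT = "10;EXEC MASTER..XP_CMDSHELL''"

def build_exec_by_concatenation(web_var: str) -> str:
    """Vulnerable: the web variable is pasted verbatim into the batch, so
    whatever the client sends becomes part of the T-SQL text."""
    return "EXEC MY_STOREDPROCEDURE " + web_var

def coerce_int(web_var: str) -> int:
    """Treat the value as the INT the procedure parameter is declared as.
    Anything that is not a plain integer literal is rejected, which is the
    'char in INT won't work' behaviour the reply describes."""
    if not re.fullmatch(r"[+-]?\d+", web_var.strip()):
        raise ValueError(f"expected an integer for X, got {web_var!r}")
    return int(web_var)

def build_exec_parameterised(web_var: str):
    """Hardened: coerce to int first, then hand the value to the driver as a
    bound parameter instead of string-building. Returns (sql, params) in the
    qmark style used by DB-API drivers such as pyodbc (parameter name @X is
    an assumption, not from the thread)."""
    x = coerce_int(web_var)
    return "EXEC MY_STOREDPROCEDURE @X = ?", (x,)

def contains_extra_statement(sql: str) -> bool:
    """Crude check for a second statement riding on the batch: a statement
    separator followed by another EXEC. Handy in tests and when reviewing
    captured query text."""
    return re.search(r";\s*EXEC\b", sql, re.IGNORECASE) is not None

if __name__ == "__main__":
    print(build_exec_by_concatenation(INJECTED_INPUT))
    print(build_exec_parameterised(LEGIT_INPUT))
    try:
        build_exec_parameterised(INJECTED_INPUT)
    except ValueError as exc:
        print("rejected:", exc)
```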
