SQL Injection - retrieving all rows

From: mel (meling@scan-associates.net)
Date: 03/20/02


Date: Wed, 20 Mar 2002 19:24:59 +0800
From: mel <meling@scan-associates.net>
To: pen-test@securityfocus.com

Hi,

I've been able to enumerate over 50 plus tables in a recent pen-test,
now comes the hard part - I want to dump data from the most important
table that contains user names and passwords. However, the ASP app
that I exploit only returns one row at a time. Is there any way to
overcome this?

I've been looking for apps that return multiple rows (such as search, etc.)
but to no avail. I've tried dumping ASP code using BULK INSERT, but
the command is only available for the system account. Creating a stored
procedure does not seem to work as well :(

Now, I'm thinking of writing a script that dumps the data one row at a time,
but I would like advice from fellow pen-testers first.

Cheers,

--mel
