Re: How to evade white spaces in a SQL injection

From: Jeff Bryner (jbryner1_at_yahoo.com)
Date: 03/25/04

  • Next message: Lachniet, Mark: "RE: Pen-tester's analysis of .NET security?"
    Date: Thu, 25 Mar 2004 09:13:14 -0800 (PST)
    To: Falcifer <falcifer2001@yahoo.es>, pen-test@securityfocus.com
    
    

    --- Falcifer <falcifer2001@yahoo.es> wrote:
    > Hi,
    >
    > I've one application coded on ASP with a login form and the only
    > character that it validates is the white space.
    >
    > Can I perform a SQL injection on it? How?

    SQL is nice enough to do some automatic parsing for you..so

    select''+@@version

    will work. Of course if the validation is client side, just bypass it.

    =====
    Jeff
    -----------------------
    You... you can't dump me! I'm using your name for all my passwords! What exactly am I supposed to do about that!?

    - Justin Simoni
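
Added example, not part of the original message: why the whitespace check described in the question does not stop injection, shown beside the parameterized form that does. It assumes Python with an in-memory SQLite database standing in for the poster's ASP/SQL Server backend; the table, function names and sample input are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: one account in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return db

def no_whitespace(value):
    """The validation described in the thread: reject any whitespace."""
    return not any(ch.isspace() for ch in value)

def login_concat(db, name, pw):
    """'Before' form: whitespace check, then SQL built by concatenation."""
    if not (no_whitespace(name) and no_whitespace(pw)):
        return False
    sql = ("SELECT COUNT(*) FROM users WHERE name='" + name +
           "' AND pw='" + pw + "'")
    # The SQL tokenizer splits on quotes and operators, so the filter
    # above does not keep input from being parsed as SQL.
    return db.execute(sql).fetchone()[0] > 0

def login_bound(db, name, pw):
    """Hardened form: values are bound parameters and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name=? AND pw=?"
    return db.execute(sql, (name, pw)).fetchone()[0] > 0

# Constructed test input: a quote and an operator, but no whitespace.
NO_SPACE_INPUT = "x'OR'1'='1"

if __name__ == "__main__":
    db = make_db()
    print("filter accepts input: ", no_whitespace(NO_SPACE_INPUT))
    print("concatenated query:   ", login_concat(db, "admin", NO_SPACE_INPUT))
    print("parameterized query:  ", login_bound(db, "admin", NO_SPACE_INPUT))
```

The fix is the bound-parameter query, with server-side validation as a secondary check; a character blacklist on its own is not a control.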
