Re: How to evade white spaces in a SQL injection
From: Falcifer (falcifer2001_at_yahoo.es)
Date: 03/26/04
- Previous message: Jon Hart: "Re: nmap shows open UDP port 113"
- In reply to: Jeff Bryner: "Re: How to evade white spaces in a SQL injection"
- Next in thread: Jeff Bryner: "RE: How to evade white spaces in a SQL injection"
- Reply: Jeff Bryner: "RE: How to evade white spaces in a SQL injection"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: jeff@jeffbryner.com
Date: Fri, 26 Mar 2004 01:34:58 +0100
Sorry, but I don't understand it.
Can you explain it a bit more?
Suppose that the original query is:
select * from users where useid=&my_user_without_spaces and
password=&password
where &my_user_without_spaces and &password were the inputs submitted
by the web form, but both vars without spaces.
Thanks
On Thu, 25-03-2004 at 18:13, Jeff Bryner wrote:
> --- Falcifer <falcifer2001@yahoo.es> wrote:
> > Hi,
> >
> > I've one application coded in ASP with a login form and the only
> > character that it validates is the white space.
> >
> > Can I perform a SQL injection on it? How?
>
> SQL is nice enough to do some automatic parsing for you..so
>
> select''+@@version
>
> will work. Of course if the validation is client side, just bypass it.
>
>
>
> =====
> Jeff
> -----------------------
> You... you can't dump me! I'm using your name for all my passwords! What exactly am I supposed to do about that!?
>
> - Justin Simoni
>
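An added example, not part of the original thread and not code from either poster: it contrasts the concatenated login query from the message above with a parameterized form, to show why a white-space check does not keep input from being parsed as SQL. It assumes SQLite as a stand-in for the ASP application's database (so `||` replaces `+` and `sqlite_version()` replaces `@@version`); the function names, sample account and probe value are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: one account; column names follow the post's query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (useid TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('ab', 's3cret')")
    return db

def passes_filter(value):
    # The only validation the post describes: reject white space.
    return not any(ch.isspace() for ch in value)

def tokenizer_needs_no_spaces(db):
    # SQLite analogue of the quoted select''+@@version: no white space, still parses.
    return db.execute("select''||sqlite_version()").fetchone()[0]

def login_concatenated(db, user, password):
    # 'Before' form: filtered input is pasted into the statement text.
    if not (passes_filter(user) and passes_filter(password)):
        return None
    sql = ("select useid from users where useid='" + user +
           "' and password='" + password + "'")
    return db.execute(sql).fetchall()

def login_parameterized(db, user, password):
    # Hardened form: values are bound as data and never parsed as SQL.
    sql = "select useid from users where useid=? and password=?"
    return db.execute(sql, (user, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    probe = "a'||'b"  # constructed input: no white space, but contains SQL syntax
    print(tokenizer_needs_no_spaces(db))
    # The probe is evaluated as the expression 'a'||'b' and matches user 'ab'.
    print(login_concatenated(db, probe, "s3cret"))   # [('ab',)]
    # Bound as a parameter, the same probe is only a literal string.
    print(login_parameterized(db, probe, "s3cret"))  # []
```

The probe still needs the correct password; what it shows is that the filter lets SQL operators through, so the fix belongs in how the statement is built, not in which characters are rejected.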