aspx applications SQL Injection

From: Mohamed Ali (rxmohamed_at_hotmail.com)
Date: 10/12/04

    To: pen-test@securityfocus.com
    Date: Tue, 12 Oct 2004 08:24:23 +0000

    Hi all,

    I did a full pen-test on my client's web application, and I can get almost
    all the data and data dictionary information I need by exploiting the SQL
    injection vulnerabilities they have in many dynamic pages.

    The question is, when I discussed these issues with the IT people, they recommended
    not fixing any of them but just converting to .Net technology. I'm not
    familiar with .Net tech, but this recommendation sounds weird to me. IS THERE
    ANY WAY TO PROVE THAT THEIR RECOMMENDATION IS NOT ENOUGH TO PREVENT
    UNAUTHORIZED ACCESS THROUGH SQL INJECTION? (Their platform is IIS, SQL Server
    and Oracle.)

    Any suggestions would be appreciated.

    Thanks

    Ahmed Rashad
    IT Audit Manager
    Experts.ae

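Whether a port to .NET would by itself remove the injection, as an added example that is not part of the original post: the same concatenated query written against ADO.NET, beside the parameterized form that actually closes the hole. The Users table, its columns and the connection string are placeholders I have assumed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original post. Assumes a SQL Server table
// named Users with NVARCHAR columns UserName and Email (placeholders).
static class UserLookup
{
    // Vulnerable pattern: the string concatenation that broke the classic ASP
    // pages survives the port to .NET unchanged. The request value becomes part
    // of the SQL text, so the server cannot distinguish data from code.
    public static SqlCommand BuildUnsafe(SqlConnection conn, string userName)
    {
        string sql = "SELECT UserName, Email FROM Users WHERE UserName = '"
                     + userName + "'";
        return new SqlCommand(sql, conn);
    }

    // Hardened pattern: the query text is constant and the input travels as a
    // typed parameter, so it is never parsed as SQL whatever characters it holds.
    public static SqlCommand BuildSafe(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand(
            "SELECT UserName, Email FROM Users WHERE UserName = @UserName", conn);
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
        return cmd;
    }

    static void Main()
    {
        // Constructed input: an ordinary surname containing a single quote.
        // No database is contacted; we only inspect what each builder would send.
        string input = "O'Brien";
        string cs = "Server=localhost;Database=PLACEHOLDER;Integrated Security=true";
        using (var conn = new SqlConnection(cs))
        {
            // The quote in the input terminates the string literal early, which is
            // the same defect the pen-test found in the ASP pages.
            Console.WriteLine(BuildUnsafe(conn, input).CommandText);

            // The command text is unaffected by the input; the value is bound
            // separately and shown on its own line.
            SqlCommand safe = BuildSafe(conn, input);
            Console.WriteLine(safe.CommandText);
            Console.WriteLine(safe.Parameters["@UserName"].Value);
        }
    }
}
```

Reviewing the ported code for the first pattern (concatenation into CommandText, or into dynamic SQL inside stored procedures) is the check that answers the question; the framework change alone does not.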
