MS SQL injection
- From: "Mike Klingler" <whitehatguru@xxxxxxxxx>
- Date: Thu, 21 Sep 2006 09:02:52 -0500
Colleagues,
I have a basic understanding of SQL injection for MS SQL, but on
this recent pen test the methods I have used in the past aren't
cutting it.
I was able to enumerate the table name and columns utilizing the '
having 1=1;-- and ' group by x,x,x,x having 1=1;--, but once I got all
of the column names on the group by list it issued the following error
instead of returning without an error. "[Microsoft][ODBC SQL Server
Driver][SQL Server]Unclosed quotation mark before the character string
' '." Any ideas on what I need to do to overcome this problem?
Thanks guys
--
Michael Klingler, CISSP
SecurityMetrics Penetration Tester