RE: BlackBox testing for SQL injection

From: Miguel Dilaj (mdilaj_at_nccglobal.com)
Date: 06/29/05

  • Next message: J.Ayoola: "RE: New Virus?"
    To: <security-basics@securityfocus.com>
    Date: Wed, 29 Jun 2005 08:43:51 +0100

    Hi Michael,

    Well, usually you don't know these if you're a pentester.
    Look for the papers entitled "Advanced SQL Injection" and "More Advanced SQL Injection"
    (probably at http://www.ngssoftware.com/papers.htm).
    In one of them you have the process to discover table structure.
    Using SQL abstracts you from source code worries.
    Cheers,

    Miguel

    -----Original Message-----
    From: mickael kael [mailto:mickael.kael@gmail.com]
    Sent: 28 June 2005 11:08
    To: security-basics@securityfocus.com
    Subject: BlackBox testing for SQL injection

    Hello,

    I want to know if it is possible to find real SQL injection with a blackbox
    tool. For example, parosproxy prints some alerts of SQL injection params.
    "GET
    http://192.168.1.4/test/html/modules.php?name=Your_Account&op=userinfo&bypass=1&uname=user'INJECTED_PARAM
    HTTP/1.1
    "
    But how can we test it if we don't know the table structure and source code?

    Thanks in advance for your idea,

    Best Cordially,

    Mk,

    ***********************************************************************************************************
    DISCLAIMER:
    This e-mail contains proprietary information, some or all of which may be legally privileged.
    It is for the intended recipient only. If an addressing or transmission error has misdirected this e-mail,
    please notify the author by replying to this e-mail. If you are not the intended recipient you may not use,
    disclose, distribute, copy, print or rely on this e-mail.
    ***********************************************************************************************************
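An added example, not code from either poster, showing the kind of string-built query behind a finding like the one Paros reported, beside the parameterized form that fixes it. The `users` table, its columns and the sample rows are assumptions constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the application's user table; the
# table and column names are assumptions, not taken from the thread.
SAMPLE_USERS = [("user", "user@example.invalid"), ("admin", "admin@example.invalid")]


def _open_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uname TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(uname: str) -> dict:
    """Vulnerable pattern: the uname parameter is concatenated into the SQL text.

    Returns the rows found plus any database error message. The stray quote in
    a value such as "user'INJECTED_PARAM" breaks the statement; that error is
    the signal a black-box scanner reports, with no knowledge of schema or source.
    """
    conn = _open_db()
    sql = f"SELECT uname, email FROM users WHERE uname = '{uname}'"
    try:
        rows = conn.execute(sql).fetchall()
        return {"rows": rows, "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}
    finally:
        conn.close()


def lookup_parameterized(uname: str) -> dict:
    """Hardened pattern: the value travels as a bound parameter, never as SQL."""
    conn = _open_db()
    try:
        rows = conn.execute(
            "SELECT uname, email FROM users WHERE uname = ?", (uname,)
        ).fetchall()
        return {"rows": rows, "error": None}
    finally:
        conn.close()


if __name__ == "__main__":
    probe = "user'INJECTED_PARAM"  # the value the scanner appended in the thread
    print(lookup_vulnerable(probe))     # error set: the quote broke the statement
    print(lookup_parameterized(probe))  # no error, zero rows: treated as a literal
```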

