| To: | pen-test@securityfocus.com |
|---|---|
| Subject: | MS Access+pen-test |
| From: | wymerzp@sbu.edu |
| Date: | 13 Jun 2007 19:55:07 -0000 |
| Delivered-to: | sp-com-lists@consult.net |
| Delivered-to: | pentest-list2@consult.net |
| Delivered-to: | mailing list pen-test@securityfocus.com |
| Delivered-to: | moderator for pen-test@securityfocus.com |
| List-help: | <mailto:pen-test-help@securityfocus.com> |
| List-id: | <pen-test.list-id.securityfocus.com> |
| List-post: | <mailto:pen-test@securityfocus.com> |
| List-subscribe: | <mailto:pen-test-subscribe@securityfocus.com> |
| List-unsubscribe: | <mailto:pen-test-unsubscribe@securityfocus.com> |
| Mailing-list: | contact pen-test-help@securityfocus.com; run by ezmlm |
| Resent-date: | Fri, 15 Jun 2007 10:44:59 -0600 (MDT) |
| Resent-from: | pen-test-return-1078484372@securityfocus.com |
| Resent-message-id: | <20070615164459.6C8471455EE@outgoing2.securityfocus.com> |
| Resent-sender: | listbounce@securityfocus.com |
| Sender: | listbounce@securityfocus.com |
I was looking over a client's website when I discovered a classic (almost cliche) sql injection vulnerability (i.e. Username ' OR ''=' | Password ' OR ''='). I did more poking and prodding and discovered that they are using MS Access for a backend. I know you can't string queries together (i.e. Select user from tbl where blah = var; Select...). My question is then, is there any 'good way' to use sql injection against this database to drive home the severity of the lack of input validation? Currently, the best I got was access to non-sensitive information that one simply needed to supply an email for. Thanks a lot, Zach ------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------ |
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | Tcpdfilter, scott |
|---|---|
| Next by Date: | Re: Pentesting Old unsupported Firewall Appliances, Tiago Batista |
| Previous by Thread: | Tcpdfilter, scott |
| Next by Thread: | Re: MS Access+pen-test, Jim Halfpenny |
| Indexes: | [Date] [Thread] [Top] [All Lists] |