RE: Password Tesing using SQL Injection

From: Balwant Rathore <balwant(at)mahindrabt.com>
Date: Mon Mar 17 2003 - 10:13:01 EST

Hi,

Comments in-line

> I am facing problem to compare two files one on the client &
> another one on the server so for that I want some way to transfer
> file from the clinet site to the server site.

You can try as follows:
1. Display master..sysxlogins.passowrd data in browser using SQL Injections. 2. Compare encrypted password using pwdcompare function. As you have mentioned.

        pwdcompare(rtrim(Password-List.word),master..sysxlogins.password) = 1;

I tried this but it doesn't display encrypted passwords in browser. And I was not in position to give sufficient time on this.

Sincerely,

Balwant Rathore, CISSP
Security Practices Group,
Mahindra-British Telecom Ltd.
Oberoi Estate Gardens, Chandivali,
Mumbai - 400 072, India.
Tel : +91 22 56922000 Extn - 8010
Fax : +91 22 28528959
Mobile: +91 98208 03333

---

Disclaimer

This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited.

---

Visit us at http://www.mahindrabt.com

---

Did you know that you have VNC running on your network? Your hacker does. Plug your security holes now! Download a free 15-day trial of VAM:
http://www2.stillsecure.com/download/sf_vuln_list.html Received on Mon Mar 17 11:27:49 2003