
Re: SQL Injection Basics

From: Bart McKinnley <bartsimpson1997(at)yahoo.com>
Date: Fri Feb 14 2003 - 10:05:59 EST


I ran across three presentations that deal with SQL Injection. They helped me out when I was testing a few asp pages I created.

The first discusses the basics of how to test web applications for SQL injection vulnerabilities. The second goes into the specifics of how to manually identify and test for SQL injection vulnerabilities. And the third describes how to exploit SQL injection to retrieve data from the database.

Found them @
http://www.issadvisor.com/viewtopic.php?t=123

On Sat, 2003-02-08 at 20:21, raul.johhut@hushmail.com wrote:
> I am pen testing a webapp and am having some problems with SQL injection.
>
> The app creates an ODBC error. Is this a guarantee of SQL Injection?
>
> If I use www.victim/test.asp?userid=sfdsd
> test.asp" (or that's the English translation equiv in my case).
>
> I know the database is called master, and has a table test. What is the syntax I should use?
>
> What are the best freeware and open source tools for testing SQL injection? I tried WPoison which was OK.
>
> I also tried WebSleuth (which seems to have gone from GPL to closed source commercial btw). Am I right in saying that the SQL plugin has to connect directly to the database to work? I can only see port 80 so don't think this will work?
>
> Thanks, Raul.



Received on Fri Feb 14 10:11:57 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:48 EDT
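
An added example, not part of the original thread or the presentations it links: it shows why a non-numeric `userid` such as the `sfdsd` value in the quoted question produces a database driver error when the value is concatenated into the query, and what the same request returns once the value is validated and bound as a parameter. Python's `sqlite3` stands in for the ASP/ODBC stack here, and the column names, rows and function names are constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed sample data; only the table name "test" comes from the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE test (userid INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO test VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return db


def lookup_concat(db, userid):
    """'Before' form: the request value becomes part of the SQL text."""
    sql = "SELECT name FROM test WHERE userid = " + userid
    try:
        return ("ok", db.execute(sql).fetchall())
    except sqlite3.Error as exc:
        # The driver error appears because the SQL parser saw the raw input.
        return ("db_error", str(exc))


def lookup_param(db, userid):
    """Hardened form: validate the type, then bind the value as a parameter."""
    if not (userid.isascii() and userid.isdigit()):
        # Rejected before any SQL is built; no driver error can leak out.
        return ("rejected", "userid must be numeric")
    rows = db.execute(
        "SELECT name FROM test WHERE userid = ?", (int(userid),)
    ).fetchall()
    return ("ok", rows)


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "sfdsd"):
        print(value, "concat:", lookup_concat(db, value))
        print(value, "param: ", lookup_param(db, value))
```

A driver error in the concatenated form is a sign that request input reached the SQL parser unmodified; the bound form never passes the value to the parser as SQL text.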

