
Re: [Full-disclosure] Framework for the aid of exploiting SQL injection



Hi Roman,
> Is there any recommended tool which helps to get databases tables,
> entries, structure, etc, given a particular SQL injection bug in one
> application? I mean, it should *automatically* try different sentences
> to figure out the names of the columns and in general, other useful info
> from the database. Perhaps a PoC of some of NGSSoftware's papers or a
> more elaborated tool...

I've just put up sqlinjector.zip on the databasesecurity.com website ( http://www.databasesecurity.com/webapplications.htm ). This is the tool (source and exe) you refer to. I never got around to completing it but it works as is - I'd rather the code was tidier.
HTH,
David


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/