Open Source and information security mailing list archives
Date: Mon, 9 Feb 2009 19:45:04 +0200
From: Amit Klein <aksecurity@...il.com>
To: Razi Shaban <razishaban@...il.com>
Cc: Roman Medina-Heigl Hernandez <roman@...labs.com>, Daniel Kachakil <dani@...hakil.com>, bugtraq@...urityfocus.com
Subject: Re: SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in one request!)

Apparently the concept has been known to white hats as well, for some time.

Dennis Hurst from HP has this blog entry from December 2007:
http://www.communities.hp.com/securitysoftware/blogs/dennis/archive/2007/12/07/Project-Management-Institute-meeting-in-Alpharetta-GA-_2D00_-4-Dec-2007.aspx

In it, there's a link to a presentation he gave at a Project Management
Institute meeting on December 6th, 2007. The link to the presentation
is:
http://www.communities.hp.com/securitysoftware/blogs/dennis/attachment/72396.ashx

In it, it's pretty clear that Dennis was aware of the "SELECT ... FOR
XML" trick at that time, and he also probably demonstrated it in
public. One of his slides reads as follows:

demo
SQL Injection
(how to do this:' union select 1,1,(select * from
customers for xml auto) from sysobjects where '' = ')

I hope that settles it...
Thanks,
-Amit


On Sun, Feb 8, 2009 at 6:29 PM, Razi Shaban <razishaban@...il.com> wrote:
> On Sun, Feb 8, 2009 at 6:16 PM, Roman Medina-Heigl Hernandez
> <roman@...labs.com> wrote:
>> Razi Shaban wrote:
>>>> I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL
>>>> injection technique which allows extracting all the information of a
>>>> Microsoft SQL Server 2005/2008 database in an extremely fast and efficient
>>>> way.
>>>
>>> This isn't new, this is old news. It might be the first paper written
>>> about the topic, but these methods have been used for years.
>>
>> Please, Razi, could you name any reference? I suppose that if the method is
>> well-known, as you're suggesting, it shouldn't be difficult at all to find
>> at least one. I can't believe no tool is implementing such a great idea, if
>> it is "old news".
>>
>> --
>>
>> Regards,
>> -Roman
>
> Not reference, not white paper, not tool. I am talking about the real
> internet, where things aren't talked about but actually happen.
> Hackers have been using methods similar to this for years; it's about
> time a white-hat discovered this.
>
> Regards,
> Razi Shaban
>
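The slide payload quoted in this thread wraps a sub-select in `FOR XML AUTO` so that an entire table is serialised into a single UNION column. As an added defensive example (not part of the original thread or of SFX-SQLi), the following Python triages web-server request lines for that pattern; the sample requests are constructed, and the second one is the slide payload URL-encoded as a browser would send it.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (not taken from the original thread).
SAMPLE_REQUESTS = [
    "GET /products.asp?id=3 HTTP/1.1",
    "GET /products.asp?id=3'%20union%20select%201,1,(select%20*%20from%20customers"
    "%20for%20xml%20auto)%20from%20sysobjects%20where%20''%20%3D%20' HTTP/1.1",
    "GET /search.asp?q=how+to+select+a+parser+for+xml+files HTTP/1.1",   # benign
    "GET /report.asp?id=7%20UNION/**/SELECT%201,(SELECT%20*%20FROM%20users"
    "%20FOR%20XML%20PATH(''))-- HTTP/1.1",
]

# A parenthesised SELECT whose result is serialised with one of the MSSQL FOR XML
# modes: the sub-select is what lets a whole table come back inside one column.
FOR_XML_PATTERN = re.compile(
    r"\(\s*select\b[^()]*\bfor\s+xml\s+(?:auto|raw|path|explicit)\b",
    re.IGNORECASE,
)


def normalize(request_line):
    """URL-decode until stable (catches double-encoding), drop block comments
    (MSSQL accepts /**/ as whitespace), and squeeze runs of whitespace."""
    text = request_line
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text)


def flag_for_xml_requests(requests):
    """Return (index, matched fragment) for each request carrying a FOR XML sub-select."""
    hits = []
    for i, line in enumerate(requests):
        m = FOR_XML_PATTERN.search(normalize(line))
        if m:
            hits.append((i, m.group(0)))
    return hits


if __name__ == "__main__":
    for idx, fragment in flag_for_xml_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: {fragment}")
```

This kind of pattern match is a log-triage aid only; the fix for the underlying weakness is parameterised queries and least-privilege database accounts, not signature matching.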
