| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 8 Feb 2009 14:28:27 +0100 From: "Daniel Kachakil" <dani@...hakil.com> To: "Paul Schmehl" <pschmehl_lists_nada@...rr.com>, <full-disclosure@...ts.grok.org.uk> Subject: Re: SFX-SQLi: A new SQL injection technique for SQL Server (dumps a table in one request!) Dear Paul: Thanks for your comments. And yes, I think you are 100% right. The SFX-SQLi "injection technique/method" (is there a better name for it?) will not help you to extract more data than other existing techniques. The XMLSCHEMA option is only an alternative way to get the column names (instead of using SYSOBJECTS, for instance). Maybe it can also bypass some basic filters (e.g. there is no need to use the WHERE clause), but this is secondary... The main difference is this: - Time-based SQL injection: 1 request -> 1/2 char using Deep Blind (but very slowly) - Blind SQL injection: 1 request -> 1/7 char - Union / error-based SQL injection: 1 request -> 1 field - SFX-SQL injection: 1 request -> 1 table So yes, this technique will extract the same data, but thousands of times faster than other methods. Regards, Daniel Kachakil -------------------------------------------------- From: "Paul Schmehl" <pschmehl_lists@...rr.com> Sent: Sunday, February 08, 2009 5:10 AM To: <full-disclosure@...ts.grok.org.uk> Cc: "Daniel Kachakil" <dani@...hakil.com> Subject: Re: [Full-disclosure] SFX-SQLi: A new SQL injection technique for SQL Server (dumps a table in one request!) > --On February 7, 2009 10:02:21 AM -0600 Daniel Kachakil > <dani@...hakil.com> wrote: >> >> I have written a paper describing how the technique works and in which >> fundamentals it is based, and I have also developed a tool which >> implements >> this technique as a proof of concept (with the source code included). >> >> You can get them through this URL: >> >> http://www.kachakil.com/papers/SFX-SQLi-en.htm > > Having read your paper, I'm a bit confused about what you think the "new > SQL injection technique" is that you've discovered. I understand you have > determined a way to *extract* data in a more compact and efficient format, > but I didn't see any new *injection* technique. IOW, the FOR XML > construct isn't going to assist you in obtaining the data - only in > obtaining it more efficiently. > > Did I miss something? > > Paul Schmehl, If it isn't already > obvious, my opinions are my own > and not those of my employer. > ****************************************** > WARNING: Check the headers before replying > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists