lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20030429224935.60820.qmail@web40005.mail.yahoo.com>
Date: Tue, 29 Apr 2003 15:49:35 -0700 (PDT)
From: Cesar <cesarc56@...oo.com>
To: bugtraq@...urityfocus.com
Subject: Latest MS SQL Server vulnerabilities revealed



There are available to download, a new POC tool, paper
and presentation on the latest MS SQL Server bugs.


Hunting Flaws in Microsoft SQL Server Presentation

This presentation was delivered at the Black Hat 2003
Windows Security Conference, and illustrates many new
Microsoft SQL Server vulnerabilities. Improvements
that were made to Microsoft SQL Server in the new SP3
release to fix these vulnerabilities are also
discussed. Also, a new tool to exploit the SQL
Injection techniques described in the paper
Manipulating Microsoft SQL Server Using SQL Injection
was also introduced. 

http://www.appsecinc.com/news/briefing.html#hunting


Hunting Flaws in Microsoft SQL Server White Paper

This paper illustrates many new Microsoft SQL Server
vulnerabilities and how they were found. It explores
many of the issues discussed in its counterpart
presentation. 

http://www.appsecinc.com/news/briefing.html#hunting2


Data Thief

Data Thief is a �proof-on-concept� tool used to
demonstrate to web administrators and developers how
easy it is to steal data from a web application that
is vulnerable to SQL Injection. Data Thief is designed
to retrieve the data from a Microsoft SQL Server
back-end behind a web application with a SQL Injection
vulnerability. Once a SQL Injection vulnerability is
identified, Data Thief does all the work of listing
the linked severs, laying out the database schema, and
actually selecting the data from a table in the
application.

http://www.appsecinc.com/resources/freetools/

Feedback is welcome.

NEW SECURITY LIST: For people interested in SQL Server
security, vulnerabilities, SQL injection, etc., I'm
starting a new mailing list you can join at:

http://groups.yahoo.com/group/sqlserversecurity/

Enjoy!!

Cesar


__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ