lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <498F055E.9050902@rs-labs.com>
Date: Sun, 08 Feb 2009 17:16:30 +0100
From: Roman Medina-Heigl Hernandez <roman@...labs.com>
To: Razi Shaban <razishaban@...il.com>
Cc: Daniel Kachakil <dani@...hakil.com>, bugtraq@...urityfocus.com
Subject: Re: SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table
 	in one request!)

Razi Shaban escribió:
>> I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL
>> injection technique which allows to extract the whole information of a
>> Microsoft SQL Server 2005/2008 database in an extremely fast and efficient
>> way.
> 
> This isn't new, this is old news. It might be the first paper written
> about the topic, but these methods have been used for years.

Please, Razi, could you name any reference? I suppose that if the method is
well-known, as you're suggesting, it shouldn't be difficult at all to find
at least one. I can't believe no tool is implementing such a great idea, if
it is "old news".

-- 

Saludos,
-Roman

PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ