| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 8 Feb 2009 18:29:05 +0200 From: Razi Shaban <razishaban@...il.com> To: Roman Medina-Heigl Hernandez <roman@...labs.com> Cc: Daniel Kachakil <dani@...hakil.com>, bugtraq@...urityfocus.com Subject: Re: SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in one request!) On Sun, Feb 8, 2009 at 6:16 PM, Roman Medina-Heigl Hernandez <roman@...labs.com> wrote: > Razi Shaban escribió: >>> I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL >>> injection technique which allows to extract the whole information of a >>> Microsoft SQL Server 2005/2008 database in an extremely fast and efficient >>> way. >> >> This isn't new, this is old news. It might be the first paper written >> about the topic, but these methods have been used for years. > > Please, Razi, could you name any reference? I suppose that if the method is > well-known, as you're suggesting, it shouldn't be difficult at all to find > at least one. I can't believe no tool is implementing such a great idea, if > it is "old news". > > -- > > Saludos, > -Roman Not reference, not white paper, not tool. I am talking about the real internet, where things aren't talked about but actually happen. Hackers have been using methods similar to this for years, it's about time a white-hat discovered this. Regards, Razi Shaban
Powered by blists - more mailing lists