[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2d792fb20902080829t386ef04dud3e749640843d2e3@mail.gmail.com>
Date: Sun, 8 Feb 2009 18:29:05 +0200
From: Razi Shaban <razishaban@...il.com>
To: Roman Medina-Heigl Hernandez <roman@...labs.com>
Cc: Daniel Kachakil <dani@...hakil.com>, bugtraq@...urityfocus.com
Subject: Re: SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table
in one request!)
On Sun, Feb 8, 2009 at 6:16 PM, Roman Medina-Heigl Hernandez
<roman@...labs.com> wrote:
> Razi Shaban escribió:
>>> I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL
>>> injection technique which allows to extract the whole information of a
>>> Microsoft SQL Server 2005/2008 database in an extremely fast and efficient
>>> way.
>>
>> This isn't new, this is old news. It might be the first paper written
>> about the topic, but these methods have been used for years.
>
> Please, Razi, could you name any reference? I suppose that if the method is
> well-known, as you're suggesting, it shouldn't be difficult at all to find
> at least one. I can't believe no tool is implementing such a great idea, if
> it is "old news".
>
> --
>
> Saludos,
> -Roman
Not reference, not white paper, not tool. I am talking about the real
internet, where things aren't talked about but actually happen.
Hackers have been using methods similar to this for years, it's about
time a white-hat discovered this.
Regards,
Razi Shaban
Powered by blists - more mailing lists