Network Security Pen-Test

RE: Pen-testing AS400 DB2 LANSA

Subject: RE: Pen-testing AS400 DB2 LANSA
Date: Wed, 22 Jun 2005 13:27:57 +0200
There are many options, usually a good starting point would be to look
at the returned error message (if any). Otherwise my guess would be to
just terminate a statement (" --") and take it from there.

Amichai Shulman
CTO




Imperva, Inc.
12 Hachilazon St.
Ramat Gan


(972)-3-6120133 x103 Office
(972)-3-7511133 Fax
(972)-50-6544451 Mobile
shulman@imperva.com



-----Original Message-----
From: Eoin Keary [mailto:eoinkeary@hotmail.com] 
Sent: Wednesday, June 22, 2005 10:51 AM
To: Amichai Shulman; pen-test@securityfocus.com
Cc: eoin.keary@owasp.org
Subject: RE: Pen-testing AS400 DB2 LANSA


Thanks Amichai,
Regular tests such as "O'Brien" or "  ' Or 1=1 -- ' do not work. So I was
wondering if there are any other vectors one could try specific to DB2 &
AS400


From: "Amichai Shulman" <shulman@imperva.com>
To: <pen-test@securityfocus.com>
CC: <eoin.keary@owasp.org>
Subject: RE: Pen-testing AS400 DB2 LANSA
Date: Wed, 22 Jun 2005 09:32:31 +0200

We did a pen-test on a web application a while ago that used DB2 on 
AS400 as backend database. Found SQL injection to work much like with 
any other database. Interesting thing though was that we invoked a 
denial-of-service attack against the AS400 by injecting a computation 
intensive query.

Amichai Shulman
CTO




Imperva, Inc.
12 Hachilazon St.
Ramat Gan


(972)-3-6120133 x103 Office
(972)-3-7511133 Fax
(972)-50-6544451 Mobile
shulman@imperva.com


-----Original Message-----
From: eoin.keary@owasp.org [mailto:eoin.keary@owasp.org]
Sent: Wednesday, June 15, 2005 3:34 PM
To: pen-test@securityfocus.com
Subject: Pen-testing AS400 DB2 LANSA


Hi,
anyone have any knowledge on SQL injection for an AS400 running DB2?

Eoin


