Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: SQL In the Request

from [Arian J. Evans] Network Security [Permanent Link]
Subject: RE: SQL In the Request
Date: Fri, 6 Oct 2006 14:13:30 -0500 
If everything runs on the local host and you are admin,
I guess I don't see a problem. :)

A developer I helped convert to the dark side showed
me a portal he found that was basically this, but
the SQL query was constructed from cookies. That way
the developers could remotely troubleshoot and debug
the app by using in-browser cookie editors or simply
dropping a cookie (query section) they didn't like
to manipulate the query dynamically.

Obviously there were a couple of other implications
to this implementation style as well.

-ae


-----Original Message-----
From: listbounce@securityfocus.com 
[mailto:listbounce@securityfocus.com] On Behalf Of bryan allott
Sent: Thursday, October 05, 2006 10:29 AM
To: webappsec@securityfocus.com; websecurity@webappsec.org
Subject: SQL In the Request

Just when i thought i had seen it all... -i come across a 
site which passes 
in the following as part of the REQUEST..
yes, the SWF builds a request and sends it through to a php 
server... in 
plain text.

POST /flashsql.php?id=106 HTTP/1.1

= QUERYSTRING ====
 id=106

= BODY ====
 host=dedi119b.your-server.co.za
 sql_=SELECT DISTINCT(movies.id), movies.name, filename FROM 
movies LEFT 
JOIN groups_movies ON (movies.id = groups_movies.movie_id) 
LEFT JOIN groups 
ON (groups.id = groups_movies.group_id) LEFT JOIN 
files_groups ON (groups.id 
= files_groups.group_id) LEFT JOIN files ON (files.id = 
files_groups.file_id) WHERE movies.id 
IN(155,150,52,149,134,133,76) AND 
files.file_type_id=9 ORDER BY movies.id
 dat=sk_cms

is there anyway that this can be "acceptable" ? 


--------------------------------------------------------------
-----------
Sponsored by: Watchfire

Watchfire has new programs available for pen testers and 
consultants to 
use AppScan in client engagements. AppScan is the leading Web 
application 
assessment tool. Want to see it for yourself? Take a look today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=70150
0000008YSz
--------------------------------------------------------------
------------



-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire has new programs available for pen testers and consultants to 
use AppScan in client engagements. AppScan is the leading Web application 
assessment tool. Want to see it for yourself? Take a look today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YSz
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  More Fun with CSS History Theft, bugtraq
Next by Date:  RE: [WEB SECURITY] Re: SQL In the Request, Jeff Robertson
Previous by Thread:  SQL In the Request, bryan allott
Next by Thread:  RE: [WEB SECURITY] Re: SQL In the Request, Ory Segal
Indexes:  [Date] [Thread] [Top] [All Lists]