[Kevin Spett]
| I would like to know if there are other ways of doing this.

You could look for a place where your input is stored in a database without validation, and insert a sub-select that picks up the information you want.

Example: I was working my way through a system yesterday. In this system I could register new users. On the user preferences page, I could change my E-mail address. Fortunately, the programmers had forgotten to "wash" the input, so I was able to enter the following as my E-mail address:

    ' + (SELECT password FROM users WHERE username='foobar') + '

The + signs are used for string concatenation in MS SQL Server. After entering this text, my E-mail field was updated to contain the password of the user foobar. (Long live clear text passwords! :) )

My input probably resulted in an SQL query that looks like this:

    UPDATE users SET email='' + (SELECT password FROM users WHERE username='foobar') + ''
                            ------------------------------------------------------------
    WHERE username='sverre'

The underlined text is the "E-mail address" provided by me.

Hope this helps a little bit.

Sverre.

--
shhat_private
Try my Nerd Quiz at http://shh.thathost.com/ http://nerdquiz.thathost.com/
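Added example, not part of the original post or the system it describes: the UPDATE from the message built by string concatenation, next to the same statement with bound parameters, so the difference in what ends up stored is visible. It assumes an in-memory SQLite database with constructed sample rows, and uses SQLite's || operator where the post uses SQL Server's +; the function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data using the table and usernames named in the post.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users "
               "(username TEXT PRIMARY KEY, password TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("foobar", "s3cret-constructed", "foobar@example.com"),
                    ("sverre", "hunter2-constructed", "sverre@example.com")])
    return db

def update_email_concat(db, username, email):
    # Vulnerable: input is pasted into the statement text, so a quote in
    # `email` ends the string literal and the rest is parsed as SQL.
    db.execute("UPDATE users SET email='" + email +
               "' WHERE username='" + username + "'")

def update_email_param(db, username, email):
    # Hardened: values are bound separately from the statement text and
    # can only ever be stored as data.
    db.execute("UPDATE users SET email=? WHERE username=?", (email, username))

def stored_email(db, username):
    row = db.execute("SELECT email FROM users WHERE username=?",
                     (username,)).fetchone()
    return row[0]

# The input from the post, with || in place of + (SQLite concatenation).
PAYLOAD = "' || (SELECT password FROM users WHERE username='foobar') || '"

def demo():
    # Run the same input through both code paths on fresh databases.
    results = {}
    for name, fn in (("concat", update_email_concat),
                     ("param", update_email_param)):
        db = make_db()
        fn(db, "sverre", PAYLOAD)
        results[name] = stored_email(db, "sverre")
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", repr(value))
```

With concatenation the e-mail column ends up holding foobar's password; with bound parameters it holds the literal input string, which an address-format check would then reject.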
This archive was generated by hypermail 2b30 : Mon Sep 10 2001 - 08:06:00 PDT