You can SQL inject that form. To see more on these attacks check
http://www.sqlsecurity.com/faq-inj.asp
http://www.silksoft.co.za/data/sqlinjectionattack.htm

-- jacg

On Mon 19 Nov 2001 22:24, you wrote:
> Hello all,
>
> I am doing a pen test against an IIS 5 web server. The web server requires a
> user name and password via a logon form. If a single quote character is
> entered (username) the following error is produced
>
> [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark
> before the character string '' and password=''.
>
> I remember reading somewhere that this can be used to gain further access?
> but I can't find the info.
>
> Can anyone help?
>
> Thanks in advance.
>
> Gary
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert
> (SIA) Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
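Added example, not part of the original thread: why a lone single quote in the username field produces an unclosed-quote error when the login query is built by string concatenation, and how a parameterized query handles the same input as plain data. SQLite stands in for the SQL Server back end, and the table, sample row and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; SQLite is an assumption standing in for SQL Server.
    # The password is stored in plaintext only to keep the demonstration short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('gary', 'correct-horse')")
    return db

def login_concatenated(db, username, password):
    # Pattern consistent with the error in the post: input is pasted into the
    # SQL text, so a quote in the input moves the end of the string literal.
    sql = ("SELECT COUNT(*) FROM users WHERE username='" + username +
           "' and password='" + password + "'")
    return db.execute(sql).fetchone()[0] == 1

def login_parameterized(db, username, password):
    # Placeholders keep input out of the SQL text; a quote is just a character.
    sql = "SELECT COUNT(*) FROM users WHERE username=? and password=?"
    try:
        return db.execute(sql, (username, password)).fetchone()[0] == 1
    except sqlite3.Error:
        # Fail closed; driver error text should go to a log, never to the client.
        return False

def probe(login, username):
    """Classify one login attempt as 'ok', 'denied' or 'sql-error'."""
    db = make_db()
    try:
        return "ok" if login(db, username, "correct-horse") else "denied"
    except sqlite3.Error:
        return "sql-error"

if __name__ == "__main__":
    # A legitimate name, the lone quote from the post, and a name containing a quote.
    for name in ("gary", "'", "o'brien"):
        print(repr(name), probe(login_concatenated, name),
              probe(login_parameterized, name))
```

A review check that follows from this: any login or search handler that returns a raw database driver message for a quote character is building SQL from input and should be moved to bound parameters.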
This archive was generated by hypermail 2b30 : Tue Nov 20 2001 - 09:17:41 PST